Controlling access by web applications to resources on servers
First Claim
Patent Images
1. A system that facilitates granting a third-party application access to a user resource located on a network system, the system comprising:
- a user-based access control list (ACL) checking utility implemented on a hardware processor configured to determine whether a first user has permission to access the user resource;
a token-grant server checking utility implemented on the hardware processor configured to determine whether a token grant server has authenticated the third-party application with the network system by determining whether the token-grant server has sent an authorization code to a third-party application along with a document ID when the first user installs the third-party application for use with a resource identified by the document ID, whether the token-grant server has received the authorization code back from the third-party application along with a client secret that identifies the third-party application as the intended recipient of the authorization code, and whether the token-grant server has sent an authorization access token to the third-party application after receiving the authorization code and client secret from the third-party application;
a resource-based ACL checking utility implemented on the hardware processor configured to determine whether the third-party application has permission to access the user resource on behalf of the first user, based on metadata associated with the user resource, and information indicating whether a second user has used the third-party application to access the user resource, wherein the first user is not the second user; and
an authentication-fulfillment utility implemented on the hardware processor configured to fulfill the third-party application access request upon receiving affirmative determinations in all of the determinations made by the system, the fulfillment including enabling an authentication of the third-party application and granting the third-party application permission to access the user resource.
2 Assignments
0 Petitions
Accused Products
Abstract
Techniques are shown for providing third-party applications access to user resources based on user actions and processes that provide the third-party applications with the correct security tokens. The scope of access granted in various implementations of the disclosure is all documents which the user has already opened with the third-party application.
-
Citations
15 Claims
-
1. A system that facilitates granting a third-party application access to a user resource located on a network system, the system comprising:
-
a user-based access control list (ACL) checking utility implemented on a hardware processor configured to determine whether a first user has permission to access the user resource; a token-grant server checking utility implemented on the hardware processor configured to determine whether a token grant server has authenticated the third-party application with the network system by determining whether the token-grant server has sent an authorization code to a third-party application along with a document ID when the first user installs the third-party application for use with a resource identified by the document ID, whether the token-grant server has received the authorization code back from the third-party application along with a client secret that identifies the third-party application as the intended recipient of the authorization code, and whether the token-grant server has sent an authorization access token to the third-party application after receiving the authorization code and client secret from the third-party application; a resource-based ACL checking utility implemented on the hardware processor configured to determine whether the third-party application has permission to access the user resource on behalf of the first user, based on metadata associated with the user resource, and information indicating whether a second user has used the third-party application to access the user resource, wherein the first user is not the second user; and an authentication-fulfillment utility implemented on the hardware processor configured to fulfill the third-party application access request upon receiving affirmative determinations in all of the determinations made by the system, the fulfillment including enabling an authentication of the third-party application and granting the third-party application permission to access the user resource. - View Dependent Claims (2, 3, 4, 5, 6, 7)
-
-
8. A computer implemented method that facilitates granting a third-party application access to one or more user resources located on a web-based storage system, the method comprising:
-
determining, using a processor, whether a first user is on a user-based access control list (ACL) granting the first user access to the one or more user resources; determining, using the processor, whether an authorization access token has been granted by a token-grant server granting the third-party application limited access to the one or more resources by determining whether the token-grant server has sent an authorization code to a third-party application when the first user installs the third-party application, whether the token-grant server has received the authorization code from the third-party application along with a client secret that identifies the third-party application as the intended recipient of the authorization code, and whether the token-grant server has sent an authorization access token to the third-party application after receiving the authorization code and client secret at the token-grant server from the third-party application; determining, using the processor, whether the third-party application is on a resource-specific ACL, indicating that a second user has used the third-party application to access the one or more resources, wherein the first user is not the second user; determining, using the processor, whether the third-party application has been installed by the first user; and in response to an affirmative determination for each of the determinings, fulfilling, using the processor, the third-party application access request, the fulfilling including enabling an authentication of the third-party application and granting the third-party application permission to access the one or more user resources. - View Dependent Claims (9, 10, 11, 12, 13)
-
-
14. A tangible, machine-readable, non-transitory storage medium having stored thereon program instructions that facilitate granting a third-party application access to one or more user resources located on a web-based storage system, the instructions when executed by a machine cause the machine to perform operations comprising:
-
determining whether a first user is on a user-based access control list (ACL) granting the first user access to the one or more user resources; determining whether an authorization access token has been granted by a token-grant server granting the third-party application limited access to the one or more resources by determining whether an authorization code has been sent from the token-grant server to a third-party application when the first user installs the third-party application, whether the authorization code has been received at the token-grant server from the third-party application along with a client secret that identifies the third-party application as the intended recipient of the authorization code, and whether an authorization access token has been sent to the third-party application after receiving the authorization code and client secret from the third-party application; determining whether the third-party application is on a resource-specific ACL, indicating that a second user has used the third-party application to access the one or more resources, wherein the first user is not the second user; determining whether the third-party application has been installed by the first user; and in response to an affirmative determination for each of the determinings, fulfilling the third-party application access request, the fulfilling including enabling an authentication of the third-party application and granting the third-party application permission to access the one or more user resources. - View Dependent Claims (15)
-
Specification