Multiple resource servers interacting with single OAuth server
First Claim
1. A computer-implemented method comprising:
receiving, at an OAuth authorization server including one or more hardware processors, a request to access a first resource server from a first client application that executes in a context of a first identity domain of a plurality of isolated identity domains;
selecting, from a plurality of OAuth service profiles that the OAuth authorization server maintains, a first OAuth service profile that is applicable only to the first identity domain, wherein the first OAuth service profile indicates a first set of resource servers that the first client application is permitted to access in the context of the first identity domain;
determining, based on the first set of resource servers indicated by the first OAuth service profile, whether the first client application is permitted to access the first resource server in the context of the first identity domain, wherein the first client application is permitted access to the first resource server based on determining that the first resource server is included in the first set of resource servers;
in response to determining that the first client application is not permitted to access the first resource server in the context of the first identity domain, denying the request to access the first resource server, wherein denying the request to access the first resource server includes blocking communication from the first client application to the first resource server in the context of the first identity domain;
in response to determining that the first client application is permitted to access the first resource server in the context of the first identity domain, accessing the first resource server to obtain first scope information for the first resource server;
generating a first token for the first client application to access the first resource server based on the first scope information that the OAuth authorization server obtains from the first resource server;
receiving, at the OAuth authorization server, a request to access a second resource server from a second client application that executes in a context of a second identity domain of the plurality of isolated identity domains, the second identity domain being separate from the first identity domain;
selecting, from the plurality of OAuth service profiles that the OAuth authorization server maintains, a second OAuth service profile that is applicable only to the second identity domain, wherein the second OAuth service profile indicates a second set of resource servers that the second client application is permitted to access in the context of the second identity domain;
determining, based on the second set of resource servers indicated by the second OAuth service profile, whether the second client application is permitted to access the second resource server in the context of the second identity domain, wherein the second client application is permitted access to the second resource server based on determining that the second resource server is included in the second set of resource servers;
in response to determining that the second client application is permitted to access the second resource server in the context of the second identity domain, accessing the second resource server to obtain second scope information for the second resource server; and
generating a second token for the second client application to access the second resource server based on second scope information that the OAuth authorization server obtains from the second resource server.
Abstract
A framework, which conforms to the OAuth standard, involves a generic OAuth authorization server that can be used by multiple resource servers in order to ensure that access to resources stored on those resource servers is limited to access to which the resource owner consents. Each resource server registers, with the OAuth authorization server, metadata for that resource server, indicating scopes that are recognized by the resource server. The OAuth authorization server refers to this metadata when requesting consent from a resource owner on behalf of a client application, so that the consent will be of an appropriate scope. The OAuth authorization server refers to this metadata when constructing an access token to provide to the client application for use in accessing the resources on the resource server. The OAuth authorization server uses this metadata to map issued access tokens to the scopes to which those access tokens grant access.
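The decision flow the abstract and claims describe, as an added illustration rather than code from the patent: a service profile is selected by identity domain alone, the target resource server must appear in that profile's permitted set, and the token may only carry scopes the resource server registered. The class and field names, the token format and the two-tenant fixture are assumptions.

```python
from dataclasses import dataclass
import secrets
# Assumed names, token layout and fixture; not the patent's own implementation.

@dataclass(frozen=True)
class ResourceServer:
    """Metadata a resource server registers: the scopes it recognizes."""
    name: str
    scopes: frozenset

@dataclass(frozen=True)
class ServiceProfile:
    """Per-identity-domain profile: the resource servers clients may reach."""
    domain: str
    permitted_servers: frozenset

class AuthorizationServer:
    def __init__(self, servers, profiles):
        self.servers = {s.name: s for s in servers}
        self.profiles = {p.domain: p for p in profiles}
        self.issued = {}  # token -> (domain, server, granted scopes)

    def authorize(self, domain, server_name, requested_scopes):
        """Return an access token, or None when the request is denied."""
        profile = self.profiles.get(domain)
        # The profile is selected by domain only; a server outside its set is
        # blocked for this domain even if another domain's profile allows it.
        if profile is None or server_name not in profile.permitted_servers:
            return None
        server = self.servers.get(server_name)
        granted = frozenset(requested_scopes)
        # Only scopes the resource server registered can be granted; an
        # unknown or empty scope set is refused rather than silently trimmed.
        if server is None or not granted or not granted <= server.scopes:
            return None
        token = secrets.token_urlsafe(16)
        self.issued[token] = (domain, server_name, granted)
        return token

    def scopes_for(self, token):
        """Map an issued token back to the domain, server and scopes it grants."""
        return self.issued.get(token)

def demo_server():
    """Constructed fixture: two isolated domains, each allowed one server."""
    return AuthorizationServer(
        [ResourceServer("calendar", frozenset({"cal.read", "cal.write"})),
         ResourceServer("files", frozenset({"files.read"}))],
        [ServiceProfile("tenant-a", frozenset({"calendar"})),
         ServiceProfile("tenant-b", frozenset({"files"}))])
```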
19 Claims
10. A computer-readable memory comprising instructions which, when executed by one or more processors, cause the one or more processors to perform:
receiving, at an OAuth authorization server, a request to access a first resource server from a first client application that executes in a context of a first identity domain of a plurality of isolated identity domains;
selecting, from a plurality of OAuth service profiles that the OAuth authorization server maintains, a first OAuth service profile that is applicable only to the first identity domain, wherein the first OAuth service profile indicates a first set of resource servers that the first client application is permitted to access in the context of the first identity domain;
determining, based on the first set of resource servers indicated by the first OAuth service profile, whether the first client application is permitted to access the first resource server in the context of the first identity domain, wherein the first client application is permitted access to the first resource server based on determining that the first resource server is included in the first set of resource servers;
in response to determining that the first client application is not permitted to access the first resource server in the context of the first identity domain, denying the request to access the first resource server, wherein denying the request to access the first resource server includes blocking communication from the first client application to the first resource server in the context of the first identity domain;
in response to determining that the first client application is permitted to access the first resource server in the context of the first identity domain, accessing the first resource server to obtain first scope information for the first resource server;
generating a first token for the first client application to access the first resource server based on the first scope information that the OAuth authorization server obtains from the first resource server;
receiving, at the OAuth authorization server, a request to access a second resource server from a second client application that executes in a context of a second identity domain of the plurality of isolated identity domains, the second identity domain being separate from the first identity domain;
selecting, from the plurality of OAuth service profiles that the OAuth authorization server maintains, a second OAuth service profile that is applicable only to the second identity domain, wherein the second OAuth service profile indicates a second set of resource servers that the second client application is permitted to access in the context of the second identity domain;
determining, based on the second set of resource servers indicated by the second OAuth service profile, whether the second client application is permitted to access the second resource server in the context of the second identity domain, wherein the second client application is permitted access to the second resource server based on determining that the second resource server is included in the second set of resource servers;
in response to determining that the second client application is permitted to access the second resource server in the context of the second identity domain, accessing the second resource server to obtain second scope information for the second resource server; and
generating a second token for the second client application to access the second resource server based on second scope information that the OAuth authorization server obtains from the second resource server.
(Dependent claims 11 to 18 not reproduced here.)
19. An OAuth authorization server comprising:
a memory; and
one or more hardware processors coupled to the memory and configured to:
receive, at an OAuth authorization server including one or more hardware processors, a request to access a first resource server from a first client application that executes in a context of a first identity domain of a plurality of isolated identity domains;
select, from a plurality of OAuth service profiles that the OAuth authorization server maintains, a first OAuth service profile that is applicable only to the first identity domain, wherein the first OAuth service profile indicates a first set of resource servers that the first client application is permitted to access in the context of the first identity domain;
determine, based on the first set of resource servers indicated by the first OAuth service profile, whether the first client application is permitted to access the first resource server in the context of the first identity domain, wherein the first client application is permitted access to the first resource server based on determining that the first resource server is included in the first set of resource servers;
in response to determining that the first client application is not permitted to access the first resource server in the context of the first identity domain, deny the request to access the first resource server, wherein denying the request to access the first resource server includes blocking communication from the first client application to the first resource server in the context of the first identity domain;
in response to determining that the first client application is permitted to access the first resource server in the context of the first identity domain, access the first resource server to obtain first scope information for the first resource server;
generate a first token for the first client application to access the first resource server based on the first scope information that the OAuth authorization server obtains from the first resource server;
receive, at the OAuth authorization server, a request to access a second resource server from a second client application that executes in a context of a second identity domain of the plurality of isolated identity domains, the second identity domain being separate from the first identity domain;
select, from the plurality of OAuth service profiles that the OAuth authorization server maintains, a second OAuth service profile that is applicable only to the second identity domain, wherein the second OAuth service profile indicates a second set of resource servers that the second client application is permitted to access in the context of the second identity domain;
determine, based on the second set of resource servers indicated by the second OAuth service profile, whether the second client application is permitted to access the second resource server in the context of the second identity domain, wherein the second client application is permitted access to the second resource server based on determining that the second resource server is included in the second set of resource servers;
in response to determining that the second client application is permitted to access the second resource server in the context of the second identity domain, access the second resource server to obtain second scope information for the second resource server; and
generate a second token for the second client application to access the second resource server based on second scope information that the OAuth authorization server obtains from the second resource server.