Using representational state transfer (REST) for consent management

US 9,350,718 B2
Filed: 04/30/2014
Issued: 05/24/2016
Est. Priority Date: 09/29/2011
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method comprising:

receiving, at an OAuth authorization server, from a software application executing on a device associated with a user, through a Representational State Transfer (REST)-based interface, a request for permission to access a scope of information associated with the user;

upon the OAuth authorization server authenticating the user associated with the device, sending, from the OAuth authorization server, to the device through the REST-based interface, a request for consent by the user to allow the software application to access information that is within the scope of information associated with the user;

receiving, at the OAuth authorization server, from the device, through the REST-based interface, consent to allow the software application to access the information that is within the scope of information; and

in response to receiving the consent, storing, at the OAuth authorization server, a mapping between the software application and the scope of information.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A framework, which conforms to the OAuth standard, involves a generic OAuth authorization server that can be used by multiple resource servers in order to ensure that access to resources stored on those resource servers is limited to access to which the resource owner consents. Each resource server registers, with the OAuth authorization server, metadata for that resource server, indicating scopes that are recognized by the resource server. The OAuth authorization server refers to this metadata when requesting consent from a resource owner on behalf of a client application, so that the consent will be of an appropriate scope. The OAuth authorization server refers to this metadata when constructing an access token to provide to the client application for use in accessing the resources on the resource server. The OAuth authorization server uses this metadata to map issued access tokens to the scopes to which those access tokens grant access.

296 Citations

20 Claims

1. A computer-implemented method comprising:
- receiving, at an OAuth authorization server, from a software application executing on a device associated with a user, through a Representational State Transfer (REST)-based interface, a request for permission to access a scope of information associated with the user;
  
  upon the OAuth authorization server authenticating the user associated with the device, sending, from the OAuth authorization server, to the device through the REST-based interface, a request for consent by the user to allow the software application to access information that is within the scope of information associated with the user;
  
  receiving, at the OAuth authorization server, from the device, through the REST-based interface, consent to allow the software application to access the information that is within the scope of information; and
  
  in response to receiving the consent, storing, at the OAuth authorization server, a mapping between the software application and the scope of information.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The computer-implemented method of claim 1, further comprising:
    - in response to the request for permission, sending, from the OAuth authorization server to the device associated with the user, through the REST-based interface, a request for an authentication credential associated with the user.
  - 3. The computer-implemented method of claim 2, further comprising:
    - receiving, from the device, the authentication credential at the OAuth authorization server through the REST-based interface; and
      
      authenticating the user associated with the device by determining, at the OAuth authorization server, whether the authentication credential is associated with the user.
  - 4. The computer-implemented method of claim 1, further comprising:
    - determining, at the OAuth authorization server, whether the OAuth authorization server has stored the mapping between the software application and the scope of information specified in the request for permission received from the software application; and
      
      in response to a determination by the OAuth authorization server that the OAuth authorization server has stored the mapping between the software application and the scope of information specified in the request for permission, providing, to the software application, through the REST-based interface, the information that is within the scope of information specified in the mapping.
  - 5. The computer-implemented method of claim 1, wherein the consent is received through the REST-based interface without involving a Hypertext Transfer Protocol (HTTP) redirect operation.
  - 6. The computer-implemented method of claim 1, further comprising:
    - receiving, at the OAuth authorization server, through the REST-based interface, from the software application, a request to revoke the consent; and
      
      in response to receiving the request to revoke the consent, deleting the mapping stored at the OAuth authorization server.
  - 7. The method of claim 1, wherein the request for consent is sent to the software application on the device, and wherein the consent is received from the software application on the device.
  - 8. The method of claim 1, wherein communication through the REST-based interface does not involve an HTML-based redirect.

9. A computer-readable memory comprising instructions which, when executed by one or more processors, cause the one or more processors to perform:
- receiving, at an OAuth authorization server, from a software application executing on a device associated with a user, through a Representational State Transfer (REST)-based interface, a request for permission to access a scope of information associated with the user;
  
  upon the OAuth authorization server authenticating the user associated with the device, sending, from the OAuth authorization server, to the device through the REST-based interface, a request for consent by the user to allow the software application to access information that is within the scope of information associated with the user;
  
  receiving, at the OAuth authorization server, from the device, through the REST-based interface, consent to allow the software application to access the information that is within the scope of information; and
  
  in response to receiving the consent, storing, at the OAuth authorization server, a mapping between the software application and the scope of information.
- View Dependent Claims (10, 11, 12, 13, 14)
- - 10. The computer-readable memory of claim 9, wherein the instructions, when executed by the one or more processors, cause the one or more processors to perform:
    - in response to the request for permission, sending, from the OAuth authorization server to the device associated with the user, through the REST-based interface, a request for an authentication credential associated with the user.
  - 11. The computer-readable memory of claim 10, wherein the instructions, when executed by the one or more processors, cause the one or more processors to perform:
    - receiving, from the device, the authentication credential at the OAuth authorization server through the REST-based interface; and
      
      authenticating the user associated with the device by determining, at the OAuth authorization server, whether the authentication credential is associated with the user.
  - 12. The computer-readable memory of claim 9, wherein the instructions, when executed by the one or more processors, cause the one or more processors to perform:
    - determining, at the OAuth authorization server, whether the OAuth authorization server has stored the mapping between the software application and the scope of information specified in the request for permission received from the software application; and
      
      in response to a determination by the OAuth authorization server that the OAuth authorization server has stored the mapping between the software application and the scope of information specified in the request for permission, providing, to the software application, through the REST-based interface, the information that is within the scope of information specified in the mapping.
  - 13. The computer-readable memory of claim 9, wherein the consent is received through the REST-based interface without involving a Hypertext Transfer Protocol (HTTP) redirect operation.
  - 14. The computer-readable memory of claim 9, wherein the instructions, when executed by the one or more processors, cause the one or more processors to perform:
    - receiving, at the OAuth authorization server, through the REST-based interface, from the software application, a request to revoke the consent; and
      
      in response to receiving the request to revoke the consent, deleting the mapping stored at the OAuth authorization server.

15. A system comprising:
- a first machine that stores a software application, wherein the first machine is associated with a user; and
  
  a second machine that includes an OAuth authorization server that is configured to;
  
  receive, from the software application stored on the first machine, through a Representational State Transfer (REST)-based interface, a request for permission to access a scope of information associated with the user;
  
  upon the OAuth authorization server authenticating the user associated with the first machine, send, to the first machine through the REST-based interface, a request for consent by the user to allow the software application to access information that is within the scope of information associated with the user;
  
  receive, from the first machine through the REST-based interface, consent to allow the software application to access the information that is within the scope of information; and
  
  store, in response to receiving the consent, a mapping between the software application and the scope of information.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The system of claim 15, wherein the OAuth authorization server is configured to:
    - send, in response to the request for permission, through the REST-based interface, to the first machine, a request for an authentication credential associated with the user.
  - 17. The system of claim 16, wherein the OAuth authorization server is configured to:
    - receive, from the first machine, the authentication credential through the REST-based interface; and
      
      authenticating the user associated with the first machine by determining whether the authentication credential is associated with the user.
  - 18. The system of claim 15, wherein the OAuth authorization server is configured to:
    - determine whether the OAuth authorization server has stored the mapping between the software application and the scope of information specified in the request for permission from the software application; and
      
      in response to a determination by the OAuth authorization server that the OAuth authorization server has stored the mapping between the software application and the scope of information specified in the request for permission, provide, to the software application, through the REST-based interface, the information that is within the scope of information specified in the mapping.
  - 19. The system of claim 15, wherein the OAuth authorization server is configured to receive the consent through the REST-based interface without involving a Hypertext Transfer Protocol (HTTP) redirect operation.
  - 20. The system of claim 15, wherein the OAuth authorization server is configured to:
    - receive, through the REST-based interface, from the software application, a request to revoke the consent; and
      
      delete the mapping in response to receiving the request to revoke the consent.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
Oracle International Corporation (Oracle Corporation)
Inventors
Sondhi, Ajay, Chu, Ching-Wen, Kim, Beomsuk, Hingarajiya, Ravi
Primary Examiner(s)
Vaughan, Michael R

Application Number

US14/266,466
Publication Number

US 20150089596A1
Time in Patent Office

755 Days
Field of Search

None
US Class Current

1/1
CPC Class Codes

G06F 2221/2103   Challenge-response

H04L 63/08   for authentication of entit...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/0815   providing single-sign-on or...

H04L 63/0853   using an additional device,...

H04L 63/10   for controlling access to d...

H04L 63/102   Entity profiles

H04L 63/20   for managing network securi...

H04L 63/205   involving negotiation or de...

H04W 12/06   Authentication

Using representational state transfer (REST) for consent management

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

296 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Using representational state transfer (REST) for consent management

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

296 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links