Multiple resource servers interacting with single OAuth server
First Claim
1. A method comprising:
receiving, at an authorization computing system, a request to access a resource server from a client application that executes in a context of an identity domain of a plurality of identity domains;
identifying, at the authorization computing system, a service profile that is applicable only to the identity domain of the plurality of identity domains, wherein the service profile includes information identifying a set of resource servers that the client application is permitted to access in the context of the identity domain;
determining, at the authorization computing system and based on the set of resource servers identified by the information in the service profile, whether the client application is permitted to access the resource server in the context of the identity domain, wherein the client application is permitted access to the resource server upon determining that the resource server is included in the set of resource servers;
upon determining that the client application is not permitted to access the resource server in the context of the identity domain, denying, at the authorization computing system, the request to access the resource server, wherein denying the request to access the resource server includes blocking communication from the client application to the resource server in the context of the identity domain; and
upon determining that the client application is permitted to access the resource server in the context of the identity domain, accessing, at the authorization computing system, the resource server to obtain scope information for the resource server; and
generating, at the authorization computing system, based on the scope information obtained from the resource server, a token for the client application to access the resource server.
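The claim's steps as a runnable sketch, added here and not taken from the patent or any product: a per-identity-domain service profile gates which resource servers a client may reach, the token's scopes are bounded by the scope metadata the resource server registered, and the resource server checks the token's audience before honouring it. Tenant names, scope names and the in-memory registries are constructed sample data.

```python
import secrets
import time

# Constructed sample data: one service profile per identity domain, naming the
# resource servers a client running in that domain is permitted to access.
SERVICE_PROFILES = {
    "tenant-a": {"resource_servers": {"calendar-api", "mail-api"}},
    "tenant-b": {"resource_servers": {"mail-api"}},
}
# Constructed stand-in for the scope metadata each resource server registers
# with the authorization server (the "scope information" of claim 1).
RESOURCE_SERVER_SCOPES = {
    "calendar-api": {"calendar.read", "calendar.write"},
    "mail-api": {"mail.read"},
}
ISSUED_TOKENS = {}  # token -> claims: the server's map from tokens to granted scopes
TOKEN_TTL = 3600

def is_permitted(domain, resource_server):
    """Claim 1's determining step: the resource server must be listed in the
    domain's service profile; an unknown domain is denied outright."""
    profile = SERVICE_PROFILES.get(domain)
    return profile is not None and resource_server in profile["resource_servers"]

def authorize(domain, client_id, resource_server, requested_scopes, now=None):
    """Return an OAuth-style result: {"ok": True, "token": ...} or
    {"ok": False, "error": ...}. Requested scopes are intersected with the
    resource server's registered scopes, so a token never carries a scope the
    resource server does not recognise."""
    now = time.time() if now is None else now
    if not is_permitted(domain, resource_server):
        return {"ok": False, "error": "access_denied"}  # client is blocked here
    granted = set(requested_scopes) & RESOURCE_SERVER_SCOPES[resource_server]
    if not granted:
        return {"ok": False, "error": "invalid_scope"}
    token = secrets.token_urlsafe(32)
    ISSUED_TOKENS[token] = {"client_id": client_id, "domain": domain,
                            "aud": resource_server, "scope": sorted(granted),
                            "exp": now + TOKEN_TTL}
    return {"ok": True, "token": token, "scope": sorted(granted)}

def introspect(token, resource_server, now=None):
    """What a resource server asks before serving a request: the token must be
    known, unexpired, and bound (aud) to this particular resource server."""
    now = time.time() if now is None else now
    claims = ISSUED_TOKENS.get(token)
    if claims is None or claims["aud"] != resource_server or claims["exp"] <= now:
        return None
    return claims
```

The audience check in `introspect` is what keeps a token minted for one resource server from being replayed at another, even though both trust the same authorization server.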
Abstract
A framework, which conforms to the OAuth standard, involves a generic OAuth authorization server that can be used by multiple resource servers in order to ensure that access to resources stored on those resource servers is limited to access to which the resource owner consents. Each resource server registers, with the OAuth authorization server, metadata for that resource server, indicating scopes that are recognized by the resource server. The OAuth authorization server refers to this metadata when requesting consent from a resource owner on behalf of a client application, so that the consent will be of an appropriate scope. The OAuth authorization server refers to this metadata when constructing an access token to provide to the client application for use in accessing the resources on the resource server. The OAuth authorization server uses this metadata to map issued access tokens to the scopes to which those access tokens grant access.
20 Claims
1. A method comprising:
receiving, at an authorization computing system, a request to access a resource server from a client application that executes in a context of an identity domain of a plurality of identity domains;
identifying, at the authorization computing system, a service profile that is applicable only to the identity domain of the plurality of identity domains, wherein the service profile includes information identifying a set of resource servers that the client application is permitted to access in the context of the identity domain;
determining, at the authorization computing system and based on the set of resource servers identified by the information in the service profile, whether the client application is permitted to access the resource server in the context of the identity domain, wherein the client application is permitted access to the resource server upon determining that the resource server is included in the set of resource servers;
upon determining that the client application is not permitted to access the resource server in the context of the identity domain, denying, at the authorization computing system, the request to access the resource server, wherein denying the request to access the resource server includes blocking communication from the client application to the resource server in the context of the identity domain; and
upon determining that the client application is permitted to access the resource server in the context of the identity domain, accessing, at the authorization computing system, the resource server to obtain scope information for the resource server; and
generating, at the authorization computing system, based on the scope information obtained from the resource server, a token for the client application to access the resource server.
Dependent claims: 2, 3, 4, 5, 6, 7, 8 (not shown).
9. A computing system comprising:
one or more hardware processors; and
a memory operatively coupled to the one or more hardware processors, the memory storing a set of instructions that, when executed by the one or more hardware processors, causes the one or more hardware processors to:
receive a request to access a resource server from a client application that executes in a context of an identity domain of a plurality of identity domains;
identify a service profile that is applicable only to the identity domain of the plurality of identity domains, wherein the service profile includes information identifying a set of resource servers that the client application is permitted to access in the context of the identity domain;
determine, based on the set of resource servers identified by the information in the service profile, whether the client application is permitted to access the resource server in the context of the identity domain, wherein the client application is permitted access to the resource server upon determining that the resource server is included in the set of resource servers;
upon determining that the client application is not permitted to access the resource server in the context of the identity domain, deny the request to access the resource server, wherein denying the request to access the resource server includes blocking communication from the client application to the resource server in the context of the identity domain; and
upon determining that the client application is permitted to access the resource server in the context of the identity domain, access the resource server to obtain scope information for the resource server; and
generate, based on the scope information obtained from the resource server, a token for the client application to access the resource server.
Dependent claims: 10, 11, 12, 13, 14, 15, 16 (not shown).
17. A non-transitory computer-readable memory comprising instructions which, when executed by one or more processors, cause the one or more processors to:
receive, at an authorization computing system, a request to access a resource server from a client application that executes in a context of an identity domain of a plurality of identity domains;
identify, at the authorization computing system, a service profile that is applicable only to the identity domain of the plurality of identity domains, wherein the service profile includes information identifying a set of resource servers that the client application is permitted to access in the context of the identity domain;
determine, at the authorization computing system and based on the set of resource servers identified by the information in the service profile, whether the client application is permitted to access the resource server in the context of the identity domain, wherein the client application is permitted access to the resource server upon determining that the resource server is included in the set of resource servers;
upon determining that the client application is not permitted to access the resource server in the context of the identity domain, deny, at the authorization computing system, the request to access the resource server, wherein denying the request to access the resource server includes blocking communication from the client application to the resource server in the context of the identity domain; and
upon determining that the client application is permitted to access the resource server in the context of the identity domain, access, at the authorization computing system, the resource server to obtain scope information for the resource server; and
generate, at the authorization computing system and based on the scope information obtained from the resource server, a token for the client application to access the resource server.
Dependent claims: 18, 19, 20 (not shown).