Multiple resource servers interacting with single OAuth server

US 9,450,963 B2
Filed: 10/08/2015
Issued: 09/20/2016
Est. Priority Date: 09/20/2013
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving, at an authorization computing system, a request to access a resource server from a client application that executes in a context of an identity domain of a plurality of identity domains;

identifying, at the authorization computing system, a service profile that is applicable only to the identity domain of the plurality of identity domains, wherein the service profile includes information identifying a set of resource servers that the client application is permitted to access in the context of the identity domain;

determining, at the authorization computing system and based on the set of resource servers identified by the information in the service profile, whether the client application is permitted to access the resource server in the context of the identity domain, wherein the client application is permitted access to the resource server upon determining that the resource server is included in the set of resource servers;

upon determining that the client application is not permitted to access the resource server in the context of the identity domain, denying, at the authorization computing system, the request to access the resource server, wherein denying the request to access the resource server includes blocking communication from the client application to the resource server in the context of the identity domain; and

upon determining that the client application is permitted to access the resource server in the context of the identity domain, accessing, at the authorization computing system, the resource server to obtain scope information for the resource server; and

generating, at the authorization computing system, based on the scope information obtained from the resource server, a token for the client application to access the resource server.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A framework, which conforms to the OAuth standard, involves a generic OAuth authorization server that can be used by multiple resource servers in order to ensure that access to resources stored on those resource servers is limited to access to which the resource owner consents. Each resource server registers, with the OAuth authorization server, metadata for that resource server, indicating scopes that are recognized by the resource server. The OAuth authorization server refers to this metadata when requesting consent from a resource owner on behalf of a client application, so that the consent will be of an appropriate scope. The OAuth authorization server refers to this metadata when constructing an access token to provide to the client application for use in accessing the resources on the resource server. The OAuth authorization server uses this metadata to map issued access tokens to the scopes to which those access tokens grant access.

Citations

20 Claims

1. A method comprising:
- receiving, at an authorization computing system, a request to access a resource server from a client application that executes in a context of an identity domain of a plurality of identity domains;
  
  identifying, at the authorization computing system, a service profile that is applicable only to the identity domain of the plurality of identity domains, wherein the service profile includes information identifying a set of resource servers that the client application is permitted to access in the context of the identity domain;
  
  determining, at the authorization computing system and based on the set of resource servers identified by the information in the service profile, whether the client application is permitted to access the resource server in the context of the identity domain, wherein the client application is permitted access to the resource server upon determining that the resource server is included in the set of resource servers;
  
  upon determining that the client application is not permitted to access the resource server in the context of the identity domain, denying, at the authorization computing system, the request to access the resource server, wherein denying the request to access the resource server includes blocking communication from the client application to the resource server in the context of the identity domain; and
  
  upon determining that the client application is permitted to access the resource server in the context of the identity domain, accessing, at the authorization computing system, the resource server to obtain scope information for the resource server; and
  
  generating, at the authorization computing system, based on the scope information obtained from the resource server, a token for the client application to access the resource server.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein the authorization computing system is included in an OAuth authorization server.
  - 3. The method of claim 1, further comprising:
    - receiving, at the authorization computing system, an authentication request to authenticate the client application; and
      
      upon receiving the authentication request, selecting, from a plurality of client plug-ins, a client plug-in that is mapped to the identity domain and sending the authentication request to the client-plug in.
  - 4. The method of claim 1, further comprising:
    - identifying based on the request, a service requested by the client application; and
      
      determining, based on the service, the resource server to be accessed by the client application for the service.
  - 5. The method of claim 1, further comprising:
    - determining using the service profile, a callback uniform resource locator (URL) corresponding to the resource server, wherein accessing the resource server is performed using the callback URL, and wherein the resource server determines the scope information based on an authorization policy associated with the identity domain.
  - 6. The method of claim 1, wherein the scope information indicates one or more operations that are permitted for a service accessing a resource provided by the resource server, and wherein the service is indicated in the request.
  - 7. The method of claim 1, wherein the service profile indicates one or more services that the client application is permitted to access, and wherein the one or more services are provided by the resource server.
  - 8. The method of claim 7, further comprising:
    - determining using the service profile, that a service indicated in the request by the client application is not included in the one or more services that the client application is permitted to access; and
      
      denying the request based on determining that the service not included in the one or more services.

9. A computing system comprising:
- one or more hardware processors; and
  
  a memory operatively coupled to the one or more hardware processors, the memory storing a set of instructions that, when executed by the one or more hardware processors, causes the one or more hardware processors to;
  
  receive a request to access a resource server from a client application that executes in a context of an identity domain of a plurality of identity domains;
  
  identify a service profile that is applicable only to the identity domain of the plurality of identity domains, wherein the service profile includes information identifying a set of resource servers that the client application is permitted to access in the context of the identity domain;
  
  determine, based on the set of resource servers identified by the information in the service profile, whether the client application is permitted to access the resource server in the context of the identity domain, wherein the client application is permitted access to the resource server upon determining that the resource server is included in the set of resource servers;
  
  upon determining that the client application is not permitted to access the resource server in the context of the identity domain, deny the request to access the resource server, wherein denying the request to access the resource server includes blocking communication from the client application to the resource server in the context of the identity domain; and
  
  upon determining that the client application is permitted to access the resource server in the context of the identity domain, access the resource server to obtain scope information for the resource server; and
  
  generate, based on the scope information obtained from the resource server, a token for the client application to access the resource server.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The computing system of claim 9, wherein the one or more hardware processors and the memory are included in an OAuth authorization server.
  - 11. The computing system of claim 9, wherein the set of instructions, when executed by the one or more hardware processors, further causes the one or more hardware processors to:
    - receive an authentication request to authenticate the client application; and
      
      upon receiving the authentication request, select, from a plurality of client plug-ins, a client plug-in that is mapped to the identity domain and send the authentication request to the client-plug in.
  - 12. The computing system of claim 9, wherein the set of instructions, when executed by the one or more hardware processors, further causes the one or more hardware processors to:
    - identify, based on the request, a service requested by the client application; and
      
      determine, based on the service, the resource server to be accessed by the client application for the service.
  - 13. The computing system of claim 9, wherein the set of instructions, when executed by the one or more hardware processors, further causes the one or more hardware processors to:
    - determine, using the service profile, a callback uniform resource locator (URL) corresponding to the resource server, wherein accessing the resource server is performed using the callback URL, and wherein the resource server determines the scope information based on an authorization policy associated with the identity domain.
  - 14. The computing system of claim 9, wherein the scope information indicates one or more operations that are permitted for a service accessing a resource provided by the resource server, and wherein the service is indicated in the request.
  - 15. The computing system of claim 9, wherein the service profile indicates one or more services that the client application is permitted to access, and wherein the one or more services are provided by the resource server.
  - 16. The computing system of claim 15, wherein the set of instructions, when executed by the one or more hardware processors, further causes the one or more hardware processors to:
    - determine, using the service profile, that a service indicated in the request by the client application is not included in the one or more services that the client application is permitted to access; and
      
      deny the request based on determining that the service not included in the one or more services.

17. A non-transitory computer-readable memory comprising instructions which, when executed by one or more processors, cause the one or more processors to:
- receive, at an authorization computing system, a request to access a resource server from a client application that executes in a context of an identity domain of a plurality of identity domains;
  
  identify, at the authorization computing system, a service profile that is applicable only to the identity domain of the plurality of identity domains, wherein the service profile includes information identifying a set of resource servers that the client application is permitted to access in the context of the identity domain;
  
  determine, at the authorization computing system and based on the set of resource servers identified by the information in the service profile, whether the client application is permitted to access the resource server in the context of the identity domain, wherein the client application is permitted access to the resource server upon determining that the resource server is included in the set of resource servers;
  
  upon determining that the client application is not permitted to access the resource server in the context of the identity domain, deny, at the authorization computing system, the request to access the resource server, wherein denying the request to access the resource server includes blocking communication from the client application to the resource server in the context of the identity domain; and
  
  upon determining that the client application is permitted to access the resource server in the context of the identity domain, access, at the authorization computing system, the resource server to obtain scope information for the resource server; and
  
  generate, at the authorization computing system and based on the scope information obtained from the resource server, a token for the client application to access the resource server.
- View Dependent Claims (18, 19, 20)
- - 18. The non-transitory computer-readable memory of claim 17, wherein the scope information indicates one or more operations that are permitted for a service accessing a resource provided by the resource server, and wherein the service is indicated in the request.
  - 19. The non-transitory computer-readable memory of claim 17, wherein the instructions, when executed by the one or more processors, further causes the one or more processors to:
    - identify, based on the request, a service requested by the client application; and
      
      determine, based on the service, the resource server to be accessed by the client application for the service.
  - 20. The non-transitory computer-readable memory of claim 17, wherein the service profile indicates one or more services that the client application is permitted to access, and wherein the one or more services are provided by the resource server.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
Oracle International Corporation (Oracle Corporation)
Inventors
Srinivasan, Uppili, Sondhi, Ajay, Chu, Ching-Wen, Evani, Venkata S., Kim, Beomsuk
Primary Examiner(s)
Vaughan, Michael R

Application Number

US14/878,412
Publication Number

US 20160028737A1
Time in Patent Office

348 Days
Field of Search

None
US Class Current

1/1
CPC Class Codes

H04L 63/08   for authentication of entit...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/0815   providing single-sign-on or...

H04L 63/0853   using an additional device,...

H04L 63/10   for controlling access to d...

H04L 63/102   Entity profiles

H04L 63/20   for managing network securi...

H04L 63/205   involving negotiation or de...

H04W 12/068   using credential vaults, e....

Multiple resource servers interacting with single OAuth server

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Multiple resource servers interacting with single OAuth server

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links