Bidirectional authorization system, client and method
First Claim
1. A system for bidirectional authorization, comprising a first service provision subsystem, a second service provision subsystem and a user terminal, wherein, the first service provision subsystem is configured to acquire a first temporary credential of the first service provision subsystem and a second temporary credential of the second service provision subsystem, respectively, send the second temporary credential to the user terminal for authorization, receive a second authorization credential returned by the user terminal, send the second authorization credential to the second service provision subsystem to exchange for a second access token, acquire resources in the second service provision subsystem according to the second access token and send the first temporary credential to the second service provision subsystem;
the second service provision subsystem is configured to receive the first temporary credential from the first service provision subsystem, modify an identifier in the first temporary credential, send the modified first temporary credential to the user terminal for authorization, receive a first authorization credential returned by the user terminal, send the first authorization credential to the first service provision subsystem to exchange for a first access token, and acquire resources in the first service provision subsystem according to the first access token; and
the user terminal is configured to respectively receive the second temporary credential from the first service provision subsystem and the first temporary credential from the second service provision subsystem, respectively authorize the second and first temporary credentials, and send the second and first authorization credentials to the first and second service provision subsystems, respectively.
1 Assignment
0 Petitions
Abstract
Disclosed is a bidirectional authorization system, including a first service provision subsystem configured to acquire a first temporary credential of the first service provision subsystem and a second temporary credential of a second service provision subsystem, respectively, send the second temporary credential to a user terminal and the first temporary credential to the second service provision subsystem, send a second authorization credential returned by the user terminal to the second service provision subsystem to exchange for a second access token, and acquire the second service resources; a second service provision subsystem configured to modify the first temporary credential and send it to the user terminal, send a first authorization credential returned by the user terminal to the first service provision subsystem to exchange for a first access token, and acquire the first service resources; and a user terminal configured to authorize the received second and first temporary credentials, respectively, and return the second and first authorization credentials to the first and second service provision subsystems, respectively. A bidirectional authorization client and a method are also disclosed. The present disclosure enables the clients on both sides to access each other's resources at the same time.
13 Citations
11 Claims
1. A system for bidirectional authorization, comprising a first service provision subsystem, a second service provision subsystem and a user terminal, wherein,
the first service provision subsystem is configured to acquire a first temporary credential of the first service provision subsystem and a second temporary credential of the second service provision subsystem, respectively, send the second temporary credential to the user terminal for authorization, receive a second authorization credential returned by the user terminal, send the second authorization credential to the second service provision subsystem to exchange for a second access token, acquire resources in the second service provision subsystem according to the second access token and send the first temporary credential to the second service provision subsystem;
the second service provision subsystem is configured to receive the first temporary credential from the first service provision subsystem, modify an identifier in the first temporary credential, send the modified first temporary credential to the user terminal for authorization, receive a first authorization credential returned by the user terminal, send the first authorization credential to the first service provision subsystem to exchange for a first access token, and acquire resources in the first service provision subsystem according to the first access token; and
the user terminal is configured to respectively receive the second temporary credential from the first service provision subsystem and the first temporary credential from the second service provision subsystem, respectively authorize the second and first temporary credentials, and send the second and first authorization credentials to the first and second service provision subsystems, respectively.
Dependent claims: 2, 3, 4, 5.
6. A client provided in a service provision subsystem, the service provision subsystem further comprising an Open Authorization (OAuth) server and a resources server;
the client comprising a memory storing programming instructions and a processor configured to be capable of executing the stored programming instructions to perform steps comprising:
sending commands for requesting a temporary credential to the OAuth server of the service provision subsystem at a local side and an OAuth server of a service provision subsystem at the other side, respectively, receiving a first temporary credential returned by the OAuth server of the service provision subsystem at the local side and a second temporary credential returned by the OAuth server of the service provision subsystem at the other side, respectively, and sending the first temporary credential to a client of the service provision subsystem at the other side;
sending the second temporary credential to a user terminal for authorization, receiving an authorization credential returned by the user terminal and sending the authorization credential to the OAuth server of the service provision subsystem at the other side to exchange for an access token; and
sending the access token to a resources server of the service provision subsystem at the other side for authentication, and accessing resources provided by the resources server of the service provision subsystem at the other side after successful authentication by that resources server.
7. A client provided in a service provision subsystem, the service provision subsystem further comprising an OAuth server and a resources server;
the client comprising a memory storing programming instructions and a processor configured to be capable of executing the stored programming instructions to perform steps comprising:
receiving a first temporary credential from an OAuth server of a service provision subsystem at the other side, and modifying a client identifier of the service provision subsystem at the other side in the first temporary credential to be a client identifier of the service provision subsystem at a local side;
sending the modified first temporary credential to a user terminal for authorization, receiving a first authorization credential returned by the user terminal, and sending the first authorization credential to the OAuth server of the service provision subsystem at the other side to exchange for a first access token; and
sending the first access token to a resources server of the service provision subsystem at the other side for authentication, and accessing resources provided by the resources server of the service provision subsystem at the other side after successful authentication by that resources server.
8. A method for bidirectional authorization, comprising:
acquiring, by a first service provision subsystem, a first temporary credential of the first service provision subsystem and a second temporary credential of a second service provision subsystem, sending the second temporary credential to a user terminal for authorization and obtaining a second authorization credential, sending the second authorization credential to the second service provision subsystem to exchange for a second access token, acquiring resources in the second service provision subsystem according to the second access token, and sending the first temporary credential to the second service provision subsystem for modification of an identifier; and
sending, by the second service provision subsystem, the modified first temporary credential to the user terminal for authorization and obtaining a first authorization credential, sending the first authorization credential to the first service provision subsystem to exchange for a first access token, and acquiring resources in the first service provision subsystem according to the first access token.
Dependent claims: 9, 10, 11.
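The exchange that claims 6, 7 and 8 describe, as an added example in Python that is not code from the patent: two service provision subsystems, each with an OAuth server, a resources server and a client identifier, and a user terminal that approves temporary credentials. Class and function names, the token format and the sample resources are assumptions. The OAuth server in this example binds each temporary credential to the client identifier the user was shown when approving it (for the first temporary credential, that is the identifier rewritten by the second subsystem's client) and discards the credential on its first exchange, so neither a replayed credential nor a redemption by a client the user did not approve yields an access token.

```python
import secrets
from dataclasses import dataclass


@dataclass
class TemporaryCredential:
    token: str
    client_id: str  # identifier the user terminal is shown when asked to authorize


class OAuthServer:
    """OAuth server of one subsystem: temporary credential -> authorization
    credential (verifier) -> access token, as in RFC 5849. Layout is assumed."""

    def __init__(self):
        self._pending = {}       # temporary token -> state
        self.access_tokens = {}  # access token -> (client_id, user)

    def request_temporary_credential(self, client_id):
        token = secrets.token_hex(8)
        self._pending[token] = {"issued_to": client_id, "verifier": None,
                                "user": None, "authorized_for": None}
        return TemporaryCredential(token, client_id)

    def authorize(self, cred, user):
        """Record the user's approval and the client id the user actually saw
        (the modified identifier of claim 7); only that client may redeem it."""
        entry = self._pending[cred.token]
        entry.update(verifier=secrets.token_hex(8), user=user, authorized_for=cred.client_id)
        return entry["verifier"]

    def exchange(self, client_id, cred, verifier):
        """Exchange an authorized temporary credential for an access token (single use)."""
        entry = self._pending.pop(cred.token, None)
        if entry is None or entry["verifier"] is None or entry["verifier"] != verifier:
            raise PermissionError("unknown, unauthorized or already-used temporary credential")
        if entry["authorized_for"] != client_id:
            raise PermissionError("credential was authorized for a different client")
        access = secrets.token_hex(8)
        self.access_tokens[access] = (client_id, entry["user"])
        return access


class ResourceServer:
    def __init__(self, oauth, data):
        self.oauth, self.data = oauth, data  # data: user -> resource (constructed)

    def fetch(self, access_token):
        """Authenticate the access token against the local OAuth server, then serve."""
        if access_token not in self.oauth.access_tokens:
            raise PermissionError("access token rejected")
        return self.data[self.oauth.access_tokens[access_token][1]]


@dataclass
class Subsystem:
    client_id: str
    oauth: OAuthServer
    resources: ResourceServer


def user_terminal_authorize(user, issuer, cred):
    """The user terminal: the user sees cred.client_id and approves it at `issuer`."""
    return issuer.authorize(cred, user)


def bidirectional_authorize(a, b, user):
    """The exchange of claims 6, 7 and 8 between subsystems a and b for `user`."""
    # Client of A obtains A's own (first) and B's (second) temporary credentials.
    first = a.oauth.request_temporary_credential(a.client_id)
    second = b.oauth.request_temporary_credential(a.client_id)
    # Client of A: user authorizes the second credential; A redeems it at B and reads B.
    second_verifier = user_terminal_authorize(user, b.oauth, second)
    second_access = b.oauth.exchange(a.client_id, second, second_verifier)
    b_data = b.resources.fetch(second_access)
    # Client of A hands the first credential to client of B, which rewrites the client
    # identifier to its own, has it authorized, redeems it at A and reads A.
    modified = TemporaryCredential(first.token, b.client_id)
    first_verifier = user_terminal_authorize(user, a.oauth, modified)
    first_access = a.oauth.exchange(b.client_id, modified, first_verifier)
    a_data = a.resources.fetch(first_access)
    return {"a_resources": a_data, "b_resources": b_data,
            "first_access": first_access, "second_access": second_access}


def build_demo():
    """Constructed sample subsystems; user 'alice' has an account on both sides."""
    oauth_a, oauth_b = OAuthServer(), OAuthServer()
    a = Subsystem("client-a", oauth_a, ResourceServer(oauth_a, {"alice": "photos@A"}))
    b = Subsystem("client-b", oauth_b, ResourceServer(oauth_b, {"alice": "contacts@B"}))
    return a, b


def replay_is_rejected():
    """Redeeming the same temporary credential twice must fail (single use)."""
    a, _ = build_demo()
    cred = a.oauth.request_temporary_credential(a.client_id)
    verifier = user_terminal_authorize("alice", a.oauth, cred)
    a.oauth.exchange(a.client_id, cred, verifier)
    try:
        a.oauth.exchange(a.client_id, cred, verifier)
    except PermissionError:
        return True
    return False
```

Note that the second subsystem's client redeems, at the first subsystem's OAuth server, a temporary credential that the first subsystem's own client requested. In RFC 5849 the token request is made by the client that obtained the temporary credentials, so a deployment of this scheme has to decide explicitly which client identifier the user's authorization and the later exchange are bound to; the `authorized_for` field above is one way to make that decision enforceable rather than implicit.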
Specification