Pluggable authorization policies

US 9,544,294 B2
Filed: 04/30/2014
Issued: 01/10/2017
Est. Priority Date: 09/29/2011
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method comprising:

storing a first mapping between a first authorization policy and a first identity domain;

receiving, at an authorization server computer, a first token request from a first client application that is associated with the first identity domain, the first token request for accessing a service provided by a resource server computer;

in response to receiving the first token request, identifying, based on the first mapping, the first authorization policy for facilitating the first client application to access the service provided by the resource server computer;

determining, based on the first authorization policy, a first scope of access information for the first client application to access the service provided by the resource server computer, wherein the first scope of access information indicates a first operation permitted by the first client application while accessing the service, and the first scope of access information indicates a second operation not permitted by the first client application while accessing the service provided by the resource server computer, and wherein determining the first scope of access information based on the first authorization policy comprises determining whether the resource server computer provides the first scope of access information;

generating a first token that includes the first scope of access information; and

sending, from the authorization sever computer to the first client application, the first token.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A framework, which conforms to the OAuth standard, involves a generic OAuth authorization server that can be used by multiple resource servers in order to ensure that access to resources stored on those resource servers is limited to access to which the resource owner consents. Each resource server registers, with the OAuth authorization server, metadata for that resource server, indicating scopes that are recognized by the resource server. The OAuth authorization server refers to this metadata when requesting consent from a resource owner on behalf of a client application, so that the consent will be of an appropriate scope. The OAuth authorization server refers to this metadata when constructing an access token to provide to the client application for use in accessing the resources on the resource server. The OAuth authorization server uses this metadata to map issued access tokens to the scopes to which those access tokens grant access.

108 Citations

View as Search Results

20 Claims

1. A computer-implemented method comprising:
- storing a first mapping between a first authorization policy and a first identity domain;
  
  receiving, at an authorization server computer, a first token request from a first client application that is associated with the first identity domain, the first token request for accessing a service provided by a resource server computer;
  
  in response to receiving the first token request, identifying, based on the first mapping, the first authorization policy for facilitating the first client application to access the service provided by the resource server computer;
  
  determining, based on the first authorization policy, a first scope of access information for the first client application to access the service provided by the resource server computer, wherein the first scope of access information indicates a first operation permitted by the first client application while accessing the service, and the first scope of access information indicates a second operation not permitted by the first client application while accessing the service provided by the resource server computer, and wherein determining the first scope of access information based on the first authorization policy comprises determining whether the resource server computer provides the first scope of access information;
  
  generating a first token that includes the first scope of access information; and
  
  sending, from the authorization sever computer to the first client application, the first token.
- View Dependent Claims (2, 3, 4, 5, 6, 19, 20)
- - 2. The computer-implemented method of claim 1, wherein determining the first scope of access information based on the first authorization policy comprises:
    - in response to determining that the resource server computer provides the first scope of access information, requesting, by the authorization server, the first scope of access information from the resource server computer;
      
      determining, at the resource server, based on the first mapping, that the first identity domain is mapped to the first authorization policy;
      
      in response to identifying, based on the first mapping, the first authorization policy, applying, at the resource server computer, the first authorization policy to attributes of the first client application to produce the first scope of access information; and
      
      sending the first scope of access information from the resource server computer to the authorization server computer in response to said requesting.
  - 3. The computer-implemented method of claim 1, further comprising:
    - storing a second mapping between a second authorization policy and a second identity domain;
      
      receiving, at the authorization server computer, a second token request from a second client application contained in the second identity domain, the second token request for accessing the service provided by the resource server computer;
      
      in response to receiving the second token request, the authorization server computer requesting a second scope of access information from the resource server computer;
      
      determining, at the resource server computer, based on the second mapping, that the second identity domain is mapped to the second authorization policy;
      
      in response to determining based on the second mapping that the second identity domain is mapped to the second authorization policy, applying, at the resource server computer, the second authorization policy to attributes of the second client application to produce the second scope of access information;
      
      sending the second scope of access information from the resource server computer to the authorization server computer in response to said requesting;
      
      generating, at the authorization server computer, a second token that includes the second scope of access information; and
      
      sending, from the authorization server computer to the second client application, the second token;
      
      wherein the second authorization policy differs from the first authorization policy.
  - 4. The computer-implemented method of claim 1, further comprising:
    - receiving, at the authorization server computer, a second token request from a second client application contained in the first identity domain;
      
      in response to receiving the second token request, the authorization server requesting second scope of access information from the resource server computer;
      
      determining, at the resource server computer, based on the first mapping, that the first identity domain is mapped to the first authorization policy;
      
      in response to determining based on the first mapping that the first identity domain is mapped to the first authorization policy, applying, at the resource server computer, the first authorization policy to attributes of the second client application to produce the second scope of access information;
      
      sending the second scope of access information from the resource server computer to the authorization server computer in response to said requesting;
      
      generating at the authorization server computer, a second token that includes the second scope of access information; and
      
      sending, from the authorization server computer to the second client application, the second token that specifies the second scope of access information;
      
      wherein the second client application is separate from the first client application; and
      
      wherein the second scope of access information differs from the first scope of access information.
  - 5. The computer-implemented method of claim 1, further comprising:
    - receiving, at the authorization server computer, a configuration that specifies a set of user attributes;
      
      storing the configuration at the authorization server computer;
      
      retrieving, from a user identity repository, in response to the first token request, values of the user attributes that are specified in the configuration; and
      
      inserting the values of the user attributes into the first token prior to sending the first token to the first client application.
  - 6. The computer-implemented method of claim 1, further comprising:
    - receiving, at the authorization server computer, a first uniform resource locator (URL) for a first plug-in that is designed to access a user identity repository of a first type;
      
      storing, at the authorization server computer, a second mapping between a first client application type and the first URL;
      
      receiving, at the authorization server computer, a second uniform resource locator (URL) for a second plug-in that is designed to access a user repository of a second type that differs from the first type;
      
      storing, at the authorization server computer, a third mapping between a second client application type and the second URL;
      
      receiving, at the authorization server computer, an authentication request from a particular client application of a particular client application type;
      
      in response to receiving the authentication request, selecting, from among the first URL and the second URL, a particular URL that is mapped, in either the second mapping or the third mapping, to the particular client application type; and
      
      forwarding the authentication request from the authorization server computer to a particular plug-in that is located at the particular URL.
  - 19. The method of claim 1, wherein identifying the first authorization policy includes:
    - requesting, at the authorization server computer, the resource server computer to identify an authorization policy for the first client application, wherein the first authorization policy is stored at the resource server computer; and
      
      receiving the first authorization policy from the resource server computer in response to the requesting.
  - 20. The method of claim 1, further comprising:
    - receiving, at the authorization server computer, a second token request from a second client application that is associated with the first identity domain for accessing the service provided by the resource server computer;
      
      in response to receiving the second token request, identifying, based on a second mapping between a second authorization policy and the first identity domain, the first authorization policy for facilitating the second client application to access the service provided by the resource server computer;
      
      determining, based on the second authorization policy, a second scope of access information for the second client application to access the service provided by the resource server computer, wherein the second scope of access information indicates a third operation permitted by the second client application while accessing the service provided by the resource server computer, indicates a fourth operation not permitted by the second client application while accessing the service provided by the resource server computer, and wherein the second scope of access information is distinct from the first scope of access information;
      
      generating, at the authorization server computer, a second token that includes second scope of access information; and
      
      sending, from the authorization server computer to the second client application the second token.

7. A computer-readable memory comprising instructions which, when executed by one or more processors, cause the one or more processors to perform operations comprising:
- storing a first mapping between a first authorization policy and a first identity domain;
  
  at an authorization server computer, receiving, from a first client application, a first token request, the first client application that is associated with the first identity domain, the first token request for accessing a service provided by a resource server computer;
  
  in response to receiving the first token request, identifying, based on the first mapping, that the first authorization policy for facilitating the first client application to access the service provided by the resource server computer;
  
  determining, based on the first authorization policy, a first scope of access information for the first client application to access the service provided by the resource server computer, wherein the first scope of access information indicates a first operation permitted by the first client application while accessing the service, and the first scope of access information indicates a second operation not permitted by the first client application while accessing the service provided by the resource server computer, and wherein determining the first scope of access information based on the first authorization policy comprises determining whether the resource server computer provides the first scope of access information;
  
  generating a first token that includes the first scope of access information; and
  
  sending, from the authorization server to the first client application, the first token that includes the first scope of access information.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The computer-readable memory of claim 7, wherein determining the first scope of access information based on the first authorization policy comprise:
    - in response to determining that the resource server computer provides the first scope of access information, requesting, by the authorization server computer, the first scope of access information from the resource server;
      
      determining, at the resource server computer, based on the first mapping, that the first identity domain is mapped to the first authorization policy;
      
      in response to identifying, based on the first mapping, the first authorization policy, applying, at the resource server computer, the first authorization policy to attributes of the first client application to produce the first scope of access information; and
      
      sending the first scope of access information from the resource server to the authorization server computer in response to said requesting.
  - 9. The computer-readable memory of claim 7, wherein the instructions, when executed by the one or more processors, cause the one or more processors to perform operations comprising:
    - storing a second mapping between a second authorization policy and a second identity domain;
      
      receiving, at the authorization server computer, a second token request from a second client application that is associated with the second identity domain, the second token request for accessing the service provided by a resource server computer;
      
      in response to receiving the second token request, the authorization server computer requesting second scope of access information from the resource server computer;
      
      determining, at the resource server computer, based on the second mapping, that the second identity domain is mapped to the second authorization policy;
      
      in response to determining based on the second mapping that the second identity domain is mapped to the second authorization policy, applying, at the resource server computer, the second authorization policy to attributes of the second client application to produce the second scope of access information;
      
      sending the second scope of access information from the resource server computer to the authorization server computer in response to said requesting;
      
      generating, at the authorization server computer, a second token that includes the second scope of access information; and
      
      sending, from the authorization server computer to the second client application, a second token;
      
      wherein the second authorization policy differs from the first authorization policy.
  - 10. The computer-readable memory of claim 7, wherein the instructions, when executed by the one or more processors, cause the one or more processors to perform operations comprising:
    - receiving, at the authorization server computer, a second token request from a second client application that is associated with the first identity domain;
      
      in response to receiving the second token request, the authorization server computer requesting second scope of access information from the resource server computer;
      
      determining, at the resource server computer, based on the first mapping, that the first identity domain is mapped to the first authorization policy;
      
      in response to determining based on the first mapping that the first identity domain is mapped to the first authorization policy, applying, at the resource server, the first authorization policy to attributes of the second client application to produce the second scope of access information;
      
      sending the second scope of access information from the resource server computer to the authorization server computer in response to said requesting;
      
      generating at the authorization server computer, a second token that includes the second scope of access information; and
      
      sending, from the authorization server computer to the second client application, the second token that includes the second scope of access information;
      
      wherein the second client application is separate from the first client application; and
      
      wherein the second scope of access information differs from the first scope of access information.
  - 11. The computer-readable memory of claim 7, wherein the instructions, when executed by the one or more processors, cause the one or more processors to perform operations comprising:
    - receiving, at the authorization server computer, a configuration that specifies a set of user attributes;
      
      storing the configuration at the authorization server computer;
      
      retrieving, from a user identity repository, in response to the first token request, values of the user attributes that are specified in the configuration; and
      
      inserting the values of the user attributes into the first token prior to sending the first token to the first client application.
  - 12. The computer-readable memory of claim 7, wherein the instructions, when executed by the one or more processors, cause the one or more processors to perform operations comprising:
    - receiving, at the authorization server computer, a first uniform resource locator (URL) for a first plug-in that is designed to access a user identity repository of a first type;
      
      storing, at the authorization server computer, a second mapping between a first client application type and the first URL;
      
      receiving, at the authorization server computer, a second uniform resource locator (URL) for a second plug-in that is designed to access a user repository of a second type that differs from the first type;
      
      storing, at the authorization server computer, a third mapping between a second client application type and the second URL;
      
      receiving, at the authorization server computer, an authentication request from a particular client application of a particular client application type;
      
      in response to receiving the authentication request, selecting, from among the first URL and the second URL, a particular URL that is mapped, in either the second mapping or the third mapping, to the particular client application type; and
      
      forwarding the authentication request from the authorization server computer to a particular plug-in that is located at the particular URL.

13. A system comprising:
- a first machine comprising a processor configured to enable a resource server computer that is configured to store a first mapping between a first authorization policy and a first identity domain of a plurality of identity domains;
  
  a second machine comprising a processor configured to enable a first client application that is associated with the first identity domain; and
  
  a third machine comprising a processor configured to enable an authorization server computer that is configured to;
  
  receive a first token request from the first client application;
  
  identify, in response to receiving the first token request, and based on the first mapping, that the first authorization policy for facilitating the first client application to access a service provided by the resource server computer;
  
  determine, based on the first authorization policy, first scope of access information for the first client application to access the service provided by the resource server computer, wherein the first scope of access information indicates a first operation permitted by the first client application while accessing the service, and the first scope of access information indicates a second operation not permitted by the first client application while accessing the service provided by the resource server computer, and wherein determining the first scope of access information based on the first authorization policy comprises determining whether the resource server computer provides the first scope of access information;
  
  generate a first token that includes the first scope of access information; and
  
  send, to the first client application, the first token.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The system of claim 13, wherein, to determine the first scope of access information determined based on the first authorization policy, the authorization server computer is configured to request the first scope of access information from the resource server computer, and the resource server computer is configured to:
    - identify, based on the first mapping, the first authorization policy;
      
      apply, in response to identifying the first authorization policy, the first authorization policy to attributes of the first client application to produce the first scope of access information; and
      
      send the first scope of access information to the authorization server computer.
  - 15. The system of claim 13, wherein the system comprises a fourth machine comprising a processor configured to enable a second client application that is associated with a second identity domain of the plurality of identity domains;
    - wherein the authorization server computer is configured to receive a second token request from the second client application and to request, in response to receiving the second token request, second scope of access information from the resource server computer; and
      
      wherein the resource server computer is configured to;
      
      store a second mapping between a second authorization policy and the second identity domain;
      
      determine, based on the second mapping, that the second identity domain is mapped to the second authorization policy;
      
      apply, in response to determining based on the second mapping that the second identity domain is mapped to the second authorization policy, the second authorization policy to attributes of the second client application to produce the second scope of access information; and
      
      send the second scope of access information to the authorization server computer;
      
      wherein the second authorization policy differs from the first authorization policy.
  - 16. The system of claim 13, wherein the system comprises a fourth machine comprising a processor configured to enable a second client application that is associated with the first identity domain;
    - wherein the authorization server computer is configured to receive a second token request from the second client application and to request, in response to receiving the second token request, second scope of access information from the resource server computer; and
      
      wherein the resource server computer is configured to;
      
      determine, based on the first mapping, that the first identity domain is mapped to the first authorization policy;
      
      apply, in response to determining based on the first mapping that the first identity domain is mapped to the first authorization policy, the first authorization policy to attributes of the second client application to produce the second scope of access information; and
      
      send the second scope of access information to the authorization server computer;
      
      wherein the second client application is separate from the first client application; and
      
      wherein the second scope of access information differs from the first scope of access information.
  - 17. The system of claim 13, wherein the authorization server computer is configured to:
    - receive a configuration that specifies a set of user attributes;
      
      store the configuration;
      
      retrieve, from a user identity repository, in response to the first token request, values of the user attributes that are specified in the configuration; and
      
      insert the values of the user attributes into the first token prior to sending the first token to the first client application.
  - 18. The system of claim 13, wherein the system comprises a fourth machine comprising a processor configured to enable a first plug-in that is designed to access a user identity repository of a first type;
    - wherein the system comprises a fifth machine comprising a processor configured to enable a second plug-in that is designed to access the user identity repository of a second type that differs from the first type; and
      
      wherein the authorization server is configured to;
      
      receive a first uniform resource locator (URL) for the first plug-in;
      
      store a second mapping between a first type of client application and the first URL;
      
      receive a second uniform resource locator (URL) for the second plug-in;
      
      store a third mapping between a second type of client application and the second URL;
      
      receive an authentication request from a particular client application of a particular type;
      
      select, in response to receiving the authentication request, and from among the first URL and the second URL, a particular URL that is mapped, in either the second mapping or the third mapping, to the particular type; and
      
      forward the authentication request from the authorization server to a particular plug-in that is located at the particular URL.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
Oracle International Corporation (Oracle Corporation)
Inventors
Srinivasan, Uppili, Sondhi, Ajay, Chu, Ching-Wen, Bhat, Shivaram, Evani, Venkata S.
Primary Examiner(s)
Gelagay, Shwaye
Assistant Examiner(s)
LE, KHOI V

Application Number

US14/266,515
Publication Number

US 20150089571A1
Time in Patent Office

986 Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 2221/2103   Challenge-response

H04L 63/08   for authentication of entit...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/0815   providing single-sign-on or...

H04L 63/0853   using an additional device,...

H04L 63/10   for controlling access to d...

H04L 63/102   Entity profiles

H04L 63/20   for managing network securi...

H04L 63/205   involving negotiation or de...

H04W 12/06   Authentication

Pluggable authorization policies

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

108 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Pluggable authorization policies

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

108 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links