Pluggable authorization policies
Abstract
A framework, which conforms to the OAuth standard, involves a generic OAuth authorization server that can be used by multiple resource servers in order to ensure that access to resources stored on those resource servers is limited to access to which the resource owner consents. Each resource server registers, with the OAuth authorization server, metadata for that resource server, indicating scopes that are recognized by the resource server. The OAuth authorization server refers to this metadata when requesting consent from a resource owner on behalf of a client application, so that the consent will be of an appropriate scope. The OAuth authorization server refers to this metadata when constructing an access token to provide to the client application for use in accessing the resources on the resource server. The OAuth authorization server uses this metadata to map issued access tokens to the scopes to which those access tokens grant access.
20 Claims
1. A computer-implemented method comprising:

storing a first mapping between a first authorization policy and a first identity domain;
receiving, at an authorization server computer, a first token request from a first client application that is associated with the first identity domain, the first token request for accessing a service provided by a resource server computer;
in response to receiving the first token request, identifying, based on the first mapping, the first authorization policy for facilitating the first client application to access the service provided by the resource server computer;
determining, based on the first authorization policy, a first scope of access information for the first client application to access the service provided by the resource server computer, wherein the first scope of access information indicates a first operation permitted by the first client application while accessing the service, and the first scope of access information indicates a second operation not permitted by the first client application while accessing the service provided by the resource server computer, and wherein determining the first scope of access information based on the first authorization policy comprises determining whether the resource server computer provides the first scope of access information;
generating a first token that includes the first scope of access information; and
sending, from the authorization server computer to the first client application, the first token.

Dependent claims: 2, 3, 4, 5, 6, 19, 20

7. A computer-readable memory comprising instructions which, when executed by one or more processors, cause the one or more processors to perform operations comprising:

storing a first mapping between a first authorization policy and a first identity domain;
at an authorization server computer, receiving, from a first client application, a first token request, the first client application being associated with the first identity domain, the first token request for accessing a service provided by a resource server computer;
in response to receiving the first token request, identifying, based on the first mapping, the first authorization policy for facilitating the first client application to access the service provided by the resource server computer;
determining, based on the first authorization policy, a first scope of access information for the first client application to access the service provided by the resource server computer, wherein the first scope of access information indicates a first operation permitted by the first client application while accessing the service, and the first scope of access information indicates a second operation not permitted by the first client application while accessing the service provided by the resource server computer, and wherein determining the first scope of access information based on the first authorization policy comprises determining whether the resource server computer provides the first scope of access information;
generating a first token that includes the first scope of access information; and
sending, from the authorization server to the first client application, the first token that includes the first scope of access information.

Dependent claims: 8, 9, 10, 11, 12

13. A system comprising:

a first machine comprising a processor configured to enable a resource server computer that is configured to store a first mapping between a first authorization policy and a first identity domain of a plurality of identity domains;
a second machine comprising a processor configured to enable a first client application that is associated with the first identity domain; and
a third machine comprising a processor configured to enable an authorization server computer that is configured to:
receive a first token request from the first client application;
identify, in response to receiving the first token request, and based on the first mapping, the first authorization policy for facilitating the first client application to access a service provided by the resource server computer;
determine, based on the first authorization policy, first scope of access information for the first client application to access the service provided by the resource server computer, wherein the first scope of access information indicates a first operation permitted by the first client application while accessing the service, and the first scope of access information indicates a second operation not permitted by the first client application while accessing the service provided by the resource server computer, and wherein determining the first scope of access information based on the first authorization policy comprises determining whether the resource server computer provides the first scope of access information;
generate a first token that includes the first scope of access information; and
send, to the first client application, the first token.

Dependent claims: 14, 15, 16, 17, 18
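The flow the abstract and claim 1 describe (resource servers register the scopes they recognize, the authorization server maps a policy to an identity domain, and a scope is issued only if the policy allows it and the resource server actually provides it) as an added, runnable model. This is example code written for this page, not the patent's or any vendor's implementation; the class names, the "corp.example" domain, the "read-only" policy and the scope strings are all constructed.

```python
import secrets
from dataclasses import dataclass, field

@dataclass
class ResourceServer:
    name: str
    scopes: set[str]  # metadata registered with the AS: scopes this RS recognizes

@dataclass
class AuthorizationPolicy:
    name: str
    allowed_scopes: set[str]  # scopes clients governed by this policy may receive

@dataclass
class AuthorizationServer:
    policies_by_domain: dict[str, AuthorizationPolicy] = field(default_factory=dict)
    resource_servers: dict[str, ResourceServer] = field(default_factory=dict)
    issued: dict[str, dict] = field(default_factory=dict)  # token id -> scope info

    def register_resource_server(self, rs):
        self.resource_servers[rs.name] = rs

    def map_policy(self, domain, policy):
        # Store the mapping between an authorization policy and an identity domain.
        self.policies_by_domain[domain] = policy

    def issue_token(self, client_domain, rs_name, requested):
        policy = self.policies_by_domain.get(client_domain)
        rs = self.resource_servers.get(rs_name)
        if policy is None or rs is None:
            raise PermissionError("no policy mapped for domain, or unknown resource server")
        # A scope is granted only if the policy allows it AND the resource server
        # registered it (the "does the resource server provide this scope" check);
        # every other requested scope is recorded in the token as not permitted.
        permitted = sorted(s for s in requested if s in policy.allowed_scopes and s in rs.scopes)
        denied = sorted(set(requested) - set(permitted))
        token = {"jti": secrets.token_urlsafe(16), "aud": rs_name,
                 "permitted": permitted, "denied": denied}
        self.issued[token["jti"]] = token  # token -> scope mapping used at introspection
        return token

    def introspect(self, jti):
        return self.issued.get(jti)

def demo():
    # Constructed scenario: the policy allows mail.read, but the calendar RS never
    # registered that scope, so it is refused even though the policy permits it.
    az = AuthorizationServer()
    az.register_resource_server(ResourceServer("calendar", {"calendar.read", "calendar.write"}))
    az.map_policy("corp.example", AuthorizationPolicy("read-only", {"calendar.read", "mail.read"}))
    return az, az.issue_token("corp.example", "calendar", ["calendar.read", "calendar.write", "mail.read"])
```

A client from a domain with no mapped policy gets no token at all, which is the failure mode to alert on when a new identity domain is onboarded without its policy mapping.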