Authorization server and client apparatus, server cooperative system, and token management method

US 9,571,494 B2
Filed: 04/10/2013
Issued: 02/14/2017
Est. Priority Date: 05/25/2012
Status: Active Grant

First Claim

Patent Images

1. An authorization server, which authorizes an access request from a client apparatus to a resource server based on a valid access token received from the client apparatus in association with the request, the server comprising:

a processor;

and a memory storing instructions that, when executed by the processor, cause the server to execute;

an issuance step of issuing an access token used to access the resource server and a refresh token used to re-issue a new access token in accordance with an issuance request received from the client apparatus, wherein the refresh token is a first refresh token that has been issued first based on an authorization request from the client apparatus;

a re-issuance step of re-issuing a new access token and a new refresh token in accordance with a refresh processing request received together with the refresh token, and storing the refresh token issued by the issuance step so as to re-issue a new refresh token and access token as initial update authorization information in association with the re-issued access token and refresh token;

and an invalidation step of invalidating, in accordance with an invalidation request received together with the refresh token, a refresh token with which the received refresh token is associated as initial update authorization information,wherein the refresh token received in the invalidation step together with the invalidation request is the first refresh token issued in the re-issuance step before re-issuance of a refresh token in accordance with an authorization request from the client apparatus,and wherein, where the first refresh token is received in the re-issuance step together with the invalidation request after re-issuance of a new refresh token, both the new refresh token and the first refresh token are invalidated.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

There is a method of generating a token required to transfer an access authority to a cooperating system to a cooperation asking system. In this method, a refresh token is issued to update a token without confirmation to a user after a valid period of a token has expired. When information which is required to update a token is leaked, an unintended system updates a token, and the cooperating system is illicitly used. For this reason, a unit for invalidating the leaked refresh token is required. An access management service stores a refresh token issued at the time of first authorization processing linked to tokens re-issued when a series of token is issued using refresh tokens. Then, upon designation of the refresh token issued first, all refresh tokens linked to the refresh token issued first are invalidated.

17 Citations

View as Search Results

9 Claims

1. An authorization server, which authorizes an access request from a client apparatus to a resource server based on a valid access token received from the client apparatus in association with the request, the server comprising:
- a processor;
  
  and a memory storing instructions that, when executed by the processor, cause the server to execute;
  
  an issuance step of issuing an access token used to access the resource server and a refresh token used to re-issue a new access token in accordance with an issuance request received from the client apparatus, wherein the refresh token is a first refresh token that has been issued first based on an authorization request from the client apparatus;
  
  a re-issuance step of re-issuing a new access token and a new refresh token in accordance with a refresh processing request received together with the refresh token, and storing the refresh token issued by the issuance step so as to re-issue a new refresh token and access token as initial update authorization information in association with the re-issued access token and refresh token;
  
  and an invalidation step of invalidating, in accordance with an invalidation request received together with the refresh token, a refresh token with which the received refresh token is associated as initial update authorization information,wherein the refresh token received in the invalidation step together with the invalidation request is the first refresh token issued in the re-issuance step before re-issuance of a refresh token in accordance with an authorization request from the client apparatus,and wherein, where the first refresh token is received in the re-issuance step together with the invalidation request after re-issuance of a new refresh token, both the new refresh token and the first refresh token are invalidated.
- View Dependent Claims (2, 3)
- - 2. The server according to claim 1, wherein theinvalidation step further invalidates the received refresh token, andwherein the invalidation step invalidates the access token with which the received refresh token is associated as initial update authorization information in addition to the refresh token with which the received refresh token is associated as initial update authorization information.
  - 3. The server according to claim 1, wherein when the reissuance step re-issues a new access token, the re-issuance step invalidates the refresh token received together with a refresh processing request.

4. A client apparatus which transmits an access request to a resource server together with an access token issued by an authorization server to request a service by the resource server, the client apparatus comprising:
- a processor;
  
  and a memory storing instructions that, when executed by the processor, cause the client to execute;
  
  a storage step of storing in a storage unit device the access token issued by the authorization server, a refresh token used to re-issue a new access token, and initial update authorization information issued first by the authorization server so as to re-issue the access token, in association with each other; and
  
  an invalidation request step of transmitting an invalidation request together with the stored initial update authorization information as a first refresh token that has been issued first to the authorization server to request the authorization server to invalidate the refresh token associated with the initial update authorization information,wherein the refresh token transmitted in the invalidation request step together with the invalidation request is the first refresh token issued before re-issuance of a new refresh token by the authorization server in accordance with the authorization request from the client apparatus,and wherein, where the first refresh token is received by the authorization server together with the invalidation request after re-issuance of a new refresh token, both the new refresh token and the first refresh token are invalidated.
- View Dependent Claims (5)
- - 5. The apparatus according to claim 4, further comprising a transmission step of, when a response indicating that the access token is invalid is received in response to the access request, transmitting a refresh processing request to the authorization server together with the refresh token associated with the access token corresponding to the response indicating that the access token is invalid, wherein when a response indicating that the refresh token is invalid is received in response to the refresh processing request, the invalidation request step requests to invalidate the refresh token.

6. A server cooperative system including an authorization server, which authorizes an access request from a client apparatus to a resource server based on a valid access token received from the client apparatus in association with the request, a client apparatus, which transmits an access request to a resource server together with the access token issued by the authorization server to request a service by the resource server, and the resource server, which provides a service to the client apparatus,the authorization server comprising:
- a processor;
  
  and a memory storing instructions that, when executed by the processor, cause the authorization server to execute;
  
  an issuance step of issuing an access token used to access the resource server and a refresh token used to re-issue a new access token in accordance with an issuance request received from the client apparatus, wherein the refresh token is a first refresh token that has been issued first based on an authorization request from the client apparatus;
  
  a re-issuance step of re-issuing a new refresh token and a new access token in accordance with a refresh processing request received together with the refresh token, and storing the refresh token issued by the issuance step so as to re-issue a new refresh token and an access token as initial update authorization information in association with the re-issued access token and refresh token;
  
  and an invalidation step of invalidating, in accordance with an invalidation request received together with the refresh token a refresh token with which the received refresh token is associated as initial update authorization information,wherein the refresh token received in the invalidation step together with the invalidation request is a first refresh token issued in the re-issuance step before re-issuance of a new refresh token in accordance with an authorization request from the client apparatus,and wherein, where the first refresh token is received in the re-issuance step together with the invalidation request after re-issuance of a new refresh token, both the new refresh token and the first refresh token are invalidated,and the client apparatus comprising;
  
  a processor;
  
  and a memory storing instructions that, when executed by the processor, cause the client to execute;
  
  a storage step of storing in a storage device the access token issued by the authorization server, the refresh token used to re-issue a new access token, and initial update authorization information issued first by the authorization server so as to re-issue the access token, in association with each other;
  
  and an invalidation request step of transmitting an invalidation request together with the stored initial update authorization information as a first refresh token that has been issued first to the authorization server to request the authorization server to invalidate a refresh token associated with the initial update authorization information.

7. A non-transitory computer-readable storage medium storing computer-executable code of a program for controlling a computer to function as an authorization server, which authorizes an access request from a client apparatus to a resource server based on a valid access token received from the client apparatus in association with the request, the program comprising:
- code of an issuance step for issuing an access token used to access the resource server and a refresh token used to re-issue a new access token accordance with an issuance request received from the client apparatus, wherein the refresh token is a first refresh token that has been issued first based on an authorization request from the client apparatus;
  
  code of a re-issuance step for re-issuing a new refresh token and a new access token in accordance with a refresh processing request received together with the refresh token,and storing the refresh token issued by the issuance step so as to re-issue a new refresh token and an access token as initial update authorization information in association with the re-issued access token and refresh token;
  
  and code of an invalidation step for invalidating, in accordance with an invalidation request received together with the refresh token, a refresh token with which the received refresh token is associated as initial update authorization information, wherein the refresh token received in the invalidation step together with the invalidation request is the first refresh token issued in the re-issuance step before re-issuance of a refresh token in accordance with an authorization request from the client apparatus,and wherein, where the first refresh token is received in the re-issuance step together with the invalidation request after re-issuance of a new refresh token, both the new refresh token and the first refresh token are invalidated.

8. A non-transitory computer-readable storage medium storing computer-executable code of a program for controlling a computer to function as a client apparatus, which transmits an access request to a resource server together with an access token issued by an authorization server to request a service by the resource server, the program comprising:
- code of a storage step for storing in a storage device the access token issued by the authorization server, a refresh token used to re-issue a new access token, and initial update authorization information issued first by the authorization server so as to re-issue the access token, in association with each other;
  
  and code of an invalidation request step for transmitting an invalidation request together with the stored initial update authorization information as a first refresh token that has been issued first to the authorization server to request the authorization server to invalidate a refresh token associated with the initial update authorization information, wherein the refresh token transmitted in the invalidation request step together with the invalidation request is the first refresh token issued before re-issuance of a new refresh token by the authorization server in accordance with the authorization request from the client apparatus,and wherein, where the first refresh token is received by the authorization server together with the invalidation request after re-issuance of a new refresh token, both the new refresh token and the first refresh token are invalidated.

9. A token management method in a server cooperative system including an authorization server, which authorizes an access request from a client apparatus to a resource server based on a valid access token received from the client apparatus in association with the request, a client apparatus, which transmits an access request to a resource server together with the access token issued by the authorization server to request a service by the resource server, and the resource server, which provides a service to the client apparatus, the method comprising:
- issuing, by the authorization server, an access token used to access the resource server and a refresh token used to re-issue a new access token in accordance with an issuance request received from the client apparatus, wherein the refresh token is a first refresh token that has been issued first based on an authorization request from the client apparatus;
  
  storing, by the client apparatus, the access token issued by the authorization server, the refresh token used to re-issue a new access token, and initial update authorization information issued first by the authorization server so as to re-issue the access token, in association with each other;
  
  transmitting, by the client apparatus, when a response indicating that the access token is invalid is received from the authorization server in response to the access request, a refresh processing request to the authorization server together with the refresh token associated with the access token corresponding to the response indicating that the access token is invalid;
  
  re-issuing, by the authorization server, a new refresh token and a new access token in accordance with a refresh processing request received together with the refresh token, and storing the refresh token issued in the issuing so as to re-issue a new refresh token and access token as initial update authorization information in association with the re-issued access token and refresh token;
  
  transmitting, by the client apparatus, an invalidation request together with the stored initial update authorization information as a first refresh token that has been issued first to the authorization server to request the authorization server to invalidate the refresh token associated with the initial update authorization information;
  
  and invalidating, by the authorization server, in accordance with an invalidation request received together with the refresh token a refresh token with which the received refresh token is associated as initial update authorization information,wherein the refresh token transmitted in the transmitting together with the invalidation request is the first refresh token issued before re-issuance of a new refresh token by the authorization server in accordance with the authorization request from the client apparatus,and wherein, where the first refresh token is received by the authorization server together with the invalidation request after re-issuance of a new refresh token, both the new refresh token and the first refresh token are invalidated.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Canon Kabushiki Kaisha (Canon Inc.)
Original Assignee
Canon Kabushiki Kaisha (Canon Inc.)
Inventors
Mogaki, Shunsuke
Primary Examiner(s)
Avery, Jeremiah

Application Number

US14/001,658
Publication Number

US 20140230020A1
Time in Patent Office

1,406 Days
Field of Search

None
US Class Current

1/1
CPC Class Codes

G06F 21/335   for accessing specific reso...

G06F 2221/2101   Auditing as a secondary aspect

G06F 2221/2151   Time stamp

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/10   for controlling access to d...

H04L 67/1001   for accessing one among a p...

H04L 9/0891   Revocation or update of sec...

H04L 9/3213   using tickets or tokens, e....

Authorization server and client apparatus, server cooperative system, and token management method

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

17 Citations

9 Claims

Specification

Solutions

Use Cases

Quick Links

Authorization server and client apparatus, server cooperative system, and token management method

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

17 Citations

9 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links