Authorization server and client apparatus, server cooperative system, and token management method
Abstract
There is a method of generating a token required to transfer the access authority of a cooperating system to the system requesting the cooperation. In this method, a refresh token is issued so that a token can be updated without re-confirmation from the user after the valid period of the token has expired. If the information required to update a token is leaked, an unintended system can update the token and the cooperating system is used illicitly. For this reason, a unit for invalidating the leaked refresh token is required. An access management service stores the refresh token issued at the time of the first authorization processing, linked to the tokens re-issued whenever a series of tokens is issued using refresh tokens. Then, upon designation of the refresh token issued first, all refresh tokens linked to the refresh token issued first are invalidated.
17 Citations
9 Claims
1. An authorization server, which authorizes an access request from a client apparatus to a resource server based on a valid access token received from the client apparatus in association with the request, the server comprising:
    a processor; and
    a memory storing instructions that, when executed by the processor, cause the server to execute:
    an issuance step of issuing an access token used to access the resource server and a refresh token used to re-issue a new access token in accordance with an issuance request received from the client apparatus, wherein the refresh token is a first refresh token that has been issued first based on an authorization request from the client apparatus;
    a re-issuance step of re-issuing a new access token and a new refresh token in accordance with a refresh processing request received together with the refresh token, and storing the refresh token issued by the issuance step so as to re-issue a new refresh token and access token as initial update authorization information in association with the re-issued access token and refresh token; and
    an invalidation step of invalidating, in accordance with an invalidation request received together with the refresh token, a refresh token with which the received refresh token is associated as initial update authorization information,
    wherein the refresh token received in the invalidation step together with the invalidation request is the first refresh token issued in the re-issuance step before re-issuance of a refresh token in accordance with an authorization request from the client apparatus, and
    wherein, where the first refresh token is received in the re-issuance step together with the invalidation request after re-issuance of a new refresh token, both the new refresh token and the first refresh token are invalidated.
    (Dependent claims: 2, 3.)
4. A client apparatus which transmits an access request to a resource server together with an access token issued by an authorization server to request a service by the resource server, the client apparatus comprising:
    a processor; and
    a memory storing instructions that, when executed by the processor, cause the client to execute:
    a storage step of storing in a storage unit device the access token issued by the authorization server, a refresh token used to re-issue a new access token, and initial update authorization information issued first by the authorization server so as to re-issue the access token, in association with each other; and
    an invalidation request step of transmitting an invalidation request together with the stored initial update authorization information as a first refresh token that has been issued first to the authorization server to request the authorization server to invalidate the refresh token associated with the initial update authorization information,
    wherein the refresh token transmitted in the invalidation request step together with the invalidation request is the first refresh token issued before re-issuance of a new refresh token by the authorization server in accordance with the authorization request from the client apparatus, and
    wherein, where the first refresh token is received by the authorization server together with the invalidation request after re-issuance of a new refresh token, both the new refresh token and the first refresh token are invalidated.
    (Dependent claim: 5.)
6. A server cooperative system including an authorization server, which authorizes an access request from a client apparatus to a resource server based on a valid access token received from the client apparatus in association with the request, a client apparatus, which transmits an access request to a resource server together with the access token issued by the authorization server to request a service by the resource server, and the resource server, which provides a service to the client apparatus,
    the authorization server comprising:
    a processor; and
    a memory storing instructions that, when executed by the processor, cause the authorization server to execute:
    an issuance step of issuing an access token used to access the resource server and a refresh token used to re-issue a new access token in accordance with an issuance request received from the client apparatus, wherein the refresh token is a first refresh token that has been issued first based on an authorization request from the client apparatus;
    a re-issuance step of re-issuing a new refresh token and a new access token in accordance with a refresh processing request received together with the refresh token, and storing the refresh token issued by the issuance step so as to re-issue a new refresh token and an access token as initial update authorization information in association with the re-issued access token and refresh token; and
    an invalidation step of invalidating, in accordance with an invalidation request received together with the refresh token, a refresh token with which the received refresh token is associated as initial update authorization information,
    wherein the refresh token received in the invalidation step together with the invalidation request is a first refresh token issued in the re-issuance step before re-issuance of a new refresh token in accordance with an authorization request from the client apparatus, and
    wherein, where the first refresh token is received in the re-issuance step together with the invalidation request after re-issuance of a new refresh token, both the new refresh token and the first refresh token are invalidated, and
    the client apparatus comprising:
    a processor; and
    a memory storing instructions that, when executed by the processor, cause the client to execute:
    a storage step of storing in a storage device the access token issued by the authorization server, the refresh token used to re-issue a new access token, and initial update authorization information issued first by the authorization server so as to re-issue the access token, in association with each other; and
    an invalidation request step of transmitting an invalidation request together with the stored initial update authorization information as a first refresh token that has been issued first to the authorization server to request the authorization server to invalidate a refresh token associated with the initial update authorization information.
7. A non-transitory computer-readable storage medium storing computer-executable code of a program for controlling a computer to function as an authorization server, which authorizes an access request from a client apparatus to a resource server based on a valid access token received from the client apparatus in association with the request, the program comprising:
    code of an issuance step for issuing an access token used to access the resource server and a refresh token used to re-issue a new access token in accordance with an issuance request received from the client apparatus, wherein the refresh token is a first refresh token that has been issued first based on an authorization request from the client apparatus;
    code of a re-issuance step for re-issuing a new refresh token and a new access token in accordance with a refresh processing request received together with the refresh token, and storing the refresh token issued by the issuance step so as to re-issue a new refresh token and an access token as initial update authorization information in association with the re-issued access token and refresh token; and
    code of an invalidation step for invalidating, in accordance with an invalidation request received together with the refresh token, a refresh token with which the received refresh token is associated as initial update authorization information,
    wherein the refresh token received in the invalidation step together with the invalidation request is the first refresh token issued in the re-issuance step before re-issuance of a refresh token in accordance with an authorization request from the client apparatus, and
    wherein, where the first refresh token is received in the re-issuance step together with the invalidation request after re-issuance of a new refresh token, both the new refresh token and the first refresh token are invalidated.
8. A non-transitory computer-readable storage medium storing computer-executable code of a program for controlling a computer to function as a client apparatus, which transmits an access request to a resource server together with an access token issued by an authorization server to request a service by the resource server, the program comprising:
    code of a storage step for storing in a storage device the access token issued by the authorization server, a refresh token used to re-issue a new access token, and initial update authorization information issued first by the authorization server so as to re-issue the access token, in association with each other; and
    code of an invalidation request step for transmitting an invalidation request together with the stored initial update authorization information as a first refresh token that has been issued first to the authorization server to request the authorization server to invalidate a refresh token associated with the initial update authorization information,
    wherein the refresh token transmitted in the invalidation request step together with the invalidation request is the first refresh token issued before re-issuance of a new refresh token by the authorization server in accordance with the authorization request from the client apparatus, and
    wherein, where the first refresh token is received by the authorization server together with the invalidation request after re-issuance of a new refresh token, both the new refresh token and the first refresh token are invalidated.
9. A token management method in a server cooperative system including an authorization server, which authorizes an access request from a client apparatus to a resource server based on a valid access token received from the client apparatus in association with the request, a client apparatus, which transmits an access request to a resource server together with the access token issued by the authorization server to request a service by the resource server, and the resource server, which provides a service to the client apparatus, the method comprising:
    issuing, by the authorization server, an access token used to access the resource server and a refresh token used to re-issue a new access token in accordance with an issuance request received from the client apparatus, wherein the refresh token is a first refresh token that has been issued first based on an authorization request from the client apparatus;
    storing, by the client apparatus, the access token issued by the authorization server, the refresh token used to re-issue a new access token, and initial update authorization information issued first by the authorization server so as to re-issue the access token, in association with each other;
    transmitting, by the client apparatus, when a response indicating that the access token is invalid is received from the authorization server in response to the access request, a refresh processing request to the authorization server together with the refresh token associated with the access token corresponding to the response indicating that the access token is invalid;
    re-issuing, by the authorization server, a new refresh token and a new access token in accordance with a refresh processing request received together with the refresh token, and storing the refresh token issued in the issuing so as to re-issue a new refresh token and access token as initial update authorization information in association with the re-issued access token and refresh token;
    transmitting, by the client apparatus, an invalidation request together with the stored initial update authorization information as a first refresh token that has been issued first to the authorization server to request the authorization server to invalidate the refresh token associated with the initial update authorization information; and
    invalidating, by the authorization server, in accordance with an invalidation request received together with the refresh token, a refresh token with which the received refresh token is associated as initial update authorization information,
    wherein the refresh token transmitted in the transmitting together with the invalidation request is the first refresh token issued before re-issuance of a new refresh token by the authorization server in accordance with the authorization request from the client apparatus, and
    wherein, where the first refresh token is received by the authorization server together with the invalidation request after re-issuance of a new refresh token, both the new refresh token and the first refresh token are invalidated.
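The token-chain mechanism of the abstract and of method claim 9, modelled as an added Python example (not code from the patent or from any product): every pair re-issued by a refresh is stored with the chain's first refresh token as its initial update authorization information, and an invalidation request carrying that first token revokes every refresh token linked to it, the first one included. The class and method names and the single-use treatment of a presented refresh token are assumptions.

```python
import secrets
from dataclasses import dataclass

@dataclass
class TokenRecord:
    access_token: str
    refresh_token: str
    initial: str           # initial update authorization information: first refresh token of the chain
    state: str = "active"  # active -> rotated (consumed by a refresh) or revoked

class AuthorizationServer:
    def __init__(self) -> None:
        self._records = {}  # refresh token -> TokenRecord

    def _new(self, initial=None) -> TokenRecord:
        rt = secrets.token_urlsafe(24)
        rec = TokenRecord(secrets.token_urlsafe(24), rt, initial or rt)
        self._records[rt] = rec
        return rec

    def issue(self) -> TokenRecord:
        """Issuance step: the refresh token issued here is the chain's first refresh token."""
        return self._new()

    def refresh(self, refresh_token: str) -> TokenRecord:
        """Re-issuance step: the new pair inherits the chain's first refresh token.
        Assumption (not in the claims): a presented refresh token is single-use."""
        rec = self._records.get(refresh_token)
        if rec is None or rec.state != "active":
            raise PermissionError("refresh token unknown, already used or revoked")
        rec.state = "rotated"
        return self._new(rec.initial)

    def access_valid(self, access_token: str) -> bool:
        return any(r.access_token == access_token and r.state == "active"
                   for r in self._records.values())

    def invalidate(self, first_refresh_token: str) -> list:
        """Invalidation step: the request must carry the first refresh token of a chain;
        every refresh token linked to it, the first one included, is revoked."""
        root = self._records.get(first_refresh_token)
        if root is None or root.initial != first_refresh_token:
            raise ValueError("not the first refresh token of a chain")
        revoked = []
        for rec in self._records.values():
            if rec.initial == first_refresh_token and rec.state != "revoked":
                rec.state = "revoked"
                revoked.append(rec.refresh_token)
        return revoked
```

A client following claim 4 would keep `first.refresh_token` beside the current pair so that it can still name the whole chain after several refreshes.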
Specification