Service profile-specific token attributes and resource server token attribute overriding

US 9,578,014 B2
Filed: 04/30/2014
Issued: 02/21/2017
Est. Priority Date: 09/29/2011
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method comprising:

receiving, by an authorization computer system, a first service profile that specifies a value for each of a set of token attributes including a first token attribute, wherein the first service profile specifies a first value for the first token attribute;

storing, by the authorization computer system, a first mapping of a plurality of mappings, wherein the first mapping is between the first service profile and a first identity domain of a plurality of identity domains, each of the plurality of identity domains being a different partitioned computing environment associated with one or more client applications;

receiving, by the authorization computer system, a second service profile that specifies a second value for the first token attribute;

storing, by the authorization computer system, a second mapping of the plurality of mappings, wherein the second mapping is between the second service profile and a second identity domain of the plurality of identity domains;

receiving, at the authorization computer system, a token request from a client application contained in the first identity domain;

in response to receiving the token request, selecting the first mapping from the plurality of mappings for processing the token request, wherein the first mapping is selected based on the first identity domain containing the client application;

in response to selecting the first mapping for processing the token request, determining, at the authorization computer system, based on the selected first mapping, that the token request is mapped to the first service profile;

in response to determining that the token request is mapped to the first service profile, the authorization computer system, reading, from the first service profile, values for the set of token attributes as specified by the first service profile, such that the first value for the first token attribute as specified by the first service profile is read;

determining whether the authorization computer system has obtained a third value for the first token attribute from a resource server;

based on determining that the authorization computer system has not obtained the third value for the first token attribute from the resource server, generating, at the authorization computer system, a new token that specifies the first value for the first token attribute; and

sending the new token from the authorization computer system to the client application;

wherein the second value for the first token attribute specified in the second service profile differs from the first value for the first token attribute specified in the first service profile; and

,wherein the second identify domain is isolated from the first identity domain such that the client application contained in the first identity domain is prevented from accessing at least one service associated with the second identity domain.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A framework, which conforms to the OAuth standard, involves a generic OAuth authorization server that can be used by multiple resource servers in order to ensure that access to resources stored on those resource servers is limited to access to which the resource owner consents. Each resource server registers, with the OAuth authorization server, metadata for that resource server, indicating scopes that are recognized by the resource server. The OAuth authorization server refers to this metadata when requesting consent from a resource owner on behalf of a client application, so that the consent will be of an appropriate scope. The OAuth authorization server refers to this metadata when constructing an access token to provide to the client application for use in accessing the resources on the resource server. The OAuth authorization server uses this metadata to map issued access tokens to the scopes to which those access tokens grant access.

Citations

19 Claims

1. A computer-implemented method comprising:
- receiving, by an authorization computer system, a first service profile that specifies a value for each of a set of token attributes including a first token attribute, wherein the first service profile specifies a first value for the first token attribute;
  
  storing, by the authorization computer system, a first mapping of a plurality of mappings, wherein the first mapping is between the first service profile and a first identity domain of a plurality of identity domains, each of the plurality of identity domains being a different partitioned computing environment associated with one or more client applications;
  
  receiving, by the authorization computer system, a second service profile that specifies a second value for the first token attribute;
  
  storing, by the authorization computer system, a second mapping of the plurality of mappings, wherein the second mapping is between the second service profile and a second identity domain of the plurality of identity domains;
  
  receiving, at the authorization computer system, a token request from a client application contained in the first identity domain;
  
  in response to receiving the token request, selecting the first mapping from the plurality of mappings for processing the token request, wherein the first mapping is selected based on the first identity domain containing the client application;
  
  in response to selecting the first mapping for processing the token request, determining, at the authorization computer system, based on the selected first mapping, that the token request is mapped to the first service profile;
  
  in response to determining that the token request is mapped to the first service profile, the authorization computer system, reading, from the first service profile, values for the set of token attributes as specified by the first service profile, such that the first value for the first token attribute as specified by the first service profile is read;
  
  determining whether the authorization computer system has obtained a third value for the first token attribute from a resource server;
  
  based on determining that the authorization computer system has not obtained the third value for the first token attribute from the resource server, generating, at the authorization computer system, a new token that specifies the first value for the first token attribute; and
  
  sending the new token from the authorization computer system to the client application;
  
  wherein the second value for the first token attribute specified in the second service profile differs from the first value for the first token attribute specified in the first service profile; and
  
  ,wherein the second identify domain is isolated from the first identity domain such that the client application contained in the first identity domain is prevented from accessing at least one service associated with the second identity domain.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The computer-implemented method of claim 1, wherein the token request is a first token request, and wherein the computer-implemented method further comprises:
    - receiving, by a particular resource server, a resource server-specific profile that specifies the third value for the first token attribute;
      
      storing, at the particular resource server, the resource server-specific profile;
      
      receiving, at the authorization computer system, a second token request from a second client application contained in the first identity domain;
      
      in response to receiving the second token request, determining, at the authorization computer system, based on the first mapping, that the first identity domain is mapped to the first service profile;
      
      in response to determining that the first identity domain is mapped to the first service profile, the authorization computer system reading, from the first service profile, the first value for the first token attribute;
      
      determining, by the authorization computer system, that the particular resource server provides a service requested in the second token request;
      
      in response to determining that the particular resource server provides the service, determining, by the authorization computer system, whether the resource server-specific profile stored by the particular resource server specifies a value for the first token attribute;
      
      in response to determining that the resource server-specific profile specifies the third value, generating, at the authorization computer system, a particular token that specifies the third value for the first token attribute; and
      
      sending the particular token from the authorization computer system to the second client application.
  - 3. The computer-implemented method of claim 2, wherein the first token request specifies, for one or more other token attributes, one or more other values that are specified in the first service profile.
  - 4. The computer-implemented method of claim 1, wherein the token request is a first token request, and wherein the computer-implemented method further comprises:
    - receiving, at the authorization computer system, a second token request from a second client application contained in the second identity domain;
      
      in response to receiving the second token request, selecting the second mapping from the plurality of mappings for processing the second token request based on the second identity domain containing the second client application;
      
      in response to selecting the second mapping for processing the second token request, determining, at the authorization computer system, based on the second mapping, that the second identity domain is mapped to the second service profile;
      
      in response to determining that the second identity domain is mapped to the second service profile, the authorization computer system, reading, from the second service profile, the second value for the particular token attribute as specified by the second service profile;
      
      determining, by the authorization computer system, that a particular resource server provides a service requested in the second token request;
      
      in response to determining that the particular resource server provides the service, determining, by the authorization computer system, whether a resource server-specific profile stored by the particular resource server specifies a value for the particular token attribute;
      
      in response to determining that the resource server-specific profile does not specify a value for the particular token attribute, generating, at the authorization computer system, a particular token that specifies the second value for the first token attribute; and
      
      sending the particular token from the authorization computer system to the second client application.
  - 5. The computer-implemented method of claim 1, wherein the first token attribute is a token time-out attribute that represents a duration of time for which a token generated by the authorization computer system is to remain valid following generation.
  - 6. The computer-implemented method of claim 1, wherein the first value for the first token attribute specifies a first duration of time after which a token will cease to be valid, wherein the second value for the first token attribute specifies a second duration of time after which the token will cease to be valid, and wherein the second value is less than the first value.
  - 7. The computer-implemented method of claim 1, wherein the first token attribute is a token time-out attribute that represents a duration of time for which a token generated by the authorization computer system is to remain valid following generation.
  - 8. The computer-implemented method of claim 1, wherein the first service profile is received from a resource server that provides a first service to client applications in one or more of the plurality of identity domains, and wherein the first value for the first token attribute in the first service profile is specified by the authorization computer system.
  - 9. The computer-implemented method of claim 1, wherein the first service profile is received from a resource server that provides a first service to client applications in one or more of the plurality of identity domains, and wherein the first value for the first token attribute in the first service profile is specified by the resource server for client applications in the first identity domain.
  - 10. The computer-implemented method of claim 1, further comprisingidentifying, by the authorization computer system, a particular resource server that provides a service requested in the token request, wherein the service provided by the resource server is characterized by one or more token attributes including the first token attribute;
    - requesting, by the authorization computer system, the particular resource server to provide a value for the first token attribute;
      
      receiving, by the authorization computer system, from the particular resource server, the third value for the first token attribute; and
      
      in response to receiving the third value for the first token attribute, modifying, by the authorization computer system, the first value of the first token attribute in the new token with the third value.

11. A non-transitory computer-readable media comprising instructions which, when executed by one or more processors, cause the one or more processors to perform:
- receiving, by an authorization computer system, a first service profile that specifies a value for each of a set of token attributes including a first token attribute, wherein the first service profile specifies a first value for the first token attribute;
  
  storing, by the authorization computer system, a first mapping of a plurality of mappings, wherein the first mapping is between the first service profile and a first identity domain of a plurality of identity domains, each of the plurality of identity domains being a different partitioned computing environment associated with one or more client applications;
  
  receiving, by the authorization computer system, a second service profile that specifies a second value for the first token attribute;
  
  storing, by the authorization computer system, a second mapping of the plurality of mappings, wherein the second mapping is between the second service profile and a second identity domain of the plurality of identity domains;
  
  receiving, at the authorization computer system, a token request from a client application contained in the first identity domain;
  
  in response to receiving the token request, selecting the first mapping from the plurality of mappings for processing the token request, wherein the first mapping is selected based on the first identity domain containing the client application;
  
  in response to selecting the first mapping for processing the token request, determining, at the authorization computer system, based on the selected first mapping, that the token request is mapped to the first service profile;
  
  in response to determining that the token request is mapped to the first service profile, the authorization computer system reading, from the first service profile, values for the set of token attributes as specified by the first service profile, such that the first value for the first token attribute as specified by the first service profile is read;
  
  determining whether the authorization computer system has obtained a third value for the first token attribute from a resource server;
  
  based on determining that the authorization computer system has not obtained the third value for the first token attribute from the resource server, generating, at the authorization computer system, a new token that specifies the first value for the first token attribute; and
  
  sending the new token from the authorization computer system to the client application;
  
  wherein the second value for the first token attribute specified in the second service profile differs from the first value for the first token attribute specified in the first service profile; and
  
  ,wherein the second identify domain is isolated from the first identity domain such that the client application contained in the first identity domain is prevented from accessing at least one service associated with the second identity domain.
- View Dependent Claims (12, 13, 14)
- - 12. The non-transitory computer-readable media of claim 11, wherein the token request is a first token request, and wherein the instructions, when executed by the one or more processors, cause the one or more processors to perform:
    - receiving, by a particular resource server, a resource server-specific profile that specifies the third value for the first token attribute;
      
      storing, at the particular resource server, the resource server-specific profile;
      
      receiving, at the authorization computer system, a second token request from a second client application contained in the first identity domain;
      
      in response to receiving the second token request, determining, at the authorization computer system, based on the first mapping, that the first identity domain is mapped to the first service profile;
      
      in response to determining that the first identity domain is mapped to the first service profile, the authorization computer system reading, from the first service profile, the first value for the first token attribute;
      
      determining, by the authorization computer system, that the particular resource server provides a service requested in the second token request;
      
      in response to determining that the particular resource server provides the service, determining, by the authorization computer system, whether the resource server-specific profile stored by the particular resource server specifies a value for the first token attribute;
      
      in response to determining that the resource server-specific profile specifies the third value, generating, at the authorization computer system, a particular token that specifies the third value for the first token attribute; and
      
      sending the particular token from the authorization computer system to the second client application.
  - 13. The non-transitory computer-readable media of claim 11, wherein the instructions, when executed by the one or more processors, cause the one or more processors to perform:
    - receiving, at the authorization computer system, a second token request from a second client application contained in the second identity domain;
      
      in response to receiving the second token request, selecting the second mapping from the plurality of mappings for processing the second token request based on the second identity domain containing the second client application;
      
      in response to selecting the second mapping for processing the second token request, determining, at the authorization computer system, based on the second mapping, that the second identity domain is mapped to the second service profile;
      
      in response to determining that the second identity domain is mapped to the second service profile, the authorization computer system reading, from the second service profile, the second value for the particular token attribute as specified by the second service profile;
      
      determining, by the authorization computer system, that a particular resource server provides a service requested in the second token request;
      
      in response to determining that the particular resource server provides the service, determining, by the authorization computer system, whether a resource server-specific profile stored by the particular resource server specifies a value for the particular token attribute;
      
      in response to determining that the resource server-specific profile does not specify a value for the particular token attribute, generating, at the authorization computer system, a particular token that specifies the second value for the first token attribute; and
      
      sending the particular token from the authorization computer system to the second client application.
  - 14. The non-transitory computer-readable media of claim 11, wherein the first token attribute is a token time-out attribute that represents a duration of time for which a token generated by the authorization computer system is to remain valid following generation.

15. A system comprising:
- a first machine that has a client application contained in a particular identity domain of a plurality of identity domains, each of the plurality of identity domains being a being a different partitioned computing environment associated with one or more client applications; and
  
  a second machine that includes an authorization computer system that is configured to;
  
  receive a first service profile that specifies a value for each of a set of token attributes including a first token attribute, wherein the first service profile specifies a first value for the first token attribute;
  
  store a first mapping of a plurality of mappings, wherein the first mapping is between the first service profile and a first identity domain of the plurality of identity domains;
  
  receive a second service profile that specifies a second value for the first token attribute;
  
  store a second mapping of the plurality of mappings, wherein the second mapping is between the second service profile and a second identity domain of the plurality of identity domains;
  
  receive a token request from the client application contained in the first identity domain;
  
  in response to receiving the token request, select the first mapping from the plurality of mappings for processing the token request, wherein the first mapping is selected based on the first identity domain containing the client application;
  
  determine, in response to selecting the first mapping for processing the token request, and based on the selected first mapping, that the token request is mapped to the first service profile;
  
  read, in response to determining that the token request is mapped to the first service profile, and from the first service profile, values for the set of token attributes as specified by the first service profile, such that the first value for the first token attribute as specified by the first service profile is read;
  
  determine whether the authorization computer system has obtained a third value for the first token attribute from a resource server;
  
  based on determining that the authorization computer system has not obtained the third value for the first token attribute from the resource server, generate a new token that specifies the first value for the first token attribute; and
  
  send the new token to the client application;
  
  wherein the second value for the first token attribute specified in the second service profile differs from the first value for the first token attribute specified in the first service profile; and
  
  wherein the second identify domain is isolated from the first identity domain such that the client application contained in the first identity domain is prevented from accessing at least one service associated with the second identity domain.
- View Dependent Claims (16, 17, 18, 19)
- - 16. The system of claim 15, wherein the token request is a first token request, and wherein the system further comprises:
    - a third machine that includes a particular resource server that is configured to;
      
      receive a resource server-specific profile that specifies the third value for the particular token attribute, andstore the resource server-specific profile; and
      
      a fourth machine that stores a second client application contained in the first identity domain;
      
      wherein the authorization computer system is configured to;
      
      receive a second token request from the second client application,determine, in response to receiving the second token request, and based on the first mapping, that the first identity domain is mapped to the first service profile,read, in response to determining that the first identity domain is mapped to the first service profile, and from the first service profile, the first value for the first token attribute,determine that the particular resource server provides a service requested in the second token request,determine, in response to determining that the particular resource server provides the service, whether the resource server-specific profile stored by the particular resource server specifies a value for the first token attribute,generate, in response to determining that the resource server-specific profile specifies the third value, a particular token that specifies the third value for the particular token attribute, andsend the particular token to the second client application.
  - 17. The system of claim 15, further comprising:
    - a third machine that stores a particular resource server; and
      
      a fourth machine that stores a second client application contained in the second identity domain;
      
      wherein the authorization computer system is configured to;
      
      receive a second token request from the second client application,in response to receiving the second token request, select the second mapping from the plurality of mappings for processing the second token request based on the second identity domain containing the second client application;
      
      determine, selecting the second mapping for processing the second token request, and based on the second mapping, that the second identity domain is mapped to the second service profile,read, in response to determining that the second identity domain is mapped to the second service profile, and from the second service profile, the second value for the particular token attribute as specified by the second service profile,determine that a particular resource server provides a service requested in the second token request,determine, in response to determining that the particular resource server provides the service, whether a resource server-specific profile stored by the particular resource server specifies a value for the particular token attribute,generate, in response to determining that the resource server-specific profile does not specify a value for the particular token attribute, a particular token that specifies the second value for the first token attribute, andsend the particular token to the second client application.
  - 18. The system of claim 15, wherein the first token attribute is a token time-out attribute that represents a duration of time for which a token generated by the authorization computer system is to remain valid following generation.
  - 19. The system of claim 15, wherein the first value for the first token attribute specifies a first duration of time after which a token will cease to be valid, wherein the second value for the first token attribute specifies the second duration of time after which a token will cease to be valid, and wherein the second value is less than the first value.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
Oracle International Corporation (Oracle Corporation)
Inventors
Sondhi, Ajay, Chu, Ching-Wen, Evani, Venkata S.
Primary Examiner(s)
Abedin, Shanto M

Application Number

US14/266,505
Publication Number

US 20150089623A1
Time in Patent Office

1,028 Days
Field of Search

726 1- 10, 709225-229
US Class Current

1/1
CPC Class Codes

G06F 2221/2103   Challenge-response

H04L 63/08   for authentication of entit...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/0815   providing single-sign-on or...

H04L 63/0853   using an additional device,...

H04L 63/10   for controlling access to d...

H04L 63/102   Entity profiles

H04L 63/20   for managing network securi...

H04L 63/205   involving negotiation or de...

H04W 12/06   Authentication

Service profile-specific token attributes and resource server token attribute overriding

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Service profile-specific token attributes and resource server token attribute overriding

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links