
Service profile-specific token attributes and resource server token attribute overriding

  • US 9,578,014 B2
  • Filed: 04/30/2014
  • Issued: 02/21/2017
  • Est. Priority Date: 09/29/2011
  • Status: Active Grant
First Claim

1. A computer-implemented method comprising:

  • receiving, by an authorization computer system, a first service profile that specifies a value for each of a set of token attributes including a first token attribute, wherein the first service profile specifies a first value for the first token attribute;

  • storing, by the authorization computer system, a first mapping of a plurality of mappings, wherein the first mapping is between the first service profile and a first identity domain of a plurality of identity domains, each of the plurality of identity domains being a different partitioned computing environment associated with one or more client applications;

  • receiving, by the authorization computer system, a second service profile that specifies a second value for the first token attribute;

  • storing, by the authorization computer system, a second mapping of the plurality of mappings, wherein the second mapping is between the second service profile and a second identity domain of the plurality of identity domains;

  • receiving, at the authorization computer system, a token request from a client application contained in the first identity domain;

  • in response to receiving the token request, selecting the first mapping from the plurality of mappings for processing the token request, wherein the first mapping is selected based on the first identity domain containing the client application;

  • in response to selecting the first mapping for processing the token request, determining, at the authorization computer system, based on the selected first mapping, that the token request is mapped to the first service profile;

  • in response to determining that the token request is mapped to the first service profile, the authorization computer system reading, from the first service profile, values for the set of token attributes as specified by the first service profile, such that the first value for the first token attribute as specified by the first service profile is read;

  • determining whether the authorization computer system has obtained a third value for the first token attribute from a resource server;

  • based on determining that the authorization computer system has not obtained the third value for the first token attribute from the resource server, generating, at the authorization computer system, a new token that specifies the first value for the first token attribute; and

  • sending the new token from the authorization computer system to the client application;

  • wherein the second value for the first token attribute specified in the second service profile differs from the first value for the first token attribute specified in the first service profile; and

  • wherein the second identity domain is isolated from the first identity domain such that the client application contained in the first identity domain is prevented from accessing at least one service associated with the second identity domain.
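The procedure the claim describes, as an added example that is not code from the patent or from any product: a toy authorization server keeps per-identity-domain service profile mappings, selects the profile by the domain containing the requesting client, reads the profile's attribute values, and lets a resource server override an attribute only when it actually supplied a value. The class and attribute names (ServiceProfile, AuthorizationServer, expires_in, refresh_allowed) and the sample tenants are assumptions constructed for the example.

```python
# Added example (assumed names; sample data is constructed, not from the patent).
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class ServiceProfile:
    """A value for each token attribute in a set, e.g. lifetime and refresh policy."""
    name: str
    attributes: Dict[str, object]


@dataclass
class AuthorizationServer:
    profiles: Dict[str, ServiceProfile] = field(default_factory=dict)
    domain_to_profile: Dict[str, str] = field(default_factory=dict)  # identity domain -> profile
    client_to_domain: Dict[str, str] = field(default_factory=dict)   # client id -> identity domain

    def map_profile(self, profile: ServiceProfile, identity_domain: str) -> None:
        """Store the (service profile, identity domain) mapping."""
        self.profiles[profile.name] = profile
        self.domain_to_profile[identity_domain] = profile.name

    def register_client(self, client_id: str, identity_domain: str) -> None:
        self.client_to_domain[client_id] = identity_domain

    def issue_token(self, client_id: str,
                    resource_server_values: Optional[Dict[str, object]] = None) -> Dict[str, object]:
        # 1. Select the mapping by the identity domain containing the client; a client
        #    can never be resolved to another domain's profile (domain isolation).
        domain = self.client_to_domain.get(client_id)
        if domain is None or domain not in self.domain_to_profile:
            raise PermissionError(f"no service profile mapped for client {client_id!r}")
        profile = self.profiles[self.domain_to_profile[domain]]
        # 2. Read every attribute value from the selected profile.
        token: Dict[str, object] = dict(profile.attributes)
        # 3. Use the resource server's value only for attributes it actually supplied;
        #    names the profile never defined are ignored, so a resource server cannot
        #    add attributes, only override ones the profile already specifies.
        for attr, value in (resource_server_values or {}).items():
            if attr in token:
                token[attr] = value
        token["identity_domain"] = domain
        return token


def build_demo_server() -> AuthorizationServer:
    """Two isolated identity domains with different values for the same attribute (constructed data)."""
    srv = AuthorizationServer()
    srv.map_profile(ServiceProfile("gold", {"expires_in": 3600, "refresh_allowed": True}), "tenant-a")
    srv.map_profile(ServiceProfile("basic", {"expires_in": 600, "refresh_allowed": False}), "tenant-b")
    srv.register_client("app-1", "tenant-a")
    srv.register_client("app-2", "tenant-b")
    return srv
```

Calling `issue_token("app-1")` yields the tenant-a profile values, while passing `{"expires_in": 300}` as the resource server's values overrides only that attribute.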
