Service profile-specific token attributes and resource server token attribute overriding
First Claim
1. A computer-implemented method comprising:
receiving, by an authorization computer system, a first service profile that specifies a value for each of a set of token attributes including a first token attribute, wherein the first service profile specifies a first value for the first token attribute;
storing, by the authorization computer system, a first mapping of a plurality of mappings, wherein the first mapping is between the first service profile and a first identity domain of a plurality of identity domains, each of the plurality of identity domains being a different partitioned computing environment associated with one or more client applications;
receiving, by the authorization computer system, a second service profile that specifies a second value for the first token attribute;
storing, by the authorization computer system, a second mapping of the plurality of mappings, wherein the second mapping is between the second service profile and a second identity domain of the plurality of identity domains;
receiving, at the authorization computer system, a token request from a client application contained in the first identity domain;
in response to receiving the token request, selecting the first mapping from the plurality of mappings for processing the token request, wherein the first mapping is selected based on the first identity domain containing the client application;
in response to selecting the first mapping for processing the token request, determining, at the authorization computer system, based on the selected first mapping, that the token request is mapped to the first service profile;
in response to determining that the token request is mapped to the first service profile, the authorization computer system, reading, from the first service profile, values for the set of token attributes as specified by the first service profile, such that the first value for the first token attribute as specified by the first service profile is read;
determining whether the authorization computer system has obtained a third value for the first token attribute from a resource server;
based on determining that the authorization computer system has not obtained the third value for the first token attribute from the resource server, generating, at the authorization computer system, a new token that specifies the first value for the first token attribute; and
sending the new token from the authorization computer system to the client application;
wherein the second value for the first token attribute specified in the second service profile differs from the first value for the first token attribute specified in the first service profile; and
wherein the second identity domain is isolated from the first identity domain such that the client application contained in the first identity domain is prevented from accessing at least one service associated with the second identity domain.
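The procedure of claim 1, as an added example that is not the patent's or any product's code: an authorization server stores one service profile per identity domain, selects the profile by the domain that contains the requesting client, reads the profile's attribute values, lets a value obtained from a resource server override a single attribute when one exists, and refuses cross-domain access. The class names, the attributes `token_lifetime` and `token_format`, and the identifiers `domain-a`, `domain-b` and `rs-orders` are assumptions chosen for illustration.

```python
# Added example (not the patent's own code): a minimal model of the token
# issuance described in claim 1.  Class and attribute names
# (AuthorizationServer, ServiceProfile, "token_lifetime", "rs-orders") are
# assumptions for illustration.
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class ServiceProfile:
    """A service profile: a value for each token attribute in a fixed set."""
    name: str
    attributes: Dict[str, object]


@dataclass(frozen=True)
class ClientApplication:
    client_id: str
    identity_domain: str  # the partitioned environment that contains the client


class AuthorizationServer:
    def __init__(self) -> None:
        # The "plurality of mappings": identity domain -> service profile.
        self._profile_by_domain: Dict[str, ServiceProfile] = {}
        # Attribute values obtained from resource servers (the "third value").
        self._overrides: Dict[str, Dict[str, object]] = {}

    def register_profile(self, profile: ServiceProfile, identity_domain: str) -> None:
        """Store a mapping between a service profile and one identity domain."""
        self._profile_by_domain[identity_domain] = profile

    def register_override(self, resource_server: str, attribute: str, value: object) -> None:
        """Record a value a resource server supplies for one token attribute."""
        self._overrides.setdefault(resource_server, {})[attribute] = value

    def issue_token(self, client: ClientApplication,
                    resource_server: Optional[str] = None) -> Dict[str, object]:
        # Select the mapping based on the identity domain containing the client.
        profile = self._profile_by_domain.get(client.identity_domain)
        if profile is None:
            raise PermissionError(f"no service profile mapped to domain {client.identity_domain!r}")

        # Read every attribute value the selected profile specifies.
        token: Dict[str, object] = dict(profile.attributes)

        # For each attribute, a value obtained from the resource server (if any)
        # overrides the profile's value; otherwise the profile's value stands.
        for attribute, value in self._overrides.get(resource_server, {}).items():
            if attribute in token:
                token[attribute] = value

        token["client_id"] = client.client_id
        token["identity_domain"] = client.identity_domain
        return token

    @staticmethod
    def may_access(token: Dict[str, object], service_domain: str) -> bool:
        """Domain isolation: a token only reaches services of its own domain."""
        return token["identity_domain"] == service_domain


def build_demo_server() -> AuthorizationServer:
    """Constructed sample configuration: two domains with differing lifetimes."""
    server = AuthorizationServer()
    server.register_profile(
        ServiceProfile("profile-a", {"token_lifetime": 3600, "token_format": "jwt"}), "domain-a")
    server.register_profile(
        ServiceProfile("profile-b", {"token_lifetime": 600, "token_format": "jwt"}), "domain-b")
    # The resource server "rs-orders" supplies its own lifetime for tokens it accepts.
    server.register_override("rs-orders", "token_lifetime", 300)
    return server


if __name__ == "__main__":
    server = build_demo_server()
    app = ClientApplication("app-1", "domain-a")
    print(server.issue_token(app))                                   # profile value 3600
    print(server.issue_token(app, "rs-orders"))                      # resource server value 300
    print(server.may_access(server.issue_token(app), "domain-b"))    # False
```

The override is applied only to attributes the selected profile actually defines, so a resource server can change the value of a recognised attribute but cannot add attributes the profile never specified; a client in a domain with no stored mapping gets no token at all rather than a default one.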
Abstract
A framework, which conforms to the OAuth standard, involves a generic OAuth authorization server that can be used by multiple resource servers in order to ensure that access to resources stored on those resource servers is limited to access to which the resource owner consents. Each resource server registers, with the OAuth authorization server, metadata for that resource server, indicating scopes that are recognized by the resource server. The OAuth authorization server refers to this metadata when requesting consent from a resource owner on behalf of a client application, so that the consent will be of an appropriate scope. The OAuth authorization server refers to this metadata when constructing an access token to provide to the client application for use in accessing the resources on the resource server. The OAuth authorization server uses this metadata to map issued access tokens to the scopes to which those access tokens grant access.
19 Claims
1. (Independent claim; text reproduced above under First Claim.) Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10.
11. A non-transitory computer-readable media comprising instructions which, when executed by one or more processors, cause the one or more processors to perform:
receiving, by an authorization computer system, a first service profile that specifies a value for each of a set of token attributes including a first token attribute, wherein the first service profile specifies a first value for the first token attribute;
storing, by the authorization computer system, a first mapping of a plurality of mappings, wherein the first mapping is between the first service profile and a first identity domain of a plurality of identity domains, each of the plurality of identity domains being a different partitioned computing environment associated with one or more client applications;
receiving, by the authorization computer system, a second service profile that specifies a second value for the first token attribute;
storing, by the authorization computer system, a second mapping of the plurality of mappings, wherein the second mapping is between the second service profile and a second identity domain of the plurality of identity domains;
receiving, at the authorization computer system, a token request from a client application contained in the first identity domain;
in response to receiving the token request, selecting the first mapping from the plurality of mappings for processing the token request, wherein the first mapping is selected based on the first identity domain containing the client application;
in response to selecting the first mapping for processing the token request, determining, at the authorization computer system, based on the selected first mapping, that the token request is mapped to the first service profile;
in response to determining that the token request is mapped to the first service profile, the authorization computer system reading, from the first service profile, values for the set of token attributes as specified by the first service profile, such that the first value for the first token attribute as specified by the first service profile is read;
determining whether the authorization computer system has obtained a third value for the first token attribute from a resource server;
based on determining that the authorization computer system has not obtained the third value for the first token attribute from the resource server, generating, at the authorization computer system, a new token that specifies the first value for the first token attribute; and
sending the new token from the authorization computer system to the client application;
wherein the second value for the first token attribute specified in the second service profile differs from the first value for the first token attribute specified in the first service profile; and
wherein the second identity domain is isolated from the first identity domain such that the client application contained in the first identity domain is prevented from accessing at least one service associated with the second identity domain.
Dependent claims: 12, 13, 14.
15. A system comprising:
a first machine that has a client application contained in a particular identity domain of a plurality of identity domains, each of the plurality of identity domains being a different partitioned computing environment associated with one or more client applications; and
a second machine that includes an authorization computer system that is configured to:
receive a first service profile that specifies a value for each of a set of token attributes including a first token attribute, wherein the first service profile specifies a first value for the first token attribute;
store a first mapping of a plurality of mappings, wherein the first mapping is between the first service profile and a first identity domain of the plurality of identity domains;
receive a second service profile that specifies a second value for the first token attribute;
store a second mapping of the plurality of mappings, wherein the second mapping is between the second service profile and a second identity domain of the plurality of identity domains;
receive a token request from the client application contained in the first identity domain;
in response to receiving the token request, select the first mapping from the plurality of mappings for processing the token request, wherein the first mapping is selected based on the first identity domain containing the client application;
determine, in response to selecting the first mapping for processing the token request, and based on the selected first mapping, that the token request is mapped to the first service profile;
read, in response to determining that the token request is mapped to the first service profile, and from the first service profile, values for the set of token attributes as specified by the first service profile, such that the first value for the first token attribute as specified by the first service profile is read;
determine whether the authorization computer system has obtained a third value for the first token attribute from a resource server;
based on determining that the authorization computer system has not obtained the third value for the first token attribute from the resource server, generate a new token that specifies the first value for the first token attribute; and
send the new token to the client application;
wherein the second value for the first token attribute specified in the second service profile differs from the first value for the first token attribute specified in the first service profile; and
wherein the second identity domain is isolated from the first identity domain such that the client application contained in the first identity domain is prevented from accessing at least one service associated with the second identity domain.
Dependent claims: 16, 17, 18, 19.
Specification