Bundled authorization requests

US 9,699,170 B2
Filed: 04/30/2014
Issued: 07/04/2017
Est. Priority Date: 09/29/2011
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method comprising:

receiving, at an authorization computer system, from a client application, a token request for access to a first service that is provided by a first resource server and for access to a second service that is provided by a second resource server that is separate from the first resource server;

obtaining, at the authorization computer system, from the first resource server, a first scope of access information for the client application to access the first service identified by the token request, wherein obtaining the first scope of access information comprises;

sending an identity of the client application from the authorization computer system to the first resource server, wherein the first resource server determines the first scope of access information by applying a first policy to one or more attributes associated with the identity of the client application; and

receiving, at the authorization computer system, the first scope of access information from the first resource server;

obtaining, at the authorization computer system, from the second resource server, a second scope of access information for the client application to access the second service identified by the token request, wherein the first scope of access information differs from the second scope of access information, and wherein obtaining the second scope of access information comprises;

sending the identity of the client application from the authorization computer system to the second resource server, wherein the second resource server determines the second scope of access information by applying a second policy to the one or more attributes associated with the identity of the client application; and

receiving, from the second resource server at the authorization computer system, the second scope of access information;

generating, at the authorization computer system, a single token that includes the first scope of access information and the second scope of access information; and

sending the single token from the authorization computer system to the client application for accessing the first service based on the first scope of access information included in the single token and for accessing the second service based on the second scope of access information included in the single token.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A framework, which conforms to the OAuth standard, involves a generic OAuth authorization server that can be used by multiple resource servers in order to ensure that access to resources stored on those resource servers is limited to access to which the resource owner consents. Each resource server registers, with the OAuth authorization server, metadata for that resource server, indicating scopes that are recognized by the resource server. The OAuth authorization server refers to this metadata when requesting consent from a resource owner on behalf of a client application, so that the consent will be of an appropriate scope. The OAuth authorization server refers to this metadata when constructing an access token to provide to the client application for use in accessing the resources on the resource server. The OAuth authorization server uses this metadata to map issued access tokens to the scopes to which those access tokens grant access.

134 Citations

14 Claims

1. A computer-implemented method comprising:
- receiving, at an authorization computer system, from a client application, a token request for access to a first service that is provided by a first resource server and for access to a second service that is provided by a second resource server that is separate from the first resource server;
  
  obtaining, at the authorization computer system, from the first resource server, a first scope of access information for the client application to access the first service identified by the token request, wherein obtaining the first scope of access information comprises;
  
  sending an identity of the client application from the authorization computer system to the first resource server, wherein the first resource server determines the first scope of access information by applying a first policy to one or more attributes associated with the identity of the client application; and
  
  receiving, at the authorization computer system, the first scope of access information from the first resource server;
  
  obtaining, at the authorization computer system, from the second resource server, a second scope of access information for the client application to access the second service identified by the token request, wherein the first scope of access information differs from the second scope of access information, and wherein obtaining the second scope of access information comprises;
  
  sending the identity of the client application from the authorization computer system to the second resource server, wherein the second resource server determines the second scope of access information by applying a second policy to the one or more attributes associated with the identity of the client application; and
  
  receiving, from the second resource server at the authorization computer system, the second scope of access information;
  
  generating, at the authorization computer system, a single token that includes the first scope of access information and the second scope of access information; and
  
  sending the single token from the authorization computer system to the client application for accessing the first service based on the first scope of access information included in the single token and for accessing the second service based on the second scope of access information included in the single token.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The computer-implemented method of claim 1, further comprising:
    - receiving the first policy at the authorization computer system from the first resource server;
      
      storing the first policy at the authorization computer system in response to receiving the first policy from the first resource server;
      
      receiving the second policy at the authorization computer system from the second resource server; and
      
      storing the second policy at the authorization computer system in response to receiving the second policy from the second resource server.
  - 3. The computer-implemented method of claim 2, wherein obtaining the first scope of access information comprises:
    - applying, at the authorization computer system, the first policy stored at the authorization computer system to the one or more attributes associated with the identity of the client application; and
      
      wherein obtaining the second scope of access information comprises;
      
      applying, at the authorization computer system, the second policy stored at the authorization computer system to the one or more attributes associated with the identity of the client application.
  - 4. The computer-implemented method of claim 1, wherein the first service is resource service, and wherein the second service is a communication service.
  - 5. The computer-implemented method of claim 1, wherein the first scope of access information indicates the client application is permitted to access the first service.
  - 6. The computer-implemented method of claim 1, wherein the second scope of access information indicates the client application is not permitted to access the second service.
  - 7. The computer-implemented method of claim 1, further comprising:
    - selecting, at the authorization computer system, from a plurality of resource servers, the first resource server to provide the first service to the client application; and
      
      selecting, at the authorization computer system, from the plurality of resource servers, the second resource server to provide the second service to the client application.
  - 8. The computer-implemented method of claim 1, wherein the first policy indicates a user of the client application is authorized or is not authorized to access a content of the first service provided by the first resource server.

9. A computer-readable memory comprising instructions which, when executed by one or more processors, cause the one or more processors to perform:
- receiving, at an authorization computer system, from a client application, a token request for access to a first service that is provided by a first resource server and for access to a second service that is provided by a second resource server that is separate from the first resource server;
  
  obtaining, at the authorization computer system, from the first resource server, a first scope of access information for the client application to access the first service identified by the token request, wherein obtaining the first scope of access information comprises;
  
  sending an identity of the client application from the authorization computer system to the first resource server, wherein the first resource server determines the first scope of access information by applying a first policy to one or more attributes associated with the identity of the client application; and
  
  receiving, at the authorization computer system, the first scope of access information from the first resource server;
  
  obtaining, at the authorization computer system, from the second resource server, a second scope of access information for the client application to access the second service identified by the token request, wherein the first scope of access information differs from the second scope of access information, and wherein obtaining the second scope of access information comprises;
  
  sending the identity of the client application from the authorization computer system to the second resource server, wherein the second resource server determines the second scope of access information by applying a second policy to the one or more attributes associated with the identity of the client application; and
  
  receiving, from the second resource server at the authorization computer system, the second scope of access information;
  
  generating, at the authorization computer system, a single token that includes the first scope of access information and the second scope of access information; and
  
  sending the single token from the authorization computer system to the client application for accessing the first service based on the first scope of access information included in the single token and for accessing the second service based on the second scope of access information included in the single token.
- View Dependent Claims (10, 11)
- - 10. The computer-readable memory of claim 9, wherein the instructions, when executed by the one of more processors, further cause the one or more processors to perform:
    - receiving the first policy at the authorization computer system from the first resource server;
      
      storing the first policy at the authorization computer system in response to receiving the first policy from the first resource server;
      
      receiving the second policy at the authorization computer system from the second resource server; and
      
      storing the second policy at the authorization computer system in response to receiving the second policy from the second resource server.
  - 11. The computer-readable memory of claim 10, wherein obtaining the first scope of access information comprises:
    - applying, at the authorization computer system, the first policy stored at the authorization computer system to the one or more attributes associated with the identity of the client application; and
      
      wherein obtaining the second scope of access information comprises;
      
      applying, at the authorization computer system, the second policy stored at the authorization computer system to the one or more attributes associated with the identity of the client application.

12. A system comprising:
- a first machine that stores a client application; and
  
  a second machine that stores an authorization computer system that is configured to;
  
  receive, from the client application, a token request for access to a first service that is provided by a first resource server and for access to a second service that is provided by a second resource server that is separate from the first resource server;
  
  obtain, from the first resource server, a first scope of access information for the client application to access the first service identified by the token request, wherein obtaining the first scope of access information comprises;
  
  sending an identity of the client application from the authorization computer system to the first resource server, wherein the first resource server determines the first scope of access information by applying a first policy to one or more attributes associated with the identity of the client application; and
  
  receiving, at the authorization computer system, the first scope of access information from the first resource server;
  
  obtain, from the second resource server, a second scope of access information for the client application to access the second service identified by the token request, wherein the first scope of access information differs from the second scope of access information, and wherein obtaining the second scope of access information comprises;
  
  sending the identity of the client application from the authorization computer system to the second resource server, wherein the second resource server determines the second scope of access information by applying a second policy to the one or more attributes associated with the identity of the client application; and
  
  receiving, from the second resource server at the authorization computer system, the second scope of access information;
  
  generate, a single token that includes the first scope of access information and the second scope of access information; and
  
  send the single token from the authorization computer system to the client application for accessing the first service based on the first scope of access information included in the single token and for accessing the second service based on the second scope of access information included in the single token.
- View Dependent Claims (13, 14)
- - 13. The system of claim 12, wherein the authorization computer system is configured to:
    - receive the first policy information from the first resource server;
      
      store the first policy information in response to receiving the first policy information from the first resource server;
      
      receive the second policy information from the second resource server; and
      
      store the second policy information in response to receiving the second policy information from the second resource server.
  - 14. The system of claim 13, wherein, to obtain the first scope of access information and the second scope of access information, the authorization computer system is configured to:
    - apply the first policy information stored at the authorization computer system to the one or more attributes associated with the identity of the client application; and
      
      apply the second policy information stored at the authorization computer system to the one or more attributes associated with the identity of the client application.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
Oracle International Corporation (Oracle Corporation)
Inventors
Evani, Venkata S., Sondhi, Ajay, Chu, Ching-Wen
Primary Examiner(s)
Leung, Robert
Assistant Examiner(s)
DE JESUS LASSAIA, CARLOS MANUEL

Application Number

US14/266,454
Publication Number

US 20150089569A1
Time in Patent Office

1,161 Days
Field of Search
US Class Current
CPC Class Codes

G06F 2221/2103   Challenge-response

H04L 63/08   for authentication of entit...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/0815   providing single-sign-on or...

H04L 63/0853   using an additional device,...

H04L 63/10   for controlling access to d...

H04L 63/102   Entity profiles

H04L 63/20   for managing network securi...

H04L 63/205   involving negotiation or de...

H04W 12/06   Authentication

Bundled authorization requests

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

134 Citations

14 Claims

Specification

Solutions

Use Cases

Quick Links

Bundled authorization requests

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

134 Citations

14 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links