Bundled authorization requests
First Claim
1. A computer-implemented method comprising:
receiving, at an authorization computer system, from a client application, a token request for access to a first service that is provided by a first resource server and for access to a second service that is provided by a second resource server that is separate from the first resource server;
obtaining, at the authorization computer system, from the first resource server, a first scope of access information for the client application to access the first service identified by the token request, wherein obtaining the first scope of access information comprises:
sending an identity of the client application from the authorization computer system to the first resource server, wherein the first resource server determines the first scope of access information by applying a first policy to one or more attributes associated with the identity of the client application; and
receiving, at the authorization computer system, the first scope of access information from the first resource server;
obtaining, at the authorization computer system, from the second resource server, a second scope of access information for the client application to access the second service identified by the token request, wherein the first scope of access information differs from the second scope of access information, and wherein obtaining the second scope of access information comprises:
sending the identity of the client application from the authorization computer system to the second resource server, wherein the second resource server determines the second scope of access information by applying a second policy to the one or more attributes associated with the identity of the client application; and
receiving, from the second resource server at the authorization computer system, the second scope of access information;
generating, at the authorization computer system, a single token that includes the first scope of access information and the second scope of access information; and
sending the single token from the authorization computer system to the client application for accessing the first service based on the first scope of access information included in the single token and for accessing the second service based on the second scope of access information included in the single token.
1 Assignment
0 Petitions
Abstract
A framework, which conforms to the OAuth standard, involves a generic OAuth authorization server that can be used by multiple resource servers in order to ensure that access to resources stored on those resource servers is limited to access to which the resource owner consents. Each resource server registers, with the OAuth authorization server, metadata for that resource server, indicating scopes that are recognized by the resource server. The OAuth authorization server refers to this metadata when requesting consent from a resource owner on behalf of a client application, so that the consent will be of an appropriate scope. The OAuth authorization server refers to this metadata when constructing an access token to provide to the client application for use in accessing the resources on the resource server. The OAuth authorization server uses this metadata to map issued access tokens to the scopes to which those access tokens grant access.
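The following is an added, runnable illustration of the flow described in claim 1 and in the abstract above; it is written for this page and is not code from the patent or from any product. It assumes two resource servers named "calendar" and "mail", a constructed client directory, two hypothetical policies, a token format of base64 JSON with an HMAC-SHA256 tag, and a signing key shared by the authorization server and both resource servers. All of those are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumption for this example: the AS signs tokens with a symmetric key that the
# resource servers also hold; a real deployment would use asymmetric signing.
SIGNING_KEY = b"example-key-not-for-production"

# Constructed client directory (not from the patent): attributes behind each client identity.
CLIENT_ATTRIBUTES = {
    "partner-app": {"tier": "partner", "email_verified": True},
    "free-app": {"tier": "free", "email_verified": False},
}

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def sign_token(payload):
    """Serialise the payload as <base64 json>.<base64 HMAC-SHA256>."""
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return _b64(body) + "." + _b64(hmac.new(SIGNING_KEY, body, hashlib.sha256).digest())

def verify_token(token, now=None):
    """Return the payload if signature and expiry check out, otherwise None."""
    try:
        body, mac = (base64.urlsafe_b64decode(p + "=" * (-len(p) % 4)) for p in token.split("."))
    except ValueError:  # wrong number of parts or malformed base64
        return None
    if not hmac.compare_digest(mac, hmac.new(SIGNING_KEY, body, hashlib.sha256).digest()):
        return None
    payload = json.loads(body)
    return payload if payload.get("exp", 0) > (time.time() if now is None else now) else None

class ResourceServer:
    """Registers its recognised scopes with the AS; applies its own (hypothetical) policy."""

    def __init__(self, name, recognized_scopes, policy):
        self.name = name
        self.recognized_scopes = frozenset(recognized_scopes)
        self.policy = policy  # callable: client attributes -> set of scopes

    def scope_for(self, client_id):
        # The AS sends only the client's identity; the RS resolves the attributes.
        return set(self.policy(CLIENT_ATTRIBUTES.get(client_id, {})))

    def authorize(self, token, required_scope):
        # Honour only this RS's own audience entry and its own scope list, so a
        # scope granted for another resource server never carries over.
        payload = verify_token(token)
        if payload is None or self.name not in payload.get("aud", []):
            return False
        return required_scope in payload.get("scopes", {}).get(self.name, [])

class AuthorizationServer:
    def __init__(self):
        self.resource_servers = {}  # name -> ResourceServer (registered metadata)

    def register_resource_server(self, rs):
        self.resource_servers[rs.name] = rs

    def issue_token(self, client_id, requested_services, ttl=300):
        """Ask each requested RS for its scope decision; bundle the answers into one token."""
        scopes = {}
        for service in requested_services:
            rs = self.resource_servers[service]  # KeyError: RS never registered
            # Consult the registered metadata so a buggy policy cannot mint an unknown scope.
            granted = rs.scope_for(client_id) & rs.recognized_scopes
            if granted:  # a service that grants nothing stays out of aud too
                scopes[service] = sorted(granted)
        payload = {"sub": client_id, "aud": sorted(scopes), "scopes": scopes,
                   "exp": int(time.time()) + ttl}
        return sign_token(payload)

def calendar_policy(attrs):  # hypothetical first policy: partners may also write
    return {"calendar.read", "calendar.write"} if attrs.get("tier") == "partner" else {"calendar.read"}

def mail_policy(attrs):  # hypothetical second policy: verified clients read, nobody sends
    return {"mail.read"} if attrs.get("email_verified") else set()

def demo():
    auth = AuthorizationServer()
    calendar = ResourceServer("calendar", {"calendar.read", "calendar.write"}, calendar_policy)
    mail = ResourceServer("mail", {"mail.read", "mail.send"}, mail_policy)
    for rs in (calendar, mail):
        auth.register_resource_server(rs)
    token = auth.issue_token("partner-app", ["calendar", "mail"])
    payload = verify_token(token)
    # The client edits its own mail scope, re-encoding the body but keeping the
    # original MAC; the signature check must reject the result.
    forged = {**payload, "scopes": {**payload["scopes"], "mail": ["mail.read", "mail.send"]}}
    forged_body = json.dumps(forged, sort_keys=True, separators=(",", ":")).encode()
    forged_token = _b64(forged_body) + "." + token.split(".")[1]
    return {
        "token": token,
        "scopes": payload["scopes"],
        "calendar_write": calendar.authorize(token, "calendar.write"),
        "mail_send": mail.authorize(token, "mail.send"),
        "cross_rs": mail.authorize(token, "calendar.read"),
        "forged_rejected": not mail.authorize(forged_token, "mail.send"),
        "free_app_scopes": verify_token(auth.issue_token("free-app", ["calendar", "mail"]))["scopes"],
    }
```

Three checks in this example are the ones a practitioner would want to see in any bundled-token design of this kind: the authorization server intersects each resource server's answer with the scope metadata that server registered, each resource server accepts the token only if its own name is in the audience and reads only the scope list recorded under its own name (so "calendar.read" in the token grants nothing at the mail server), and the per-token MAC means a client cannot widen its own scope entry after issuance.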
134 Citations
14 Claims
1. A computer-implemented method comprising: (the full text of independent claim 1 is set out above under First Claim)
Dependent claims: 2, 3, 4, 5, 6, 7, 8
9. A computer-readable memory comprising instructions which, when executed by one or more processors, cause the one or more processors to perform:
receiving, at an authorization computer system, from a client application, a token request for access to a first service that is provided by a first resource server and for access to a second service that is provided by a second resource server that is separate from the first resource server;
obtaining, at the authorization computer system, from the first resource server, a first scope of access information for the client application to access the first service identified by the token request, wherein obtaining the first scope of access information comprises:
sending an identity of the client application from the authorization computer system to the first resource server, wherein the first resource server determines the first scope of access information by applying a first policy to one or more attributes associated with the identity of the client application; and
receiving, at the authorization computer system, the first scope of access information from the first resource server;
obtaining, at the authorization computer system, from the second resource server, a second scope of access information for the client application to access the second service identified by the token request, wherein the first scope of access information differs from the second scope of access information, and wherein obtaining the second scope of access information comprises:
sending the identity of the client application from the authorization computer system to the second resource server, wherein the second resource server determines the second scope of access information by applying a second policy to the one or more attributes associated with the identity of the client application; and
receiving, from the second resource server at the authorization computer system, the second scope of access information;
generating, at the authorization computer system, a single token that includes the first scope of access information and the second scope of access information; and
sending the single token from the authorization computer system to the client application for accessing the first service based on the first scope of access information included in the single token and for accessing the second service based on the second scope of access information included in the single token.
Dependent claims: 10, 11
12. A system comprising:
a first machine that stores a client application; and
a second machine that stores an authorization computer system that is configured to:
receive, from the client application, a token request for access to a first service that is provided by a first resource server and for access to a second service that is provided by a second resource server that is separate from the first resource server;
obtain, from the first resource server, a first scope of access information for the client application to access the first service identified by the token request, wherein obtaining the first scope of access information comprises:
sending an identity of the client application from the authorization computer system to the first resource server, wherein the first resource server determines the first scope of access information by applying a first policy to one or more attributes associated with the identity of the client application; and
receiving, at the authorization computer system, the first scope of access information from the first resource server;
obtain, from the second resource server, a second scope of access information for the client application to access the second service identified by the token request, wherein the first scope of access information differs from the second scope of access information, and wherein obtaining the second scope of access information comprises:
sending the identity of the client application from the authorization computer system to the second resource server, wherein the second resource server determines the second scope of access information by applying a second policy to the one or more attributes associated with the identity of the client application; and
receiving, from the second resource server at the authorization computer system, the second scope of access information;
generate a single token that includes the first scope of access information and the second scope of access information; and
send the single token from the authorization computer system to the client application for accessing the first service based on the first scope of access information included in the single token and for accessing the second service based on the second scope of access information included in the single token.
Dependent claims: 13, 14
Specification