User managed access scope specific obligation policy for authorization
First Claim
1. A method comprising:
sending, from an authorization server module over a communication network to a delegator device, a request for a first delegated authorization grant data set;
receiving, by the authorization server module over a communication network and from the delegator device, the first delegated authorization grant data set, with the first delegated authorization grant data set defining a scope of a first delegated authorization grant from the delegator device to a delegatee entity with respect to a first resource, with the first delegated authorization grant data set including: (i) a first scope variable value having been selected by a delegator entity through a delegation grant scope user interface on the delegator device, and (ii) a scope specific obligation policy;
modifying the first scope variable value by the delegator entity during a lifetime of the first delegated authorization grant, to produce a modified scope of the first delegated authorization grant;
modifying the scope specific obligation policy during the lifetime of the first delegated authorization grant, to produce a modified scope specific obligation policy; and
controlling access to the first resource by the delegatee entity through the communication network in a manner limited by the modified scope of the first delegated authorization grant defined by the first delegated authorization grant data set;
wherein:
the request for a first delegated authorization grant data set includes a first obligation correlation token, and the first delegated authorization grant data set includes the first obligation correlation token.
1 Assignment
0 Petitions
Abstract
A method sends a request for a delegated authorization grant data set and receives a delegated authorization grant data set that defines the scope of the delegated authorization grant with respect to a resource. The delegated authorization grant data set includes a scope variable value that was selected by a delegator entity through a delegation grant scope user interface on the delegator device. Access to the resource is then controlled in a manner limited by the scope of the delegated authorization grant defined by the delegated authorization grant data set.
18 Claims
1. Independent claim; reproduced in full above under First Claim. Dependent claims 2 through 8 are not shown on this page.
9. A computer program product comprising a computer readable storage medium that is not a transitory signal per se having stored thereon:
first program instructions programmed to send, from an authorization server module over a communication network to a delegator device, a request for a first delegated authorization grant data set;
second program instructions programmed to receive, by the authorization server module over a communication network and from the delegator device, the first delegated authorization grant data set, with the first delegated authorization grant data set defining a scope of a first delegated authorization grant from the delegator device to a delegatee entity with respect to a first resource, with the first delegated authorization grant data set including: (i) a first scope variable value having been selected by a delegator entity through a delegation grant scope user interface on the delegator device, and (ii) a scope specific obligation policy;
third program instructions programmed to modify the first scope variable value by the delegator entity during a lifetime of the first delegated authorization grant, to produce a modified scope of the first delegated authorization grant;
fourth program instructions programmed to modify the scope specific obligation policy during the lifetime of the first delegated authorization grant, to produce a modified scope specific obligation policy; and
fifth program instructions programmed to control access to the first resource by the delegatee entity through the communication network in a manner limited by the modified scope of the first delegated authorization grant defined by the first delegated authorization grant data set;
wherein:
the request for a first delegated authorization grant data set includes a first obligation correlation token, and the first delegated authorization grant data set includes the first obligation correlation token.
Dependent claims 10 through 13 are not shown on this page.
14. A computer system comprising:
a processor(s) set; and
a computer readable storage medium that is not a transitory signal per se;
wherein:
the processor set is structured, located, connected or programmed to run program instructions stored on the computer readable storage medium; and
the program instructions include:
first program instructions programmed to send, from an authorization server module over a communication network to a delegator device, a request for a first delegated authorization grant data set,
second program instructions programmed to receive, by the authorization server module over a communication network and from the delegator device, the first delegated authorization grant data set, with the first delegated authorization grant data set defining a scope of a first delegated authorization grant from the delegator device to a delegatee entity with respect to a first resource, with the first delegated authorization grant data set including: (i) a first scope variable value having been selected by a delegator entity through a delegation grant scope user interface on the delegator device, and (ii) a scope specific obligation policy,
third program instructions programmed to modify the first scope variable value by the delegator entity during a lifetime of the first delegated authorization grant, to produce a modified scope of the first delegated authorization grant,
fourth program instructions programmed to modify the scope specific obligation policy during the lifetime of the first delegated authorization grant, to produce a modified scope specific obligation policy, and
fifth program instructions programmed to control access to the first resource by the delegatee entity through the communication network in a manner limited by the modified scope of the first delegated authorization grant defined by the first delegated authorization grant data set;
wherein:
the request for a first delegated authorization grant data set includes a first obligation correlation token, and the first delegated authorization grant data set includes the first obligation correlation token.
Dependent claims 15 through 18 are not shown on this page.
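The three independent claims describe the same exchange: the authorization server sends a request carrying an obligation correlation token, the delegator device returns a grant data set that echoes the token and carries a scope variable value plus a scope-specific obligation policy, both of which the delegator may change during the grant's lifetime, and every access by the delegatee is limited by the scope and policy as currently modified. The following Python model is an added example written for this page; it is not the patent's own implementation, and the data-set layout, the obligation fields (a use cap and a required purpose) and every name in it are assumptions chosen to illustrate the claimed flow. It shows why the correlation token matters to a defender: a grant data set that does not correlate with an outstanding request is rejected, and only the delegator can shrink the scope or tighten the obligation mid-lifetime.

```python
"""Model of a delegated authorization grant with a scope variable value, a
scope-specific obligation policy and an obligation correlation token.
Added example for this page; all names, structures and policy fields are
assumptions, not the patent's own data formats."""
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple


@dataclass
class ObligationPolicy:
    """Assumed shape of a scope-specific obligation policy: a cap on the
    number of accesses and an optional purpose the delegatee must declare."""
    max_uses: int
    required_purpose: Optional[str] = None


@dataclass
class GrantDataSet:
    """Delegated authorization grant data set returned by the delegator device."""
    correlation_token: str        # must echo the token from the server's request
    delegatee: str
    resource: str
    scope: Set[str]               # scope variable value chosen in the delegator UI
    obligation: ObligationPolicy


class DelegatorDevice:
    """Stands in for the delegator's device; `scope` and `policy` passed to
    respond() play the part of selections made in the grant scope UI."""

    def __init__(self, delegator_id: str):
        self.delegator_id = delegator_id

    def respond(self, request: dict, scope: Set[str],
                policy: ObligationPolicy) -> GrantDataSet:
        return GrantDataSet(
            correlation_token=request["obligation_correlation_token"],
            delegatee=request["delegatee"],
            resource=request["resource"],
            scope=set(scope),
            obligation=policy,
        )


class AuthorizationServer:
    def __init__(self) -> None:
        self._pending: Dict[str, Tuple[str, str]] = {}  # token -> (delegatee, resource)
        self._grants: Dict[str, GrantDataSet] = {}
        self._owner: Dict[str, str] = {}                # grant id -> delegator id
        self._uses: Dict[str, int] = {}

    def request_grant(self, device: DelegatorDevice, delegatee: str,
                      resource: str, scope: Set[str],
                      policy: ObligationPolicy) -> str:
        # Each request carries a fresh, unguessable obligation correlation token.
        token = secrets.token_hex(16)
        self._pending[token] = (delegatee, resource)
        request = {"obligation_correlation_token": token,
                   "delegatee": delegatee, "resource": resource}
        return self.accept_grant(device.delegator_id,
                                 device.respond(request, scope, policy))

    def accept_grant(self, delegator_id: str, data: GrantDataSet) -> str:
        # The returned data set is only honoured if its token correlates with an
        # outstanding request for the same delegatee and resource; the token is
        # consumed so a replayed data set cannot create a second grant.
        expected = self._pending.pop(data.correlation_token, None)
        if expected != (data.delegatee, data.resource):
            raise ValueError("grant data set does not correlate with an outstanding request")
        grant_id = secrets.token_hex(8)
        self._grants[grant_id] = data
        self._owner[grant_id] = delegator_id
        self._uses[grant_id] = 0
        return grant_id

    def _require_owner(self, grant_id: str, actor: str) -> None:
        if self._owner.get(grant_id) != actor:
            raise PermissionError("only the delegator may modify this grant")

    def modify_scope(self, grant_id: str, actor: str, new_scope: Set[str]) -> None:
        self._require_owner(grant_id, actor)
        self._grants[grant_id].scope = set(new_scope)

    def modify_obligation(self, grant_id: str, actor: str,
                          policy: ObligationPolicy) -> None:
        # The use counter is deliberately kept, so lowering max_uses takes
        # effect against accesses that already happened.
        self._require_owner(grant_id, actor)
        self._grants[grant_id].obligation = policy

    def check_access(self, grant_id: str, delegatee: str, action: str,
                     purpose: Optional[str] = None) -> bool:
        grant = self._grants.get(grant_id)
        if grant is None or grant.delegatee != delegatee:
            return False
        if action not in grant.scope:                     # limited by (modified) scope
            return False
        ob = grant.obligation                             # limited by (modified) policy
        if ob.required_purpose is not None and purpose != ob.required_purpose:
            return False
        if self._uses[grant_id] >= ob.max_uses:
            return False
        self._uses[grant_id] += 1
        return True


def demo() -> dict:
    """Walk through the claimed lifecycle with constructed sample data."""
    server, alice = AuthorizationServer(), DelegatorDevice("alice")
    gid = server.request_grant(alice, "bob", "photo:42", {"read", "write"},
                               ObligationPolicy(max_uses=5, required_purpose="support"))
    out = {"write_ok": server.check_access(gid, "bob", "write", "support"),
           "write_no_purpose": server.check_access(gid, "bob", "write")}
    server.modify_scope(gid, "alice", {"read"})          # scope shrunk mid-lifetime
    out["write_after_shrink"] = server.check_access(gid, "bob", "write", "support")
    out["read_after_shrink"] = server.check_access(gid, "bob", "read", "support")
    server.modify_obligation(gid, "alice", ObligationPolicy(max_uses=2))
    out["read_after_cap"] = server.check_access(gid, "bob", "read")
    try:
        server.modify_scope(gid, "bob", {"read", "write"})
        out["delegatee_blocked"] = False
    except PermissionError:
        out["delegatee_blocked"] = True
    try:  # constructed forged data set with a token the server never issued
        server.accept_grant("mallory", GrantDataSet("deadbeef", "bob", "photo:42",
                                                    {"read"}, ObligationPolicy(1)))
        out["forged_rejected"] = False
    except ValueError:
        out["forged_rejected"] = True
    return out


if __name__ == "__main__":
    print(demo())
```

Run it with `python3 grant_model.py` (any file name); the dictionary it prints records each decision. Two design choices carry the security weight: the pending-request table is keyed by the correlation token and the entry is consumed on first use, so an unsolicited or replayed grant data set cannot be accepted, and the use counter survives an obligation change, so a delegator tightening the cap after the fact gets the stricter behaviour immediately rather than a reset.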
Specification