Authority delegation system, method, authentication server system, and storage medium therefor
Abstract
There is provided an authority delegation system capable of issuing, in a case where an identifier of a user is associated with an identifier of a client, authority information indicating that an authority of the user has been delegated to the client without receiving an instruction for authorizing the authority of the user on the service to be delegated to the client.
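The decision flow that the abstract summarises, extended here with the association and client-type conditions recited in claim 1, modelled as an added example (not code from the patent). The class, method and screen names and the client types are hypothetical, and the user is assumed to have already been determined to be the legitimate user by the authentication unit.

```python
from dataclasses import dataclass, field

# Hypothetical labels for the two screens named in the claims.
ASSOC_SCREEN = "association confirmation screen"
AUTHZ_SCREEN = "authorization confirmation screen"


@dataclass
class Decision:
    issued: bool    # was authority information issued to the client?
    screens: tuple  # confirmation screens the user was shown
    silent: bool    # issued without an authorization instruction


@dataclass
class AuthServer:
    # Management unit: user id -> {client id: client type}
    associations: dict = field(default_factory=dict)
    # Authority information already issued, as (user id, client id) pairs
    issued: set = field(default_factory=set)

    def request(self, user, client, ctype, confirm_assoc=False, authorize=False):
        """Handle a delegation request from an already-authenticated user.

        confirm_assoc / authorize are the answers the user would give if the
        corresponding screen is displayed; they are ignored otherwise.
        """
        screens = []
        clients = self.associations.setdefault(user, {})

        if client not in clients:
            if ctype in clients.values():
                # Same type as a client already associated with this user:
                # associate without the association confirmation screen.
                clients[client] = ctype
            else:
                screens.append(ASSOC_SCREEN)
                if confirm_assoc:
                    clients[client] = ctype

        # First determination: has authority information been issued for
        # any client associated with this user?
        first = any((user, c) in self.issued for c in clients)
        # Second determination: is the requesting client associated?
        second = client in clients

        if first and second:
            # Issue without an authorization instruction.
            self.issued.add((user, client))
            return Decision(True, tuple(screens), silent=True)

        screens.append(AUTHZ_SCREEN)
        if authorize:
            self.issued.add((user, client))
        return Decision(authorize, tuple(screens), silent=False)
```

The `silent` flag marks the grants issued with no authorization instruction, which are the ones to record when reviewing a deployment of this design.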
11 Claims
1. An authentication server system capable of communicating with a server system providing a service accessible from a first client and a second client, the authentication server system comprising:
one or more processors; and
at least one memory device storing a program which, when executed by the one or more processors, causes the authentication server system to function as;
an authentication unit configured to determine whether a user is a legitimate user based on authentication information input by the user via an authentication screen displayed on the first client;
an issuance unit configured to issue authority information indicating that authority of the user has been delegated to the first client in a case where the user, determined to be the legitimate user by the authentication unit, provides an instruction for authorizing, under the authority of the user on the service, the first client via an authorization confirmation screen displayed on the first client;
an authorization unit configured to authorize the first client to access the service by the authority of the user based on the authority information transmitted when the first client requests an access to the service;
a management unit configured to manage an identifier of the user determined to be the legitimate user by the authentication unit and an identifier of a client in association with each other;
wherein the legitimate user is a user who has accessed the authentication server system using the second client and has been authenticated based on authentication information input by the user via an authentication screen displayed on the second client, and, after authentication, the legitimate user issues an instruction to associate the legitimate user with the identifier of the second client via a client association confirmation screen,
a first determination unit configured to determine whether the authority information has been issued for any of client identifiers associated with the identifier of the user determined to be the legitimate user by the authentication unit; and
a second determination unit configured to determine whether the identifier of the user determined to be the legitimate user by the authentication unit is associated with the identifier of the second client used by the user
wherein, in a case where the first determination unit determines that the authority information has been issued for the any of client identifiers and the management second determination unit determines that the identifier of the user determined to be the legitimate user by the authentication unit is associated with the identifier of the second client, the issuance unit issues authority information indicating that the authority of the user has been delegated to the second client without receiving an instruction for authorizing the second client on the service,
wherein in a case where the management unit confirms that the second client operated by the user is not associated with the identifier of the user after the user has been determined to be the legitimate user by the authentication unit, the management unit provides an association confirmation screen for inquiring whether to associate the identifier of the user with the identifier of the second client in order to omit an operation for providing the instruction for authorizing the authority of the user on the service to be delegated to the second client, and manages the identifier of the user and the identifier of the second client in association with each other in response to an instruction for associating the identifier of the user with the identifier of the second client instructed via the association confirmation screen, and
wherein the management unit manages the identifier of the user, the identifier of the first client, and a type of the first client in association with one another, and in a case where a type of the second client is same as the type of the first client when the identifier of the user is to be associated with the identifier of the second client, the management unit manages the identifier of the user and the identifier of the second client in association with each other without receiving the instruction for associating the identifier of the user with the identifier of the second client via the association confirmation screen.
Dependent claims: 2, 3, 4, 9
5. A method executed by an authority delegation system including a server system providing a service accessible from a first client and a second client, and an authentication server system, the method comprising:
determining, by an authentication unit, whether a user is a legitimate user based on authentication information input by the user via an authentication screen displayed on the first client;
issuing, by an issuance unit, authority information indicating that authority of the user has been delegated to the first client in a case where the user, determined to be the legitimate user by the authentication unit, provides an instruction for authorizing, under the authority of the user on the service, the first client via an authorization confirmation screen displayed on the first client;
authorizing, by an authorization unit, the first client to access the service by the authority of the user based on the authority information transmitted when the first client requests an access to the service;
managing, by a management unit, an identifier of the user, determined to be the legitimate user by the authentication unit, and an identifier of a client in association with each other;
wherein the legitimate user is a user who has accessed the authentication server system using the second client and has been authenticated based on authentication information input by the user via an authentication screen displayed on the second client, and, after authentication, the legitimate user issues an instruction to associate the legitimate user with the identifier of the second client via a client association confirmation screen,
determining, by a first determination unit, whether the authority information has been issued for any of client identifiers associated with the identifier of the user determined to be the legitimate user by the authentication unit; and
determining, by a second determining unit, whether the identifier of the user determined to be the legitimate user by the authentication unit is associated with the identifier of the second client used by the user
wherein, the issuance unit further issues authority information indicating that the authority of the user has been delegated to the second client without receiving an instruction for authorizing the second client on the service, in a case where the first determination unit determines that the authority information has been issued for the any of client identifiers and the second determination unit determines that the identifier of the user determined to be the legitimate user by the authentication unit is associated with the identifier of the second client,
wherein in a case where the management unit confirms that the second client operated by the user is not associated with the identifier of the user after the user has been determined to be the legitimate user by the authentication unit, the management unit provides an association confirmation screen for inquiring whether to associate the identifier of the user with the identifier of the second client in order to omit an operation for providing the instruction for authorizing the authority of the user on the service to be delegated to the second client, and manages the identifier of the user and the identifier of the second client in association with each other in response to an instruction for associating the identifier of the user with the identifier of the second client instructed via the association confirmation screen, and
wherein the management unit manages the identifier of the user, the identifier of the first client, and a type of the first client in association with one another, and in a case where a type of the second client is same as the type of the first client when the identifier of the user is to be associated with the identifier of the second client, the management unit manages the identifier of the user and the identifier of the second client in association with each other without receiving the instruction for associating the identifier of the user with the identifier of the second client via the association confirmation screen.
Dependent claims: 6, 7, 8
10. A non-transitory computer-readable storage medium storing a program for causing a computer to execute a method in an authentication server system capable of communicating with a server system providing a service accessible from a first client and a second client, the method comprising:
determining, by a authentication unit, whether a user is a legitimate user based on authentication information input by the user via an authentication screen displayed on the first client;
issuing, by an issuance unit, authority information indicating that authority of the user has been delegated to the first client in a case where the user, determined to be the legitimate user, provides an instruction for authorizing, under the authority of the user on the service, the first client via an authorization confirmation screen displayed on the first client;
authorizing, by an authorization unit, the first client to access the service by the authority of the user based on the authority information transmitted when the first client requests an access to the service;
managing, by a management unit, an identifier of the user determined to be the legitimate user and an identifier of a client in association with each other;
wherein the legitimate user is a user who has accessed the authentication server system using the second client and has been authenticated based on authentication information input by the user via an authentication screen displayed on the second client, and, after authentication, the legitimate user issues an instruction to associate the legitimate user with the identifier of the second client via a client association confirmation screen,
determining, by a first determination unit, whether the authority information has been issued for any of client identifiers associated with the identifier of the user determined to be the legitimate user by a authentication unit; and
wherein authority information indicating that the authority of the user has been delegated to the second client is issued without receiving an instruction for authorizing the second client on the service, in a case where the first determination unit determines that the authority information has been issued for the any of client identifiers and a second determination unit determines that the identifier of the user determined to be the legitimate user by the authentication unit is associated with the identifier of the second client,
wherein in a case where the management unit confirms that the second client operated by the user is not associated with the identifier of the user after the user has been determined to be the legitimate user by the authentication unit, the management unit provides an association confirmation screen for inquiring whether to associate the identifier of the user with the identifier of the second client in order to omit an operation for providing the instruction for authorizing the authority of the user on the service to be delegated to the second client, and manages the identifier of the user and the identifier of the second client in association with each other in response to an instruction for associating the identifier of the user with the identifier of the second client instructed via the association confirmation screen, and
wherein the management unit manages the identifier of the user, the identifier of the first client, and a type of the first client in association with one another, and in a case where a type of the second client is same as the type of the first client when the identifier of the user is to be associated with the identifier of the second client, the management unit manages the identifier of the user and the identifier of the second client in association with each other without receiving the instruction for associating the identifier of the user with the identifier of the second client via the association confirmation screen.
11. A system including a first client, a second client and an authentication server system capable of communicating with a server system providing a service accessible from the first client and the second client, the system comprising:
one or more processors; and
at least one memory device storing a program which, when executed by the one or more processors, causes the authentication server system to act as;
an authentication unit configured to determine whether a user is a legitimate user based on authentication information input by the user via an authentication screen displayed on the first client;
an issuance unit configured to issue authority information indicating that authority of the user has been delegated to the first client in a case where the user, determined to be the legitimate user by the authentication unit, provides an instruction for authorizing, under the authority of the user on the service, the first client via an authorization confirmation screen displayed on the first client;
an authorization unit configured to authorize the first client to access the service by the authority of the user based on the authority information transmitted when the first client requests an access to the service;
a management unit configured to manage an identifier of the user determined to be the legitimate user by the authentication unit and an identifier of a client in association with each other;
wherein the legitimate user is a user who has accessed the authentication server system using the second client and has been authenticated based on authentication information input by the user via an authentication screen displayed on the second client, and, after authentication, the legitimate user issues an instruction to associate the legitimate user with the identifier of the second client via a client association confirmation screen,
a first determination unit configured to determine whether the authority information has been issued for any of client identifiers associated with the identifier of the user determined to be the legitimate user by the authentication unit; and
a second determination unit configured to determine whether the identifier of the user determined to be the legitimate user by the authentication unit is associated with the identifier of the second client used by the user
wherein, in a case where the first determination unit determines that the authority information has been issued for the any of client identifiers and the management second determination unit determines that the identifier of the user determined to be the legitimate user by the authentication unit is associated with the identifier of the second client, the issuance unit issues authority information indicating that the authority of the user has been delegated to the second client without receiving an instruction for authorizing the second client on the service,
wherein in a case where the management unit confirms that the second client operated by the user is not associated with the identifier of the user after the user has been determined to be the legitimate user by the authentication unit, the management unit provides an association confirmation screen for inquiring whether to associate the identifier of the user with the identifier of the second client in order to omit an operation for providing the instruction for authorizing the authority of the user on the service to be delegated to the second client, and manages the identifier of the user and the identifier of the second client in association with each other in response to an instruction for associating the identifier of the user with the identifier of the second client instructed via the association confirmation screen, and
wherein the management unit manages the identifier of the user, the identifier of the first client, and a type of the first client in association with one another, and in a case where a type of the second client is same as the type of the first client when the identifier of the user is to be associated with the identifier of the second client, the management unit manages the identifier of the user and the identifier of the second client in association with each other without receiving the instruction for associating the identifier of the user with the identifier of the second client via the association confirmation screen.
Specification