Security tokens for a multi-tenant identity and data security management cloud service

US 10,341,410 B2
Filed: 03/27/2017
Issued: 07/02/2019
Est. Priority Date: 05/11/2016
Status: Active Grant

First Claim

Patent Images

1. A non-transitory computer readable medium having instructions stored thereon that, when executed by a processor, cause the processor to provide cloud-based identity and access management service, the providing comprising:

receiving a request from a client for obtaining an access token for a user to access a resource, the user, the client, and the resource each comprising entities of the cloud-based identity and access management service, wherein the client comprises a software application that has registered with the cloud-based identity and access management service;

determining, based on the request, a tenancy of the client, a tenancy of the user, and a tenancy of the resource, wherein each entity of the identity and access management service belongs to one of a plurality of tenancies, and the tenancy of the client, tenancy of the user, and tenancy of the resource are determined from among the plurality of tenancies;

accessing a microservice of the cloud-based identity and access management service based on the request; and

performing an identity management service by the microservice based on the determined tenancies, wherein the identity management service includes generating the access token that identifies the tenancy of the resource, the tenancy of the client, and the tenancy of the user; and

using the generated access token to authenticate the user'"'"'s access to the resource, wherein the user tenancy and resource tenancy are different.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system provides cloud-based identity and access management. The system receives a request from a client for obtaining an access token for a user to access a resource. The system determines, based on the request, a tenancy of the client, a tenancy of the user, and a tenancy of the resource. The system accesses a microservice based on the request, and performs an identity management service by the microservice based on the request, where the identity management service includes generating the access token that identifies the tenancy of the resource and the tenancy of the user.

292 Citations

21 Claims

1. A non-transitory computer readable medium having instructions stored thereon that, when executed by a processor, cause the processor to provide cloud-based identity and access management service, the providing comprising:
- receiving a request from a client for obtaining an access token for a user to access a resource, the user, the client, and the resource each comprising entities of the cloud-based identity and access management service, wherein the client comprises a software application that has registered with the cloud-based identity and access management service;
  
  determining, based on the request, a tenancy of the client, a tenancy of the user, and a tenancy of the resource, wherein each entity of the identity and access management service belongs to one of a plurality of tenancies, and the tenancy of the client, tenancy of the user, and tenancy of the resource are determined from among the plurality of tenancies;
  
  accessing a microservice of the cloud-based identity and access management service based on the request; and
  
  performing an identity management service by the microservice based on the determined tenancies, wherein the identity management service includes generating the access token that identifies the tenancy of the resource, the tenancy of the client, and the tenancy of the user; and
  
  using the generated access token to authenticate the user'"'"'s access to the resource, wherein the user tenancy and resource tenancy are different.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The computer readable medium of claim 1, wherein at least two of the tenancy of the client, the tenancy of the user, and the tenancy of the resource are the same tenancy.
  - 3. The computer readable medium of claim 1, wherein the request includes a client assertion token identifying the tenancy of the client and a user assertion token identifying the tenancy of the user.
  - 4. The computer readable medium of claim 1, wherein a header of the request indicates the tenancy of the resource.
  - 5. The computer readable medium of claim 4, wherein the request is a Hypertext Transfer Protocol (HTTP) request that indicates the tenancy of the resource.
  - 6. The computer readable medium of claim 1, wherein the request indicates an authorization standard for authenticating the user and obtaining the access token.
  - 7. The computer readable medium of claim 6, wherein the authorization standard is OAuth.
  - 8. The computer readable medium of claim 7, wherein the client is an OAuth client.
  - 9. The computer readable medium of claim 1, wherein the token is a JavaScript Object Notation (JSON) Web Token (JWT).
  - 10. The computer readable medium of claim 1, wherein data of the tenancy of the client, the tenancy of the user, and the tenancy of the resource are stored in a database, wherein the database and the microservice are configured to scale independently of one another.
  - 11. The computer readable medium of claim 10, wherein the database comprises a distributed data grid.
  - 12. The computer readable medium of claim 1, wherein the client comprises the software application that submitted the request, the determined tenancy for the client comprises a determined tenancy for the software application that submitted the request, and the tenancy of the client, user, and resource are different from one another.
  - 13. The computer readable medium of claim 1, wherein, when registering with the cloud-based identity and access management service, the client is issued a client ID, and the generated access token includes the client ID.
  - 14. The computer readable medium of claim 1, wherein,the cloud-based identity and access management service includes a plurality of microservices, andthe generated access token is used to secure microservice to microservice communication performed using HTTP requests.
  - 15. The computer readable medium of claim 1, wherein the client registration with the cloud-based identity and access management service identifies an authorization protocol used to authenticate the client.

16. A method of providing cloud-based identity and access management service, comprising:
- receiving a request from a client for obtaining an access token for a user to access a resource, the user, the client, and the resource each comprising entities of the cloud-based identity and access management service, wherein the client comprises a software application that has registered with the cloud-based identity and access management service;
  
  determining, based on the request, a tenancy of the client, a tenancy of the user, and a tenancy of the resource, wherein each entity of the identity and access management service belongs to one of a plurality of tenancies, and the tenancy of the client, tenancy of the user, and tenancy of the resource are determined from among the plurality of tenancies;
  
  accessing a microservice of the cloud-based identity and access management service based on the request; and
  
  performing an identity management service by the microservice based on the determined tenancies, wherein the identity management service includes generating the access token that identifies the tenancy of the resource, the tenancy of the client, and the tenancy of the user; and
  
  using the generated access token to authenticate the user'"'"'s access to the resource, wherein the user tenancy and resource tenancy are different.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The method of claim 16, wherein at least two of the tenancy of the client, the tenancy of the user, and the tenancy of the resource are the same tenancy.
  - 18. The method of claim 16, wherein the request includes a client assertion token identifying the tenancy of the client and a user assertion token identifying the tenancy of the user.
  - 19. The method of claim 16, wherein a header of the request indicates the tenancy of the resource.
  - 20. The method of claim 16, wherein the client comprises the software application that submitted the request, the determined tenancy for the client comprises a determined tenancy for the software application that submitted the request, and the tenancy of the client, user, and resource are different from one another.

21. A system for providing cloud-based identity and access management service, comprising:
- a receiving module that receives a request from a client for obtaining an access token for a user to access a resource, the user, the client, and the resource each comprising entities of the cloud-based identity and access management service, wherein the client comprises a software application that has registered with the cloud-based identity and access management service;
  
  a determining module that determines, based on the request, a tenancy of the client, a tenancy of the user, and a tenancy of the resource, wherein each entity of the identity and access management service belongs to one of a plurality of tenancies, and the tenancy of the client, tenancy of the user, and tenancy of the resource are determined from among the plurality of tenancies;
  
  an accessing module that accesses a microservice of the cloud-based identity and access management service based on the request; and
  
  a performing module of the microservice that, using a hardware processor, performs an identity management service based on the determined tenancies, wherein the identity management service includes generating the access token that identifies the tenancy of the resource, the tenancy of the client, and the tenancy of the user; and
  
  an authentication module that authenticates the user'"'"'s access to the resource, wherein the user tenancy and resource tenancy are different.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
Oracle International Corporation (Oracle Corporation)
Inventors
Lander, Vadim, Sondhi, Ajay
Primary Examiner(s)
Abedin, Shanto
Assistant Examiner(s)
Stoica, Adrian

Application Number

US15/469,718
Publication Number

US 20170331829A1
Time in Patent Office

827 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/33   using certificates

G06F 21/6218   to a system of files or obj...

G06F 2221/2101   Auditing as a secondary aspect

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/0815   providing single-sign-on or...

H04L 67/02   based on web technology, e....

H04L 67/10   in which an application is ...

H04L 67/53   using third party service p...

H04L 67/535   Tracking the activity of th...

H04L 67/56   Provisioning of proxy servi...

Security tokens for a multi-tenant identity and data security management cloud service

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

292 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Security tokens for a multi-tenant identity and data security management cloud service

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

292 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links