Method and apparatus for sharing server resources using a local group
US-2015365399-A1 · Dec 17, 2015 · US
US10104084B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-10104084-B2 |
| Application number | US-201514942195-A |
| Country | US |
| Kind code | B2 |
| Filing date | Nov 16, 2015 |
| Priority date | Jul 30, 2015 |
| Publication date | Oct 16, 2018 |
| Grant date | Oct 16, 2018 |
Official abstract text for this publication.
Techniques are provided for augmenting the capabilities of the standard OAuth2 authorization framework in such a way as to allow clients to consume the services of multiple resource servers residing in disjoint security domains while requiring only a single one-time user authentication. An access token that provides access to resource services distributed across a plurality of security domains is partitioned into a plurality of reduced-scope access tokens. Each reduced-scope access token is limited to a subset of authorization scopes of the access token, providing access to a resource service in a particular security domain based upon the subset.
Opening claim text (preview).
What is claimed is:

1. A computer-implemented method comprising: requesting, by a client device, an authorization code from an authentication server for a set of authorization scopes, the set of authorization scopes including authorization scopes for a plurality of security domains; receiving, at the client device, the authorization code from the authentication server; sending, to the authentication server, a request for an access token, the request including the authorization code; receiving at the client device the access token, based on the authorization code, from the authentication server, wherein the access token provides access to resource services distributed across a plurality of security domains; deriving, by the client device, a first subset of authorization scopes of the access token, wherein the first subset is limited to a first security domain of the plurality of security domains; responsive to providing the first subset and the access token to the authentication server, receiving, at the client device, a first reduced-scope access token, wherein the first reduced-scope access token provides access to at least one resource service in the first security domain; utilizing, by the client device, the first reduced-scope access token to access the at least one resource service in the first security domain; and responsive to receiving the first reduced-scope access token, transmitting, by the client device, a request to the authorization server for scopes associated with the first reduced-scope access token.

2. The computer-implemented method of claim 1 comprising: deriving a second subset of authorization scopes of the access token, wherein the second subset is limited to a second security domain of the plurality of security domains; responsive to providing the second subset and the access token to the authentication server, receiving a second reduced-scope access token, wherein the second reduced-scope access token provides access to at least one resource service in the second security domain; and utilizing the second reduced-scope access token to access the at least one resource service in the second security domain.

3. The computer-implemented method of claim 1, further comprising: receiving the access token in response to user authentication; and receiving the first reduced-scope access token without additional user authentication.

4. The computer-implemented method of claim 1, wherein the first reduced-scope access token has a same principal and expiration time as the access token.

5. The computer-implemented method of claim 1, further comprising: discarding, by the client device, the access token when one or more requested reduced-scope access tokens have been received.

6. A computer-implemented method comprising: receiving, at an authorization server, a request for an authorization code for a set of authorization scopes, the set of authorization scopes including authorization scopes for a plurality of security domains; sending, to the client, the authorization code; receiving, at the authorization server, a request for an access token, the request including the authorization code; generating, at the authorization server, the access token based on the authorization code, wherein the access token provides access to resource services distributed across a plurality of security domains; sending the access token to the client; receiving, at the authorization server, a request from the client for a first reduced-scope access token, wherein an authorization scope of the first reduced-scope access token is limited to a first subset of authorization scopes of the access token; generating, by the authorization server, the first reduced-scope access token based on the first subset of authorization scopes, wherein the first reduced-scope access token provides access to at least one resource service in a first security domain of the plurality of security domains; sending, to the client, the first reduced-scope access token to the client; and receiving, from the client, a request for scopes associated with the first reduced-scope access token.

7. The computer-implemented method of claim 6, further comprising: receiving another request from the client for a second reduced-scope access token, wherein the authorization scope of the second reduced-scope access token is limited to a second subset of the authorization scopes of the access token; generating the second reduced-scope access token based on the second subset of the authorization scopes, wherein the second reduced-scope access token provides access to at least one resource service in a second security domain of the plurality of security domains; and sending the second reduced-scope access token to the client.

8. The computer-implemented method of claim 6, further comprising: generating the access token in response to user authentication; and generating the first reduced-scope access token based on the access token without additional user authentication.

9. The computer-implemented method of claim 6, wherein the first reduced-scope access token has a same principal and expiration time as the access token.

10. The computer-implemented method of claim 6, further comprising: receiving from a resource server, a request for the first subset of the authorization scopes for the first reduced-scope access token; and sending the first subset of the authorization scopes to the resource server.

11. An apparatus comprising: a network interface unit configured to enable communications over a network; and at least one processor configured to: request an authorization code from an authentication server for a set of authorization scopes, the set of authorization scopes including authorization scopes for a plurality of security domains; receive the authorization code from the authentication server; send, to the authentication server, a request for an access token, the request including the authorization code; receive the access token, based on the authorization code, from the authentication server, wherein the access token provides access to resource services distributed across a plurality of security domains; derive a first subset of authorization scopes of the access token, wherein the first subset is limited to a first security domain of the plurality of security domains; responsive to providing the first subset and the access token to the authentication server, receive a first reduced-scope access token, wherein the first reduced-scope access token provides access to at least one resource service in the first security domain; utilize the first reduced-scope access token to access the at least one resource service in the first security domain; and responsive to receiving the first reduced-scope access token, transmit a request to the authorization server for scopes associated with the first reduced-scope access token.

12. The apparatus of claim 11, wherein the processor is further configured to: derive a second subset of authorization scopes of the access token, wherein the second subset is limited to a second security domain of the plurality of security domains; responsive to providing the second subset and the access token to the authentication server, receive a second reduced-scope access token, wherein the second reduced-scope access token provides access to at least one resource service in the second security domain; and utilize the second reduced-scope access token to access the at least one resource service in the second security domain.

13. The apparatus of claim 11, wherein the processor is further configured to: receive the access
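The claims above describe one flow: a single user authentication yields a broad access token spanning several security domains, and the authorization server then derives per-domain reduced-scope tokens from it that carry the same principal and expiration (claims 4 and 9), need no further user authentication (claims 3 and 8), and whose scopes a resource server can query back from the authorization server (claim 10). The following is an added example written for this page, not code from the patent or its assignee, that models that flow so the least-privilege checks are visible: a reduction must be a non-empty subset of the parent token's scopes and confined to one domain, and a resource server refuses any token, the broad one included, whose scopes reach outside its own domain. The token format (JSON payload plus HMAC-SHA256 tag), the `domain:action` scope naming, and the class and function names are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time


def scope_domain(scope: str) -> str:
    """Scopes are named 'domain:action' (an assumption for this example)."""
    return scope.split(":", 1)[0]


class AuthorizationServer:
    """Issues one broad token after authentication and derives reduced-scope
    tokens from it; the derivation never re-authenticates the user."""

    def __init__(self, signing_key: bytes, token_ttl: int = 3600):
        self._key = signing_key
        self._ttl = token_ttl
        self._codes = {}  # authorization code -> (principal, frozenset of scopes)

    # Constructed token encoding: base64url(JSON payload) + "." + HMAC tag.
    def _encode(self, payload: dict) -> str:
        body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()
        tag = hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()
        return f"{body}.{tag}"

    def _decode(self, token: str) -> dict:
        body, _, tag = token.rpartition(".")
        expected = hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            raise ValueError("bad token signature")
        payload = json.loads(base64.urlsafe_b64decode(body))
        if payload["exp"] <= time.time():
            raise ValueError("token expired")
        return payload

    def issue_authorization_code(self, principal: str, scopes: set) -> str:
        """Step 1-2: after the one user authentication, a code for all requested scopes."""
        code = secrets.token_urlsafe(16)
        self._codes[code] = (principal, frozenset(scopes))
        return code

    def exchange_code(self, code: str) -> str:
        """Step 3-4: the single-use code becomes the broad, multi-domain access token."""
        principal, scopes = self._codes.pop(code)
        payload = {"sub": principal, "scopes": sorted(scopes),
                   "exp": int(time.time()) + self._ttl, "domain": None}
        return self._encode(payload)

    def reduce_scope(self, access_token: str, subset: set) -> str:
        """Step 5-6: derive a token limited to a subset of scopes in one domain."""
        parent = self._decode(access_token)
        subset = frozenset(subset)
        if not subset or not subset <= set(parent["scopes"]):
            raise PermissionError("requested scopes are not a subset of the presented token")
        domains = {scope_domain(s) for s in subset}
        if len(domains) != 1:
            raise PermissionError("a reduced-scope token must be confined to one security domain")
        # Same principal and same expiration as the parent; no new authentication.
        child = {"sub": parent["sub"], "scopes": sorted(subset),
                 "exp": parent["exp"], "domain": domains.pop()}
        return self._encode(child)

    def scopes_of(self, token: str) -> set:
        """The scope query of claims 1 and 10: which scopes a token carries."""
        return set(self._decode(token)["scopes"])


class ResourceServer:
    """A service in one security domain. It asks the authorization server for a
    token's scopes and rejects tokens that are not confined to its own domain."""

    def __init__(self, domain: str, auth_server: AuthorizationServer):
        self.domain = domain
        self._auth = auth_server

    def authorize(self, token: str, required_scope: str) -> bool:
        try:
            scopes = self._auth.scopes_of(token)
        except ValueError:
            return False
        if any(scope_domain(s) != self.domain for s in scopes):
            return False  # broad or foreign-domain token: refuse it outright
        return required_scope in scopes


def demo() -> dict:
    """Runs the whole flow on constructed data and reports each check's outcome."""
    auth = AuthorizationServer(signing_key=b"constructed-demo-key")
    hr, billing = ResourceServer("hr", auth), ResourceServer("billing", auth)
    code = auth.issue_authorization_code("alice", {"hr:read", "hr:write", "billing:read"})
    broad = auth.exchange_code(code)
    hr_token = auth.reduce_scope(broad, {"hr:read"})
    billing_token = auth.reduce_scope(broad, {"billing:read"})
    parent, child = auth._decode(broad), auth._decode(hr_token)
    results = {
        "hr_token_ok_at_hr": hr.authorize(hr_token, "hr:read"),
        "hr_token_lacks_write": hr.authorize(hr_token, "hr:write"),
        "hr_token_rejected_at_billing": billing.authorize(hr_token, "billing:read"),
        "broad_token_rejected_at_hr": hr.authorize(broad, "hr:read"),
        "billing_token_ok": billing.authorize(billing_token, "billing:read"),
        "same_principal_and_expiry": (parent["sub"], parent["exp"]) == (child["sub"], child["exp"]),
    }
    for name, tok, subset in (("cross_domain_reduction_refused", broad, {"hr:read", "billing:read"}),
                              ("escalation_from_child_refused", hr_token, {"hr:write"})):
        try:
            auth.reduce_scope(tok, subset)
            results[name] = False
        except PermissionError:
            results[name] = True
    return results


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The two refusals at the end are the checks a practitioner should look for in any implementation of this scheme: a reduction request that spans two domains is denied, and a reduced token cannot be "reduced" upward into scopes it never had. Because each resource server also rejects the broad token, a client that follows claim 5 and discards the broad token after the reductions leaves nothing in circulation that is valid in more than one domain.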
for authentication of entities (cryptographic mechanisms or cryptographic arrangements for entity authentication H04L9/32) · CPC title
for controlling access to devices or network resources · CPC title
using certificates · CPC title
providing single-sign-on or federations · CPC title
using tickets, e.g. Kerberos (cryptographic mechanisms or cryptographic arrangements for entity authentication using tickets or tokens H04L9/3213) · CPC title