Cross-region trust for a multi-tenant identity cloud service

US11528262B2 · US · B2

Patent metadata
Publication number: US-11528262-B2
Application number: US-202117149163-A
Country: US
Kind code: B2
Filing date: Jan 14, 2021
Priority date: Mar 27, 2018
Publication date: Dec 13, 2022
Grant date: Dec 13, 2022

Abstract

Official abstract text for this publication.

Embodiments of a multi-tenant cloud system include a first data center adapted to authenticate a first plurality of registered clients and located in a first geographic area, and a second data center adapted to authenticate a second plurality of registered clients and located in a second geographic area that is different from the first geographic area. The first data center receives a request from a first client of the first plurality of registered clients to access a resource of the second data center and validates the request from the first client and issues a global access token. The second data center receives the request with the global access token. A cloud gate at the second data center, based on the global access token, validates the request and provides the resource to the first client.

First claim

Opening claim text (preview).

What is claimed is:

1. A method of accessing resources in a multi-tenant cloud system, the method comprising: receiving a request for a second resource from a first client at a first data center adapted to authenticate a first plurality of registered clients and located in a first geographic area, the first data center associated with first resources and the first plurality of registered clients including the first client; determining at the first data center that the second resource is not one of the first resources; issuing a global access token at the first data center, the global access token comprising an OAuth access token with additional token claims comprising a client tenant name, a location identifier and a flag indicating that the OAuth access token is the global access token; wherein the global access token is configured to be received at a second data center adapted to authenticate a second plurality of registered clients and located in a second geographic area that is different from the first geographic area, the second data center associated with second resources, different than the first resources and including the second resource, and wherein the first client is registered in the first data center and is not registered in the second data center; wherein in response to receiving the global access token, the second data center is adapted to validate the request and provide the second resource to the first client.

2. The method of claim 1, wherein the first resources are accessed by invoking a Representational State Transfer (REST) application programming interface (API) that is associated with each of the first resources and the second resources are accessed by invoking the REST API that is associated with each of the second resources.

3. The method of claim 2, the second data center providing the second resource to the first client by invoking the REST API associated with the second resource, wherein the REST APIs associated with the first data center are invokable by the first client without the global access token, and the REST API associated with the second resource is not invokable by the first client without the global access token.

4. The method of claim 1, wherein the issuing the global access token comprises signing the global access token with a global signing key that is stored at the first data center and the second data center.

5. The method of claim 1, wherein the issuing the global access token comprises signing the global access token with a signing key retrieved from a central authority using a first authentication key that is stored only at the first data center.

6. The method of claim 1, wherein the issuing the global access token comprises determining if the first client has a global role.

7. The method of claim 1, the second data center validating the request at a cloud gate and after validating the request the token is consumed by an authorization filter.

8. The method of claim 1, wherein the global access token comprises a JavaScript Object Notation (JSON) format.

9. The method of claim 1, wherein the first data center and the second data center are located on a same control plane.

10. A non-transitory computer-readable medium storing instructions which, when executed by at least one of a plurality of processors, cause the processor to access resources in a multi-tenant cloud system, the accessing comprising: receiving a request for a second resource from a first client at a first data center adapted to authenticate a first plurality of registered clients and located in a first geographic area, the first data center associated with first resources and the first plurality of registered clients including the first client; determining at the first data center that the second resource is not one of the first resources; issuing a global access token at the first data center, the global access token comprising an OAuth access token with additional token claims comprising a client tenant name, a location identifier and a flag indicating that the OAuth access token is the global access token; wherein the global access token is configured to be received at a second data center adapted to authenticate a second plurality of registered clients and located in a second geographic area that is different from the first geographic area, the second data center associated with second resources, different than the first resources and including the second resource, and wherein the first client is registered in the first data center and is not registered in the second data center; wherein in response to receiving the global access token, the second data center is adapted to validate the request and provide the second resource to the first client.

11. The computer-readable medium of claim 10, wherein the first resources are accessed by invoking a Representational State Transfer (REST) application programming interface (API) that is associated with each of the first resources and the second resources are accessed by invoking the REST API that is associated with each of the second resources.

12. The computer-readable medium of claim 11, the second data center providing the second resource to the first client by invoking the REST API associated with the second resource, wherein the REST APIs associated with the first data center are invokable by the first client without the global access token, and the REST API associated with the second resource is not invokable by the first client without the global access token.

13. The computer-readable medium of claim 10, wherein the issuing the global access token comprises signing the global access token with a global signing key that is stored at the first data center and the second data center.

14. The computer-readable medium of claim 10, wherein the issuing the global access token comprises signing the global access token with a signing key retrieved from a central authority using a first authentication key that is stored only at the first data center.

15. The computer-readable medium of claim 10, wherein the issuing the global access token comprises determining if the first client has a global role.

16. The computer-readable medium of claim 10, the second data center validating the request at a cloud gate and after validating the request the token is consumed by an authorization filter.

17. The computer-readable medium of claim 10, wherein the global access token comprises a JavaScript Object Notation (JSON) format.

18. The computer-readable medium of claim 10, wherein the first data center and the second data center are located on a same control plane.

19. A multi-tenant cloud system comprising: a first data center comprising at least one first hardware processor and adapted to authenticate a first plurality of registered clients and located in a first geographic area, the first data center associated with first resources and the first plurality of registered clients including a first client; a second data center comprising at least one second hardware processor and adapted to authenticate a second plurality of registered clients and located in a second geographic area that is different from the first geographic area, the second data center associated with second resources, different than the first resources; the first data center adapted to receive a request for a second resource from the first client and to determine that the second resource is not one of the first resources, the second resources including the second resource and the first client is registered
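The token flow of claims 1, 3, 4 and 7, modelled as an added example that is not code from the patent or from Oracle: the home data center mints an OAuth-style JWT carrying the three extra claims, and the remote data center's cloud gate verifies it before letting an authorization filter consume it. The claim names "tenant", "loc" and "global_token", the HS256 algorithm and the shared key value are assumptions; the patent specifies only that the token is JSON and signed with a key held at both data centers.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumption (claim 4): one signing key is held at both data centers. Constructed value.
GLOBAL_SIGNING_KEY = b"constructed-shared-signing-key"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_global_token(client_id, tenant, location, is_global=True, ttl=300,
                       key=GLOBAL_SIGNING_KEY):
    """Home data center: mint an HS256 JWT with the claim-1 extras (assumed claim names):
    client tenant name "tenant", location identifier "loc", global flag "global_token"."""
    now = int(time.time())
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": client_id, "tenant": tenant, "loc": location,
               "global_token": is_global, "iat": now, "exp": now + ttl}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(payload).encode())
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def cloud_gate_validate(token, key=GLOBAL_SIGNING_KEY, now=None):
    """Remote data center's cloud gate (claim 7). Fails closed: returns the claims only when
    signature, algorithm, expiry and the global flag all check out, otherwise None."""
    try:
        h, p, s = token.split(".")
        expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None
        header = json.loads(_b64url_decode(h))
        claims = json.loads(_b64url_decode(p))
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        return None
    if header.get("alg") != "HS256":  # the verifier fixes the algorithm, never the token
        return None
    now = int(time.time()) if now is None else now
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None
    if claims.get("global_token") is not True:  # a home-region token is refused here (claim 3)
        return None
    if not claims.get("tenant") or not claims.get("loc"):
        return None
    return claims
```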

Assignees

Oracle Int Corp

Inventors

Classifications

  • Restricting access to network management systems or functions, e.g. using authorisation function to access network configuration · CPC title

  • for controlling access to devices or network resources · CPC title

  • H04L63/08 (primary): for authentication of entities (cryptographic mechanisms or cryptographic arrangements for entity authentication H04L9/32) · CPC title

  • using tickets or tokens, e.g. Kerberos (network architectures or network communication protocols for entities authentication using tickets in a packet data network H04L63/0807) · CPC title

  • wherein the data content is protected, e.g. by encrypting or encapsulating the payload · CPC title

Frequently asked questions

Answers are generated from the same data shown on this page.

Who is the assignee on this patent?
Oracle Int Corp
What technology area does this patent fall under?
Primary CPC classification H04L63/08. Mapped technology areas include Electricity.
When was this patent published?
Publication date Dec 13, 2022 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 12 related publications on this page (citations in our corpus or others sharing the same primary CPC).