Relying party platform/framework for access management infrastructures
US-9043886-B2 · May 26, 2015 · US
US9450963B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-9450963-B2 |
| Application number | US-201514878412-A |
| Country | US |
| Kind code | B2 |
| Filing date | Oct 8, 2015 |
| Priority date | Sep 20, 2013 |
| Publication date | Sep 20, 2016 |
| Grant date | Sep 20, 2016 |
Official abstract text for this publication.
A framework, which conforms to the OAuth standard, involves a generic OAuth authorization server that can be used by multiple resource servers in order to ensure that access to resources stored on those resource servers is limited to access to which the resource owner consents. Each resource server registers, with the OAuth authorization server, metadata for that resource server, indicating scopes that are recognized by the resource server. The OAuth authorization server refers to this metadata when requesting consent from a resource owner on behalf of a client application, so that the consent will be of an appropriate scope. The OAuth authorization server refers to this metadata when constructing an access token to provide to the client application for use in accessing the resources on the resource server. The OAuth authorization server uses this metadata to map issued access tokens to the scopes to which those access tokens grant access.
Opening claim text (preview).
What is claimed is:

1. A method comprising: receiving, at an authorization computing system, a request to access a resource server from a client application that executes in a context of an identity domain of a plurality of identity domains; identifying, at the authorization computing system, a service profile that is applicable only to the identity domain of the plurality of identity domains, wherein the service profile includes information identifying a set of resource servers that the client application is permitted to access in the context of the identity domain; determining, at the authorization computing system and based on the set of resource servers identified by the information in the service profile, whether the client application is permitted to access the resource server in the context of the identity domain, wherein the client application is permitted access to the resource server upon determining that the resource server is included in the set of resource servers; upon determining that the client application is not permitted to access the resource server in the context of the identity domain, denying, at the authorization computing system, the request to access the resource server, wherein denying the request to access the resource server includes blocking communication from the client application to the resource server in the context of the identity domain; and upon determining that the client application is permitted to access the resource server in the context of the identity domain, accessing, at the authorization computing system, the resource server to obtain scope information for the resource server; and generating, at the authorization computing system, based on the scope information obtained from the resource server, a token for the client application to access the resource server.

2. The method of claim 1, wherein the authorization computing system is included in an OAuth authorization server.

3. The method of claim 1, further comprising: receiving, at the authorization computing system, an authentication request to authenticate the client application; and upon receiving the authentication request, selecting, from a plurality of client plug-ins, a client plug-in that is mapped to the identity domain and sending the authentication request to the client plug-in.

4. The method of claim 1, further comprising: identifying, based on the request, a service requested by the client application; and determining, based on the service, the resource server to be accessed by the client application for the service.

5. The method of claim 1, further comprising: determining, using the service profile, a callback uniform resource locator (URL) corresponding to the resource server, wherein accessing the resource server is performed using the callback URL, and wherein the resource server determines the scope information based on an authorization policy associated with the identity domain.

6. The method of claim 1, wherein the scope information indicates one or more operations that are permitted for a service accessing a resource provided by the resource server, and wherein the service is indicated in the request.

7. The method of claim 1, wherein the service profile indicates one or more services that the client application is permitted to access, and wherein the one or more services are provided by the resource server.

8. The method of claim 7, further comprising: determining, using the service profile, that a service indicated in the request by the client application is not included in the one or more services that the client application is permitted to access; and denying the request based on determining that the service is not included in the one or more services.

9. A computing system comprising: one or more hardware processors; and a memory operatively coupled to the one or more hardware processors, the memory storing a set of instructions that, when executed by the one or more hardware processors, causes the one or more hardware processors to: receive a request to access a resource server from a client application that executes in a context of an identity domain of a plurality of identity domains; identify a service profile that is applicable only to the identity domain of the plurality of identity domains, wherein the service profile includes information identifying a set of resource servers that the client application is permitted to access in the context of the identity domain; determine, based on the set of resource servers identified by the information in the service profile, whether the client application is permitted to access the resource server in the context of the identity domain, wherein the client application is permitted access to the resource server upon determining that the resource server is included in the set of resource servers; upon determining that the client application is not permitted to access the resource server in the context of the identity domain, deny the request to access the resource server, wherein denying the request to access the resource server includes blocking communication from the client application to the resource server in the context of the identity domain; and upon determining that the client application is permitted to access the resource server in the context of the identity domain, access the resource server to obtain scope information for the resource server; and generate, based on the scope information obtained from the resource server, a token for the client application to access the resource server.

10. The computing system of claim 9, wherein the one or more hardware processors and the memory are included in an OAuth authorization server.

11. The computing system of claim 9, wherein the set of instructions, when executed by the one or more hardware processors, further causes the one or more hardware processors to: receive an authentication request to authenticate the client application; and upon receiving the authentication request, select, from a plurality of client plug-ins, a client plug-in that is mapped to the identity domain and send the authentication request to the client plug-in.

12. The computing system of claim 9, wherein the set of instructions, when executed by the one or more hardware processors, further causes the one or more hardware processors to: identify, based on the request, a service requested by the client application; and determine, based on the service, the resource server to be accessed by the client application for the service.

13. The computing system of claim 9, wherein the set of instructions, when executed by the one or more hardware processors, further causes the one or more hardware processors to: determine, using the service profile, a callback uniform resource locator (URL) corresponding to the resource server, wherein accessing the resource server is performed using the callback URL, and wherein the resource server determines the scope information based on an authorization policy associated with the identity domain.

14. The computing system of claim 9, wherein the scope information indicates one or more operations that are permitted for a service accessing a resource provided by the resource server, and wherein the service is indicated in the request.

15. The computing system of claim 9, wherein the service profile indicates one or more services that the client application is permitted to access, and wherein the one or more services are provided by the resource server.

16. The computing system of claim 15, wherein the set of instructions, when executed by the
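The authorization decision described in claims 1, 4, 5 and 8, as an added illustration written for this page rather than code from the patent holder: a per-identity-domain service profile is consulted before any resource server is contacted, a request outside the profile is denied, and only then are domain-specific scopes fetched and placed in the token. All domain names, profiles, callback URLs and scope tables below are constructed.

```python
import secrets
from dataclasses import dataclass

@dataclass
class ServiceProfile:
    """One profile per identity domain (constructed sample data)."""
    resource_servers: set   # resource servers the domain's clients may reach
    services: dict          # service name -> resource server providing it
    callback_urls: dict     # resource server -> URL used for scope lookup

PROFILES = {
    "acme": ServiceProfile({"cal-rs", "mail-rs"},
                           {"calendar": "cal-rs", "mail": "mail-rs"},
                           {"cal-rs": "https://cal.example/scopes",
                            "mail-rs": "https://mail.example/scopes"}),
    "globex": ServiceProfile({"cal-rs"}, {"calendar": "cal-rs"},
                             {"cal-rs": "https://cal.example/scopes"}),
}

# Stand-in for each resource server's scope endpoint: the scopes it grants
# depend on the requesting identity domain's authorization policy (claim 5).
RS_POLICY = {
    ("cal-rs", "acme"): ["calendar.read", "calendar.write"],
    ("cal-rs", "globex"): ["calendar.read"],
    ("mail-rs", "acme"): ["mail.read"],
}

def fetch_scopes(callback_url, resource_server, domain):
    # A real server would call callback_url; here we consult constructed data.
    return RS_POLICY.get((resource_server, domain), [])

def authorize(domain, service, resource_server):
    """Return ('allow', token) or ('deny', reason). The resource server is
    never contacted until the profile checks pass, so a client cannot use
    the authorization server to probe servers outside its own domain."""
    profile = PROFILES.get(domain)
    if profile is None:
        return "deny", "no service profile for identity domain"
    if service not in profile.services:                   # claim 8
        return "deny", f"service {service!r} not permitted in {domain!r}"
    if resource_server not in profile.resource_servers:   # claim 1
        return "deny", f"{resource_server!r} not in profile for {domain!r}"
    if profile.services[service] != resource_server:      # claim 4
        return "deny", f"{service!r} is not provided by {resource_server!r}"
    scopes = fetch_scopes(profile.callback_urls[resource_server],
                          resource_server, domain)
    if not scopes:
        return "deny", "resource server grants no scopes for this domain"
    token = {"id": secrets.token_urlsafe(16), "domain": domain,
             "aud": resource_server, "scope": " ".join(scopes)}
    return "allow", token
```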
CPC classification titles:
for controlling access to devices or network resources
providing single-sign-on or federations
using an additional device, e.g. smartcard, SIM or a different communication terminal (cryptographic mechanisms or cryptographic arrangements for entity authentication involving additional secure or trusted devices H04L9/3234)
for authentication of entities (cryptographic mechanisms or cryptographic arrangements for entity authentication H04L9/32)
for managing network security; network security policies in general (filtering policies H04L63/0227)