Bundled authorization requests

US9699170B2 · US · B2

Patent metadata

Publication number: US-9699170-B2
Application number: US-201414266454-A
Country: US
Kind code: B2
Filing date: Apr 30, 2014
Priority date: Sep 29, 2011
Publication date: Jul 4, 2017
Grant date: Jul 4, 2017

Abstract

A framework, which conforms to the OAuth standard, involves a generic OAuth authorization server that can be used by multiple resource servers in order to ensure that access to resources stored on those resource servers is limited to access to which the resource owner consents. Each resource server registers, with the OAuth authorization server, metadata for that resource server, indicating scopes that are recognized by the resource server. The OAuth authorization server refers to this metadata when requesting consent from a resource owner on behalf of a client application, so that the consent will be of an appropriate scope. The OAuth authorization server refers to this metadata when constructing an access token to provide to the client application for use in accessing the resources on the resource server. The OAuth authorization server uses this metadata to map issued access tokens to the scopes to which those access tokens grant access.

First claim

What is claimed is:

1. A computer-implemented method comprising: receiving, at an authorization computer system, from a client application, a token request for access to a first service that is provided by a first resource server and for access to a second service that is provided by a second resource server that is separate from the first resource server; obtaining, at the authorization computer system, from the first resource server, a first scope of access information for the client application to access the first service identified by the token request, wherein obtaining the first scope of access information comprises: sending an identity of the client application from the authorization computer system to the first resource server, wherein the first resource server determines the first scope of access information by applying a first policy to one or more attributes associated with the identity of the client application; and receiving, at the authorization computer system, the first scope of access information from the first resource server; obtaining, at the authorization computer system, from the second resource server, a second scope of access information for the client application to access the second service identified by the token request, wherein the first scope of access information differs from the second scope of access information, and wherein obtaining the second scope of access information comprises: sending the identity of the client application from the authorization computer system to the second resource server, wherein the second resource server determines the second scope of access information by applying a second policy to the one or more attributes associated with the identity of the client application; and receiving, from the second resource server at the authorization computer system, the second scope of access information; generating, at the authorization computer system, a single token that includes the first scope of access information and the second scope of access information; and sending the single token from the authorization computer system to the client application for accessing the first service based on the first scope of access information included in the single token and for accessing the second service based on the second scope of access information included in the single token.

2. The computer-implemented method of claim 1, further comprising: receiving the first policy at the authorization computer system from the first resource server; storing the first policy at the authorization computer system in response to receiving the first policy from the first resource server; receiving the second policy at the authorization computer system from the second resource server; and storing the second policy at the authorization computer system in response to receiving the second policy from the second resource server.

3. The computer-implemented method of claim 2, wherein obtaining the first scope of access information comprises: applying, at the authorization computer system, the first policy stored at the authorization computer system to the one or more attributes associated with the identity of the client application; and wherein obtaining the second scope of access information comprises: applying, at the authorization computer system, the second policy stored at the authorization computer system to the one or more attributes associated with the identity of the client application.

4. The computer-implemented method of claim 1, wherein the first service is resource service, and wherein the second service is a communication service.

5. The computer-implemented method of claim 1, wherein the first scope of access information indicates the client application is permitted to access the first service.

6. The computer-implemented method of claim 1, wherein the second scope of access information indicates the client application is not permitted to access the second service.

7. The computer-implemented method of claim 1, further comprising: selecting, at the authorization computer system, from a plurality of resource servers, the first resource server to provide the first service to the client application; and selecting, at the authorization computer system, from the plurality of resource servers, the second resource server to provide the second service to the client application.

8. The computer-implemented method of claim 1, wherein the first policy indicates a user of the client application is authorized or is not authorized to access a content of the first service provided by the first resource server.

9. A computer-readable memory comprising instructions which, when executed by one or more processors, cause the one or more processors to perform: receiving, at an authorization computer system, from a client application, a token request for access to a first service that is provided by a first resource server and for access to a second service that is provided by a second resource server that is separate from the first resource server; obtaining, at the authorization computer system, from the first resource server, a first scope of access information for the client application to access the first service identified by the token request, wherein obtaining the first scope of access information comprises: sending an identity of the client application from the authorization computer system to the first resource server, wherein the first resource server determines the first scope of access information by applying a first policy to one or more attributes associated with the identity of the client application; and receiving, at the authorization computer system, the first scope of access information from the first resource server; obtaining, at the authorization computer system, from the second resource server, a second scope of access information for the client application to access the second service identified by the token request, wherein the first scope of access information differs from the second scope of access information, and wherein obtaining the second scope of access information comprises: sending the identity of the client application from the authorization computer system to the second resource server, wherein the second resource server determines the second scope of access information by applying a second policy to the one or more attributes associated with the identity of the client application; and receiving, from the second resource server at the authorization computer system, the second scope of access information; generating, at the authorization computer system, a single token that includes the first scope of access information and the second scope of access information; and sending the single token from the authorization computer system to the client application for accessing the first service based on the first scope of access information included in the single token and for accessing the second service based on the second scope of access information included in the single token.

10. The computer-readable memory of claim 9, wherein the instructions, when executed by the one of more processors, further cause the one or more processors to perform: receiving the first policy at the authorization computer system from the first resource server; storing the first policy at the authorization computer system in response to receiving the first policy from the first resource server; receiving the second policy at the authorization computer system from the second resource server; and storing the second policy at the authorization computer system in response to receiving the second policy from the second resource server.

11.
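The flow of claims 1, 5 and 6 in miniature, as an added example that is not code from the patent or from Oracle: an authorization server receives one token request naming two services, asks each resource server to apply its own policy to the client's attributes, and mints a single token carrying both scope entries. The token format (HMAC-signed JSON shared between the authorization server and the resource servers), the client attributes, the policies and the key are all constructed assumptions for the demonstration.

```python
import base64, hashlib, hmac, json

# Constructed sample data: attributes the authorization server holds per client identity.
CLIENT_ATTRIBUTES = {
    "calendar-app": {"tier": "partner", "verified": True},
    "anon-widget": {"tier": "free", "verified": False},
}

class ResourceServer:
    """A resource server that decides scope by applying its own policy."""
    def __init__(self, policy):
        self.policy = policy
    def scope_for(self, attributes):
        # The policy runs here, on the resource server, not on the authorization server.
        return self.policy(attributes)

class AuthorizationServer:
    def __init__(self, key):
        self.key = key
        self.resource_servers = {}  # service name -> ResourceServer
    def register(self, service, resource_server):
        self.resource_servers[service] = resource_server
    def issue_token(self, client_id, services):
        """Collect one scope entry per requested service and mint a single token."""
        scopes = {s: self.resource_servers[s].scope_for(CLIENT_ATTRIBUTES[client_id])
                  for s in services}
        body = base64.urlsafe_b64encode(
            json.dumps({"client_id": client_id, "scopes": scopes}, sort_keys=True).encode()).decode()
        sig = hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()
        return f"{body}.{sig}"
    def verify(self, token):
        """Check the HMAC and return the payload; raises if the token was altered."""
        body, sig = token.rsplit(".", 1)
        expected = hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig, expected):
            raise ValueError("token signature mismatch")
        return json.loads(base64.urlsafe_b64decode(body))

def permitted(auth, token, service, action):
    """What each resource server checks: only its own entry in the bundled scopes."""
    return action in auth.verify(token)["scopes"].get(service, [])

def build_demo_server():
    auth = AuthorizationServer(key=b"demo-shared-key")  # constructed key, not a real secret
    # files service: partners may write, every client may read (claim 5: access permitted)
    auth.register("files", ResourceServer(lambda a: ["read", "write"] if a["tier"] == "partner" else ["read"]))
    # messaging service: unverified clients get no access at all (claim 6: access not permitted)
    auth.register("messaging", ResourceServer(lambda a: ["send"] if a["verified"] else []))
    return auth
```

A resource server only consults its own entry in the bundled scopes, so an empty entry for one service does not affect access to the other.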

Assignees

Oracle Int Corp

Classifications (CPC)

  • H04L63/20 (primary): for managing network security; network security policies in general (filtering policies H04L63/0227)

  • Entity profiles

  • for authentication of entities (cryptographic mechanisms or cryptographic arrangements for entity authentication H04L9/32)

  • using an additional device, e.g. smartcard, SIM or a different communication terminal (cryptographic mechanisms or cryptographic arrangements for entity authentication involving additional secure or trusted devices H04L9/3234)

  • involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved (negotiation of communication capabilities H04L69/24)

Frequently asked questions

Who is the assignee on this patent?
Oracle Int Corp
What technology area does this patent fall under?
Primary CPC classification H04L63/20. Mapped technology areas include Electricity.
When was this patent published?
Publication date Jul 4, 2017 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 12 related publications on this page (citations in our corpus or others sharing the same primary CPC).