User authentication of applications on third-party devices via user devices
US-9628475-B2 · Apr 18, 2017 · US
US9906558B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-9906558-B2 |
| Application number | US-201514748300-A |
| Country | US |
| Kind code | B2 |
| Filing date | Jun 24, 2015 |
| Priority date | Jun 24, 2015 |
| Publication date | Feb 27, 2018 |
| Grant date | Feb 27, 2018 |
Official abstract text for this publication.
A method sends a request for a delegated authorization grant data set and receives a delegated authorization grant data set that defines the scope of the delegated authorization grant with respect to a resource. The delegated authorization grant data set includes a scope variable value that a delegator entity selected through a delegation grant scope user interface on the delegator device. Access to the resource is controlled in a manner limited by the scope of the delegated authorization grant defined by the delegated authorization grant data set.
Opening claim text (preview).
What is claimed is:

1. A method comprising: sending, from an authorization server module over a communication network to a delegator device, a request for a first delegated authorization grant data set; receiving, by the authorization server module over a communication network and from the delegator device, the first delegated authorization grant data set, with the first delegated authorization grant data set defining a scope of a first delegated authorization grant from the delegator device to a delegatee entity with respect to a first resource, with the first delegated authorization grant data set including: (i) a first scope variable value having been selected by a delegator entity through a delegation grant scope user interface on the delegator device, and (ii) a scope specific obligation policy; modifying the first scope variable value by the delegator entity during a lifetime of the first delegated authorization grant, to produce a modified scope of the first delegated authorization grant; modifying the scope specific obligation policy during the lifetime of the first delegated authorization grant, to produce a modified scope specific obligation policy; and controlling access to the first resource by the delegatee entity through the communication network in a manner limited by the modified scope of the first delegated authorization grant defined by the first delegated authorization grant data set; wherein: the request for a first delegated authorization grant data set includes a first obligation correlation token, and the first delegated authorization grant data set includes the first obligation correlation token.

2. The method of claim 1 wherein the sending of the request for the first delegated authorization grant data set occurs at one of the following junctures: (i) before the delegatee seeks initial access to the first resource, (ii) each time the delegatee entity seeks to access the first resource, and (iii) at juncture(s) defined by the first delegation authorization grant.

3. The method of claim 1 wherein the first scope variable value relates to at least one of the following aspects of scope of a delegated authorization grant: (i) whether a password is required; (ii) number of times a password can be used; (iii) time or date limit on access to the first resource; (iv) limit on amount of usage or rate of usage of the first resource; or (v) limit on usage of data derived from access of the resource subject to delegated authorization grant.

4. The method of claim 1 wherein the delegation grant scope user interface is incorporated into a first standard for delegated authorization grants from delegator entities to delegatee entities.

5. The method of claim 4 wherein the first standard is an open source standard.

6. The method of claim 1 further comprising: storing the first delegated authorization grant data set, and the scope specific obligation policy, on the authorization server module.

7. The method of claim 1 further comprising: evaluating, by a policy decision point module, resource owner scope specific obligation policy preferences.

8. The method of claim 1 further comprising: receiving, by an obligation handler agent running on the delegator's device, the request for a first delegated authorization data set.

9. A computer program product comprising a computer readable storage medium that is not a transitory signal per se having stored thereon: first program instructions programmed to send, from an authorization server module over a communication network to a delegator device, a request for a first delegated authorization grant data set; second program instructions programmed to receive, by the authorization server module over a communication network and from the delegator device, the first delegated authorization grant data set, with the first delegated authorization grant data set defining a scope of a first delegated authorization grant from the delegator device to a delegatee entity with respect to a first resource, with the first delegated authorization grant data set including: (i) a first scope variable value having been selected by a delegator entity through a delegation grant scope user interface on the delegator device, and (ii) a scope specific obligation policy; third program instructions programmed to modify the first scope variable value by the delegator entity during a lifetime of the first delegated authorization grant, to produce a modified scope of the first delegated authorization grant; fourth program instructions programmed to modify the scope specific obligation policy during the lifetime of the first delegated authorization grant, to produce a modified scope specific obligation policy; and fifth program instructions programmed to control access to the first resource by the delegatee entity through the communication network in a manner limited by the modified scope of the first delegated authorization grant defined by the first delegated authorization grant data set; wherein: the request for a first delegated authorization grant data set includes a first obligation correlation token, and the first delegated authorization grant data set includes the first obligation correlation token.

10. The product of claim 9 wherein the first program instructions are further programmed to send the request for the first delegated authorization grant data set at one of the following junctures: (i) before the delegatee seeks initial access to the first resource, (ii) each time the delegatee entity seeks to access the first resource, and (iii) at juncture(s) defined by the first delegation authorization grant.

11. The product of claim 9 wherein the first scope variable value relates to at least one of the following aspects of scope of a delegated authorization grant: (i) whether a password is required; (ii) number of times a password can be used; (iii) time or date limit on access to the first resource; (iv) limit on amount of usage or rate of usage of the first resource; or (v) limit on usage of data derived from access of the resource subject to delegated authorization grant.

12. The product of claim 9 wherein the delegation grant scope user interface is incorporated into a first standard for delegated authorization grants from delegator entities to delegatee entities.

13. The product of claim 12 wherein the first standard is an open source standard.

14. A computer system comprising: a processor(s) set; and a computer readable storage medium that is not a transitory signal per se; wherein: the processor set is structured, located, connected or programmed to run program instructions stored on the computer readable storage medium; and the program instructions include: first program instructions programmed to send, from an authorization server module over a communication network to a delegator device, a request for a first delegated authorization grant data set, second program instructions programmed to receive, by the authorization server module over a communication network and from the delegator device, the first delegated authorization grant data set, with the first delegated authorization grant data set defining a scope of a first delegated authorization grant from the delegator device to a delegatee entity with respect to a first resource, with the first delegated authorization grant data set including: (i) a first scope variable value having been selected by a delegator entity through a delegation grant scope user interface on the delegator device, and (ii) a scope specific obligation policy, third program instructions programmed to modify the first scope variable value
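The exchange in claims 1 to 3 (a correlation token carried in the request and echoed in the data set, scope variables chosen by the delegator, scope changed during the grant lifetime, and access limited by the scope in force) modelled as an added Python example; this is not code from the patent or its assignee, and the field names, the scope variable names (`password_required`, `max_uses`, `expires_at`) and the logging obligation are assumptions.

```python
from dataclasses import dataclass
import secrets

@dataclass
class GrantDataSet:
    correlation_token: str   # echoes the obligation correlation token from the request
    scope: dict              # scope variable values picked in the delegation grant scope UI
    obligation_policy: dict  # scope specific obligation policy (e.g. log each access)
    uses: int = 0            # how often the delegatee has used the grant so far

class AuthorizationServer:
    def __init__(self):
        self.pending = {}  # correlation token -> resource id of the outstanding request
        self.grants = {}   # resource id -> GrantDataSet currently in force
        self.audit = []    # records produced when the obligation policy demands logging

    def request_grant(self, resource_id):
        """Ask the delegator device for a grant; the fresh token binds the reply to this request."""
        token = secrets.token_hex(16)
        self.pending[token] = resource_id
        return token

    def receive_grant(self, data_set):
        """Accept a data set only if it carries a token this server actually issued."""
        resource_id = self.pending.pop(data_set.correlation_token, None)
        if resource_id is None:
            return False  # unsolicited or replayed data set: ignore it
        self.grants[resource_id] = data_set
        return True

    def modify_scope(self, resource_id, **changes):
        self.grants[resource_id].scope.update(changes)  # delegator changes scope mid-lifetime

    def check_access(self, resource_id, now, password=None):
        """Decide a delegatee access request against the scope currently in force."""
        grant = self.grants.get(resource_id)
        if grant is None:
            return False
        s = grant.scope
        if s.get("password_required") and not secrets.compare_digest(password or "", s["password"]):
            return False
        if "expires_at" in s and now > s["expires_at"]:
            return False
        if "max_uses" in s and grant.uses >= s["max_uses"]:
            return False
        grant.uses += 1
        if grant.obligation_policy.get("log_access"):
            self.audit.append((resource_id, now))
        return True
```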
for managing network security; network security policies in general (filtering policies H04L63/0227) · CPC title
Entity profiles · CPC title
using one-time-passwords · CPC title