JP2014102561A - Communication device, communication system, information processing method, and program - Google Patents

Abstract

PROBLEM TO BE SOLVED: To enable a communication device to easily and safely transfer its access right to another communication device.SOLUTION: A communication device comprises: acquisition means which acquires token acquisition information for acquiring a token that indicates an access right to a resource of which access right is managed by authorization service, from the authorization service; determination means which determines whether communication with another device is temporary communication; and transmission means which transmits the token acquisition information acquired by the acquisition means to the other device when the determination means determines that the communication with the other device is not temporary communication.

Description

  The present invention relates to a communication device, a communication system, an information processing method, and a program.

In recent years, there are mobile phones and digital cameras having a function of accessing external services such as content sharing services and communication services on the Internet. By using these communication devices, a user can upload captured image content to a photo sharing service or send a message to a friend. Normally, these external services manage access authority to resources such as contents and files on the external services in cooperation with the authorization service.
In authorization services, the use of the OAuth protocol for the purpose of managing access rights is increasing. In OAuth, the communication apparatus first acquires an access token indicating an access right to a desired resource and a refresh token for updating the access token from the authorization service. Thereafter, when requesting acquisition of a desired resource from an external service, the communication device also presents the access token acquired from the authorization service. The external service transmits the requested resource to the communication device only when the access token is valid. If the access token expires, the communication device can update the access token by presenting the refresh token to the authorization service.

On the other hand, when a user's access authority is delegated to a third party using an authentication ticket and the third party succeeds in user authentication for the authorization service, the third party can use the delegated access authority. Has been proposed (see Patent Document 1).
By using these methods, the user can share and enjoy the resource with the family and friends by delegating the access authority to the resource of the user of the external service to the family and friends.

JP 2006-221506 A

  However, in the conventional technology, it is impossible to change the validity period of access authority delegation and the range of access authority in accordance with the communication connection relationship between the user communication apparatus and the friend communication apparatus. Therefore, even if the communication connection with the friend's communication device is temporary and the user's access authority is to be temporarily transferred to the friend, the user must explicitly specify the expiration date and the range of access authority. As a result, user convenience has been impaired. In addition, there is a possibility that the user mistakenly designates the permanent delegation of access authority, resulting in a security risk.

  The present invention has been made in view of such problems, and an object of the present invention is to make it possible to delegate access authority to other communication devices easily and safely.

  Therefore, the present invention provides communication between an acquisition unit for acquiring token acquisition information used when acquiring a token indicating an access right for a resource whose access right is managed by the authorization service, and communication with another device from the authorization service. Determining means for determining whether or not communication with the other apparatus is not temporary by the determining means, the token acquisition information acquired by the acquiring means is used as the other apparatus. And transmitting means for transmitting to.

  According to the present invention, it is possible to delegate access authority to other communication devices easily and safely.

It is a figure which shows an example of the system configuration | structure of a communication system. It is a figure which shows an example of the hardware constitutions of a 1st communication apparatus. It is a figure which shows an example of a functional module structure of a 1st communication apparatus. It is a figure which shows an example of the data structure of a radio | wireless parameter. FIG. 10 is a sequence diagram illustrating an example of information processing when the first communication device establishes a wireless communication connection with the second communication device. It is a sequence diagram which shows an example of the information processing at the time of a 1st communication apparatus transmitting a 2nd access token to a 2nd communication apparatus. It is a sequence diagram which shows an example of the information processing at the time of a 1st communication apparatus transmitting a 1st access token to a 2nd communication apparatus. It is a sequence diagram which shows an example of the information processing at the time of a 2nd communication apparatus acquiring a 1st resource. It is a sequence diagram which shows an example of the information processing at the time of a 1st communication apparatus invalidating a 1st access token. It is a flowchart which shows the procedure of the operation | movement which a 1st communication apparatus transmits an access token or an authorization code. It is a flowchart which shows the procedure of the operation | movement in which a 2nd communication apparatus acquires a resource. It is a flowchart which shows the procedure of the operation | movement in which a 1st communication apparatus invalidates an access token. 3 is a diagram illustrating an example of an authorization request that the first communication device transmits to the authorization service 50. FIG. 4 is a diagram illustrating an example of an authorization response received by the first communication device from an authorization service 50. FIG. 3 is a diagram illustrating an example of an access token request transmitted from the first communication apparatus to an authorization service 50. FIG. 4 is a diagram illustrating an example of an access token response received from the authorization service 50 by the first communication device. FIG. It is a figure which shows the example of the access token update request which a 2nd communication apparatus transmits to the authorization service. 6 is a diagram illustrating an example of an access token update response received from the authorization service 50 by the second communication device. FIG. 4 is a diagram illustrating an example of an access token invalid request transmitted from the first communication device to an authorization service 50. FIG. 6 is a diagram illustrating an example of an access token invalid response received from the authorization service 50 by the first communication device. FIG.

  Hereinafter, embodiments of the present invention will be described with reference to the drawings.

<First Embodiment>
FIG. 1 is a diagram illustrating an example of a system configuration of a communication system.
The first communication device 10 has a display function, an operation function, and a wireless LAN (Local Area Network) communication function conforming to IEEE 802.11. More specific examples of the first communication device 10 are a digital camera, a digital video camera, a mobile phone, a smartphone, a PC, a notebook PC, and the like. In the present embodiment, the wireless LAN communication function is used. However, the present invention is not limited to this, and other wireless communication standards such as Bluetooth (registered trademark), ZigBee (registered trademark), and RFID may be used.
The second communication device 20 is the same as the first communication device 10.

In the present embodiment, the first communication device 10 and the second communication device 20 communicate with each other. Although the communication method is not particularly limited, in the present embodiment, the first communication device 10 and the second communication device 20 are connected via a P2P group in accordance with Wi-Fi Direct. In place of Wi-Fi Direct, WPS (Wi-Fi Protected Setup), WPSE (WPS Extension), ad hoc connection, or the like can be used.
The wireless AP 30 is a wireless access point that relays wireless LAN communication in the first communication device 10 and the second communication device 20.
The network 40 is a network to which the wireless AP 30, the authorization service 50, and the external service 60 are connected. More specific examples of the network 40 are a wired LAN, a wireless LAN, a WAN (Wide Area Network), the Internet, and the like.
The authorization service 50 manages the access authority to the first resource on the external service 60 in accordance with OAuth 2.0. In this embodiment, OAuth 2.0 is used. However, the present invention is not limited to this, and an authorization standard such as OAuth 1.0, OpenID Connect, or a unique authorization method may be used.
The external service 60 manages the first resource owned by the first user who uses the first communication device 10.

Next, components of the communication system will be described in detail.
FIG. 2 is a diagram illustrating an example of a hardware configuration of the first communication device 10. Note that since the second communication device 20 has the same configuration as the first communication device 10, only the first communication device 10 will be described below.
The first communication device 10 includes a CPU (Central Processing Unit) 201, a ROM (Read Only Memory) 202, a RAM (Random Access Memory) 203, and an auxiliary storage device 204. The first communication device 10 includes a display unit 205, an operation unit 206, a communication unit 207, and an antenna 208.
The CPU 201 controls the entire first communication device 10.
The ROM 202 stores programs and parameters that do not need to be changed.
The RAM 203 temporarily stores programs and data supplied from the auxiliary storage device 204 or the like.

The auxiliary storage device 204 stores programs, setting data such as wireless parameters, and content data such as images and moving images. For example, examples of the auxiliary storage device 204 include a memory card and a hard disk.
The display unit 205 displays a GUI (Graphical User Interface) for the first user to operate the first communication device 10. The display unit 205 displays the authorization approval screen acquired from the authorization service 50.
The operation unit 206 is an input interface for the first user to operate the first communication device 10.
The communication unit 207 controls the antenna 208 to communicate with the wireless AP 30 or the second communication device 20.
When the CPU 201 executes processing based on a program stored in the ROM 202 or the auxiliary storage device 204, processing relating to the configuration of functional modules, a flowchart, and a sequence described later is realized.

FIG. 3 is a diagram illustrating an example of a functional module configuration of the first communication device 10. Note that since the second communication device 20 has the same configuration as the first communication device 10, only the first communication device 10 will be described below.
The first communication device 10 includes a control unit 301, a communication control unit 302, a display control unit 303, an operation control unit 304, a storage control unit 305, a wireless parameter management unit 306, a communication determination unit 307, An authority management unit 308 and an authorization code acquisition unit 309 are provided. In addition, the first communication device 10 includes an authorization code transmission unit 310, a transmission determination unit 311, a token acquisition unit 312, a token transmission unit 313, an invalidity determination unit 314, a token invalidation unit 315, and a token update unit. 316 and a resource acquisition unit 317.
The control unit 301 controls the entire individual functional modules included in the first communication device 10.
The communication control unit 302 controls the communication unit 207 and performs communication control with the wireless AP 30 or the second communication device 20. In the present embodiment, the communication control unit 302 performs communication control with the second communication device 20 according to a Wi-Fi Direct push button method.

The display control unit 303 controls the display unit 205 to perform GUI display control in the first communication device 10. In addition, the display control unit 303 performs display control of the authorization approval screen acquired from the authorization service 50.
The operation control unit 304 controls the operation unit 206 to perform operation input control from the first user in the first communication device 10.
The storage control unit 305 controls the auxiliary storage device 204 and stores image content data and moving image content data.
The wireless parameter management unit 306 manages the wireless parameter 11 used for wireless communication in the communication control unit 302. The wireless parameter management unit 306 manages, as wireless parameters, SSID 401, an encryption method 402, an encryption key 403, and Wi-Fi Direct information 404 shown in FIG. 4 to be described later as information necessary for Wi-Fi Direct. The wireless parameter management unit 306 stores the wireless parameter 11 acquired from the second communication device 20 using the storage control unit 305 during wireless communication with the second communication device 20.

The communication determination unit 307 determines whether wireless communication with the second communication device 20 is temporary. In the present embodiment, that wireless communication is temporary means that processing from connection to disconnection in the wireless communication between the first communication device 10 and the second communication device 20 is performed only once or several times. Or do it only for a limited time. On the other hand, in the present embodiment, the fact that wireless communication is not temporary means that processing from connection to disconnection in wireless communication between the first communication device 10 and the second communication device 20 is not limited in number. It is assumed to be carried out or to be carried out without limiting time.
Further, the communication determination unit 307 refers to the group form described in the Wi-Fi Direct information 404, and when the group form is temporary, wireless communication with the second communication device 20 is temporary. Judge. On the other hand, the communication determination unit 307 determines that the wireless communication with the second communication device 20 is not temporary when the group form is permanent.
The communication determination unit 307 further determines whether or not to continue the wireless communication with the second communication device 20 after determining that the wireless communication with the second communication device 20 is not temporary. In the present embodiment, the communication determination unit 307 performs wireless communication with the second communication device 20 when the wireless parameter management unit 306 deletes the wireless parameter 11 used for wireless communication with the second communication device 20. Is determined not to continue.

The authority management unit 308 receives from the second communication apparatus 20 a request for delegating access authority to the first resource on the external service 60. Conversely, the authority management unit 308 requests the second communication apparatus 20 to delegate authority to access the second resource on the external service 60.
The authorization code acquisition unit 309 requests the authorization service 50 to authorize access authority for the first resource. In the present embodiment, the authorization code acquisition unit 309 transmits an authorization request based on OAuth 2.0 to the authorization service 50. Then, the authorization code acquisition unit 309 receives an authorization response based on OAuth 2.0 from the authorization service 50 as a response to the authorization request. The authorization response includes an authorization code necessary for obtaining an access token and a refresh token. The authorization code is an example of token acquisition information.
The access token is information indicating the access authority for the first resource. An access token is an example of a token.
The refresh token is information necessary for updating the access token when the access token expires. The refresh token is an example of token acquisition information.
In the authorization request to the authorization service 50, the authorization code acquisition unit 309 specifies a client identifier indicating the communication device registered in the authorization service 50 as a parameter. In the present embodiment, when the authorization code acquisition unit 309 specifies the first client identifier indicating the first communication device 10 and requests the first authorization, the authorization code acquisition unit 309 receives the authorization service 50 from the authorization service 50. Obtain a first authorization code. Similarly, when the authorization code acquisition unit 309 specifies the second client identifier indicating the second communication device 20 and requests the second authorization, the authorization code acquisition unit 309 receives the second request from the authorization service 50. Get the authorization code.

The authorization code transmission unit 310 transmits the authorization code acquired by the authorization code acquisition unit 309 to the second communication device 20.
The transmission determination unit 311 determines whether to transmit an access token, a refresh token, or an authorization code to the second communication device 20. In the present embodiment, when the transmission determining unit 311 determines that the wireless communication with the second communication device 20 is temporary by the communication determining unit 307, the transmission determining unit 311 makes a first access to the second communication device 20. It is determined that a token is transmitted. On the other hand, when the communication determining unit 307 determines that the wireless communication with the second communication device 20 is not temporary, the transmission determining unit 311 transmits the second authorization code to the second communication device 20. Judge that.
Not limited to this, the transmission determination unit 311 gives the second access token and the second refresh token to the second communication device 20 when the wireless communication with the second communication device 20 is not temporary. You may judge that it transmits.

The token acquisition unit 312 acquires an access token and a refresh token from the authorization service 50. In the present embodiment, the token acquisition unit 312 transmits an access token request based on OAuth 2.0 to the authorization service 50. The token acquisition unit 312 receives an access token response based on OAuth 2.0 from the authorization service 50 as a response to the access token request. The access token response includes an access token, a refresh token, a token type, and an access token expiration date.
Further, when transmitting the access token request, the token acquiring unit 312 specifies the authorization code acquired by the authorization code acquiring unit 309 and the client identifier specified when acquiring the authorization code as parameters. In the access token request, when the token acquisition unit 312 specifies the first authorization code, the token acquisition unit 312 acquires the first access token and the first refresh token from the authorization service 50. Similarly, when the token acquisition unit 312 specifies the second authorization code, the token acquisition unit 312 acquires the second access token and the second refresh token from the authorization service 50. In the present embodiment, it is assumed that the first access token and the second access token have the same expiration date and range of access authority.

The token transmission unit 313 transmits the access token acquired by the token acquisition unit 312 and / or the refresh token to the second communication device 20.
The invalidity determination unit 314 determines whether to invalidate the access token, the refresh token, or the authorization code. In this embodiment, when the communication determination unit 307 determines that the wireless communication with the second communication device 20 is not continued, the invalidity determination unit 314 invalidates the access token, the refresh token, or the authorization code. Judge that.
The token invalidation unit 315 requests the authorization service 50 to invalidate the access token or the refresh token. In the present embodiment, the token invalidation unit 315 transmits an access token invalidation request based on OAuth 2.0 to the authorization service 50.
Further, the token invalidation unit 315 designates the same client identifier designated by the authorization code acquisition unit 309 or the token acquisition unit 312 when invalidating the access token or the refresh token.
In this embodiment, the token invalidation unit 315 invalidates the access token or the refresh token for the authorization service 50. However, the present invention is not limited to this, and the authorization code may be invalidated.

When the access token expires, the token update unit 316 acquires the updated access token from the authorization service 50 based on the corresponding refresh token. In the present embodiment, the token update unit 316 transmits an access token update request based on OAuth 2.0 to the authorization service 50. When transmitting the access token update request, the token update unit 316 passes the refresh token as a parameter. Then, the token update unit 316 receives an access token update response based on OAuth 2.0 as a response to the access token update request from the authorization service 50. The access token update response includes the updated access token, refresh token, token type, and access token expiration date.
Note that when updating the access token, the token update unit 316 specifies the same client identifier specified when the token acquisition unit 312 acquires the access token.
The resource acquisition unit 317 acquires the first resource from the external service 60. In the present embodiment, the resource acquisition unit 317 specifies the first access token or the second access token when transmitting the acquisition request for the first resource to the external service 60.

FIG. 4 is a diagram illustrating an example of a data configuration of the wireless parameter 11.
The SSID 401 is an identifier related to wireless communication indicating the first communication device 10, the second communication device 20, or the wireless AP 30.
The encryption method 402 is information indicating an encrypted communication method.
The encryption key 403 is key information for performing encrypted communication.
The Wi-Fi Direct information 404 is information necessary for wireless communication connection by Wi-Fi Direct. More specifically, the group type type (temporary or permanent), P2P group ID, or the like.

FIG. 5 is a sequence diagram illustrating an example of information processing when the first communication device 10 establishes wireless communication connection with the second communication device 20. Note that the wireless parameter 11 in FIG. 5 is actually stored in the auxiliary storage device 204 in the first communication device 10.
In M501, the first communication apparatus 10 uses the operation control unit 304 to detect a Wi-Fi Direct push button method wireless connection start instruction by the user.
In M502, the second communication device 20 uses the operation control unit 304 to detect a Wi-Fi Direct push button method wireless connection start instruction by the user.
In M503, the first communication device 10 uses the communication control unit 302 to find the second communication device 20.
In M504, the first communication device 10 exchanges the wireless parameter 11 by Wi-Fi Direct with the second communication device 20 by the communication control unit 302.
In M505, the first communication device 10 establishes a wireless communication connection by Wi-Fi Direct with the second communication device 20 using the wireless parameter 11 acquired from the second communication device 20 by the communication control unit 302. To do.
In M506, the first communication device 10 stores the wireless parameter 11 acquired from the second communication device 20 by the wireless parameter management unit 306.

FIG. 6 is a sequence diagram illustrating an example of information processing when the first communication device 10 transmits the second access token to the second communication device 20. In the present embodiment, FIG. 6 assumes a case where the wireless communication between the first communication device 10 and the second communication device 20 is not temporary.
In M <b> 601, the second communication device 20 requests the first communication device 10 to delegate access authority to the first resource on the external service 60 by the authority management unit 308.
In M602, the first communication device 10 uses the transmission determination unit 311 to determine whether to transmit the first access token or the second authorization code to the second communication device 20. In the present embodiment, the transmission determination unit 311 determines that wireless communication with the second communication device 20 is not temporary, and determines that the second authorization code is transmitted to the second communication device 20.
In M603, the first communication device 10 designates the second client identifier to the authorization service 50 by the authorization code acquisition unit 309 and sets the second access authority to the first resource on the external service 60. Request authorization.

In M604, the authorization service 50 requests the second authorization approval from the first communication device 10.
In M605, the first communication device 10 permits the second authorization approval to the authorization service 50.
In M606, the authorization service 50 transmits the second authorization code to the first communication device 10.
In M607, the first communication device 10 transmits the second authorization code acquired from the authorization service 50 in M606 to the second communication device 20 by the authorization code transmission unit 310. On the other hand, the second communication device 20 receives the second authorization code from the first communication device 10 by the authorization code acquisition unit 309.
In M608, the second communication apparatus 20 requests the second access token by specifying the second authorization code and the second client identifier to the authorization service 50 by the token acquisition unit 312.
In M609, the authorization service 50 transmits the second access token and the second refresh token based on the second authorization code to the second communication device 20.

FIG. 7 is a sequence diagram illustrating an example of information processing when the first communication device 10 transmits the first access token to the second communication device 20. In the present embodiment, FIG. 7 assumes a case where the wireless communication between the first communication device 10 and the second communication device 20 is temporary.
In M <b> 701, the second communication device 20 requests the first communication device 10 to delegate the authority to access the first resource on the external service 60 by the authority management unit 308.
In M702, the first communication device 10 uses the transmission determination unit 311 to determine whether to transmit the first access token or the second authorization code to the second communication device 20. In the present embodiment, the transmission determination unit 311 determines that wireless communication with the second communication device 20 is temporary, and determines that the first access token is transmitted to the second communication device 20. .
In M703, the first communication device 10 designates the first client identifier to the authorization service 50 by the authorization code acquisition unit 309, and the first access authority to the first resource on the external service 60 is designated. Request authorization.

In M704, the authorization service 50 requests the first authorization approval from the first communication device 10.
In M705, the first communication device 10 permits the first authorization approval to the authorization service 50.
In M706, the authorization service 50 transmits the first authorization code to the first communication device 10.
In M707, the first communication device 10 requests the first access token by specifying the first authorization code and the first client identifier to the authorization service 50 by the token acquisition unit 312.
In M708, the authorization service 50 transmits the first access token and the first refresh token based on the first authorization code to the first communication apparatus 10.
In M709, the first communication device 10 transmits the first access token acquired from the authorization service 50 in M708 to the second communication device 20 by the token transmission unit 313. On the other hand, the second communication device 20 receives the first access token from the first communication device 10 by the token acquisition unit 312.

FIG. 8 is a sequence diagram illustrating an example of information processing when the second communication device 20 acquires the first resource. In the present embodiment, it is assumed that the second communication device 20 in FIG. 8 has acquired the second access token and the second refresh token as shown in FIG. Furthermore, it is assumed that the second access token in FIG. 8 has expired.
In M801, the second communication device 20 uses the resource acquisition unit 317 to specify the second access token to the external service 60 and request acquisition of the first resource.
In M802, the external service 60 notifies the second communication device 20 that the expiration date of the second access token has expired.

In M803, the second communication device 20 requests the authorization service 50 to update the second access token by specifying the second refresh token and the second client identifier with the token update unit 316. To do.
In M804, the authorization service 50 transmits the updated second access token and refresh token to the second communication device 20.
In M805, the second communication device 20 uses the resource acquisition unit 317 to request the external service 60 to specify the updated second access token and request acquisition of the first resource.
In M806, the external service 60 transmits the first resource to the second communication device 20.

FIG. 9 is a sequence diagram illustrating an example of information processing when the first communication device 10 invalidates the first access token. In the present embodiment, it is assumed that the first communication device 10 in FIG. 9 transmits the first access token to the second communication device 20 as shown in FIG.
In M901, the first communication apparatus 10 detects an instruction to delete the wireless parameter 11 acquired from the second communication apparatus 20 by the user using the operation control unit 304.
In M902, the first communication device 10 deletes the wireless parameter 11 by the wireless parameter management unit 306.
In M903, the first communication apparatus 10 uses the invalidity determination unit 314 to invalidate the first access token transmitted to the second communication apparatus 20 or the second access token based on the second authorization code. Judge whether or not. In this embodiment, since the wireless parameter 11 is deleted in M902, the communication determination unit 307 determines that the wireless communication with the second communication device 20 is not continued. Therefore, the invalidity determination unit 314 determines to invalidate the first access token or the second access token.

In M904, the first communication device 10 determines whether or not the second authorization code is transmitted to the second communication device 20 by the invalidity determination unit 314. In the present embodiment, the first communication device 10 determines that the second authorization code has not been transmitted to the second communication device 20.
In M905, the first communication device 10 uses the token invalidation unit 315 to request the authorization service 50 to designate the first client identifier and request invalidation of the first access token.
In M906, the authorization service 50 transmits the result of the invalidation request for the first access token to the first communication apparatus 10.

FIG. 10 is a flowchart illustrating a procedure of an operation in which the first communication device 10 transmits an access token or an authorization code.
In step S <b> 1101, the authority management unit 308 determines whether an access authority authority delegation request for the first resource on the external service 60 has been received from the second communication apparatus 20. When the authority delegation request is received (S1101; YES), the authority management unit 308 advances the process to step S1102. On the other hand, when the authority delegation request has not been received (S1101; NO), the authority management unit 308 ends the process.
In step S1202, the communication determination unit 307 determines whether wireless communication with the second communication device 20 is temporary. If it is determined to be temporary (S1102; YES), the transmission determination unit 311 determines to transmit the first access token to the second communication device 20, and the process proceeds to step S1103. On the other hand, if it is determined that it is not temporary (S1102; NO), the transmission determining unit 311 determines to transmit the second authorization code to the second communication device 20, and the process proceeds to step S1108.

In step S <b> 1103, the authorization code acquisition unit 309 requests the authorization service 50 for the first authorization of the access authority for the first resource on the external service 60 by designating the first client identifier.
In step S 1104, the authorization code acquisition unit 309 permits the first authorization approval in response to the first authorization approval request from the authorization service 50.
In step S <b> 1105, the authorization code acquisition unit 309 acquires the first authorization code from the authorization service 50.
In step S <b> 1106, the token acquisition unit 312 requests the first access token from the authorization service 50 by specifying the first authorization code and the first client identifier. Then, the token acquisition unit 312 acquires the first access token and the first refresh token from the authorization service 50.
In step S1107, the token transmission unit 313 transmits the first access token to the second communication device 20, and ends the process.

In step S <b> 1108, the authorization code acquisition unit 309 requests the authorization service 50 for the second authorization of the access authority for the first resource on the external service 60 by designating the second client identifier.
In step S 1109, the authorization code acquisition unit 309 permits the second authorization approval in response to the second authorization approval request from the authorization service 50.
In step S1110, the authorization code acquisition unit 309 acquires the second authorization code from the authorization service 50.
In step S <b> 1111, the authorization code transmission unit 310 transmits the second authorization code to the second communication device 20 and ends the process.

FIG. 11 is a flowchart illustrating a procedure of an operation in which the second communication device 20 acquires a resource.
In step S <b> 1201, the resource acquisition unit 317 requests the first resource acquisition to the external service 60 by specifying an access token that is owned. In the present embodiment, the access token owned by the second communication device 20 is either the first access token or the second access token.
In step S <b> 1202, the resource acquisition unit 317 determines whether the first resource has been acquired from the external service 60. When the resource can be acquired (S1202; YES), the resource acquisition unit 317 determines that the resource acquisition is successful and ends the process. On the other hand, if the resource could not be acquired (S1202; NO), the resource acquisition unit 317 advances the process to step S1203.
In step S1203, the token update unit 316 determines whether or not the access token owned by the token has expired. In the present embodiment, the token update unit 316 determines whether there is information indicating that the access token has expired in the response from the external service 60 in the first resource acquisition in step S1201. . When the access token expires (S1203; YES), the token update unit 316 advances the process to step S1204. On the other hand, when the validity period of the access token has not expired (S1203; NO), the token update unit 316 (or the resource acquisition unit 317) ends the process, assuming that the resource acquisition has failed.

In step S1204, the token update unit 316 determines whether or not it holds a refresh token for updating the access token determined to have expired in step S1203. When the refresh token is held (step S1204; YES), the token update unit 316 advances the process to step S1205. On the other hand, when the refresh token is not held (S1204; NO), the token update unit 316 (or the resource acquisition unit 317) determines that the resource acquisition has failed and ends the process.
In step S1205, the token update unit 316 requests the authorization service 50 to update the access token that has expired by specifying the refresh token and the client identifier.
In step S <b> 1206, the token update unit 316 determines whether an updated access token has been acquired from the authorization service 50. When the updated access token can be acquired (S1206; YES), the token update unit 316 returns the process of step S1201 to acquire the first resource from the external service 60 again. On the other hand, when the updated access token cannot be acquired (S1206; NO), the token update unit 316 (or the resource acquisition unit 317) terminates the process, assuming that the resource acquisition has failed.

FIG. 12 is a flowchart illustrating a procedure of an operation in which the first communication device 10 invalidates an access token.
In step S <b> 1301, the communication determination unit 307 determines whether or not the wireless parameter 11 acquired from the second communication apparatus 20 has been deleted by the wireless parameter management unit 306. When the wireless parameter is deleted (S1301; YES), the communication determination unit 307 determines that the wireless communication with the second communication device 20 is not continued, and the process proceeds to step S1302. On the other hand, when the wireless parameter has not been deleted (S1301; NO), the communication determination unit 307 determines that the wireless communication with the second communication device 20 is to be continued, and ends the process.

In step S <b> 1302, the invalidity determination unit 314 determines whether or not the second authorization code has been transmitted to the second communication device 20. When the second authorization code is transmitted (step S1302; YES), the invalidity determination unit 314 determines that the second access token and the second refresh token are invalidated, and the process proceeds to step S1304. On the other hand, if the second authorization code has not been transmitted (step S1302; NO), the invalidity determination unit 314 determines to invalidate the first access token, and the process proceeds to step S1303.
In step S1303, the token invalidation unit 315 requests the authorization service 50 to designate the first client identifier, requests invalidation of the first access token, and ends the process.
In step S1304, the token invalidation unit 315 requests the authorization service 50 to designate the second client identifier and invalidate the second access token and the second refresh token, and ends the processing. .

FIG. 13A is a diagram illustrating an example of an authorization request that the first communication device 10 transmits to the authorization service 50.
The authorization request 1400 is an HTTP request message indicating an authorization request based on OAuth 2.0.
The authorization request header 1401 is an HTTP request header in the authorization request 1400. The parameter response_type indicates the type of the authorization response corresponding to the authorization request, and the parameter value code indicates the authorization code. The parameter client_id indicates a client identifier.
FIG. 13B is a diagram illustrating an example of an authorization response received from the authorization service 50 by the first communication device 10.
The authorization response 1500 is an HTTP response message indicating an authorization response based on OAuth 2.0.
The authorization response header 1501 is an HTTP response header in the authorization response 1500. The parameter code indicates an authorization code. The parameter value indicates the actual authorization code value.

FIG. 14A is a diagram illustrating an example of an access token request transmitted from the first communication device 10 to the authorization service 50.
The access token request 1600 is an HTTP request message indicating an access token request based on OAuth 2.0.
The access token request header 1601 is an HTTP request header in the access token request 1600. The scheme Basic in the header Authorization indicates that the access token request is HTTP basic authentication. In this embodiment, a client identifier to be specified in the access token request is used as the user ID for HTTP basic authentication.
The access token request body 1602 is an HTTP request body in the access token request 1600. The parameter grant_type indicates an authorization grant type, and the parameter value authorization_code indicates an access token request based on an authorization code. The parameter code indicates an authorization code. The parameter value indicates the actual authorization code value.

FIG. 14B is a diagram illustrating an example of an access token response that the first communication device 10 receives from the authorization service 50.
An access token response 1700 is an HTTP response message indicating an access token response based on OAuth 2.0.
An access token response header 1701 is an HTTP response header in the access token response 1700.
An access token response body 1702 is an HTTP response body in the access token response 1700. The parameter access_token indicates an access token. The parameter value indicates the actual access token value. The parameter token_type indicates the type of access token. The parameter expires_in indicates the expiration date of the access token. The parameter value indicates the actual expiration value in seconds. A parameter refresh_token indicates a refresh token. The parameter value indicates the actual refresh token value.

FIG. 15A is a diagram illustrating an example of an access token update request transmitted from the second communication device 20 to the authorization service 50.
The access token update request 1800 is an HTTP request message indicating an access token update request based on OAuth 2.0.
The access token update request header 1801 is an HTTP request header in the access token update request 1800. The scheme Basic in the header Authorization indicates that the access token request is HTTP basic authentication. In this embodiment, a client identifier to be specified in the access token update request is used as the user ID for HTTP basic authentication.
The access token update request body 1802 is an HTTP request body in the access token update request 1800. The parameter grant_type indicates the authorization grant type. The parameter value refresh_token indicates an access token update request based on the refresh token. A parameter refresh_token indicates a refresh token. The parameter value indicates an actual refresh token value to be updated.

FIG. 15B is a diagram illustrating an example of an access token update response received from the authorization service 50 by the second communication device 20.
The access token update response 1900 is an HTTP response message indicating an access token update response based on OAuth 2.0.
The access token update response header 1901 is an HTTP response header in the access token update response 1900.
An access token update response body 1902 is an HTTP response body in the access token update response 1900. The parameter access_token indicates an access token. The parameter value indicates the actual access token value. The parameter token_type indicates the type of access token. The parameter expires_in indicates the expiration date of the access token. The parameter value indicates the actual expiration value in seconds. A parameter refresh_token indicates a refresh token. The parameter value indicates the actual refresh token value.

FIG. 16A is a diagram illustrating an example of an access token invalid request transmitted from the first communication device 10 to the authorization service 50.
The access token invalid request 2000 is an HTTP request message indicating an access token invalid request based on OAuth 2.0.
The access token invalid request header 2001 is an HTTP request header in the access token invalid request 2000. The scheme Basic in the header Authorization indicates that the access token request is HTTP basic authentication. In this embodiment, a client identifier to be specified in the access token invalidation request is used as the user ID for HTTP basic authentication.
The access token invalid request body 2002 is an HTTP request body in the access token invalid request 2000. The parameter type indicates an access token. The parameter value indicates an actual access token value to be invalidated.

FIG. 16B is a diagram illustrating an example of an access token invalid response received from the authorization service 50 by the first communication device 10.
The access token invalid response 2100 is an HTTP response message indicating an access token invalid response based on OAuth 2.0.
The access token invalid response header 2101 is an HTTP response header in the access token invalid response 2100.

As described above, the first communication device 10 determines whether the wireless communication connection with the second communication device 20 is temporary or not in response to the authority delegation request from the second communication device 20. To do. If the wireless communication connection is temporary, the first communication device 10 does not transmit the second authorization code, which is one of the token acquisition information, to the second communication device 20, and the first communication device 10 Send only access tokens.
The second communication device 20 cannot obtain the second refresh token from the authorization service 50 without the second authorization code. Without the second refresh token, the second communication device 20 cannot update the access token when the access token expires. If the access token expires, the second communication device 20 cannot acquire the first resource on the external service 60. As a result, the first communication device 10 can temporarily delegate access authority to the second communication device 20.
As a result, the first communication device 10 can simplify complicated operations associated with delegation of access authority such as explicit expiration date and designation of access authority range by the user, and user convenience is improved. . Furthermore, the first communication device 10 can prevent a permanent access authority delegation that is not temporary due to a user's operation mistake from being specified, thereby reducing security risks.

On the other hand, if the wireless communication connection is not temporary, the first communication device 10 transmits a second authorization code to the second communication device 20. The second communication device 20 acquires the second authorization code from the first communication device 10, and then, from the authorization service 50, based on the second authorization code, the second access token and the second Get a refresh token. If the second communication device 20 holds the second refresh token, the second communication token 20 can update the second access token even when the expiration date of the second access token expires. As a result, the first communication device 10 can delegate permanent access authority that is not temporary to the second communication device 20.
As a result, the first communication device 10 can simplify complicated operations associated with delegation of access authority such as explicit expiration date and authority range designation by the user, and user convenience is improved.
Further, in the present embodiment, the first access token and the second access token have the same expiration date and the range of access authority. However, the present invention is not limited to this, and the expiration dates may be different. For example, the expiration date of the first access token may be shorter than that of the second access token. Further, the range of access authority of the first access token may be narrower than that of the second access token. As a result, the first communication device 10 can delegate more limited access authority to the second communication device 20, further improving user convenience and further reducing security risks. .

Normally, the content of the second authorization request in OAuth 2.0 is included in the authority delegation request received from the second communication device 20 in step S1101. The first communication device 10 transmits the second authorization request as it is to the authorization service 50 using a technique such as HTTP redirect. That is, the second authorization request is the content desired by the second communication device 20 and is convenient for the second communication device 20, and therefore may give a wider access authority than necessary. There is.
On the other hand, in this embodiment, when the wireless communication with the second communication device 20 is temporary in step S1102, the transmission determination unit 311 performs the first access to the second communication device 20. Determines to send a token. In step S1103, the authorization code acquisition unit 309 requests the authorization service 50 to designate the first client identifier and request the first authorization of the access authority to the first resource on the external service 60. . That is, since the content of the first authorization request is determined by the first communication device 10, it is possible to designate the access authority within the necessary and sufficient minimum range, further improving user convenience and improving security. Risk is further reduced.

Furthermore, the following two restrictions recommended in OAuth 2.0 are assumed for the authorization service 50 in the present embodiment.
First, in the authorization request to the authorization service 50, access token acquisition, and access token update, the client identifiers to be specified must all be the same. For example, when a second authorization request is made by designating the second client identifier to the authorization service 50, the second client identifier is obtained even when the second access token is acquired and the second access token is updated. Must be specified.
Second, client authentication related to a specified client identifier is required in access token acquisition and access token update for the authorization service 50. Therefore, even if the first communication device 10 specifies the second client identifier and requests the authorization service 50 to acquire the second access token, the client authentication fails and the second access token Can not get. Conversely, even if the second communication device 20 acquires the first authorization code from the first communication device 10, it cannot acquire the first access token from the authorization service 50.
In contrast, when the wireless communication with the second communication device 20 is temporary, the first communication device 10 acquires and transmits the first access token by itself in steps S1106 to S1107. On the other hand, when the wireless communication is not temporary, the first communication device 10 transmits the second authorization code as it is in order to cause the second communication device 20 to update the second access token. Thereby, the first communication device 10 can improve the interoperability with the authorization service 50.

On the other hand, for the authorization service 50 without the above restriction, the first communication device 10 directly acquires the second access token and the second refresh token instead of the second communication device 20. May be. In this case, in step S <b> 1111, the token transmission unit 313 transmits the second access token and the second refresh token to the second communication device 20. Thereby, the processing load of the second communication device 20 can be reduced.
Further, for example, when the wireless communication with the second communication device 20 is not temporary in step S1102, the transmission determination unit 311 transmits the second authorization code to the second communication device 20. Suppose. At this time, since the second communication device 20 can acquire the second refresh token from the authorization service 50 based on the second authorization code, the second communication apparatus 20 has a permanent access right to the first resource. become. After that, the user of the first communication device 10 considered that the wireless communication with the second communication device 20 will not be performed in the future, and the wireless parameter 11 used in the wireless communication with the second communication device 20 was deleted. And
At this time, in this embodiment, when the wireless parameter management unit 306 deletes the wireless parameter 11 acquired from the second communication device 20, the communication determination unit 307 performs wireless communication with the second communication device 20. Judged not to continue. Then, the invalidity determination unit 314 determines that the access token that has been delegated to the second communication device 20 is invalidated, and requests the authorization service 50 to invalidate the access token.
As a result, the first communication device 10 can simplify a complicated operation associated with the invalidation of the access authority by the user, and the convenience for the user is improved. Further, the first communication device 10 can prevent the access authority from being delegated forever due to the user's forgotten operation, and also reduces the security risk.

Furthermore, in the present embodiment, the communication determination unit 307 determines whether or not wireless communication with the second communication device 20 is temporary. It may be determined whether or not. For example, public wireless communication, proximity wireless communication, NFC (Near Field Communication), wired communication, remote communication, remote access, and the like may be used.
Similarly, the communication determination unit 307 determines that the wireless communication with the second communication device 20 is not continued when the wireless parameter 11 acquired from the second communication device 20 is deleted, but is not limited thereto. . For example, information used for communication connection with the second communication device 20 such as communication parameters and communication information may be used.

<Other embodiments>
The present invention can also be realized by executing the following processing. That is, software (program) that realizes the functions of the above-described embodiments is supplied to a system or apparatus via a network or various storage media, and a computer (or CPU, MPU, etc.) of the system or apparatus reads the program. It is a process to be executed.

As mentioned above, in each embodiment mentioned above, when the communication connection between communication apparatuses is temporary, the 1st communication apparatus does not transmit token acquisition information to the 2nd communication apparatus. On the other hand, when the communication connection is not temporary, that is, in the case of a permanent communication connection, the first communication device transmits token acquisition information to the second communication device.
As a result, it is possible to simplify complicated user operations associated with delegation of access authority, and the convenience of the user is improved. Furthermore, security risks associated with user operation errors are reduced.

  The preferred embodiments of the present invention have been described in detail above, but the present invention is not limited to such specific embodiments, and various modifications can be made within the scope of the gist of the present invention described in the claims.・ Change is possible.

306 Wireless parameter management unit, 307 communication determination unit, 308 authority management unit, 309 authorization code acquisition unit, 310 authorization code transmission unit, 311 transmission determination unit, 312 token acquisition unit, 313 token transmission unit, 314 invalidity determination unit, 315 token Invalid part, 316 token update part, 317 resource acquisition part

Claims (10)

An acquisition means for acquiring token acquisition information used when acquiring a token indicating an access authority for a resource whose access authority is managed by the authorization service, from an authorization service;
Determining means for determining whether or not communication with another device is temporary;
A transmission means for transmitting the token acquisition information acquired by the acquisition means to the other apparatus when the determination means determines that communication with the other apparatus is not temporary;
A communication device. When the determination unit determines that communication with the other device is temporary, the determination unit further includes a token acquisition unit that acquires the token using the token acquisition information acquired by the acquisition unit;
2. The transmission unit according to claim 1, wherein the transmission unit transmits the token acquired by the token acquisition unit to the other device when the determination unit determines that communication with the other device is temporary. Communication device.   The determination means determines whether or not the group form in the wireless communication connection with the other apparatus is temporary. If the group form is temporary, the communication with the other apparatus is temporary. The communication device according to claim 1, wherein the communication device is determined to be present.   The communication according to any one of claims 1 to 3, further comprising request means for requesting the authorization service to invalidate the token or the token acquisition information when communication with the other device is not continued. apparatus.   The request unit determines that communication with the other device is not continued when a wireless parameter related to a wireless communication connection with the other device is deleted, and the token or the token is determined for the authorization service. The communication apparatus according to claim 4, wherein invalidation of acquired information is requested. A communication system including a first communication device and a second communication device,
The first communication device is:
An acquisition means for acquiring token acquisition information used when acquiring a token indicating an access authority for a resource whose access authority is managed by the authorization service, from an authorization service;
Determining means for determining whether communication with the second communication device is temporary;
A transmission unit that transmits the token acquisition information acquired by the acquisition unit to the second communication device when the determination unit determines that communication with the second communication device is not temporary;
Have
The second communication device is:
Upon receiving the token acquisition information from the first communication device, token acquisition means for acquiring the token from the authorization service using the token acquisition information;
Access means for accessing the resource using the token obtained by the token obtaining means;
A communication system. The first communication device is:
If the determination unit determines that communication with the second device is temporary, the determination unit further includes a token acquisition unit that acquires the token using the token acquisition information acquired by the acquisition unit;
The transmission means transmits the token acquired by the token acquisition means to the second apparatus when the determination means determines that communication with the second apparatus is temporary,
The communication system according to claim 6, wherein the token acquisition unit acquires the token when the token is transmitted from the first communication device. An information processing method executed by a communication device,
An acquisition step of acquiring token acquisition information used when acquiring a token indicating an access authority for a resource whose access authority is managed by the authorization service from the authorization service;
A determination step of determining whether or not communication with another device is temporary;
If the determination step determines that communication with the other device is not temporary, a transmission step of transmitting the token acquisition information acquired by the acquisition step to the other device;
An information processing method including: An information processing method in a communication system including a first communication device and a second communication device,
An acquisition step in which the first communication device acquires token acquisition information used when acquiring a token indicating an access authority to a resource whose access authority is managed by the authorization service from the authorization service;
A determination step in which the first communication device determines whether or not communication with the second communication device is temporary;
When the first communication device determines that the communication with the second communication device is not temporary in the determination step, the token acquisition information acquired in the acquisition step is transmitted to the second communication device. A sending step to send;
When the second communication device receives the token acquisition information from the first communication device, the token acquisition step of acquiring the token from the authorization service using the token acquisition information;
An access step in which the second communication device accesses the resource using the token acquired in the token acquisition step;
An information processing method including: On the computer,
An acquisition step of acquiring token acquisition information used when acquiring a token indicating an access authority for a resource whose access authority is managed by the authorization service from the authorization service;
A determination step of determining whether or not communication with another device is temporary;
If the determination step determines that communication with the other device is not temporary, a transmission step of transmitting the token acquisition information acquired by the acquisition step to the other device;
A program for running

Images