JP2016009466A - Web service system, authentication approval device, information processing device, information processing method, and program - Google Patents

Abstract

PROBLEM TO BE SOLVED: To enable secure cooperation between different devices using a Web service without authenticating between devices.SOLUTION: Corresponding to a registry request from an information processing device, an authentication approval server dynamically registers the information processing device as a part of a resource server under the authentication approval server. A client terminal which is approved by the authentication approval server accesses to the information processing device in a similar manner as accessing to the resource server under the authentication approval server.

Description

  The present invention relates to a Web service system, an authentication / authorization apparatus, an information processing apparatus, an information processing method, and a program.

In recent years, services that use cloud services provided on the Internet from various devices such as mobile terminals, digital home appliances, and office equipment have been spreading. In addition, use cases in which a single user holds a plurality of devices and uses various cloud services are increasing. Furthermore, a form in which some processing is performed using a cloud service with an application provided by a mobile terminal, and an application of another device is used from the mobile terminal based on the result of the processing is also widespread. In the above-described form, not only the processing of the cloud service and the device but also the processing cooperation between the device applications is required.
When a single user uses a plurality of devices and there is a function linkage between the devices, the user needs to input authentication information such as an ID and a password for using the cloud service from each device. Furthermore, the user needs to input authentication information such as an ID and a password for cooperation between device applications.
Patent Document 1 describes a single sign-on technique between a plurality of applications in the same terminal. The technique of Patent Document 1 requires a condition that the applications are in the same terminal and a condition that each application is set in advance. By satisfying the above two conditions, the technique of Patent Document 1 omits authentication between applications, shares information for accessing a cloud service, and simplifies authentication between cloud applications.

WO09 / 107219 pamphlet

In cloud service cooperation using multiple devices, it is necessary not only to input authentication information to each device for each device to use the cloud service, but also to input authentication information to link each device application. . Therefore, the user needs to perform a large number of settings in order to use the cooperation function, which is inconvenient. In the method of Patent Document 1, if an application is on the same terminal, it is possible to realize inter-application cooperation by setting in advance the cooperation possible with the application. However, when the applications are operating on different devices, communication between applications cannot be secured by the prior art method, and authentication cannot be omitted. In addition, since pre-setting between applications is necessary, the pre-setting work is also troublesome.
Accordingly, an object of the present invention is to enable secure cooperation between different devices using a Web service without performing authentication between devices.

  Therefore, the Web service system of the present invention is a Web service system including an authentication authorization device, an information processing device, and a terminal device, and the authentication authorization device is capable of communicating via a network. In response to a registration request from a registration unit, a registration unit that registers the information processing apparatus as a subordinate resource, and a first transmission that transmits a resource token corresponding to the registration content in the registration unit to the information processing apparatus And execution of a process corresponding to the processing information in the information processing apparatus is permitted in response to a verification request including a resource token, an authorization token, and processing information from the information processing apparatus registered by the registration means Verifying means for verifying whether or not the information processing apparatus has been configured, and the terminal device requests the information processing apparatus to be able to communicate via a network A second transmission unit that transmits an authorization token acquired from the authentication authorization device to the information processing device, and the information processing device registers the information processing device as a resource under control of the authentication authorization device. In response to a processing request from the terminal device, a registration request means for requesting the authentication authorization device to request a resource token from the authentication authorization device, an authorization token from the terminal device, and a request from the terminal device And processing information of the processed processing is transmitted to the authentication authorization device, and whether or not execution of processing corresponding to the processing information in the information processing device is permitted is verified based on the transmitted information. If the verification request means for requesting the authentication authorization device and the verification result by the authentication authorization device are affirmative, the processing requested by the terminal device is executed. Having an execution unit that, the.

  According to the present invention, it is possible to enable secure cooperation between different devices using a Web service without performing authentication between devices.

It is a figure which shows an example of a system configuration. It is a figure which shows an example of the hardware constitutions of each apparatus. It is a figure which shows an example of the software module structure of each apparatus. 6 is a diagram illustrating an example of processing for registering an image forming apparatus with an authentication authorization server. FIG. It is a figure which shows an example of a screen. It is a figure which shows an example of the utilization process of the resource server by a client terminal. 6 is a diagram illustrating an example of processing for using an image forming apparatus by a client terminal. FIG. It is a flowchart which shows an example of the user information specific process in an authentication authorization server. It is a flowchart of the token verification process in an authentication authorization server. 5 is a flowchart of a user specifying process in the image forming apparatus. It is a figure which shows an example of the screen for the setting in a user specific process.

Hereinafter, embodiments of the present invention will be described with reference to the drawings.
<Embodiment>

In this embodiment, it is assumed that a print service is installed on a server on the Internet. In addition, it is assumed that the print service provides a function of receiving print data from a mobile terminal, converting and saving, a function of specifying print data and an image forming apparatus from an arbitrary mobile terminal, and the like.
Hereinafter, a service that provides a function on the Internet, such as the print service, is referred to as a resource service.
In the present embodiment, it is assumed that the print application installed on the image forming apparatus, the print application installed on the portable terminal, and the resource service cooperate. An application that cooperates with a resource service such as the print application is defined as a resource service cooperation application.
The OAuth mechanism is used for authority transfer processing in the present embodiment. In OAuth, information called a token is used as information for proving authority transferred from a user. In the OAuth mechanism, for example, when a mobile terminal uses resources of a resource server, the mobile terminal makes a resource request including a token acquired from the authentication authorization server to the resource server. The resource server and the authentication authorization server determine whether to permit processing of the request based on a token included in information accompanying the request. If the result of the determination is permission, the resource server executes the request process.
Furthermore, in this embodiment, a virtual user on a server corresponding to an image forming apparatus or a portable terminal is set as a device client.
In the following, for example, “verification of A” indicates that the verification result is “A” as “verification result is correct” or “verification result is positive”.

FIG. 1 is a diagram illustrating an example of a system configuration of an information processing system according to the present embodiment. The information processing system is an example of a Web service system.
The WAN 100 is a Wide Area Network, and in this embodiment, a World Wide Web (WWW) system is constructed. The LAN 101 is a local area network that connects each component. The authentication authorization server 110 is an authentication authorization server for realizing user authentication, OAuth mechanism, and the like. The resource server 120 is provided with a printing service. In the present embodiment, each server is installed one by one, but may be configured by a plurality of servers, and may be provided as an authentication / authorization server system including a plurality of servers, for example. The client terminal 150 is a mobile terminal such as a smartphone. A web browser and a resource cooperation application are installed on the smartphone. One or more resource service cooperation applications are installed in the image forming apparatus 140. A user uses a resource service via the resource service cooperation application of the client terminal 150 and the image forming apparatus 140.
The authentication authorization server 110, the resource server 120, the image forming apparatus 140, and the client terminal 150 are connected via the WAN 100 and the LAN 101, respectively. The authentication / authorization server 110, the resource server 120, the image forming apparatus 140, and the client terminal 150 may be configured on separate LANs or on the same LAN. The authentication authorization server 110 and the resource server 120 may be configured on the same server.

FIG. 2 is a diagram illustrating an example of a hardware configuration of the apparatus 200 that abstracts the authentication / authorization server 110, the resource server 120, the image forming apparatus 140, the client terminal 150, and the like. When the apparatus 200 is applied to the authentication / authorization server 110, the resource server 120, and the client terminal 150, the printing unit I / F 250, the scanner unit I / F 251, the printing unit 252, and the scanner unit 253 are not included as hardware configurations.
The CPU 231 executes programs such as OS and applications stored in the program ROM of the ROM 233 or loaded into the RAM 232 from the external memory 241 such as a hard disk (HD). The CPU 231 controls each block connected to the system bus 234. OS is an abbreviation for an operating system that runs on a computer. The processing of each sequence described later with reference to FIGS. 4, 6, and 7 can be realized by the CPU 231 executing a program loaded on the RAM 232. The RAM 232 functions as a main memory, work area, and the like for the CPU 231. The CPU 231 controls input from the operation unit 239 via the operation unit I / F 235. The CPU 231 controls display on the CRT display 240 via a CRT controller (CRTC) 236. The CPU 231 controls data access in the external memory 241 such as a hard disk (HD) that stores various data via the disk controller (DKC) 237. The CPU 231 executes a communication control process with a server computer or other devices connected via the WAN 100 or the LAN 101 by controlling the network controller (NC) 238.

The image forming apparatus 140 holds hardware such as a printing unit 252 and a scanner unit 253. The CPU 231 of the image forming apparatus 140 outputs the print data as output information to the printing unit 252 through the printing unit I / F 250. The CPU 231 of the image forming apparatus 140 acquires the scan data read by the scanner unit 253 via the scanner unit I / F 251.
The CPU 231 of the authentication / authorization server 110 executes processing based on a program stored in the ROM 233 or the external memory 241 of the authentication / authorization server 110, thereby realizing functions, flowcharts, and sequence processing of the authentication / authorization server 110 described later. .
The CPU 231 of the resource server 120 executes processing based on a program stored in the ROM 233 or the external memory 241 of the resource server 120, whereby the functions and sequence processing of the resource server 120 described later are realized.
The CPU 231 of the image forming apparatus 140 executes processing based on a program stored in the ROM 233 or the external memory 241 of the image forming apparatus 140, thereby realizing functions of the image forming apparatus 140 described later and processing of flowcharts and sequences described below. Is done.
The CPU 231 of the client terminal 150 executes processing based on a program stored in the ROM 233 or the external memory 241 of the client terminal 150, thereby realizing a function of the client terminal 150 described later and processing of a sequence described later.

FIG. 3 is a diagram illustrating an example of a software module configuration of each device.
The authentication authorization server 110 has a login UI module 310. The resource server 120 has a resource server module 320.
The client terminal 150 has a Web browser 350 that is a user agent for using the WWW, and a resource service cooperation application for cooperation with the resource server 120.
In the image forming apparatus 140, the CPU 231 controls each application by executing the OS stored in the ROM 233 or the external memory 241. The OS 342 is an operating system. The OS may be a real-time OS or a general-purpose OS such as Linux (registered trademark). The virtual machine 341 is, for example, a Java (registered trademark) VM. The virtual machine 341 is a virtual application execution environment that operates as an application controlled by the CPU 231 via the OS 342. The application management framework 340 includes a function for managing the life cycle of an application to be managed that operates in the application execution environment provided by the virtual machine 341, and an I / F that controls the function. Furthermore, the application management framework 340 has an I / F disclosure function for mediating processing requests between applications. The life cycle indicates an application state such as application installation, activation, stop, and uninstallation. The application management framework 340 in this embodiment will be described as OSGi (registered trademark) defined by the OSGi (Open Services Gateway Initiative) alliance.

The authentication authorization server cooperation client 346, the resource service cooperation application 347, and the local login application 345 are various applications that operate in the application execution environment provided by the virtual machine 341. In addition, the life cycle of the application is managed by the application management framework 340. The application management application 343 receives and executes various application installation operations, start request operations, and the like from the user via the life cycle management control I / F published by the application management framework 340. The image forming apparatus 140 can have an authentication / authorization server cooperation client 346, a resource service cooperation application 347, and a local login application 345 by default. The image forming apparatus 140 can also install the authentication / authorization server cooperation client 346, the resource service cooperation application 347, and the local login application 345 later. The image forming apparatus 140 can perform the installation via the application management application 343 and the application management framework 340. Furthermore, the image forming apparatus 140 includes a Web browser 348 that is a user agent for using the WWW.
The client terminal 150 has a Web browser 350 that is a user agent for using the WWW and a resource service cooperation application 351.

A data table stored in the external memory 241 by the authentication authorization server 110 will be described. The data table may be stored not in the external memory 241 of the authentication / authorization server 110 but in another server configured to be communicable via the LAN 101.
The CPU 231 of the authentication authorization server 110 manages user information by storing it in the user management table. The user management table includes a “user ID” that uniquely identifies the user, a “tenant ID” that uniquely identifies the tenant to which the user belongs, and a “type” that identifies whether the user is a normal user or a virtual user as a device. Including. The tenant is an example of affiliation information. The user management table further includes a “mail address” of the user and a “role” that manages the role of the user on the system. In “Role”, a role indicating a tenant administrator, a role indicating a general person, a role for using a print service, and the like are set. The fact that an administrator is set in “role” is an example that administrator authority is set. The combination of “user ID”, “tenant ID”, and “role” is an example of user authority information. The user management table is an example of user authority data.

The CPU 231 of the authentication authorization server 110 manages tenant information by storing it in the tenant management table. A tenant is a management unit assigned to each customer who has a service usage contract. User management and data management are performed on a tenant basis. The “tenant ID” in the tenant management table is the same as that shown in the user management table, and the “tenant name” is set to, for example, the name of the company with which the tenant is contracted.

The CPU 231 of the authentication authorization server 110 manages device client information by storing it in the client management table. The client management table includes “client ID”, “client name”, “redirect URL”, and “serial number”. The “client ID” is associated with the “user ID” in the user management table and can be referred to each other. “Client name” and “redirect URL” are values used in the OAuth sequence. The “serial number” is a value that can uniquely identify the device client. The authentication authorization server 110 can uniquely identify the connection source image forming apparatus 140 and the client terminal 150 based on the client ID.

The CPU 231 of the authentication authorization server 110 manages the token for OAuth by storing it in the authorization token management table. The authorization token management table includes “authorization token ID”, “type”, “scope”, “expiration date”, “refresh token ID”, “refresh expiration date”, “client ID”, and “user ID”. Details of the processing of the authorization token management table will be described later with reference to FIGS. The CPU 231 of the authentication / authorization server 110 may set each value of the authorization token management table based on an operation performed on the operation unit 239 by the user. “Client ID” is an example of device information. “User ID” is an example of user information. A combination of “scope”, “client ID”, and “user ID” is an example of identification information. “Authorization token ID” is an example of identification information that uniquely identifies identification information. The identification information plus the specific information is an example of registration information.

以上が、認証認可サーバー１１０が外部メモリ２４１にて記憶するデータテーブルに関する説明である。 The CPU 231 of the authentication authorization server 110 manages the scope for OAuth by storing it in the scope management table. The scope management table includes “scope” and “role”. The CPU 231 of the authentication authorization server 110 can acquire the content of the process corresponding to the scope by referring to the value of “role” corresponding to the scope from the scope management table.

The above is the description regarding the data table stored in the external memory 241 by the authentication / authorization server 110.

Next, the data table stored in the external memory 241 by the image forming apparatus 140 and the client terminal 150 will be described.
The CPU 231 of the image forming apparatus 140 and the client terminal 150 manages the users of the image forming apparatus 140 and the client terminal 150 by storing them in the device user management table. For example, when accessing the image forming apparatus 140, the CPU 231 of the image forming apparatus 140 sets the combination of “user ID” and “password” input to the image forming apparatus 140 in the device user management table. If present, perform authentication. Further, the CPU 231 of the image forming apparatus 140 and the client terminal 150 performs access control based on “authority information” in the device user management table. Note that, in the client terminal 150, as in the image forming apparatus 140, a case where a plurality of users are managed, a case where users are not managed, or the like is assumed. If the user is not managed, the “user ID” and “authority information” in the device user management table may not exist. In this embodiment, the authentication method is assumed to be authentication using a user ID and a password. However, different authentication methods such as IC card authentication, biometric authentication such as fingerprint, and pattern lock authentication may be used. When the authentication method is not authentication based on a user ID and a password, information on the authentication method is managed in the device user management table instead of “password”. Further, when user management is not performed at the client terminal 150, a configuration such as no authentication may be used, and the device user management table may not exist. In this embodiment, the authentication method in the image forming apparatus 140 or the client terminal 150 is not limited, and it is only necessary that the user of the device can be uniquely identified in the device.

The CPU 231 of the image forming apparatus 140 and the client terminal 150 manages device client information by storing it in the device client management table. The device client management table includes “client ID”, “secret”, “endpoint URL”, and “redirect URL”. “Client ID” and “secret” correspond to “user ID” and “password”, which are issued in advance by the authentication authorization server 110 and stored in the user management table. Further, the “redirect URL” is the same data as the information registered in the client management table of the authentication authorization server 110. As a method for registering information in the device client management table, for example, the image forming apparatus 140 or the client terminal 150 may register online via the LAN 101 or WAN 100. Further, the CPU 231 of the image forming apparatus 140 and the client terminal 150 may set each value of the device client management table based on an operation on the operation unit 239 by the user. The “end point URL” is the URL of the end point for OAuth published by the authentication authorization server 110.

The CPU 231 of the image forming apparatus 140 and the client terminal 150 manages the token issued by the authentication authorization server 110 by storing it in the device token management table. The device token management table includes “user ID”, “token ID”, “type”, “refresh token ID”, and “authentication authorization server user ID”. Details of processing of the device token management table will be described later with reference to FIGS. In the client terminal 150 that does not manage the user, there is no “user ID” information. When the “user ID” information does not exist, the CPU 231 of the client terminal 150 generally manages the device token management table as information unique to the resource service cooperation application 351.

  The above is the description of the data table stored in the external memory 241 by the image forming apparatus 140 or the client terminal 150.

  Here, a resource registration process for registering the image forming apparatus 140 with the authentication authorization server 110 as a part of the resource server 120 will be described. With the above processing, the image forming apparatus 140 virtually becomes a part of the resource server 120. Accordingly, the client terminal 150 can access the resource service cooperation application 347 of the image forming apparatus 140 in the same manner as the method of accessing the resource server 120.

The sequence of the present embodiment relating to the resource registration process will be described with reference to FIGS.
The sequence is an operation that the user performs only once in the image forming apparatus 140, and resource registration processing is realized using processing similar to the sequence for obtaining a general OAuth authorization token.
FIG. 4 is a diagram illustrating an example of processing for registering the image forming apparatus in the authentication authorization server.
In step S <b> 401, the CPU 231 of the image forming apparatus 140 detects a login operation by the user via the local login application 345 to the image forming apparatus 140 and logs the user into the image forming apparatus 140 based on the operation. In the present embodiment, the CPU 231 of the image forming apparatus 140 verifies the user ID and password input by the user in the device user management table, and performs login processing.
In S <b> 402, for example, when a user whose “user ID” is “User” logs in, the CPU 231 of the image forming apparatus 140 generates a login context including “User” via the local login application 345. The CPU 231 of the image forming apparatus 140 stores the login context in the RAM 232 so that it can be acquired from each application via the application management framework 340.
In step S <b> 403, the CPU 231 of the image forming apparatus 140 accesses a URL for starting resource registration in the authentication authorization server 110 of the authentication authorization server cooperation client 346 based on a user operation on the web browser 348.
When the CPU 231 of the image forming apparatus 140 detects the start of resource registration via the authentication authorization server cooperation client 346, the CPU 231 acquires the URL described in “Endpoint URL” of the device client management table.

In step S <b> 404, the CPU 231 of the image forming apparatus 140 issues a redirect request to the web browser 348 to make an OAuth authorization request for the URL via the authentication authorization server cooperation client 346. Information accompanying the authorization request includes information on “client ID” and “redirect URL” in the device client management table. Further, the information accompanying the authorization request includes “scope” information in which a value of “Resource” is set as information indicating an authority range to be authorized. The authorization request is an example of registration request processing.
In step S <b> 405, the CPU 231 of the image forming apparatus 140 displays the login screen 501 illustrated in FIG. 5A transmitted from the authentication authorization server 110 that has received the authorization request, on the web browser 348.
In step S <b> 406, the CPU 231 of the image forming apparatus 140 accepts input of a user ID and password to the login screen 501 displayed by the user on the web browser 348. The CPU 231 of the image forming apparatus 140 transmits the user ID and the password indicated via the web browser 348 to the authentication authorization server. The CPU 231 of the authentication authorization server 110 verifies whether the combination of the user ID and the password matches information registered in the user management table. If the combination of the user ID and the password matches the information registered in the user management table, the CPU 231 of the authentication authorization server 110 generates authentication information associated with the user ID. The CPU 231 of the authentication authorization server 110 determines whether or not the combination of “client ID” and “redirect URL” included in the authorization request matches information registered in the client management table, and the “scope” is “Resource”. It is verified whether or not.

In S407, the CPU 231 of the authentication authorization server 110 matches the information registered in the client management table with the combination of the “client ID” and the “redirect URL”, and the “scope” is “Resource”. The following processing is executed. That is, the CPU 231 of the authentication authorization server 110 acquires “client name” from the registered information that matches the verification in the client management table, generates the resource registration confirmation screen 502 shown in FIG. To do. Further, the CPU 231 of the authentication authorization server 110 causes the web browser 348 to store the authentication information as cookie information. In FIG. 5B, the client name is displayed on the resource registration confirmation screen 502. However, a detailed description of the client is displayed on the resource registration confirmation screen 502, and the logged-in user information is displayed. Can also be displayed.
In step S <b> 408, the CPU 231 of the image forming apparatus 140 transmits information indicating permission to the authentication authorization server 110 based on a user operation on the resource registration confirmation screen 502 displayed on the web browser 348. More specifically, if the CPU 231 of the image forming apparatus 140 detects that the user has pressed the permission button on the resource registration confirmation screen 502, the CPU 231 permits the authentication authorization server 110 to register the resource of the image forming apparatus 140. The information indicating that is is transmitted.

The CPU 231 of the authentication / authorization server 110 that has received the permission performs a process of issuing an authorization code to the authorization token management table and registering it. The registration process is an example of a process for registering the image forming apparatus 140 as a resource under the authentication and authorization server 110. The CPU 231 of the authentication authorization server 110 sets “ID” of the issued authorization code to “authorization token ID” of the authorization token management table, “authorization code” to “type”, “Resource” to “scope”, “ Register the expiration date of the token in “Expiration Date”. Further, the CPU 231 of the authentication authorization server 110 registers the client ID received at the time of the authorization request as “client ID” and the user ID associated with the authentication information transmitted as a cookie from the Web browser 348 as “user ID”. For example, AT_0000 described in the first line of the authorization token management table is an example of the registered information.
In step S409, the CPU 231 of the authentication / authorization server 110 issues a redirect request to the web browser 348 for the redirect URL to which the authorization token ID of the authorization code is assigned. The CPU 231 of the image forming apparatus 140 transmits the authorization token ID to the authentication authorization server cooperation client 346 via the Web browser 348 based on the redirect request.

In step S <b> 410, the CPU 231 of the image forming apparatus 140 makes a token request to the authentication / authorization server 110 via the authentication / authorization server cooperation client 346. Information accompanying the token request includes the authorization token ID, “client ID”, “secret”, and “redirect URL” of the device client management table.
In S411, the CPU 231 of the authentication authorization server 110 performs the following verification process, and generates a resource token if all the verification process results are correct. The CPU 231 of the authentication authorization server 110 verifies whether or not the combination of the client ID and the client secret received in the token request matches the combination of “user ID” and “password” registered in the user management table. . The CPU 231 of the authentication authorization server 110 verifies whether the authorization token ID received in the token request is registered in the authorization token management table and whether it is within the expiration date. The CPU 231 of the authentication authorization server 110 verifies whether or not the client ID received in the token request matches the “client ID” specified by the “authorization token ID” in the authorization token management table. Further, the CPU 231 of the authentication authorization server 110 verifies whether or not the redirect URL received by the token request matches the “redirect URL” of the client management table. The “redirect URL” may not be managed by the client management table, but may be managed by the authorization token management table by adding a “redirect URL” column to the authorization token management table. When the “redirect URL” is managed in the authorization token management table, the redirect URL corresponding to the authorization code is also registered in the added “redirect URL” column when the authorization code is issued. In the verification, the CPU 231 of the authentication / authorization server 110 may verify whether the redirect URL received in the token request matches the “redirect URL” in the authorization token management table. If all the verification results in S411 are correct, the CPU 231 of the authentication authorization server 110 generates a resource token.

  In S <b> 412, the CPU 231 of the authentication authorization server 110 transmits the authorization token ID of the resource token generated in S <b> 411 to the authentication authorization server cooperation client 346. Further, the CPU 231 of the authentication / authorization server 110 transmits the refresh token ID issued simultaneously with the resource token and the user ID logged in to the authentication / authorization server 110 to the authentication / authorization server cooperation client 346. The CPU 231 of the authentication authorization server 110 registers the ID of the token issued for “authorization token ID” in the authorization token management table, the resource token in “token type”, and “expiration date”. Further, the CPU 231 of the authentication / authorization server 110 registers “client ID” and “user ID” as information inherited from the authorization code in the authorization token management table. Further, the CPU 231 of the authentication / authorization server 110 issues a refresh token for refreshing the resource token, and registers it in “refresh token ID” and “refresh time limit” of the authorization token management table. The refresh process will be described later in S614 to S616 in FIG. AT_0001 described in the second line of the authorization token management table is an example of the registered information.

In step S <b> 413, the CPU 231 of the image forming apparatus 140 acquires the login context of the user who has logged in to the image forming apparatus 140 via the application management framework 340 via the authentication authorization server cooperation client 346. Then, the CPU 231 of the image forming apparatus 140 acquires a device user ID from the login context via the authentication authorization server cooperation client 346.
In step S <b> 414, the CPU 231 of the image forming apparatus 140 registers the device token management table via the authentication / authorization server cooperation client 346. In the registration, the CPU 231 of the image forming apparatus 140 registers the device user ID in “User ID”, the authorization token ID of the resource token in “Authorization token ID”, and the refresh token ID in “Refresh token ID”. Further, in the registration, the CPU 231 of the image forming apparatus 140 registers the user ID logged into the authentication authorization server 110 in “authentication authorization server user ID”.
In step S415, the CPU 231 of the image forming apparatus 140 responds to the Web browser 348 with a screen indicating the completion of resource registration via the authentication authorization server cooperation client 346, and ends the resource registration processing.

Next, processing for accessing the resource server 120 and the resource service cooperation application 347 of the image forming apparatus 140 from the client terminal 150 will be described with reference to FIGS.
FIG. 6 is a diagram illustrating an example of a resource server use process performed by a client terminal.
The sequence in FIG. 6 is a sequence until the client terminal 150 accesses the resource server 120. The sequence is divided into two sequences. The first sequence is a sequence (S601 to S611) for the client terminal 150 to obtain an authorization token for using the resource server 120. The second sequence is a sequence (S612-S625) for accessing the resource server 120 using the authorization token. Note that the two sequences are the same as sequences for a terminal device using a general OAuth mechanism to access the resource server. In the present embodiment, the client terminal 150 is assumed to be a terminal that does not manage users. When the client terminal 150 manages the user and the resource service cooperation application 347 with the same configuration as the image forming apparatus 140, the client terminal 150 acquires an authorization token by the same process as the resource registration process illustrated in FIG.

In S <b> 601, the CPU 231 of the client terminal 150 activates the resource service cooperation application 351 based on an operation by the user. The CPU 231 of the client terminal 150 checks whether or not the authorization token is held in the device token management table via the resource service cooperation application 351. If not, the process proceeds to S602. If the CPU 231 of the client terminal 150 holds the authorization token in the device token management table, the process proceeds to S612.
In S602, the CPU 231 of the client terminal 150 makes an OAuth authorization request. The CPU 231 of the client terminal 150 activates the Web browser 350 via the resource service cooperation application 351. The CPU 231 of the client terminal 150 requests the Web browser 350 to redirect to the “endpoint URL” URL of the device client management table via the resource service cooperation application 351. The CPU 231 of the client terminal 150 can include “client ID” and “redirect URL” information of the device client management table in the authorization request. Further, the CPU 231 of the client terminal 150 can include a scope indicating an authority range to be authorized in the authorization request. For example, the CPU 231 of the client terminal 150 can specify Print as a scope for using the resource server 120.

In S603, the CPU 231 of the authentication authorization server 110 transmits the login screen 501 shown in FIG.
In step S <b> 604, the CPU 231 of the client terminal 150 detects the user ID and password input to the login screen 501 transmitted in step S <b> 603 shown on the web browser 350 by the user. The CPU 231 of the client terminal 150 transmits the user ID and password to the authentication authorization server 110 via the Web browser 350. The CPU 231 of the authentication authorization server 110 verifies whether or not the combination of the user ID and password matches information registered in the user management table, and if it matches, the authentication information associated with the user ID is displayed. Generate and execute the following process. The CPU 231 of the authentication authorization server 110 verifies whether or not the combination of the client ID and the redirect URL in the authorization request matches information registered in the client management table. The CPU 231 of the authentication / authorization server 110 verifies whether the logged-in user has authority to the scope of the authorization request. As a result of the two verifications, if the combination of the client ID and redirect URL of the authorization request matches the information registered in the client management table, and the logged-in user has authority to the scope of the authorization request, Is performed. That is, the CPU 231 of the authentication authorization server 110 proceeds to the process of S605.

In step S <b> 605, the CPU 231 of the authentication / authorization server 110 generates an authorization confirmation screen 503 illustrated in FIG. 5C and transmits it to the web browser 350. The CPU 231 of the authentication authorization server 110 stores the authentication information as cookie information for the Web browser 350. In FIG. 5c, the resource name is displayed on the authorization confirmation screen 503. However, a detailed description of the client is added here, and information on the logged-in user is displayed. You can also
In step S <b> 606, the CPU 231 of the client terminal 150 transmits information indicating authorization permission to the authentication authorization server based on the user's operation on the authorization confirmation screen displayed on the web browser 350. The CPU 231 of the authentication authorization server 110 issues an authorization code to the authorization token management table and registers information corresponding to the authorization code. The information registered in the authorization token management table includes the ID of the authorization code issued to “authorization token ID”, the authorization code to “type”, the print to “scope”, and the expiration date of the token to “expiration date”. Further, the information registered in the authorization token management table includes a client ID received at the time of the authorization request in “client ID”, and a user ID associated with authentication information transmitted as a cookie from the Web browser 350 in “user ID”. including. For example, AT_0002 described in the third line of the authorization token management table is an example of the information registered in the authorization token management table.
In step S <b> 607, the CPU 231 of the authentication authorization server 110 issues a redirect request to the web browser 350 for the redirect URL to which the authorization code ID is assigned as an authorization response.

In step S <b> 608, the CPU 231 of the client terminal 150 makes a token request to the authentication authorization server 110 via the resource service cooperation application 351. The information accompanying the token request includes the authorization token ID of the authorization code acquired by the authorization response, “client ID”, “secret”, and “redirect URL” of the device client management table.
The CPU 231 of the authentication and authorization server 110 that has received the token request performs the following verification, and generates an authorization token if all are correct. The CPU 231 of the authentication authorization server 110 verifies whether the combination of the client ID and the client secret in the token request matches the combination of “user ID” and “password” registered in the user management table. The CPU 231 of the authentication authorization server 110 verifies whether the authorization token ID of the authorization code of the token request is registered in the authorization token management table, and whether the authorization token ID is within the expiration date. Further, the CPU 231 of the authentication / authorization server 110 verifies whether or not the client ID received in the token request matches the “client ID” specified by the “authorization token ID” in the authorization token management table. Further, the CPU 231 of the authentication / authorization server 110 verifies whether or not the redirect URL of the token request matches the “redirect URL” of the client management table. The “redirect URL” may not be managed by the client management table, but may be managed by the authorization token management table by adding a “redirect URL” column to the authorization token management table. When the “redirect URL” is managed in the authorization token management table, the redirect URL corresponding to the authorization code is also registered in the added “redirect URL” column when the authorization code is issued. In the verification, the CPU 231 of the authentication / authorization server 110 may verify whether the redirect URL received in the token request matches the “redirect URL” in the authorization token management table. When all the verifications are correct, the CPU 231 of the authentication authorization server 110 generates an authorization token.

In step S <b> 609, the CPU 231 of the authentication authorization server 110 transmits the authorization token ID of the authorization token, the refresh token ID, and the user ID logged into the authentication authorization server 110 to the resource service cooperation application 351. The CPU 231 of the authentication authorization server 110 registers the authorization token ID in the “authorization token ID”, “authorization token”, and “expiration date” in the “token type” in the authorization token management table. Further, the CPU 231 of the authentication / authorization server 110 registers “client ID” and “user ID” as information inherited from the authorization code. Further, the CPU 231 of the authentication / authorization server 110 issues a refresh token for refreshing the authorization token, and registers it in “refresh token ID” and “refresh time limit”. For example, AT_0003 described in the fourth line of the authorization token management table is an example of the registered information. The refresh process will be described later in S614 to S616 in FIG.
In step S610, the CPU 231 of the client terminal 150 stores the authorization token information in the device token management table via the resource service cooperation application 351. The CPU 231 of the client terminal 150 stores the authorization token ID in “authorization token ID” and the refresh token ID in “refresh token ID” of the device token management table. Further, the CPU 231 of the client terminal 150 stores the user ID logged into the authentication authorization server 110 in “authentication authorization server user ID” of the device token management table.
In step S <b> 611, the CPU 231 of the client terminal 150 displays a screen indicating that the authorization has been completed on the web browser 350 via the resource service cooperation application 351.

Next, a sequence for accessing the resource server 120 by the client terminal 150 using the acquired authorization token will be described.
In S612, the CPU 231 of the client terminal 150 uses the resource service cooperation application 351 based on an operation on the client terminal 150 by the user. The CPU 231 of the client terminal 150 requests the processing to the resource server 120 via the resource service cooperation application 351 in order to realize the processing requested by the user.

The processing of S613-S617 is processing for refreshing the authorization token requested by the client terminal 150 to the authentication authorization server 110 for a new authorization token when the validity period of the authorization token has expired. If the authorization token has not expired, the refresh process may not be performed and the process may proceed to S618.
In step S <b> 613, the CPU 231 of the client terminal 150 acquires the “refresh token ID” of the authorization token from the device token management table via the resource service cooperation application 351.
In S614, the CPU 231 of the client terminal 150 makes a token refresh request to the authentication authorization server 110 via the resource service cooperation application 351. The information accompanying the token refresh request includes the “refresh token ID”, “client ID” and “secret” in the device client management table. When receiving the token refresh request, the CPU 231 of the authentication authorization server 110 executes the following processing. First, the CPU 231 of the authentication authorization server 110 determines whether or not the combination of the client ID and the client secret included in the information accompanying the token refresh request matches the combination of “user ID” and “password” in the user management table. Verify that. As a result of the verification, if they match, the CPU 231 of the authentication authorization server 110 verifies whether the refresh token ID of the token refresh request is registered in the authorization token management table. Further, the CPU 231 of the authentication / authorization server 110 verifies whether the “refresh time limit” corresponding to the refresh token ID in the authorization token management table is within the valid time limit. Further, the CPU 231 of the authentication / authorization server 110 verifies whether the client ID included in the information accompanying the token refresh request matches the “client ID” in the authorization token management table.

In S615, the CPU 231 of the authentication / authorization server 110 issues an authorization token again when all the verifications in S614 are correct. The CPU 231 of the authentication authorization server 110 newly issues an authorization token ID and a refresh token ID and registers them in the authorization token management table. The CPU 231 of the authentication authorization server 110 takes over the values of “token type”, “scope”, and “client ID” corresponding to the refresh token ID received by the token refresh request and registers them in the authorization token management table. Further, the CPU 231 of the authentication authorization server 110 may invalidate the original refresh token ID so that it cannot be refreshed again, more specifically, the expiration date may be forcibly expired. The CPU 231 of the authentication authorization server 110 may take over the “refresh token ID” corresponding to the new authorization token ID without issuing a new refresh token ID.
In S616, the authorization token ID of the authorization token and the refresh token ID are transmitted to the resource service cooperation application 351.
In S617, the CPU 231 of the client terminal 150 overwrites the “token ID” of the device token management table with the authorization token ID of the authorization token issued in S615 via the resource service cooperation application 351. Further, the CPU 231 of the client terminal 150 overwrites the “refresh token ID” in the device token management table with the refresh token ID of the authorization token issued in S615 via the resource service cooperation application 351.

In S <b> 618, the CPU 231 of the client terminal 150 makes a resource request in which the resource server 120 is accompanied by information including the authorization token ID via the resource service cooperation application 351.
In S <b> 619, the CPU 231 of the resource server 120 requests the authentication authorization server 110 to perform token verification of the authorization token ID included in the information accompanying the resource request. The information associated with the request can include a scope, for example, a Print scope. The scope is an example of processing information.
In S620, the authentication authorization server 110 verifies whether the authorization token ID is registered in the authorization token management table, whether it is within the expiration date, and whether the accepted scope is within the scope of the authorization token. To do. Then, the authentication authorization server 110 transmits the verification result to the resource server 120.
In S621, the CPU 231 of the resource server 120 transmits the authorization token ID to the authentication authorization server 110 to request acquisition of token information.

In step S622, the CPU 231 of the authentication / authorization server 110 acquires information corresponding to the authorization token ID from the authorization token management table, and transmits the information to the resource server 120. The information accompanying the transmission includes, for example, information such as “scope”, “client ID”, and “user ID” in the authorization token management table. Furthermore, the information accompanying the transmission includes a “serial number” registered in the client management table specified by the client ID.
In S623, the CPU 231 of the resource server 120 determines whether to permit access to the requested resource based on the information transmitted in S622, and executes the process when permitting.
In S624, the CPU 231 of the resource server 120 transmits the processing result to the resource service cooperation application 351.
In S625, the CPU 231 of the client terminal 150 displays the result to the user via the resource service cooperation application 351.
Through the processing according to the sequence, the client terminal 150 and the image forming apparatus 140 can perform the cooperation process without requiring a new authentication process between the client terminal 150 and the image forming apparatus 140.
The above is a sequence in which the client terminal 150 uses the resource server 120.

Next, a sequence in which the client terminal 150 uses the resource service cooperation application 347 of the image forming apparatus 140 will be described with reference to FIGS.
FIG. 7 is a sequence based on the premise that the client terminal 150 has acquired an authorization token in the processing of S601 to S611 in FIG. Since the authorization token used by the CPU 231 of the client terminal 150 for accessing the resource server 120 can be used as it is for accessing the image forming apparatus 140, authentication processing between the client terminal 150 and the image forming apparatus 140 is not necessary. .

In step S <b> 701, the CPU 231 of the client terminal 150 uses the resource service cooperation application 351 based on an operation on the client terminal 150 by the user. The CPU 231 of the client terminal 150 identifies the image forming apparatus 140 to be accessed based on an operation by the user, and uses the function of the resource service cooperation application 347. As a method for specifying the image forming apparatus 140, there is a method of selecting from a list of image forming apparatuses 140 registered in the client terminal 150 in advance. In addition, if NFC (Near Field Communication) or the like is mounted on the client terminal 150 and the image forming apparatus 140, a method of identifying the image forming apparatus 140 by reading the NFC of the target image forming apparatus 140 at the client terminal 150 may be used. . Further, if hardware such as a camera is mounted on the client terminal 150, the image forming apparatus 140 displays a two-dimensional barcode or the like, and the camera forms the image forming apparatus 140 by reading the two-dimensional barcode or the like. It may be specified. In this embodiment, the specifying method of the image forming apparatus 140 is not limited.
In step S <b> 702, the CPU 231 of the client terminal 150 issues a resource request to the image forming apparatus 140 to be used via the resource service cooperation application 351. The information accompanying the resource request includes the authorization token ID of the authorization token stored in S617 of FIG. Acquisition of the printing performance (color / monochrome or finisher performance) of the image forming apparatus 140, and a print instruction with print settings based on the acquired print information are examples of the resource request.

In step S <b> 703, the CPU 231 of the image forming apparatus 140 performs the following process via the resource service cooperation application 347. In other words, the CPU 231 of the image forming apparatus 140 requests the authentication / authorization server cooperation client 346 to verify the authorization token included in the information accompanying the resource request. Note that the information accompanying the token verification request may include a scope designation. In the present embodiment, it is assumed that the information accompanying the token verification request includes designation of a Print scope.
In step S <b> 704, the CPU 231 of the image forming apparatus 140 makes a token user information request for requesting user information corresponding to the authorization token to the authentication authorization server 110 via the authentication authorization server cooperation client 346. The information accompanying the request includes “client ID” and “secret” of the tenant client management table and an authorization token from the resource service cooperation application 347.
In step S <b> 705, the CPU 231 of the authentication / authorization server 110 performs a user information specifying process for specifying user information corresponding to the authorization token.
Details of the user information specifying process of S705 will be described with reference to the flowchart of FIG.

FIG. 8 is a flowchart showing an example of user information specifying processing in the authentication authorization server 110.
In step S <b> 801, the CPU 231 of the authentication / authorization server 110 determines whether the combination of the client ID and secret of the token user information request matches the combination of “user ID” and “password” registered in the user management table. Verify that.
If it is determined in step S802 that they match, the CPU 231 of the authentication authorization server 110 acquires “client ID” in the client management table and identifies the access source of the resource request in step S702.
In step S803, the CPU 231 of the authentication authorization server 110 verifies the authorization token ID of the token user information request. The CPU 231 of the authentication authorization server 110 verifies whether or not the authorization token ID is valid by verifying whether or not the authorization token ID is registered in the authorization token management table and whether or not it is within the expiration date. .
In step S <b> 804, when the authorization token ID is valid, the CPU 231 of the authentication / authorization server 110 acquires the token issuing user information from the “user ID” corresponding to the authorization token ID in the authorization token management table.
In S805, the CPU 231 of the authentication / authorization server 110 searches for the resource token from the authorization token management table based on the user ID information acquired in S804. The CPU 231 of the authentication authorization server 110 searches for tokens that satisfy all of the following conditions from the tokens registered in the authorization token management table. The conditions are that “type” is a resource token, “scope” is Resource, “client” is the client ID acquired in S802, “user ID” is the user ID acquired in S804, “refresh time limit” is not expired, It is. The CPU 231 of the authentication authorization server 110 proceeds to the process of S806 when a token satisfying the above condition can be retrieved, and proceeds to the process of S807 when a token satisfying the above condition cannot be retrieved.

In S806, the CPU 231 of the authentication and authorization server 110 ends the user information specifying process of FIG. 8 with the user ID of the authorization token issuer acquired in S804 as a return value.
In S807, the CPU 231 of the authentication authorization server 110 searches for the resource token from the authorization token management table based on the information of the administrator user who is the administrator of the user of the authorization token issuer acquired in S804. First, from the user management table, the CPU 231 of the authentication authorization server 110 obtains the “user ID” of the user whose “tenant ID” is the same as the issuer user of the authorization token acquired in S804 and whose “role” is the administrator. Get all. Next, the CPU 231 of the authentication / authorization server 110 searches for tokens that satisfy all of the following conditions from the tokens registered in the authorization token management table. The conditions are that “type” is a resource token, “scope” is Resource, “client” is the client ID acquired in S802, “user ID” is the administrator user ID acquired, and “refresh time limit” is not expired. . If the CPU 231 of the authentication authorization server 110 can search for a token that satisfies all of the above conditions, the process proceeds to S808. If the token that satisfies all of the above conditions cannot be searched, the CPU 231 proceeds to S809.
In step S808, the CPU 231 of the authentication authorization server 110 sets the user ID of the administrator as a return value, and ends the user information specifying process in FIG. If a plurality of tokens are found as a result of the search in S807, the CPU 231 of the authentication authorization server 110 may return one of the plurality of tokens according to a specific rule. For example, the CPU 231 of the authentication authorization server 110 may return the user ID of the token found first. Further, the CPU 231 of the authentication authorization server 110 may return the user ID of the token with the latest refresh period, that is, the newest token.
In step S809, the CPU 231 of the authentication authorization server 110 can perform error processing.
The above is the details of the user information specifying process (S705) of FIG.

Returning to the description of FIG.
In step S <b> 706, the CPU 231 of the authentication / authorization server 110 transmits the user ID acquired in step S <b> 705 to the authentication / authorization server cooperation client 346.
The CPU 231 of the image forming apparatus 140 executes the following processing via the authentication / authorization server cooperation client 346. That is, the CPU 231 of the image forming apparatus 140 acquires, from the device token management table, a token whose “type” is a resource token and whose “authentication authorization server user ID” is the same as the user ID acquired in S706.
In step S <b> 707, the CPU 231 of the image forming apparatus 140 requests the authentication authorization server 110 to refresh the acquired token via the authentication authorization server cooperation client 346.
In step S <b> 708, the CPU 231 of the authentication / authorization server 110 transmits the refreshed resource token to the authentication / authorization server cooperation client 346.
The processes of S707 to S708 are the same as the processes of S614 to S616.
In step S <b> 709, the CPU 231 of the image forming apparatus 140 issues a token verification request to the authentication / authorization server 110 via the authentication / authorization server cooperation client 346 to verify the authorization token. The information accompanying the token verification request includes the resource token, the authorization token requested to be verified from the resource service cooperation application 347 in S703, and the scope.
In S710, the CPU 231 of the authentication / authorization server 110 performs token verification processing.

The details of the token verification processing in S710 performed by the authentication / authorization server 110 will be described with reference to FIG.
FIG. 9 is a flowchart of the token verification process in the authentication authorization server.
In step S901, the CPU 231 of the authentication authorization server 110 verifies the resource token received in step S709. It is verified whether the authorization token ID of the resource token is registered in the authorization token management table and whether it is within the expiration date. More specifically, the CPU 231 of the authentication / authorization server 110 searches for a token corresponding to the authorization token ID among the tokens registered in the authorization token management table. When a token corresponding to the authorization token ID is detected, the CPU 231 of the authentication authorization server 110 verifies that the authorization token ID of the authorization token is registered in the authorization token management table. The CPU 231 of the authentication authorization server 110 refers to the “expiration date” corresponding to the searched token and verifies whether it is within the expiration date. As a result of the verification, if the authorization token ID of the resource token is registered in the authorization token management table and is within the expiration date, the CPU 231 of the authentication authorization server 110 proceeds to the process of S902. As a result of the verification, the CPU 231 of the authentication / authorization server 110 determines that the verification has failed when the authorization token ID of the resource token is not registered in the authorization token management table or is not within the expiration date.

In step S902, the CPU 231 of the authentication / authorization server 110 verifies the authorization token received in step S709. The CPU 231 of the authentication authorization server 110 determines whether the authorization token ID of the authorization token is registered in the authorization token management table, whether it is within the expiration date, and whether the scope of the token verification request matches. Validate. More specifically, the CPU 231 of the authentication / authorization server 110 searches for a token corresponding to the authorization token ID among the tokens registered in the authorization token management table. When a token corresponding to the authorization token ID is detected, the CPU 231 of the authentication authorization server 110 verifies that the authorization token ID of the authorization token is registered in the authorization token management table. The CPU 231 of the authentication authorization server 110 refers to the “expiration date” corresponding to the searched token and verifies whether it is within the expiration date. Further, the CPU 231 of the authentication authorization server 110 verifies whether or not the scope matches based on the scope and the value of “scope” corresponding to the searched token. For example, if the scope and the “scope” value corresponding to the searched token are the same, the CPU 231 of the authentication authorization server 110 verifies that the scope matches. As a result of the verification, the CPU 231 of the authentication authorization server 110 proceeds to the processing of S903 when the authorization token ID of the received resource token is registered in the authorization token management table, is within the validity period, and the scope matches. . As a result of the verification, if the authorization token ID of the received resource token is not registered in the authorization token management table, is not within the expiration date, or does not match the scope, the CPU 231 of the authentication authorization server 110 sets the verification failure. .
In S903, the CPU 231 of the authentication / authorization server 110 checks the issuer user of the resource token and the authorization token. The CPU 231 of the authentication / authorization server 110 acquires and compares the “user ID” of the resource token and the authorization token from the authorization token management table. If the user IDs of the resource token and the authorization token are the same, the CPU 231 of the authentication authorization server 110 proceeds to the process of S904. If the user IDs of the resource token and the authorization token are different, the CPU 231 of the authentication / authorization server 110 proceeds to the process of S905.

In step S904, the CPU 231 of the authentication / authorization server 110 determines that the token verification is successful and ends the token verification process of FIG.
In step S <b> 905, the CPU 231 of the authentication / authorization server 110 verifies whether the “tenant ID” of the resource token user in the user management table matches the “tenant ID” of the user of the authorization token. When it is determined that the two “tenant IDs” match as a result of the verification, the CPU 231 of the authentication authorization server 110 further verifies whether the “role” of the resource token user includes an administrator. As a result of the verification, if the “role” includes an administrator, the CPU 231 proceeds to the process of S906, and if the “role” does not include the administrator, the CPU 231 proceeds to the process of S907.
In S906, the CPU 231 of the authentication authorization server 110 completes the token verification process of FIG.
In step S907, the CPU 231 of the authentication authorization server 110 determines that the token verification has failed and ends the token verification process in FIG.
The details of the token verification process (S710) have been described above.

Returning to the description of FIG.
In S711, the CPU 231 of the authentication / authorization server 110 transmits the verification result of S710 and the user ID of the authorization token to the authentication / authorization server cooperation client 346 as a token verification result.
In step S <b> 712, the CPU 231 of the image forming apparatus 140 executes the user specifying process when the verification result in step S <b> 711 is successful.

In FIG. 10, the details of the user specifying process executed by the CPU 231 of the image forming apparatus 140 via the authentication / authorization server cooperation client 346 in S712 will be described.
FIG. 10 is a flowchart of user specifying processing in the image forming apparatus 140.
In step S <b> 1001, the CPU 231 of the image forming apparatus 140 performs user check processing for comparing the user ID received in step S <b> 711 with the user ID received in step S <b> 706 via the authentication authorization server cooperation client 346. The CPU 231 of the image forming apparatus 140 proceeds to the process of S1002 when the user IDs are the same as a result of the user check process, and proceeds to the process of S1003 when the user IDs are not the same as a result of the user check process.
In step S <b> 1002, the CPU 231 of the image forming apparatus 140 acquires a token whose “authentication authorization server user ID” is the user ID received in step S <b> 706 and “type” is a resource token from the device token management table. The CPU 231 of the image forming apparatus 140 acquires a “user ID” corresponding to the acquired token. By the process of S1002, the user who manages the image forming apparatus 140 can be identified from the users managed by the authentication / authorization server 110.

In step S <b> 1003, the CPU 231 of the image forming apparatus 140 performs user mapping processing according to the setting. In the user mapping process, the user who acquired the authorization token has not registered the resource in the image forming apparatus 140, but the administrator user of the user who acquired the authorization token has registered the resource in the image forming apparatus 140. Process. The CPU 231 of the image forming apparatus 140 acquires the manager as a user associated with the user who has acquired the authorization token as a subject that executes processing requested from the client terminal 150 on the image forming apparatus 140. Details of the setting method and contents will be described later with reference to FIG. In S1003, some user of the image forming apparatus is specified.
In step S <b> 1004, when the CPU 231 of the image forming apparatus 140 specifies the user of the image forming apparatus 140, the CPU 231 performs a login context generation process. The process requested from the client terminal 150 is executed on the image forming apparatus 140 by the user specified in S1003.
The above is the details of the user specifying process performed by the authentication authorization server cooperation client 346 in S712 described in FIG.

Returning to the description of FIG.
In step S <b> 713, the CPU 231 of the image forming apparatus 140 transmits information indicating that the verification result acquired in step S <b> 711 is successful to the resource service cooperation application 347 via the authentication authorization server cooperation client 346. Further, the CPU 231 of the image forming apparatus 140 transmits the login context acquired in S712 to the resource service cooperation application 347. Further, when the verification result in S711 is unsuccessful, the CPU 231 of the image forming apparatus 140 immediately transmits information indicating that the verification result acquired in S711 is unsuccessful to the resource service cooperation application 347.
In step S <b> 714, the CPU 231 of the image forming apparatus 140 performs processing of the resource requested from the client terminal 150 in step S <b> 702 via the resource service cooperation application 347.
In step S <b> 715, the CPU 231 of the image forming apparatus 140 transmits the result of the resource processing in step S <b> 714 to the resource service cooperation application 351 of the client terminal 150.
In S716, the CPU 231 of the client terminal 150 indicates the processing result to the user via the resource service cooperation application 351.

The above-described processing of S1003 in FIG. 10 will be supplemented with reference to FIG.
FIG. 11 is a diagram illustrating an example of a screen for setting in the user specifying process.
A process setting screen 1101 at the time of user unmatch is a screen for the administrator of the image forming apparatus 140 to make settings in the image forming apparatus 140 in advance. The process setting screen 1101 at the time of user unmatch is an example of a setting screen.
A user unmatched process 1102 is an item for setting a process method in S1003, that is, a process when the user IDs do not match in S1001. Items in the user unmatch processing 1102 can be set based on an operation performed by the operator on, for example, the user unmatch processing setting screen 1101 displayed on the user interface unit or the like.
Execute as resource registrant 1103 is an item for selecting a setting for executing processing requested from the client terminal 150 as a user who has registered the resource. More specifically, it means to execute as the user of the resource token used for verification.
Automatic generation and execution 1104 is an item for selecting a setting for newly generating and executing a user in the image forming apparatus 140. The CPU 231 of the image forming apparatus 140 can automatically create a user in the image forming apparatus 140 in association with the user ID of the authentication authorization server acquired in S711. Note that when there is a user that has already been created in association with the user ID of the same authentication and authorization server when the automatic user is created, the user may be used. Therefore, the CPU 231 of the image forming apparatus 140 can reuse the data (such as settings for each user such as a personal address book) created and stored in the image forming apparatus in the process executed last time.

[XX] days later, the setting item of deletion 1105 is an item for setting when the user automatically generated and automatically generated in accordance with the setting of execution 1104 is deleted. If the deletion 1105 is not set after [XX] days, the user remains without being deleted, and if it is set, it can be automatically deleted after the set number of days have passed since the user last used it.
The user mapping 1106 is an item that manages association information between the user of the image forming apparatus 140 and the user of the authentication authorization server. The user mapping 1106 holds user association information automatically generated and automatically generated by execution 1104. The user mapping 1106 can display the user of the authentication authorization server 110 corresponding to the user of the image forming apparatus 140. Further, the CPU 231 of the image forming apparatus 140 can describe an arbitrary user in the user mapping 1106 by an operation performed on the user mapping 1106 by the operator. The CPU 231 of the image forming apparatus 140 detects that the setting 1107 is pressed by the user and registers the described user as a user of an authentication authorization server corresponding to an existing user of the image forming apparatus 140. Can be. Further, the CPU 231 of the image forming apparatus 140 can detect that the setting 1107 is pressed by the user, thereby releasing the mapping information or manually deleting the automatically generated user.
The CPU 231 of the image forming apparatus 140 can also set the following settings when all the settings on the processing setting screen 1101 at the time of user unmatch are not performed. In other words, the CPU 231 of the image forming apparatus 140 can be set so that the user who uses the client terminal 150 and the user registered with the image forming apparatus 140 do not match each other can be used.
As described above, according to the present embodiment, the following effects can be obtained. By registering the image forming apparatus 140 or the like as a part of the resource server in advance by an operator, administrator, or the like, the client terminal 150 does not perform authentication processing with the image forming apparatus 140 or the like. Thus, the image forming apparatus 140 and the like can be securely accessed. Therefore, the client terminal 150 can seamlessly perform cooperation processing between the resource server under the authentication and authorization server and different devices such as the image forming apparatus 140.
The above is the description of this embodiment.

<Other embodiments>
The present invention supplies a program that realizes one or more functions of the above-described embodiments to a system or apparatus via a network or a storage medium, and one or more processors in a computer of the system or apparatus read and execute the program This process can be realized. It can also be realized by a circuit (for example, ASIC) that realizes one or more functions.

110 authentication authorization server, 120 resource server, 140 image forming apparatus, 150 client terminal, 231 CPU

Claims (19)

A web service system including an authentication authorization device, an information processing device, and a terminal device,
The authentication authorization device is:
In response to a registration request from the information processing apparatus capable of communicating via a network, registration means for registering the information processing apparatus as a subordinate resource;
First transmission means for transmitting a resource token corresponding to the content of registration in the registration means to the information processing apparatus;
Whether execution of processing corresponding to the processing information in the information processing device is permitted in response to a verification request including a resource token, an authorization token, and processing information from the information processing device registered by the registration unit Verification means for verifying whether or not,
Have
The terminal device
A second transmission unit configured to transmit an authorization token acquired from the authentication authorization device to the information processing device when performing a processing request to the information processing device capable of communicating via a network;
The information processing apparatus includes:
Registration request means for requesting the authentication authorization device to register the information processing device as a resource under the authentication authorization device;
In response to a processing request from the terminal device, a resource token from the authentication authorization device, an authorization token from the terminal device, and processing information of the processing requested from the terminal device are transmitted to the authentication authorization device. Verification request means for requesting the authentication authorization device to verify whether or not execution of processing corresponding to the processing information in the information processing device is permitted based on the transmitted information;
If the result of the verification by the authentication authorization device is affirmative, execution means for executing the processing requested by the terminal device;
A web service system. The registration means uniquely identifies the identification information in identification information including user information of a user who made the registration request, device information of the information processing device, and authority information indicating that the user is under the authentication and authorization device. Registering the information processing apparatus as a subordinate resource by storing the registration information to which the specific information to be added is stored in the storage means,
The first transmission means transmits the specific information as a resource token to the information processing apparatus,
The verification means determines whether the authority information of the identification information corresponding to the resource token from the information processing apparatus is a resource under the authentication authorization apparatus, or the identification information corresponding to the authorization token from the information processing apparatus The authority information is verified as to whether or not processing corresponding to the processing information requested by the terminal device to the information processing device is permitted, and if both of the verification results are positive, the resource The Web service system according to claim 1, wherein user information of identification information corresponding to a token and user information of identification information corresponding to the authorization token are verified.   The second transmission unit is configured to uniquely identify user information for requesting the processing, device information of the terminal device, and authority information corresponding to the user information and device information. The Web service system according to claim 2, wherein the acquired specific information is transmitted to the information processing apparatus as an authorization token. The registration request means transmits user information of a user who makes a registration request and device information of the information processing device, and registers the information processing device as a resource under control of the authentication authorization device based on the transmitted information. Request,
In response to a processing request from the terminal device, the verification request unit includes an authorization token acquired from the authentication authorization device, a resource token acquired from the terminal device, and processing information of a process requested from the terminal device. The Web service system according to claim 3, wherein the Web service system requests to verify whether execution of the processing in the information processing apparatus according to the request is permitted by transmitting to an authentication authorization apparatus. The authentication authorization device is:
It further has an acquisition means for acquiring user authority data holding user authority information in which user information, user affiliation information and user authority information are associated with each other,
If the user information of the identification information corresponding to the resource token and the user information of the identification information corresponding to the authorization token are not the same, the verification means is the user authority data in the user authority data acquired by the acquisition means Whether the affiliation information of the user authority information corresponding to the resource token and the affiliation information of the user authority information corresponding to the authorization token in the user authority data are the same, the user authority of the user authority information corresponding to the resource token 5. The Web service system according to claim 4, wherein whether or not the information has administrator authority is verified, and if both of the verification results are positive, the result of the verification means is positive. The information processing apparatus includes:
When the user information related to the authorization token and the user information related to the resource token transmitted from the authentication authorization device are not the same, a specifying unit for specifying a user who executes processing;
Further comprising
6. The Web service system according to claim 1, wherein the execution unit executes a process requested by the user specified by the specifying unit from the terminal device.   The web service system according to claim 6, wherein the specifying unit displays a setting screen on a user interface, prompts an operator to perform an operation through the setting screen, and specifies a user who executes processing based on the operation. In response to a registration request from an information processing apparatus that can communicate via a network, a registration unit that registers the information processing apparatus as a subordinate resource;
Transmitting means for transmitting a resource token corresponding to the content of registration in the registration means to the information processing apparatus;
Whether execution of processing corresponding to the processing information in the information processing device is permitted in response to a verification request including a resource token, an authorization token, and processing information from the information processing device registered by the registration unit Verification means for verifying whether or not,
An authentication authorization device having The registration means uniquely identifies the identification information in identification information including user information of a user who made the registration request, device information of the information processing device, and authority information indicating that the user is under the authentication and authorization device. Registering the information processing apparatus as a subordinate resource by storing the registration information to which the specific information to be added is stored in the storage means,
The transmission means transmits the specific information as a resource token to the information processing apparatus,
The verification means determines whether the authority information of the identification information corresponding to the resource token from the information processing apparatus is a resource under the authentication authorization apparatus, or the identification information corresponding to the authorization token from the information processing apparatus The resource token is verified as to whether or not the processing corresponding to the processing information requested to the information processing device by the terminal device is permitted. If both of the verification results are positive, the resource token 9. The authentication / authorization apparatus according to claim 8, wherein user information of the identification information corresponding to the authentication information and user information of the identification information corresponding to the authorization token are verified. It further has an acquisition means for acquiring user authority data holding user authority information in which user information, user affiliation information and user authority information are associated with each other,
If the user information of the identification information corresponding to the resource token and the user information of the identification information corresponding to the authorization token are not the same, the verification means is the user authority data in the user authority data acquired by the acquisition means Whether the affiliation information of the user authority information corresponding to the resource token and the affiliation information of the user authority information corresponding to the authorization token in the user authority data are the same, the user authority of the user authority information corresponding to the resource token The authentication authorization apparatus according to claim 9, wherein whether or not the information has administrator authority is verified, and if both of the verification results are positive, the result of the verification means is positive. Registration request means for requesting the authentication authorization device to register the information processing device as a resource under the control of the authentication authorization device capable of communicating via a network;
In response to a processing request from a terminal device communicable via a network, the authentication authorization includes a resource token from the authentication authorization device, an authorization token from the terminal device, and processing information of a process requested from the terminal device. Verification that transmits to the apparatus and requests the authentication authorization apparatus to perform verification based on the transmitted information whether or not execution of the process corresponding to the processing information in the information processing apparatus is permitted Request means;
If the result of the verification by the authentication authorization device is affirmative, execution means for executing the processing requested by the terminal device;
An information processing apparatus. The registration request means transmits user information of a user who makes a registration request and device information of the information processing device, and registers the information processing device as a resource under control of the authentication authorization device based on the transmitted information. Request to the authentication authorization device,
In response to a processing request from the terminal device, the verification requesting unit includes an authorization token from the authentication authorization device, a resource token from the terminal device, and processing information of the processing requested from the terminal device. The information processing apparatus according to claim 11, wherein the information processing apparatus sends a request to the apparatus to verify whether or not the execution of the processing in the information processing apparatus is permitted. When the user information related to the authorization token and the user information related to the resource token transmitted from the authentication authorization device are not the same, a specifying unit for specifying a user who executes processing;
Further comprising
The information processing apparatus according to claim 11, wherein the execution unit executes a process requested by the user specified by the specifying unit from the terminal device.   The information processing apparatus according to claim 11, wherein the information processing apparatus is an image forming apparatus that forms an image. An information processing method in a Web service system including an authentication authorization device, an information processing device, and a terminal device,
A registration request step for requesting the authentication authorization device to register the information processing device as a resource under control of the authentication authorization device capable of communicating via a network;
A registration step in which the authentication authorization device registers the information processing device as a subordinate resource in response to a registration request from the information processing device;
A first transmission step of transmitting a resource token corresponding to the content of the registration to the information processing apparatus;
A second transmission step of transmitting an authorization token acquired from the authentication authorization device to the information processing device when the terminal device requests processing to the information processing device capable of communication via a network;
In response to a processing request from the terminal device, the information processing device sends a resource token from the authentication authorization device, an authorization token from the terminal device, and processing information requested by the terminal device to the authentication authorization. Verification that transmits to the apparatus and requests the authentication authorization apparatus to perform verification based on the transmitted information whether or not execution of the process corresponding to the processing information in the information processing apparatus is permitted A request step;
In response to the verification request including the resource token, the authorization token, and the processing information from the information processing device registered in the registration step, the authentication authorization device performs processing corresponding to the processing information in the information processing device. A verification step for verifying whether execution is permitted;
The information processing apparatus, if the result of the verification by the authentication authorization apparatus is affirmative, an execution step of executing a process requested by the terminal apparatus;
An information processing method including: An information processing method executed by the authentication authorization device,
A registration step of registering the information processing apparatus as a subordinate resource in response to a registration request from the information processing apparatus capable of communicating via a network;
A transmission step of transmitting a resource token corresponding to the content of the registration to the information processing apparatus;
Whether execution of processing corresponding to the processing information in the information processing device is permitted in response to a verification request including a resource token, an authorization token, and processing information from the information processing device registered in the registration step A verification step to verify whether or not,
An information processing method including: An information processing method executed by an information processing apparatus,
A registration request step for requesting the authentication authorization device to register the information processing device as a resource under the control of the authentication authorization device capable of communicating via a network;
In response to a processing request from a terminal device communicable via a network, the authentication authorization includes a resource token from the authentication authorization device, an authorization token from the terminal device, and processing information of a process requested from the terminal device. Verification that transmits to the apparatus and requests the authentication authorization apparatus to perform verification based on the transmitted information whether or not execution of the process corresponding to the processing information in the information processing apparatus is permitted A request step;
If the result of the verification by the authentication authorization device is affirmative, an execution step of executing processing requested from the terminal device;
An information processing method including: On the computer,
A registration step of registering the information processing apparatus as a subordinate resource in response to a registration request from the information processing apparatus capable of communicating via a network;
A transmission step of transmitting a resource token corresponding to the content of the registration to the information processing apparatus;
Whether execution of processing corresponding to the processing information in the information processing device is permitted in response to a verification request including a resource token, an authorization token, and processing information from the information processing device registered in the registration step A verification step to verify whether or not,
A program for running On the computer,
A registration request step for requesting the authentication / authorization apparatus to register the computer as a resource under the control of the authentication / authorization apparatus that can communicate via a network;
In response to a processing request from a terminal device communicable via a network, the authentication authorization includes a resource token from the authentication authorization device, an authorization token from the terminal device, and processing information of a process requested from the terminal device. A verification requesting step for transmitting to the apparatus and requesting the authentication authorization apparatus to perform verification based on the transmitted information whether or not execution of processing corresponding to the processing information in the computer is permitted When,
If the result of the verification by the authentication authorization device is affirmative, an execution step of executing processing requested from the terminal device;
A program for running

Images