JP2016177795A - Access authorization apparatus, access authorization method, program and communication system - Google Patents

Abstract

PROBLEM TO BE SOLVED: To properly switch access to a resource presented by an object apparatus.SOLUTION: An access authorization apparatus has a communication part, a state determination part, an access substitution part and a determination part. The communication part communicates with an object apparatus connected to a network and a communication apparatus capable of using a resource presented by the object apparatus. The state determination part acquires information for identifying a status of connection of the communication apparatus to the network from at least one of the communication apparatus and the object apparatus to determine the connection status on the basis of the information. The access substitution part transmits a request for using the resource presented by the object apparatus to the object apparatus. The determination part determines whether the communication apparatus transmits the request for using the resource presented by the object apparatus to the object apparatus or the access substitution part transmits said request to the object apparatus.SELECTED DRAWING: Figure 1

Description

  Embodiments described herein relate generally to an access authorization device, an access authorization method, a program, and a communication system.

  A device in a home network such as a home appliance authorizes access to a REST API (Representative State Transfer Programming Interface) (hereinafter referred to as a private API) provided to an application installed in a smartphone or the like. The method is known. Access authorization is the determination of whether or not a specific application can access.

  On the other hand, in a system in which a device is connected to an external server such as the Internet and the device can be monitored and controlled via an external server, the external server publishes a REST API similar to a private API, and passes through this REST API. A method for controlling the device is known. The API released by the external server is hereinafter referred to as a public API.

  In the case where the two APIs (private API and public API) coexist, the user has an advantage of switching between the two. For example, when using in a home, it is not necessary to leave a control log on the server by switching to a private API. In addition, there is a possibility that legal switching is required. However, there is no known method for seamlessly switching between both while authorizing access only to legitimate applications.

Japanese Patent Application Laid-Open No. 2014-6798

  An object of the embodiment of the present invention is to appropriately switch a method of accessing a resource provided by a target device.

  As an embodiment of the present invention, an access authorization device includes a communication unit, a state determination unit, an access proxy unit, and a determination unit. The communication unit communicates with a target device connected to a network and a communication device that can use resources provided by the target device. The state determination unit acquires information for specifying a connection state between the communication device and the network from at least one of the communication device and the target device, and determines the connection state based on the information. The access proxy unit transmits a request for using a resource provided by the target device to the target device. The determination unit determines whether the communication device transmits a resource use request provided by the target device to the target device or the access proxy unit transmits to the target device based on the connection state.

1 is a configuration diagram of a communication system according to a first embodiment. The figure which shows the example of the information memorize | stored in the token memory | storage part. The figure which shows the example of the information memorize | stored in the object apparatus information storage part. The figure which shows the example of the communication sequence which concerns on 1st Embodiment. The figure which shows the example of the communication sequence following FIG. The figure which shows the flowchart of a token issue process. The figure which shows the other structural example of the communication system which concerns on 1st Embodiment. The figure which shows the other structural example of the communication system which concerns on 1st Embodiment. The figure which shows the other structural example of the communication system which concerns on 1st Embodiment. The block diagram of the communication system in connection with 2nd Embodiment. The figure which shows the example of a confirmation screen. The figure which shows the structural example of the communication system which concerns on 3rd Embodiment. The figure which shows the structural example of the object apparatus information storage part which concerns on 3rd Embodiment. The figure which shows the example of the operation | movement sequence which concerns on 3rd Embodiment. The figure which shows the example of the operation | movement sequence which concerns on 3rd Embodiment. The figure which shows the example of the operation | movement sequence which concerns on 3rd Embodiment. The figure which shows the other structural example of the communication system which concerns on 4th Embodiment.

  Hereinafter, embodiments of the present invention will be described with reference to the drawings.

(First embodiment)
The present embodiment is characterized in that when the user moves from outside the house to the house, the API to be used is automatically switched from the public API to the private API. Hereinafter, this embodiment will be described in detail.

  FIG. 1 is a configuration diagram of a communication system according to the first embodiment of the present invention. This communication system includes an access authorization device 101, a communication device 201, a target device 301, a relay device 401, a first network 501, and a second network 601.

  The first network 501 is a wide area communication network. In the present embodiment, specifically, the Internet is assumed. However, other networks including a closed network such as NGN (Next Generation Network) may be used.

  The second network 601 is a local communication network. In this embodiment, specifically, a home network is assumed. The physical medium may be wired (Ethernet (registered trademark) or the like) or wireless (WiFi, Bluetooth (registered trademark), Zigbee (registered trademark), or the like). The upper communication protocol is assumed to be IP (Internet Protocol), but any communication protocol may be used as long as the communication sequence of the present embodiment is similarly executed.

  The relay device 401 is a router that connects the first network 501 and the second network 601. In the present embodiment, it is assumed that the router is a broadband router having a NAT (Network Address Translation) function for connecting a home network and the Internet.

  The communication device 201 is a device such as a smartphone, a tablet, or a PC used by an end user. In the present embodiment, it is assumed that the communication device 201 is a smartphone. A user carries and uses a smartphone regardless of whether the user is outside or inside the house. A target to which the access authorization device 101 grants an application is an application having a program that operates on a smartphone as a component. In FIG. 1, the communication device 201 is depicted as being connected to the first network 501 and the second network 601, but is connected to the first network 501 but not connected to the second network 601. There are various connection states such as a state in which the network is not connected to the first network 501 but is connected to the second network 601, and a state in which the network is connected to both networks.

  The target device 301 is a device such as a home appliance or a sensor having a communication function. In the present embodiment, a digital television connected to a home network under a broadband router is assumed. The target device 301 publishes a REST API (Representative State Transfer Application Programming Interface) on the second network 601, that is, the home network. Hereinafter, this REST API may be referred to as a private API. In the present embodiment, it is assumed that the target device 301 publishes a private API as an API that can be accessed using HTTP (Hyper Text Transfer Protocol).

  When the communication apparatus 201 is connected to the target device 301 via the second network 601, a desired resource can be used by transmitting an HTTP request to the private API of the target device 301 via the second network 601. . For example, an HTTP message example (hereinafter referred to as message A) using a private API for making a recording reservation for a television program is described below. Using the HTTP POST method, a channel, date and time, etc. are designated in the HTTP request body. In this example, the desired resource is a recording reservation (reserved_programs) of the television (target device 301).

[Message A]

  An example of an HTTP message (hereinafter referred to as message B) using a private API for changing the TV channel is shown below. Using the HTTP PUT method, a channel is specified in the request body. In this example, the desired resource that the communication device 201 intends to use is the status of the television (target device 301).

[Message B]

  The above is only one form of an implementation method, and parameters and URLs are not limited to the above examples.

The access authorization device 101 is a server device connected to the first network 501.
The access authorization device 101 is assumed to have a general computer configuration including a CPU, memory, and storage, but may be realized as a virtual server on a cloud system. In the present embodiment, specifically, it is assumed that a software program installed on the server device realizes the function of the access authorization device 101 according to the present embodiment. This software program is OAuth2.0, OpenID Connect
It is assumed that an authorization server function conforming to a standard for realizing access authorization on the Internet such as 1.0 is provided.

  The access authorization device 101 includes a communication unit 111, a token issuing unit 112, an authorization target determination unit (determination unit) 113, a state determination unit 114, a token verification unit 115, an access proxy unit 116, a token storage unit 117, and a target device information storage unit. 118.

  The communication unit 111 communicates with the communication device 201 and the target device 301 via the first network 501. Communication with the target device 301 is performed via the relay device 401.

The access proxy unit 116 includes a public API, and the public API is disclosed to the first network 501. As described above, specifically, in this embodiment, it is assumed that the public API provides an API accessible by HTTP, similar to the private API.
For example, when the domain of the access authorization device 101 is api.publiccontroller.example.com and the identifier of the target device 301 is “xyz”, this corresponds to the private API of the target device 301 (see the messages A and B described above). The URL of the public API to be expressed can be expressed as follows.

  The token issuing unit 112 receives a request for permission to access the resource of the target device 301 from the communication device 201, and performs authentication of the communication device 201 and authentication and authorization of a resource access authority. If these authentications and authorizations are successful, the token issuing unit 112 issues access permission information (access token) to the communication device 201. There are access tokens for access to the private API and access to the public API, and which one is issued is determined according to the results of the authorization object determination unit 113 and the state determination unit 114 described later. When the communication device 201 receives an access token issued to the public API or private API, the communication device 201 can access the resource of the target device 301. In the case of a private API, the resource is directly accessed to the target device 301, and in the case of a public API, the access is performed by the access authorization device 101. This function is a basic function of the authorization server of OAuth 2.0. The access authorization request and authentication and authorization based on the access authorization request are realized by HTTPS communication according to this standard specification.

The token storage unit 117 stores the access token issued by the token issuing unit 112 in association with one or more API information used when accessing the resource (see FIG. 2 described later). The API information is an example of information related to the API. Other examples include an API path (part of API information) shown in FIG. 3 to be described later.
The API information can distinguish a private API and a public API from its own description. The API information includes a URL used for resource access, for example. Further, the token storage unit 117 stores the accessible target device ID and the user UID in association with the access token. An access token expiration date is also set. The refresh token is issued at the same time as the access token, and its usage will be described later.

  A specific implementation form of the token storage unit 117 itself may be a simple hash structure on a volatile memory, a KVS (Key Value Store), or a relational database management system stored in a non-volatile storage. It may be. As long as the related authorization object information can be referred from the access token, the implementation method is not limited.

  When receiving a resource use request to the public API from the communication apparatus 201, the token verification unit 115 verifies whether the access token included in the access request is a valid access token that has been issued. In addition, when a token issuance request is received from the communication apparatus 201 and the refresh token is included in the token issuance request, it is verified whether the refresh token has been issued and is valid. The access token verification request is received from the target device 301, and it is verified whether the access token included in the verification request is a valid refresh token that has been issued. Similar to the token issuing unit 112, the verification request and the verification based thereon are realized by HTTPS communication.

  The target device information storage unit 118 includes information (access information) used to access the target device 301, a target device ID (device identifier) that uniquely identifies the target device 301, and a private API path. The access information includes the external IP address of the target device 301 and the port number. The external IP address is the IP address of the target device 301 grasped by the access authorization device 101 when communicating with the target device 301, and is usually a global IP address assigned to the port on the first network 501 side of the relay device 401 Matches. Note that the IP address of this embodiment may be an IPv4 address or an IPv6 address. Moreover, you may use types of addresses other than an IP address.

Depending on the communication method between the access authorization device 101 and the target device 301, various variations of the access information can be considered. For example, a method for maintaining a communication connection from the target device 301 to the access authorization device 101 (WebSocket or HTTP Long)
In the case of Polling or the like, communication socket information may be added. The realization form of the storage unit itself can be various forms as with the token storage unit 117.

  In the present embodiment, it is assumed that the target device 301 continues to maintain a communication connection with the access authorization apparatus 101 using the method (WebSocket, HTTP Long Polling, etc.). In this situation, it is also possible to start communication (TCP communication or the like) from the access authorization device 101 to the target device 301 via the relay device 401.

The state determination unit 114 determines the connection state of the communication device 201 when a request (token issue request, resource use request, etc.) from the communication device 201 is received. Specifically, it is determined whether or not the communication device 201 is connected to the second network 601. As a specific determination method, the state determination unit 114 refers to the external IP address of the target device 301 in the target device information storage unit 118, and this matches the transmission source IP address of the request received by the access authorization device 101. It is determined whether or not it is connected to the second network 601 depending on whether or not it is performed. If the external IP address of the target device 301 matches the source IP address, it is determined that the target device 301 is connected to the second network 601, and if it does not match, the target device 301 is not connected to the second network 601 (that is, the first IP address). Connected to the network 501). The transmission source IP address of the request is an example of information for specifying a connection state (whether the communication device 201 is connected or is connectable) with the second network 601.
An IP address range is set for the target device, and the source IP address is connected to the second network depending on whether or not the source IP address is included in the range (such as a range of IP addresses that can be taken by a plurality of target devices). It may be determined whether or not.
When connected to the second network 601, it can be said that the access is from the home because the user can be regarded as being at home. When it is not connected to the second network 601, that is, when it is connected to the first network 501, it can be considered that the user is outside the home, and thus it can be said that the access is from outside the home. In the following, access to the access authorization device 101 via the second network 601 is access from inside the home, and access to the access authorization device 101 via the first network 501 is not access from the home without going through the second network. Sometimes expressed. The state determination unit 114 generates state information indicating the connection state of the communication device 201 based on the determination result. The status information indicates whether the access of the access authorization apparatus 101 of the communication apparatus 201 is from inside the house or from outside the house.

  Here, it is determined whether or not the communication device 201 is connected to the second network 601, but it is determined whether or not the communication device 201 is connected to the first network 501 but is connectable to the second network 601. May be. For example, if the user exists in the home and can connect to the second network 601 at any time, but is currently connected to the first network 501, it can be determined that the user can connect to the second network 601. In order to determine whether the connection is possible, it may be determined whether the communication device 201 is within a certain distance range with respect to the target device 301. For example, it is assumed that the communication device 201 is equipped with a GPS, and the installation position information of the target device 301 is acquired in advance. In this case, GPS position information may be acquired from the communication device 201, and the acquired position information may be compared with the installation position information to determine whether the second network 601 can be connected. Alternatively, when the target device 301 is equipped with GPS, it is possible to connect to the second network 601 by acquiring the GPS location information of the target device 301 and comparing it with the location information of the target device 301. It may be determined whether the state is correct. In a connectable state, processing according to the connected state (in the case of access from home) may be performed. When the private API is accessed, the communication apparatus 201 may automatically switch the connection destination from the first network 501 to the second network 601. The GPS position information is an example of information for specifying a connection state of the communication device 201 with the second network 601.

  The authorization target determination unit 113 uses the state information generated by the state determination unit 114 to determine which of the private API and public API is permitted as an access target. The object to which the authorization object determination unit 113 gives authorization is for an application installed in the communication apparatus 201. As an example, when the status information indicates access from inside the house, a private API is determined. The object accessed by the application of the communication apparatus 201 is the private API or the public API, and it is determined which access is granted. When the private API is determined, this means that the communication device 201 directly accesses the private API of the target device 301 (that is, the communication device 201 transmits a resource use request to the target device 301). In the case of a public API, the access proxy unit 116 receives access to the public API from the communication apparatus 201, and the access proxy unit 116 transmits a resource use request to the target device 301. It is assumed that a method for the access proxy unit 116 to use the resource of the target device 301 is determined in advance. A dedicated API may be prepared, or data including the URL of the private API may be transmitted to the target device, and the target device may internally interpret and execute the URL of the private API included in the data. .

  The operation of this communication system will be described below based on specific examples. Before the description, an assumed scenario of user behavior and preconditions of the communication system will be described.

<Assumed scenario>
A user operates a TV remote control application (hereinafter referred to as a client) installed in a smartphone (communication device 201) from outside the house to make a program recording reservation for the home TV (target device 301). Subsequently, after returning home, the user turns on the TV with the TV remote control application and switches the channel. At this time, the server (access authorization device 101) that provides the TV remote control service on the Web is used so that the public API is used when the user is outside the home and the private API is used when the user is inside the home. The API to be automatically switched is controlled. With this control, the communication apparatus 201 accesses the public API when the user makes a program recording reservation, and accesses the private API when switching the channel. Such API switching is automatically executed in response to movement from outside the house to the house.

<Prerequisites>
The remote control application (client) on the smartphone (communication device 201) conforms to the OAuth standard, and the client identifier (client_id) and client secret information (client_secret) issued from the server (access authorization device 101) that provides the TV remote control service ). In this issuance, the client developer applies to the access authorization device 101 (administrator) for registration of a client that accesses (acquires and changes) a specific resource, and passes through the approval of the administrator of the access authorization device 101. Executed. Registration, permission, and issuance are generally performed automatically electronically, but this issuance method is not defined in this embodiment. In this embodiment, the specific resources are the status (status) of the television (target device 301) and the recording reservation (reserved_programs).
The client_id and client_secret (not shown) are registered on the access authorization apparatus 101 side for client authentication.
The target device information storage unit 118 of the access authorization apparatus 101 stores the external IP address of the target device 301 and the identification information (device identifier: device_id) of the target device 301 (see FIG. 3). In this embodiment, this registration method is not defined. It may be manually registered in the database, or the target device 301 (television) may communicate with the access authorization device 101 and automatically register.
The user of the communication device 201 is the owner of the target device 301 and has created a user account (user_id, user_password) in advance on a server (access authorization device 101) that provides a TV remote control service. The user ID (user_id) is registered in the token storage unit 117 in association with the token (see FIG. 2).
On the access authorization device 101, the user and the target device 301 (television) owned by the user are associated with each other. There are various ways of realizing this association method, but this embodiment does not define the method. In the token storage unit 117, the association between the user and the target device 301 is registered by the association between the user ID (user_id) and the target device ID (device_id).

<Communication sequence of this embodiment>
FIG. 4 shows a communication sequence performed between the target device 301, the communication device 201, and the access authorization device 101 in the communication system according to the present embodiment. FIG. 5 shows a communication sequence following FIG. Each numeral in FIGS. 4 and 5 represents a step number.

[Step 1] A user starts up a client on the communication apparatus 201 and makes a recording reservation (resource use) for a desired program. At this time, since the client has not yet acquired an access token, an authorization screen is displayed to the user, and the permission screen indicates that the client requests the use of resources of the target device 301, and a permission button and a cancel button. indicate. Information for distinguishing whether the user is inside or outside the house (connected to the first network 501 or the second network 601) may be displayed on the permission screen.

[Step 2] The user presses the authorization button in the permission screen. In this embodiment, the client generates the authorization screen. However, a method may be adopted in which an authorization request is transmitted to the access authorization apparatus 101 and the access authorization apparatus 101 responds with the authorization screen. In this case, the permission screen returned from the access authorization device 101 is displayed on the communication device 201.

[Step 3] Upon receiving permission from the user, the client transmits an access token issue request (resource permission request) to the token issuing unit 112 of the access authorization apparatus 101. At this time, the access token issuance request includes client_id, client_secret, user_id, user_password, and authorization range information (authorization target information) that is information related to the requested API, as an implementation form. The authorization range information includes 192.168.11.19/v1/status and 192.168.11.19/v1/reserved_program as an example. When “192.168.11.19/v1/” is known by the access authorization device, the authorization range information may include status and reserved_program.

  For the user_id and user_password, the communication device 201 may display an input screen (or the user authorization screen in step 1) to the user and use the input value, or may be stored in the communication device 201 in advance. Alternatively, this may be used.

  The authorization range information may be stored in advance on the access authorization apparatus 101 side in association with the client identifier (client_id) without being included in the access token issue request. Note that an access token issuance request including client_id, client_secret, user_id, and user_password conforms to an authorization method (grant type) called OAuth 2.0 resource owner password credential grant. In this embodiment, only a sequence according to this grant type is described, but a sequence according to other grant types (authorization code, implicit grant, or client credential grant) may be used.

(Step 4) The token issuing unit 112 authenticates that the client is a regular client based on client_id and client_secret included in the access token issue request. A regular client is a client that has been registered and approved in advance in the access authorization apparatus 101.

(Step 5) The token issuing unit 112 authenticates that the user is a regular user based on user_id and user_password. An authorized user is a user who has been registered and approved in advance in the access authorization device 101. In the access authorization device 101, the user and the target device 301 are registered in advance in association with each other, and therefore the user's possession target device 301 is determined as a result of authentication. Here, the user-owned target device 301 is a television (device_id = xyz).

(Step 6) The state determination unit 114 acquires the transmission source IP address of the access token issue request, and uses this transmission source IP address as the IP address (see FIG. 3) corresponding to the television in the target device information storage unit 118. Compare. The IP address corresponding to the television can be determined by specifying the device (television) associated with the user in the token storage unit and specifying the IP address of the television from the target device information storage unit 118. If they are different, it is determined that the user's access is an out-of-home access, and if they are the same, the access is in-home. Here, it is determined that the access is outside the home.

(Step 7) The authorization target determining unit 113 uses the public API (api.tvcontroller.example.com/v1/devices) based on the determination result of the state determination unit 114 and the target device 301 (device_id = xyz) associated with the user. / xyz / status and api.tvcontroller.example.com/v1/devices/xyz/reserved_program) are determined as authorization targets. Specifically, in the information stored in the token storage unit 117 in FIG. 2, out of the public API and private API associated with the user (which is alice in this example) and the target device 301 (xyz), A public API is determined from the determination result. In the information of FIG. 2, the public API and the private API may be distinguished from the description of the permission target information (API information) itself (for example, if the permission target information includes a private IP address, it is determined as a private API). Etc.) Or, identification information for distinguishing between public API and private API may be separately added, and this may be performed based on this identification information.

(Step 8) Based on the determination by the authorization object determining unit 113, the token issuing unit 112 issues an access token for public API, and transmits an access token response including the issued access token to the client. The issued access token is stored in the token storage unit 117 (column of “access token” in the first row in FIG. 2). In the present embodiment, the token issuing unit 112 provides an expiration date (“expiration date” column in the first row in FIG. 2) for the issued access token, and further uses a refresh token (FIG. 2) “Refresh token” column in the first row)). This refresh token is also included in the access token response sent to the client. Note that public API information may be included in the access token response, or the public API information may be grasped in advance on the client side.

  The refresh token may have a longer expiration date than the access token. When the access token expires or the token verification fails due to a change in the state of the communication device 201 (in-home or out-of-home), which will be described later, the client presents this refresh token and performs a new access Request issuance of a token. By using the refresh token, there is an advantage that it is not necessary to start the process again from the user authentication or the like. In addition, as described in Step 18 described later, a form that does not use a refresh token is also possible.

(Step 9) The client obtains an access token and a refresh token for public API included in the access token response received from the access authorization apparatus 101. The client transmits a recording reservation request (resource use request) including an access token to the public API (access proxy unit 116). Specifically, the above-described message A is transmitted to the public API URL https://api.tvcontroller.example.com/v1/devices/xyz/reserved_programs. In the example of the message A described above, the notation such as an access token is omitted.

(Step 10)
The access proxy unit 116 receives a recording reservation request including an access token for public API. At this time, the token verification unit 115 refers to the token storage unit 117 to confirm that the access token included in the recording reservation request is a valid one issued for public API. That is, it is confirmed that the access token included in the recording reservation request exists in the token storage unit 117 and is within the expiration date.

(Step 11) Similarly to step 6, the state determination unit 114 corresponds to the transmission IP address of the recording reservation request corresponding to the television in the target device information storage unit 118 (for example, specified from “xyz” of the public API URL). It is determined whether the access is out-of-home access or out-of-home access by comparing with the IP address (see FIG. 3). Here, since both do not match, it is determined that the access is outside the home. Based on the determination result of the state determination unit 114, the token verification unit 115 determines that the access token included in the recording reservation request is valid for the recording reservation request from outside the home.

(Step 12) The access proxy unit 116 transmits a recording reservation request, which is a resource use request, to the target device 301. The transmitted recording reservation request is received by the target device 301 via the first network 501, the relay device 401, and the second network 502.

(Step 13) The target device 301 receives the recording reservation request from the access authorization apparatus 101, and executes the recording reservation based on the recording reservation request. When the target device 301 executes the recording reservation, the target device 301 transmits a recording reservation completion report to the access authorization apparatus 101. The access authorization device 101 receives a recording reservation completion report from the target device 301. The access proxy unit 116 returns a response (public API access response) indicating that the requested recording reservation has been completed to the communication apparatus 201.

(Step 14) The user moves from outside the house to the house, and uses the client installed in the communication device 201 to switch the TV channel. At this time, it is assumed that communication is switched from mobile carrier communication (3G or LTE) used outside the house to WiFi in the house. That is, it is assumed that the connection destination of the communication apparatus 201 is switched from the first network 501 to the second network 601.

(Step 15) The client transmits a channel switching request (resource use request) including an access token for the public API to the public API of the access proxy unit 116. Specifically, the above-described message B is transmitted to the public API URL https://api.tvcontroller.example.com/v1/devices/xyz/status. In the example of the message B described above, the notation such as an access token is omitted.

(Step 16) The access proxy unit 116 receives a channel switching request including an access token. At this time, the token verification unit 115 confirms that the access token is a valid one issued for the public API with reference to the token storage unit 117 as in Step 10.

(Step 17) As in step 11, the state determination unit 114 corresponds to the transmission source IP address of the channel switching request for the television in the target device information storage unit 118 (for example, specified from “xyz” of the public API URL). It is determined whether the access is out-of-home access or out-of-home access by comparing with the IP address (see FIG. 3). Here, since both coincide, it is determined that the access is in-home. The token verification unit 115 determines an authorization error based on the determination result of the state determination unit 114. In response to this, the access proxy unit 116 rejects access from the home (second network 601 under the relay device 401) to the public API, and transmits an authorization error response.

(Step 18) Upon receiving the authorization error response, the client installed in the communication apparatus 201 generates an access token issue request and transmits it to the token issuing unit 112. This access token issue request includes the refresh token issued in Step 8. As a variation, there is a method in which a refresh token is not used and a new access token issuance request is transmitted again as in step 3.

(Step 19) The token verification unit 115 acquires the refresh token included in the token issuance request, and confirms whether the acquired refresh token is registered in the token storage unit 117 (at this time, 2 in FIG. 2). The access token and refresh token on the line need not be registered). Since it is registered, it is determined that the refresh token is a valid refresh token. At this time, the ID of the target device 301 for which a refresh token is issued, that is, device_id (= xyz) is acquired from the token storage unit 117.

(Step 20) As in step 17, the state determination unit 114 compares the transmission source IP address of the token issuance request with the IP address (see FIG. 3) corresponding to the television (xyz) in the target device information storage unit 118. Thus, it is determined whether the access is out-of-home access or out-of-home access. Here, since both coincide, it is determined that the access is in-home.

(Step 21) Based on the determination result of the state determination unit 114 and the target device 301 (device_id = xyz) associated with the user, the authorization target determination unit 113 uses the private API (192.168.11.19/ v1 / status, reserved_program) is determined as an access authorization target of the communication apparatus 201.

(Step 22) The token issuing unit 112 issues an access token for private API based on the determination by the authorization target determining unit 113. The issued access token is stored in the token storage unit 117 (column of “access token” in the second row in FIG. 2). At this time, a refresh token having the same value as the refresh token for public API is stored in the token storage unit 117 as a refresh token for the access token for private API (column “refresh token” in the second row in FIG. 2). Further, the token issuing unit 112 acquires private API information (authorization target information) in the token storage unit 117 in FIG. 2, and generates an access token response including an access token, private API information, and the like. The token issuing unit transmits an access token response to the communication device 201. Note that the value of the refresh token may be different from the refresh token for public API.

(Step 23) The client installed in the communication device 201 acquires the access token and private API information included in the access token response, and the channel switching request (resource) including the acquired access token in the private API of the target device 301. Use request) (ie, execute private API access). When the communication device 201 knows the private API information in advance, it is not necessary to include the private API information in the access token response transmitted from the access authorization device 101. In this case, the access authorization apparatus 101 may be configured not to grasp the private API information.

(Step 24) The private API of the target device 301 receives a channel switching request including an access token. The private API of the target device 301 acquires an access token included in the channel switching request, generates a token verification request including the access token, and transmits the token verification request to the access authorization apparatus 101.

(Step 25) The communication unit 111 of the access authorization device 101 receives the token verification request transmitted from the target device 301. The token verification unit 115 refers to the token storage unit 117 to confirm that the access token included in the token verification request is a valid one issued for the private API of the target device 301. Since the same value as the access token is stored in the token storage unit 117 for the target device 301 and is within the expiration date, it can be determined to be valid. The token verification unit 115 recognizes that the transmission source of the token verification request is the target device 301 (device_id = xyz) by including “xyz” of the target device ID in the token verification request and detecting this. May be. Alternatively, when the connection between the target device 301 and the access authorization device 101 is maintained using Websocket, it is determined that the source device of the request transmitted via the connection is always the target device 301 (device_id = xyz). You may make it a mechanism to do. You may judge by methods other than what was described here.

(Step 26) The state determination unit 114 compares the transmission source IP address of the token verification request with the IP address (see FIG. 3) corresponding to the television (xyz) in the target device information storage unit 118, so that the communication device It is determined whether the access 201 (that is, user access) is out-of-home access or out-of-home access. Here, since both coincide, it is determined that the access is in-home. The transmission source IP address included in the token verification request is an example of information for specifying the connection state of the communication apparatus 201 with the second network 601. The token verification unit 115 determines from the determination result (in-home access) of the state determination unit 114 that the access from the client to the target device 301 is a legitimate access (that is, the user is authenticated and authorized by the access authorization device 101). And determines that it is going to access the private API of the target device 301 in the home), and transmits a response indicating the verification result to the target device 301.

(Step 27) From the verification result of the access authorization device 101, the target device 301 determines that the channel switching instructed by the private API access from the communication device 201 may be executed, and executes the channel switching. The target device 301 transmits a response (private API access response) indicating that channel switching has been executed to the communication device 201.

  FIG. 6 is a flowchart of processing performed when the access authorization device 101 receives a token issue request from the communication device 201. 4 and FIG. 5, the token issuance request is received from the communication apparatus 201 in steps 3 and 18.

  When the token issue request is received, it is determined whether the token issue request includes a refresh token (step 31).

  If the refresh token is not included, client authentication (step 32) and user authentication (step 33) are performed. Details of client authentication and user authentication are as described above. If any authentication fails, an authentication error response is transmitted to the communication apparatus 201 and the process is terminated (step 39). When both authentications are successful, the state of the communication device 201 is determined (determination whether the user is in the house or outside the house) (step 34). The details of the determination method are as described above. According to the result of the state determination, it is determined which of the public API and the private API is to be subject to access authorization (step 35), and an access token corresponding to the determined API is generated (step 36). The generated access token is stored in the token storage unit 117 in association with the API information, the target device 301 and the user (step 37).

  On the other hand, if the token issuance request includes a refresh token, the refresh token is verified (step 38). That is, it is determined whether the refresh token is effectively registered in the token storage unit 117. If it is registered effectively, the state of the communication device 201 is determined in step 34, and thereafter, the above-described steps 35 to 37 are performed. If the refresh token is not registered in the token storage unit 117 or has been registered but the expiration date has expired, an authentication error response is transmitted to the communication apparatus 201 and the process is terminated (step 39).

  In the present embodiment, the case where there is one target device in the house is shown, but the same can be implemented when there are a plurality of target devices. At this time, an access token for public API and private API may be issued for each target device, or the same access token may be used by a plurality of target devices.

  In this embodiment, the relay device 401 exists separately from the communication device 201, but the communication device 201 has a relay function, and the target device 301 uses the relay function of the communication device 201 to connect to the access authorization device 101. You may communicate. Also in this case, it can be said that the communication apparatus 201 is connected to the same network as the target device 301.

  In this embodiment, it is assumed that the access authorization device always maintains a communication connection between the target device 301 and Websocket, but the communication device 201 is connected to the second network 602 (or is in a connectable state). The communication connection with the target device 301 may be disconnected. When it is determined that the communication device 201 is not connected to the second network 602 (or is in a state where connection is not possible), the communication connection with the target device 301 may be set again.

  As described above, according to the present embodiment, the access token issuance (steps 4 to 8 and 19 to 22), the resource access using the access token (9 to 12 and 15 to 17), and the access token verification (25 to 26). In FIG. 5, processing is performed according to the state of the communication device 201 (external or in-home). Specifically, it is possible to force the client to use a public API when the user is outside the home and to use a private API whenever the user is at home. At this time, the user does not need to reauthorize each time the API is switched, and the API to be used is switched while the user does not know. Since the user uses the server (access authorization device 101) on the Internet (first network 501) only when performing API access from outside the house, the communication log remaining on the server can be minimized and possible. By using direct communication in the home network (second network 601) as much as possible, communication delay required for resource use can be shortened.

  Hereinafter, variations of the present embodiment will be described.

<Variation of communication sequence (1)>
In steps 18 to 22 in FIG. 5, the access token is reissued, but a sequence in which the access token is not reissued is also possible. The sequence changes in this case will be described below.

  On the authorization screen in step 1 of FIG. 4, the user is requested to authorize access tokens for both inside and outside the house.

  By issuing a token in step 8, an access token for both private API and public API is issued. The access token to be issued is valid for both the authorization object information in the first and second lines in FIG.

  In step 17, a redirect response to the private API is transmitted to the communication device 201 without making an error response. This redirect response includes private API information. The communication apparatus 201 that has received the redirect response executes the operation of Step 23 in FIG. 5 based on the private API information included in the redirect response. As a result, the operations in steps 18 to 22 become unnecessary.

<Variation of communication sequence (2)>
In the sequence of FIG. 4 and FIG. 5, processing is performed in the order of token verification (token validity verification) and state determination (step 10-11, step 16-17, step 19-20, step 25-26). However, this is an implementation-dependent part, and the state determination may be performed first.

<Variation of communication sequence (3)>
A sequence in the case where the user moves from the inside of the house to the outside of the house after the step 27 in FIG.

(Step 28) The user moves from inside the house to outside the house. At this time, the communication apparatus 201 switches communication from WiFi to mobile wide area communication such as 3G to LTE. That is, the communication apparatus 201 switches the communication connection destination from the second network 601 to the first network 501.

(Step 29) Similar to step 23, the client transmits a recording reservation request to the private API of the target device 301 using the home access token.

(Step 30) Access to the private API fails. That is, since the communication apparatus 201 is connected to the first network 501, communication for accessing the private API of the target device 301 in the second network 601 fails (timeout). For this reason, the client of the communication device 201 transmits a token issue request to the token issue unit 112 of the access authorization device 101 via the first network 501. This token issuance request includes a refresh token for private API.

After (step 31), contrary to the case of moving from outside the house to the house, a process of switching the access token for home use to the access token for home use is performed. The content of the processing may be basically performed sequentially in the same manner as in steps 19-22. The previously issued public API access token is discarded, and the public API access token is newly issued again. However, it is possible to continue using the access token for the previous public API as it is. At this time, the expiration date may be extended or the expiration date may not be changed.

<Variation of communication sequence (4)>
Similar to the communication sequence variation (3), after step 27 in FIG. 5, a sequence in which the user moves from the house to the house and makes a separate recording reservation is shown as steps 32 to 37 below.

(Step 32) The user moves from inside the house to outside the house. At this time, the communication apparatus 201 switches communication from WiFi to mobile wide area communication such as 3G to LTE. That is, the communication apparatus 201 switches the communication connection destination from the second network 601 to the first network 501.

(Step 33) As in step 18, the client transmits an access token issuance request to the token issuing unit 112 using the refresh token. As described in Step 3, a new access token issue request may be used. In any case, while the variation (3) makes a token issuance request triggered by an access failure, in this variation, every time (every time the client starts, every time the client IP address changes, every time a resource usage request occurs Etc.) An access token issuance request is made and no access failure to the private API is triggered.

(Step 34) Similar to step 19, the token verification unit 115 acquires the refresh token included in the token issuance request, and checks whether the acquired refresh token is registered in the token storage unit 117. As a result, the corresponding device_id (= xyz) is acquired.

(Step 35) As in step 6, the state determination unit 114 determines whether the access is out-of-home access or out-of-home access. Here, it is determined that the access is outside the home.

(Step 36) Similar to step 7, the authorization target determining unit 113 uses the public API installed in the target device 301 based on the determination result of the state determination unit 114 and the target device 301 (device_id = xyz) associated with the user. Is determined as an access authorization target of the communication apparatus 201.

(Step 37) Similar to step 22, the token issuing unit 112 issues an access token for public API based on the determination by the authorization target determining unit 113. The issued access token is stored in the token storage unit 117. Further, the token issuing unit 112 acquires the public API information (authorization target information) in the token storage unit 117 in FIG. 2, and generates an access token response including the access token, the public API information, and the like. The token issuing unit 112 transmits an access token response to the communication device 201. The value of the refresh token may be different from the refresh token for private API.

<Variation of communication sequence (5)>
As with variations (3) and (4), after step 27 in FIG. 5, a sequence variation in the case where the user moves from the house to the house and makes a separate recording reservation is shown. In variation (3), an example in which a client tries to access a private API has been shown. However, in this variation, the client has a function of searching for a device having a private API, and this is performed each time (every client starts up, the client Every time the IP address is changed, every time a resource use request occurs, etc.). Specifically, a device having a private API is searched using a peripheral device search function such as multicast DNS, UPnP, ECHONET Lite, etc. (The protocol is not limited to these three. There are many examples where equivalent functions are defined in the target protocol, and they may be used). Device information (device identification information (IP address etc.) or private API with a private API) of a device to be discovered is included as related information when an access token is issued from an access authorization device (private_api_path in FIG. 5), target device information There may be a case where the access authorization device is separately provided with an API that provides the password, a case preset in the client, and a case where the user manually sets the client. When the target device is not found, the client transmits a token issuance request to the token issuance unit 112 of the access authorization device 101 as in the variation (3).

<Configuration variation (1)>
FIG. 7 shows another configuration example of the communication system according to the present embodiment. The access proxy unit 116 and the target device information storage unit 118 of FIG. 1 are removed from the access authorization device 101 and are arranged separately as an access proxy device (control proxy device) 131. The access proxy device 131 is connected to the first network 501 and includes a communication unit 119 that communicates with the access authorization device 121, the communication device 201, and the target device 301.

  As another configuration example, a configuration in which the storage units such as the token storage unit 117 or the target device information storage unit 118 are all separated as separate and independent devices is also common. In addition, each element which comprises an access authorization apparatus may be arrange | positioned as another apparatus with various combinations, and the cooperation between each function may be mounted by communication between apparatuses.

<Configuration variation (2)>
FIG. 8 shows another configuration example of the communication system according to the present embodiment. Although there is no change in the overall system configuration, an authorization object providing unit 119 is added. FIG. 5 shows an example in which the private API information (private_api_path) is included in the response to the token issuance request, but this variation has a configuration in which the function for providing this private API information is separated from the token issuing unit 112. ing. In this configuration, after issuing the access token, the client separately accesses the authorization object providing unit 119 on the access authorization device. The authorization object providing unit 119 returns the authorization object information (API information) in the token storage unit 117 after verifying the access token.

<Configuration variation (3)>
FIG. 9 shows another configuration example of the communication system according to the present embodiment. The difference from FIG. 1 is that the communication device 201 is connected to one or more target devices via the gateway device 701. The gateway device and one or more target devices are connected via a third network 801 (in a communicable state). Hereinafter, each component will be described.

  The third network 801 may be a local network such as Bluetooth, wireless LAN, or Zigbee, or is wired such as HDMI (registered trademark) or USB, and directly or via a hub, the gateway device 701 and the target device. It may be what connects. Further, the third network 801 may be the same network as the second network 601.

  The target devices 301 and 302 in this variation may be provided with a private API as described in the above embodiment, but may not be provided. Although not provided in this embodiment, it is assumed that a communication function for accepting resource use by the gateway device 701 is provided. Specifically, it is assumed that the device conforms to a protocol for controlling the device on some home network such as an ECHONET Lite-compatible home appliance.

The gateway device 701 has an interface connected to the second network 601 and an interface connected to the third network 801. The gateway device 701 is a device that is interposed between the communication device 201 and the target devices 301 and 302 and relays resource use requests and responses. For example, it may be a router device such as a broadband router, a device having a general computer configuration such as a PC or a smartphone, or a smart meter. That is, the gateway device 701 may be the same as the relay device 401 or may be the same as the communication device 201. Here, it is assumed that it is a broadband router.
The gateway device 701 has a private API and controls the target devices 301 and 302 connected via the third network 801. That is, the gateway device 701 includes an access proxy unit similar to the access proxy unit 116 of the access authorization device 101, and a registration unit that registers the connected target device in the access authorization device 101. Further, the gateway device 701 has a function according to the target device information storage unit 118, that is, conversion information for specifying the target device to use the resource from the request from the communication device 201 received by the access proxy unit on the gateway device 701. I have. When the API identifier includes a device identifier, for example, the gateway device 701 has a function of converting the URL into a command (for example, ECHONET Lite request) to the control target device.

この場合、一方プライベートＡＰＩは、例えば以下のようになる。

In this variation, the API has a data structure that assumes that the gateway device 701 has a private API. As an example, a configuration in which the configuration of the public API is as follows can be considered.

In this case, the private API is as follows, for example.

Correspondingly, the table structure of the target device information storage unit 118 may have two layers. That is, a table storing gateway identifiers and base URLs (private and public URLs), and a table composed of target device information including the gateway identifiers to which the devices belong (in this case, the device identification information is an access authorization device). The identifier may be an identifier of a level that can be uniquely identified within the gateway device).
Alternatively, it may be configured in one layer, and each target device information may be configured to hold the gateway identification information to which it belongs and the URL information (authorization target information in FIG. 2) as a base.
Thereby, the access authorization apparatus 101 can specify the private API of an appropriate gateway apparatus at the same time as specifying the target device. This variation makes it possible to seamlessly switch between the cloud API and the gateway device private API.

(Second Embodiment)
This embodiment is characterized by the addition of several functions such as inquiring the user whether to switch from public API usage to private API usage based on the user's policy settings when the user moves from outside the home. And Hereinafter, this embodiment will be described in detail.

  FIG. 10 shows a communication system according to the second embodiment. The configuration of the access authorization device is different from that of the first embodiment. In the access authorization apparatus 121 of this embodiment, a policy storage unit 143, a target device registration unit 142, and an access control unit 141 are newly added.

  The policy storage unit 143 stores policy information related to API switching (or token switching). As an example, the policy information includes a setting as to whether or not to inquire the user about API switching (or token switching). As another example, there may be a policy that includes a setting indicating that the public API is always used even in the home.

The target device registration unit 142 receives a registration request or update request from the target device 301, and stores or updates information in the target device information storage unit 118 according to the request. In the present embodiment, the target device 301 issues an update request when the IP address or host name of the target device 301 or both of them are changed. A private API path based on an IP address or a host name is registered in the target device information storage unit 118 (see FIG. 3), and the private API path is also updated when the IP address or the host name is changed. It is assumed that a mechanism for generating a private API path from an IP address or a host name is determined in advance.
Alternatively, the target device 301 may generate a private API path based on the changed IP address or host name, and transmit an update request including the private API path to the access authorization device 151. In this case, the private API path included in the update request may be registered in the target device information storage unit 118.
The same applies to a registration request. The target device registration unit 142 may generate a private API path from the IP address or host name, or the target device 301 generates a private API path based on the IP address or host name. A registration request including this may be transmitted to the access authorization device 151.
If the private API path is changed or registered, the authorization object information (API information) for the private API in the token storage unit 117 in FIG. 2 is also based on the changed private API path. Shall be updated.
The target device registration unit 142 may be provided in the access authorization device of FIG. 1, FIG. 7, FIG. 8, or FIG.

  When the token issuing unit 112 issues an access token for a private API, the access control unit 141 transmits a private API validation request to the access target device 301. Alternatively, when invalidating the access token to the private API, a request for invalidating the private API is transmitted to the target device 301.

  Upon receiving an activation request from the access control unit 141, the target device 301 makes the private API of the target device 301 accessible from the home network (second network 601). When the target device 301 receives an invalidation request from the access control unit 141, the target device 301 prevents the target device 301 from accessing the private API from the home network (second network 601). Specifically, the target device 301 starts or stops a server function that accepts access from a client installed in the communication apparatus 201.

  Alternatively, the access control unit 141 may be simply configured to give an activation or invalidation trigger, and the target device 301 may determine whether to actually activate or deactivate. The access control unit 141 may transmit update firmware that validates the private API to the target device when the private API is issued for the first time.

  The communication sequence according to the second embodiment is shown below. Here, only the difference from the communication sequence (FIGS. 4 and 5) according to the first embodiment will be described.

  Prior to step 1 in FIG. 4, the target device 301 registers target device information such as an IP address in the target device information storage unit 118 via the target device registration unit 142 of the access authorization device 151 as an initial registration process. . At this time, the access authorization device 151 needs to authenticate the target device 301. Further, it is necessary to associate the user with the target device 301. There are various implementations for both authentication and association.

  For example, by registering secret information for device authentication in advance in the target device 301 and transmitting it to the access authorization device 151, only the valid target device 301 can register the target device information in the access authorization device 151. Like that. Further, the user registers the information on the owned device together with the secret information of the target device 301 in the access authorization device 151. As a simple realization method, secret information is pasted on the casing of the target device 301, and the user manually registers it via the registration screen of the access authorization device 151. The example described here is an example, and various other methods are possible.

  Note that the target device 301 transmits a request for updating the target device information to the access authorization device 151 each time it detects a change in device information such as an IP address change as well as during the initial registration process. The target device registration unit 142 of the access authorization device 151 updates information related to the target device 301 in the target device information storage unit 118 based on the update request.

  Policy information including a setting for whether to display an API switching (token switching) confirmation screen when the policy information selection interface is displayed on the authorization screen in Step 1 of FIG. May be displayed to be selectable to the user. Other types of policy information may also be displayed so that the user can select any policy information. Of course, the user does not have to select any policy information, and in this case, the operation is the same as in the first embodiment.

  In step 2 of FIG. 4, the user selects the policy information displayed on the authorization screen.

  In step 3 of FIG. 4, the policy information selected by the user is included in the token issue request transmitted from the communication device to the access authorization device 151.

  In step 8 of FIG. 4, policy information is registered in association with an access token for public API when a token is issued. In the above example, the policy information setting is associated with the user authorization performed in step 2, but the policy information may be configured to be independent of the user authorization in step 2.

  Between step 17 and step 18 in FIG. 5, as step 17A, the communication apparatus 201 displays a confirmation screen for API switching (token switching). For example, a confirmation screen for allowing the user to select whether to continue using the public API or switch to the private API is displayed. An example of the confirmation screen is shown in FIG. Here, it is assumed that the user has selected to switch to the private API.

  Between step 21 and step 22 in FIG. 5, as step 21 </ b> A, the access control unit 141 of the access authorization device 151 transmits a private API validation request to the target device 301. In response to the activation request, the target device 301 makes the private API accessible from the home network. Specifically, the target device 301 activates a server function (HTTP server) accessed by a client mounted on the communication device 201. Conversely, when switching from the private API to the public API, the access control unit 141 may be configured to make an invalidation request to the target device 301. In this case, the target device 301 stops the operation of the server function. When switching from the private API to the public API, a confirmation screen shown in FIG. 11B may be displayed to allow the user to select whether to allow the switching.

  If the IP address of the target device 301 has been changed in step 22, an access token for a new private API that follows this can be issued.

  As described above, according to the present embodiment, the user can control switching between the public API and the private API based on more flexible policy settings. Further, it is possible to avoid a case where the client fails to access the private API due to the change of the IP address of the target device 301. Also, by enabling the private API only when necessary, it is possible to increase the security of resource use on the home network.

(Third embodiment)
In the first and second embodiments, there is only one private API that accesses the target device of the home network, but there may be a plurality of private APIs. For example, the gateway device (see FIG. 9) may include a plurality of private APIs. At this time, the access authorization device (server) 101 does not know which of the private APIs the communication device 201 is allowed to use, so that the client (application) on the communication device 201 can operate (access) the target device. . This will be described with reference to FIG.

  FIG. 12 shows an example of a communication system according to this embodiment. The gateway device 901 describes a private API (described as private API-1) accessible from the interface on the second network 601 side and a private API (private API-2) accessible from the interface on the third network 801 side. ). In the second embodiment, the communication apparatus 201 is connected to the second network 601, but in FIG. 9, it is connected to the third network 801. A case where the communication apparatus 201 is connected to the second network 601 is indicated by a broken line. The network address on the second network 601 side of the gateway device 901 is different from the network address on the third network 801 side. For example, the network address on the second network 601 side is 192.168.0.0/24, and the network address on the third network 801 side is 192.168.126.0/24.

  When the communication device 201 is connected to the third network 801, the client on the communication device 201 can operate the target device (301 or 302) via the gateway device 901 by accessing the private API-2. It is. The client cannot operate the target device when accessing the private API-1. On the other hand, when the communication device 201 is connected to the second network 601, the client on the communication device 201 can operate the target device via the gateway device 901 by accessing the private API-1. However, the client cannot operate the target device when accessing the private API-2.

  If the access authorization device 101 can grasp whether the communication device 201 is connected to the second network 601 or the third network 801, it is possible to notify the communication device 201 of appropriate private API information accordingly. . However, the access authorization device 101 may not be able to determine which network the communication device 201 is connected to. For example, due to the NAT function of the relay device 401, the transmission source address of the transmission packet from the device under the relay device 401 is unified to the global IP address of the relay device 401. In the access authorization device 101, the local network ( 601 and 801) cannot be determined.

Therefore, in this embodiment, the access authorization device 101 notifies the communication device 201 of a plurality of private API information of the gateway device. The communication device 201 specifies available private API information among a plurality of private API information, and accesses the target device (operates the target device) via the gateway device using the specified private API information. A configuration example of the target device information storage unit according to the present embodiment is shown in FIG. Two private API paths of the gateway device having the device identifier “hwg1” are registered. The API path registration form is the form in which the IP address is arranged between “ https: // ” and “/ V1” in FIG. 13 (and FIG. 3 described above). However, a form in which “/ V1” is omitted may be used, or other forms may be used.

  Hereinafter, an operation example of this embodiment will be described. In addition, the description which overlaps with the description performed using FIG. 9 is abbreviate | omitted suitably.

  First, as an initial setting, an operation example until the communication apparatus 201 receives an access token is shown.

  A client (application) operating on the communication device 201 such as a smartphone transmits a token issue request to the access authorization device 101 in order to use a specific function (such as recording reservation) in the target device (step 3 in FIG. 4). ).

  The access authorization apparatus 101 that has received the token issuance request performs client authentication and user authentication (steps 5 and 6). A screen for requesting user authorization may be displayed on the communication device 201 together with user authentication. In this case, for example, the token issue request may be transferred (redirected) to the authentication authorization URL. The user inputs his / her authentication information and permission to use the specific function by the client. If either authentication or authorization is not performed correctly, the access authorization apparatus 101 notifies the client that a token cannot be issued.

  If authentication and authorization are performed correctly, a public or private access token is sent to the client according to the state determination of the communication device (whether the communication device 201 exists in the house or outside the house). publish. Alternatively, in addition to the access token, a refresh token may be issued, or a single access token serving both roles may be issued.

  The following API access procedure when the communication apparatus 201 (client) exists outside the home and an access token for public access is issued will be described.

  The client that has received the access token performs public API access such as recording reservation to the access authorization apparatus 101 based on the public API information (step 9 in FIG. 4). Prior to this, in order to confirm that the client exists outside the home, the client may request an access authorization device or the like to determine the state of the client (whether it exists inside or outside the home). .

  The access authorization device that has received public API access verifies the validity of the access token and determines the state of the communication device 201 (client) (whether it exists in the house or outside the house) (steps 10 and 11). . When the access token is valid and the communication device 201 exists outside the home, the access authorization device executes control such as recording reservation for the target device (recording device or the like). Specifically, the access proxy unit 116 receives access to the public API from the communication device 201, and the access proxy unit 116 transmits a resource use request to the gateway device 901 (steps 12 and 13). It is assumed that a method for the access proxy unit 116 to use the gateway device 901 is determined in advance. A dedicated API may be prepared, or data including the URL of the private API is transmitted to the gateway device 901. The gateway device 901 internally interprets and executes the URL of the private API included in the data. Also good. On the other hand, if the access token is not valid, or if it is determined that the communication device 201 exists in the home, the client responds that public API access cannot be permitted (continues to step 16, step 17, and step 17 in FIG. 5). (See “Authorization error response” sequence).

  In the verification of the validity of the access token, if it is determined that the access token is not valid, the access authorization device may notify the client of access information (such as a token issuance request method) to the device itself. good.

  It is assumed that the user of the communication apparatus 201 (client) moves from outside the house to the house while holding the communication apparatus 201. That is, it is assumed that the communication device 201 is changed from a state outside the home to a state where the communication device 201 is present inside the home. In this case, it is assumed that the client on the communication apparatus 201 performs public API access such as recording reservation to the access authorization apparatus 101 based on the public API information (step 9 in FIG. 4). In the state determination of the communication device 201, the access authorization device 101 determines that the communication device 201 exists in the home, and responds to the client that public API access cannot be permitted (Step 16, Step 17, and FIG. 5). (See “Authorization error response” sequence following step 17). Thereby, the client knows that the communication apparatus 201 has moved from outside the house to the house. Alternatively, as described above, the client may request status determination from the access authorization device or the like in order to confirm whether the communication device 201 is in the out-of-home state or in-home state.

  The client on the communication device 201 transmits a token issuance request (for example, including a refresh token) to the access authorization device 101 (step 18 in FIG. 5), and the access authorization device 101 verifies the refresh token and performs state determination. . Here, it is determined that the verification is successful and the communication device 201 exists in the home. Then, the access authorization device 101 determines authorization object information (API information) to be provided to the communication device 201. Here, as described above, a plurality of private APIs exist for the device identifier (device_id) of the gateway device 901. In the example of FIG. 9 of the first embodiment, there is one private API path, but there are a plurality of private API paths in this embodiment. Note that there is API information (see FIG. 2) for each function (“status” or “reserved_program”) for each API path.

  The access authorization apparatus 101 transmits a list including a plurality of API information corresponding to functions requested by the client (such as recording). Instead of a list of a plurality of API information, a list including a plurality of API paths may be transmitted. In this case, it is assumed that the terminal can add a character string corresponding to the function to the end of the API path to generate the same API information. The API path corresponds to a part of API information (for example, a part that specifies a function from API information) (see FIGS. 2 and 3). The access authorization device may not know which communication interface 201 is connected to the same network as the plurality of interfaces included in the gateway device 901, and specifies one of the plurality of API information. I can't. For this reason, the access authorization apparatus 101 provides a list of all private API paths (or all private API information related to functions requested by the client) provided in the gateway apparatus. Note that when the client as described above requests a state determination, a list of private API paths may be provided from the access authorization apparatus 101 to the client.

  A client that has received a list of a plurality of private API information (or a list of private API paths) needs to determine which private API information to use. There are several ways to do this.

(First Method) Each API path is selected in order, and a message requesting a reply of device_id is transmitted to the selected API path. If the selected API path is an unavailable API path, no response is received. If the selected API path is different from the expected API path, the returned device_id is different from the device_id (expected value) of the device that the device wants to access (for example, multiple subnets exist and the same for each subnet) There may be a situation where there is a gateway device of an IP address). If the returned device_id matches the expected value, the selected API path is correct. After the correct API path is known, API access is executed based on the private API information including the correct API path (step 23 in FIG. 5). At this time, the gateway device 901 requests the access authorization device 101 to verify the token sent from the client by API access (step 24 in FIG. 5). At this time, token introspection endpoint provided in the access authorization device may be used.

(Second Method) The client receives the server certificate (asymmetric) and / or the pre-shared key (PSK, symmetric) or both from the access authorization apparatus 101 together with the list of API information. The access authorization device also stores a server certificate or a pre-shared key in advance in advance in association with the device_id of the gateway device. The client determines the correct API path by using an authentication function such as TLS (Transport Layer Security) or DTLS (Datagram Transport Layer Security). If authentication is attempted using an API path that cannot be used in the network, no response is received from the gateway device 901 (IP layer communication fails). If an API path different from the expected API path is used, authentication fails. That is, communication at the IP layer succeeds, but authentication such as TLS fails. The operation after the correct API path is known is the same as the first method.

  The API path to be used may be determined using a method other than the first method and the second method.

  FIG. 14 shows a sequence example of an operation when acquiring a plurality of API paths from the access authorization device and specifying an API path to be used. The gateway device notifies the access authorization device of a plurality of API paths that the gateway device has (step 71). The access authorization device registers the notified plurality of API paths and returns a response (step 72). Note that the destination address of the response packet is, for example, a global IP address (for example, “133.196.29.2”), but the NAT function of the router 401 changes the destination address to a local IP address. After being converted, the packet reaches the gateway device. There is a configuration in which not only the IP address but also the destination port number is converted.

  Assume that the client on the communication device requests the access authorization device to respond with a list including a plurality of API paths provided in the gateway device in a situation where the client exists in the home (step 73).

  The access authorization device identifies a gateway device registered in association with the user of the client (or identifies a gateway device registered in association with the transmission source address of the packet), and a plurality of the gateway devices identified Specify the API path of.

  Here, the access authorization device identifies two gateway devices (hgw1 and hgw2 in the figure), and for each, two API paths (an API path of the WAN side interface and an API path of the LAN side interface) ). The API path here is a private API path.

  The access authorization device sends a message including one gateway device identifier “hgw1” and its two API paths, and another gateway device identifier “hgw2” and the two API paths to the client on the communication device. (Step 74).

  The destination address of the response packet is, for example, a global IP address (for example, “133.196.29.2”), but the NAT function of the router 401 converts the destination address into a local IP address. The packet reaches the communication device (client). There is a configuration in which not only the IP address but also the destination port number is converted.

  The client on the communication device first identifies one gateway device (here, hgw1), selects one of a plurality of API paths provided in the identified gateway device, and transmits a message requesting a response of device_id. (Step 75). However, since the selected API path cannot be used in the WAN side network of the gateway device, a response to the message is not transmitted (timeout occurs). The communication device selects the other API path and transmits a message requesting a response of device_id (step 76). In response to the message, the access authorization device returns a response including its own identifier “hgw1” (step 77). Since the identifier included in the response matches the identifier expected by the client, the target device under control of the gateway device is controlled by performing private API access to the gateway device using API information based on the API path ( Step 78).

  FIG. 15 shows another sequence example of the operation when acquiring a plurality of API paths from the access authorization device and specifying one API path to be used. The first steps 71 and 72 are the same as in FIG.

  In step 81 following step 72, the client on the communication device transmits a message for inquiring about the state of the device (whether it exists in the house or outside the house). The access authorization device determines that the communication device exists in the home by performing the state determination. In addition, the access authorization device specifies one of hgw1 as a gateway device that can exist in the house (here, only one gateway device happens to be the access authorization device for the user or the source IP address). Suppose it was registered). The access authorization device responds to the client on the communication device with a message including the identifier “hgw1” of the gateway device and the two API paths (step 82). The subsequent steps 75 to 78 are the same as those in FIG.

  FIG. 16 shows an example of the operation when it is determined in the sequence of FIG. 15 that the communication device is outside the home. Steps 71, 72, and 81 are the same as those in FIG.

  As step 85 following step 81, the access authorization device transmits a message notifying that the communication device exists outside the home. The client on the communication device performs public API access to the access authorization device based on the public API information (steps 86 and 87). If an access token for public access has not been issued yet, a token issuance request is made first.

  In the above-described sequence of FIG. 14, when an inspection is performed on each API path (step 75 and step 76) while the communication device is outside the home, the client is connected to the communication device until each API path times out. I don't know that is outside the house. When the timeout expires, the client can switch to outside access. On the other hand, in the sequences of FIGS. 15 and 16, since the client requests the access authorization device to determine the state, the client can operate after knowing in advance whether it is in the house or outside the house. Therefore, the sequences of FIGS. 15 and 16 have an advantage that it is possible to prevent a delay in operation when the user is away from home.

(Fourth embodiment)
It is assumed that the first network 501 has a function of CGN (Carrier Grade NAT) or LSN (Large Scale NAT) (hereinafter referred to as CGN / LSN). In this case, there is a situation where the client cannot access any of all the private API paths notified from the access authorization device, even though it is determined by the access authorization device that the communication device exists in the house. There is a case.

  FIG. 17 shows a configuration example of a communication system according to the present embodiment. The communication system of FIG. 17 is based on the configuration of FIG. The first network 501 has a CGN / LSN function. The relay device 1101 and the third network 1102 are arranged in a different house from the relay device 401, the second network, and the target device 301. The communication device 1103 is a communication device such as a smartphone. The third network 1102 is, for example, a home network (local network). However, as in the case of the second network 601, another type of network may be used. The relay device 1101 is a broadband router having a NAT function. In the figure, the communication device 1103 is connected to the third network 1102. The communication device 1103 is connected to the first network 501 via the relay device 101. However, the communication device 1103 can be directly connected to the first network 501.

  Consider a case in which the target device 301 connected to the second network 601 is controlled when the communication device 1103 is connected to the third network 1102. The client on the communication device 1103 transmits a token issuance request for private API access (step 18 in FIG. 5) to the access authorization device 151 via the relay device 1101. The access authorization device performs token verification and state determination, and determines that the communication device 1103 exists in the home.

  When the first network 501 has a CGN / LSN function, a local IP address may be assigned to any of the WAN side interfaces (interfaces on the first network 501 side) of the relay device 1101 and the relay device 401, respectively. In this case, both the source IP address of the packet transmitted from the home of the relay device 401 and the source IP address of the packet transmitted from the home of the relay device 1101 are converted into the same global IP address by the CGN / LSN. And transmitted to the access authorization device 151. Therefore, the access authorization device 151 cannot distinguish whether the communication device 1103 is connected to the third network 1102 or the second network 601 when performing the state determination based on the IP address. For this reason, the access authorization device determines that the communication device 1103 exists in the home of the relay device 401, and transmits a response including the private API path (or private API information) of the target device 301 to the communication device 1103. Here, it is assumed that there is no target device that can be accessed by the API in the third network 1102.

  Even if the client on the communication device 1103 tries to access the target device 301 using the notified private API information, the client cannot access the target device 301 because it does not exist in the same house (local network) as the target device 301. For example, when an error message indicating that a packet cannot be transferred from the router in the first network 501 is returned, a timeout occurs, or the private API path of the target device 301 is expressed using a domain name or the like, the IP address May not be able to be retrieved from DNS. In order to solve this problem, the following methods are conceivable. In the present embodiment, any one of these methods is executed.

  (First Method) The client on the communication device 1103 makes a request for status determination or a token issuance request (step 18 in FIG. 5) to the access authorization device after a certain period of time after an error occurs. In a network having a CGN / LSN function, the location where NAT is applied may change over time. In this case, a packet from the relay device 1101 (which has only a local IP address) is converted into a packet from the global IP address # 1, and a packet from the relay device 401 is converted into a packet from the global IP address # 2. (At some time both global IP addresses were # 1). . As a result, the target device information storage unit 118 and the like of the access authorization device are updated, and the result of the state determination can be changed. For example, it is determined that the communication device 1103 exists outside the relay device 401. As a result, the communication device 1103 is determined to exist outside the home by the access authorization device, and a public API path (or public API information) is sent to the communication device 1103. The communication device 1103 operates the target device 301 via the access authorization device 151 based on public API information.

  (Second Method) The communication device 1103 transmits to the access authorization device 151 a message with a flag indicating that the target device 301 cannot be accessed with the private API information notified from the access authorization device 151. When the message with this flag set is received, the access authorization device omits the state determination. At this time, a log indicating that the state determination is omitted may be taken. When the state determination is omitted, the access authorization device 151 may notify the communication device 1103 of public API information for the target device 301 or issue an access token for public access.

  (Third Method) The communication device 1103 transmits a message including an error content (response packet or the like) when access with private API information has failed to the access authorization device 151. The access authorization device records the error content included in the message in a storage device such as a memory device. The error contents reported in the past and other information are collated to determine whether the error contents are plausible (a known likelihood determination may be performed). If the likelihood is equal to or greater than a certain value, the state determination may be omitted and the same processing as described above may be performed.

  In addition, each apparatus of the access authorization apparatus of each embodiment, a communication apparatus, and object apparatus is realizable also by using a general purpose computer apparatus as basic hardware, for example. That is, it can be realized by causing a processor mounted on the computer apparatus to execute a program. At this time, each device can be realized by installing the above program in the computer device in advance, or can be stored in various storage media or distributed through the network, and the program can be installed in the computer device as appropriate. This can be realized. Each storage unit in each apparatus appropriately uses a memory, a hard disk or a storage medium such as a CD-R, a CD-RW, a DVD-RAM, a DVD-R, or the like incorporated in or externally attached to the computer apparatus. Can be realized.

  The present invention is not limited to the above-described embodiments as they are, and the constituent elements can be modified and embodied without departing from the spirit in the implementation stage. Various inventions can be formed by appropriately combining a plurality of constituent elements disclosed in the embodiment. For example, some constituent elements can be deleted from all the constituent elements shown in the embodiments, and elements over different embodiments can be appropriately combined.

101: Access authorization device 201: Communication device 301: Target device 302: Target device 401: Relay device 501: First network 601: Second network 701: Gateway device 801: Third network
111: Communication unit 112: Token issuance unit 113: Authorization target determination unit 114: State determination unit 115: Token verification unit 116: Access proxy unit 117: Token storage unit 118: Target device information storage unit 119: Authorization target provision unit 141: Access control unit 142: target device registration unit 143: policy storage unit

Claims (24)

A communication unit that communicates with a target device connected to a network, and a communication device that can use resources provided by the target device;
A state determination unit that acquires information for specifying a connection state between the communication device and the network from at least one of the communication device and the target device, and determines the connection state based on the information;
An access proxy unit that transmits a request to use the resource provided by the target device to the target device;
A determination unit that determines whether the communication device transmits a request to use the resource provided by the target device to the target device based on the connection state, or whether the access proxy unit transmits to the target device;
An access authorization device comprising: The access authorization device according to claim 1, wherein the state determination unit determines whether the communication device is connected to the network or is connectable to the network. When the communication device is connected to the network or in a connectable state, the determination unit determines to transmit the use request from the communication device to the target device, and the use to the target device The access authorization apparatus according to claim 2, wherein instruction information for transmitting a request is transmitted to the communication apparatus. The determining unit, after transmitting the instruction information to the communication device, receives a report that an error has occurred with respect to the transmission of the use request from the communication device to the target device. Determined to transmit the usage request to the target device,
The access authorization device according to claim 3, wherein the access proxy unit transmits the use request to the target device according to the determination of the determination unit. The determining unit determines that the access proxy unit transmits the use request to the target device when the communication device is not connected to the network or is not connectable.
The access authorization device according to claim 2 or 3, wherein the access proxy unit transmits the use request to the target device according to the determination of the determination unit. The communication unit receives a first request transmitted from the communication device,
The access authorization device according to any one of claims 1 to 5, wherein the state determination unit determines the connection state when the first request is received. The access authorization apparatus according to claim 6, wherein the first request is at least one of a permission request regarding use of the resource and a use request of the resource. In response to the determination of the connection state based on the permission request, when the communication device determines that the communication device is not connected to the network or cannot be connected, the access proxy unit accepts the resource use request. A first authorization response including information related to a first API (Application Programming Interface) is transmitted to the communication device;
The access authorization device according to claim 7, wherein the access proxy unit receives the resource usage request based on the information related to the first API from the communication device, and transmits the resource usage request to the target device. In response to the determination of the connection state based on the resource usage request from the communication device, if it is determined that the communication device is connected to the network or is in a connectable state, an error response is transmitted to the communication device. To the device,
After transmitting the error response, receiving the permission request regarding the use of the resource from the communication device, and depending on the determination of the connection state based on the permission request, the communication device is connected to the network or The access authorization device according to claim 7, wherein when it is determined that the connection is possible, a second permission response including instruction information for transmitting the use request is transmitted to the communication device. The access authorization apparatus according to claim 9, wherein the second permission response includes information related to a second API (Application Programming Interface) for the target device to accept a request to use the resource. The second API is an API for the gateway device to accept a request to use the resource to the target device.
The access authorization device according to claim 10, wherein the communication unit communicates with the gateway device instead of the target device. The second permission response includes information on a plurality of the second APIs,
The access authorization device according to claim 11, wherein the gateway device is connected to a plurality of networks, and the second API that can be accepted is different for each network. In response to the determination of the connection state based on the resource usage request from the communication device, when it is determined that the communication device is connected to or connectable to the network, a plurality of second APIs Sending a response including information to the communication device;
The second API is an API for the gateway device to accept a request to use the resource to the target device.
The communication unit communicates with the gateway device instead of the target device,
The access authorization device according to claim 7, wherein the gateway device is connected to a plurality of networks, and the second API that can be accepted is different for each network. In the state determination unit, the transmission source IP address of the first request received from the communication device matches an IP address registered in advance with respect to the target device, or is included in a range of IP addresses registered in advance. The access authorization device according to any one of claims 6 to 13, wherein the communication device determines whether the communication device is connected to the network. The state determination unit receives information specifying a position where the communication device exists from the communication device, and based on the received information and location information acquired in advance of the target device, the communication device The access authorization device according to any one of claims 6 to 13, wherein it is determined whether or not the connection is possible. When the state determination unit determines that the communication device is connected to or can be connected to the network, the state determination unit transmits instruction information for activating the function of accepting the resource use request to the target device. The access authorization device according to any one of claims 1 to 15. When the state determination unit determines that the communication device is not connected to the network or is in a state where connection is not possible, instruction information for disabling the function of accepting the resource use request is included in the target The access authorization device according to any one of claims 1 to 16, wherein the access authorization device is transmitted to a device. When the determination that the communication device is not connected to the network or in a state where the communication device is not connected is changed to the determination that the communication device is connected to or connected to the network, Based on the policy information given in advance, it is determined whether or not it is necessary to obtain a change permission from the user of the communication device, and if it is necessary to obtain a permission, information indicating the permission of the user is received. The access authorization device according to any one of claims 1 to 17, wherein later, instruction information for transmitting the resource use request to the target device is transmitted to the communication device. In the case where the policy information given in advance indicates that the access proxy unit performs transmission of a resource use request when the communication device is connected to or connectable to the network, the communication device The access authorization device according to any one of claims 1 to 13, wherein the access proxy unit transmits a request to use the resource to the target device even when connected to a network or connectable. The communication unit disconnects a communication connection with the target device when it is determined that the communication device is connected to or connected to the network. The access authorization device described. Information for identifying a connection state between a communication device that can use a resource provided by a target device connected to a network and the network is acquired from at least one of the communication device and the target device, and based on the information, A state determination step for determining a connection state; and a determination for determining whether the communication device transmits a request for using a resource provided by the target device to the target device or an access proxy unit based on the connection state Steps,
An access authorization method comprising: Information for identifying a connection state between a communication device that can use a resource provided by a target device connected to a network and the network is acquired from at least one of the communication device and the target device, and based on the information, A state determination step for determining a connection state; and a determination for determining whether the communication device transmits a request for using a resource provided by the target device to the target device or an access proxy unit based on the connection state Steps,
A program that causes a computer to execute. The access authorization device according to any one of claims 1 to 20,
A communication system comprising: at least one of the target device and the communication device. The communication system according to claim 23, comprising both the target device and the communication device.

Images