JP6860793B2 - Authentication system, its control method, and program, and authentication server, its control method, and program. - Google Patents

Description

The present invention relates to an authentication system, its control method, and a program capable of easily associating token information acquired from a web service server with user's authentication information, and an authentication server, its control method, and a program.

Using an image forming apparatus such as an MFP (Multi Functional Peripheral), which is a multifunction device having a printer function, for example, a printing instruction is given from a client PC to print a document.

When the user logs in to the MFP using an IC card or the like, the user can use the functions of the MFP.

On the other hand, there is a web service server that assigns an ID to a user, allocates storage for each user, and provides a service. The service includes, for example, a service in which a web service server generates a screen in which an image stored in a storage can be viewed like an album and sends it to a client PC, and the image can be viewed from the client PC through a browser or the like.

The services provided by the web service server are diverse, for example, a calendar stored on the storage by the user, an album on the web as described above, and the like.

In the following Patent Document 1, the ID and password of the web service used for each user are stored, and the user authenticates to the MFP to use the ID and password of the web service corresponding to the user. A mechanism for using web services is disclosed.

Japanese Unexamined Patent Publication No. 2008-228216

In the mechanism described above, when the user authenticates to the MFP, the MFP can communicate the web service ID and password itself with the web service server to provide the corresponding web service. However, if the communication is intercepted by a malicious third party, if the ID and password are leaked, the third party will log in to the web service with the leaked ID and password, browse the web service, or change the password. You can do it.

If the password is changed by a third party, there is a serious security risk that the original user will not be able to log in to the web service.

Therefore, there is a mechanism called an access token. The access token is information for authenticating to the web service server.

Since the access token has an expiration date or is changed regularly, it is more useful for security than an ID and a password.

Therefore, by storing the authentication information for the user to authenticate to the MFP and the access token in association with each other, the user can authenticate to the MFP to secure the web service corresponding to the user by using the access token. Can be used on the MFP while maintaining the above. For example, an image of an album on a web service can be output, or a calendar on a web service can be output.

However, in order to store the authentication information for the user to use the MFP and the access token for using the web service in association with each other, the user needs to store the access token in association with the authentication server of the MFP. It takes time and effort.

Therefore, an object of the present invention is to provide a mechanism that allows a user to use a web service safely and easily.

An information processing system including an image forming apparatus that receives a web service from a web service server and an information processing apparatus that performs an authentication process between the image forming apparatus and the web service server in order to achieve the above object. The information processing device includes a storage means for storing information related to an access token to the web service server corresponding to the user identification information used in the authentication processing means of the image forming device. , The web based on whether the authentication processing means that performs the authentication process using the user identification information for identifying the user and the access token corresponding to the user identification information used in the authentication process are stored in the storage means. It is characterized by having a display control means for controlling the display of items for accessing the service.

According to the present invention, there is an effect that the user can use the web service safely and easily .

It is a block diagram which shows an example of the system structure in embodiment of this invention. It is a figure which shows an example of the hardware composition of the authentication server 100 and the web service server 200 in embodiment of this invention. It is a figure which shows an example of the hardware composition of the image forming apparatus 300 in embodiment of this invention. It is a figure which shows an example of the hardware composition of the mobile terminal 400 in embodiment of this invention. It is a figure which shows an example of the functional structure of the authentication server 100, the web service server 200, the image forming apparatus 300, and the mobile terminal 400 in embodiment of this invention. It is a flowchart which shows a series of flow in Embodiment of this invention. It is a flowchart explaining the process which the authentication server 100 generates the card registration password corresponding to the token information. It is a flowchart explaining the detailed process flow of the card registration process shown in FIG. It is a flowchart explaining the detailed process flow of the web service information display process shown in FIG. It is a figure which shows an example of the authentication table 1000. It is a figure which shows an example of the card ID table 1100. This is a screen example showing an example of a two-dimensional bar code display screen 1200. It is a screen example which shows an example of the authorization request screen 1300. It is a screen example which shows an example of the authorization screen 1400. This is a screen example showing an example of the user information usage confirmation screen 1500. It is a screen example which shows an example of the authorization completion screen 1600. This is a screen example showing an example of the menu screen 1700. This is a screen example showing an example of the user information management screen 1800. It is a figure which shows an example of the legitimate access token table 1900. It is a figure which shows an example of the IC card authentication screen 2000. It is a figure which shows an example of a calendar screen 2100.

Hereinafter, embodiments of the present invention will be described in detail with reference to the drawings.

FIG. 1 is a system configuration diagram showing an example of the configuration of an authentication system including the image forming apparatus 300 of the present invention, the card reader 310 included in the image forming apparatus 300, the authentication server 100, the web service server 200, and the mobile terminal 400. The authentication server 100 may be configured to be executed as a service in the image forming apparatus 300.

As shown in FIG. 1, in the system of this embodiment, the image forming apparatus 300, the authentication server 100, and the web service server 200 are connected via a local area network (LAN) 600. The communication is not limited to the local network but may be via the Internet.

The image forming apparatus 300 receives the authentication based on the card ID of the IC card held over the card reader 310, and print data corresponding to the authenticated user from a print server or mass storage (not shown). It is a device that can receive and output to paper or send a fax.

In addition to the card reader 310, the touch panel on the image forming apparatus 300 is configured to be capable of performing authentication by inputting a user ID and password using a soft keyboard.

The authentication server 100 is a device that stores an authentication table 1000 for executing authentication by IC card authentication or keyboard authentication and a card ID table 1100 shown in FIG.

The web service server 200 is a server that provides storage to each user to provide a service. For example, there is one in which the web service server 200 generates a screen in which the image stored in the storage can be browsed like an album and sends it to the client PC, and the image can be browsed from the client PC through a browser or the like.

The image forming apparatus 300 is an apparatus showing an example of the MFP.

Hereinafter, the hardware configuration of the information processing device applicable to the authentication server 100 and the web service server 200 shown in FIG. 1 will be described with reference to FIG.

In FIG. 2, 201 is a CPU that comprehensively controls each device and controller connected to the system bus 204. Further, the ROM 203 or the external memory 211 is necessary to realize a function to be executed by a BIOS (Basic Input / Output System) or an operating system program (hereinafter, OS) which is a control program of the CPU 201, and each server or each PC. Various programs etc. are stored.

The authentication table 1000 is stored in the external memory 211 of the authentication server 100. An example of the authentication table 1000 is shown in FIG. Further, the external memory 211 of the web service server 200 stores a web application capable of providing a web service to the user. For example, a user logs in to the web service server 200 with a client PC using an ID and a password, and the client PC sends a web service provision request to the web service server 200. Then, the web service server 200 identifies a web application that provides a web service that can be used by the user from the external memory 211, and operates the web application. As a result, the web application returns various information as a web service to the client PC.

Reference numeral 202 denotes a RAM, which functions as a main memory of the CPU 201, a work area, and the like. The CPU 201 realizes various operations by loading a program or the like necessary for executing the process from the ROM 203 or the external memory 211 into the RAM 202 and executing the loaded program.

Further, 205 is an input controller, which controls input from an input device 209, a pointing device such as a mouse (not shown), or the like. Reference numeral 206 denotes a video controller, which controls the display on a display such as a display (CRT) 210. The display may be not only a CRT but also another display such as a liquid crystal display.

Reference numeral 207 is a memory controller, which is connected to a hard disk (HD) for storing boot programs, various applications, font data, user files, edit files, various data, etc., a flexible disk (FD), or a PCMCIA card slot via an adapter. It controls access to an external memory 211 such as a compact flash (registered trademark) memory.

Reference numeral 208 denotes a communication I / F controller, which connects and communicates with an external device via a network (for example, LAN600 shown in FIG. 1), and executes communication control processing on the network. For example, communication using TCP / IP is possible.

The CPU 201 enables display on the display 210 by, for example, executing an outline font expansion (rasterization) process in the display information area in the RAM 202. Further, the CPU 201 enables a user instruction with a mouse cursor or the like (not shown) on the display 210.

Various programs (for example, a browser) running on the hardware are recorded in the external memory 211 (storage means), and are executed by the CPU 201 by being loaded into the RAM 202 as needed.

Next, the hardware configuration of the image forming apparatus 300 as the image forming apparatus of the present invention will be described with reference to FIG.

FIG. 3 is a block diagram showing an example of the hardware configuration of the image forming apparatus 300.

In FIG. 3, the controller unit 3000 is connected to a scanner 3015 functioning as an image input device and a printer 3014 functioning as an image output device, and is connected to a local area network such as LAN600 shown in FIG. By connecting to a public line (WAN) such as ISDN, image data and device information can be input and output.

As shown in FIG. 3, the controller unit 3000 includes a CPU 3001, a RAM 3006, a ROM 3002, an external storage device (hard disk drive (HDD)) 3007, a network interface (Network I / F) 3003, a modem (Mode) 3004, and an operation unit interface ( Operation unit I / F) 3005, external interface (external I / F) 3009, image bus interface (IMAGE BUS I / F) 3008, raster image processor (RIP) 3010, printer interface (printer I / F) 3011, scanner interface It is composed of (scanner I / F) 3012, an image processing unit 3013, and the like.

The CPU 3001 is a processor that controls the entire system.

The RAM 3006 is a system work memory for operating the CPU 3001, a program memory for recording a program, and an image memory for temporarily storing image data.

The ROM 3002 stores a system boot program and various control programs.

The external storage device (hard disk drive HDD) 3007 stores various programs, image data, and the like for controlling the system. It also stores various tables.

The operation unit interface (operation unit I / F) 3005 is an interface unit with the operation unit (UI) 3018, and outputs image data to be displayed on the operation unit 3018 to the operation unit 3018.

Further, the operation unit I / F 3005 plays a role of transmitting information (for example, user information) input by the system user from the operation unit 3018 to the CPU 3001. The operation unit 3018 is provided with a display unit having a touch panel, and various instructions can be given by the user pressing (touching with a finger or the like) a button displayed on the display unit.

The network interface (Network I / F) 3003 connects to a network (LAN) and inputs / outputs data.

The modem (MODEM) 3004 connects to a public line and inputs / outputs data such as sending and receiving faxes.

The external interface (external I / F) 3009 is an interface unit that accepts external inputs such as USB, IEEE1394, a printer port, and RS-232C. In this embodiment, a card reader for reading an IC card required for authentication is used. 310 is connected.

Then, the CPU 3001 can control the reading of information from the IC card by the card reader 310 via the external I / F 3009, and can acquire the information read from the IC card. The storage medium is not limited to an IC card and may be a storage medium capable of identifying a user. In this case, the storage medium stores identification information for identifying the user. This identification information may be the serial number of the storage medium or the user code given by the user in the company. The above devices are placed on the system bus.

On the other hand, the image bus interface (IMAGE BUS I / F) 3008 is a bus bridge that connects the system bus 3016 and the image bus 3017 that transfers image data at high speed to convert the data structure. The image bus 3017 is composed of a PCI bus or IEEE 1394. The following devices are arranged on the image bus 3017.

The raster image processor (RIP) 3010 expands vector data such as a PDL code into a bitmap image, for example.

The printer interface (printer I / F) 3011 connects the printer 3014 and the controller unit 3000, and performs synchronous / asynchronous conversion of image data.

Further, the scanner interface (scanner I / F) 3012 connects the scanner 3015 and the controller unit 3000, and performs synchronous / asynchronous conversion of image data.

The image processing unit 3013 corrects, processes, and edits the input image data, and corrects, converts the resolution, and the like of the print output image data. In addition to this, the image processing unit 3013 rotates the image data and performs compression / decompression processing such as JPEG for the multi-valued image data and JBIG, MMR, MH for the binary image data.

The scanner 3015 connected to the scanner I / F 3012 illuminates an image on paper as a document and scans it with a CCD line sensor to convert it into an electric signal as raster image data. The manuscript paper is set in the tray of the manuscript feeder, and when the device user gives a reading start instruction from the operation unit 3018, the CPU 3001 gives an instruction to the scanner, and the feeder feeds the manuscript paper one by one to read the manuscript image. I do.

The printer 3014 connected to the printer I / F 3011 is a part that converts raster image data into an image on paper, and the method is an electrophotographic method using a photoconductor drum or a photoconductor belt, and ink is applied from a minute nozzle array. There is an inkjet method that ejects and prints an image directly on the paper, but any method may be used. The start of the print operation is started by the instruction from the CPU 3001. The printer 3014 has a plurality of paper feed stages so that different paper sizes or different paper orientations can be selected, and there is a paper cassette corresponding to the plurality of paper feed stages.

The operation unit 3018 connected to the operation unit I / F 3005 has a liquid crystal display (LCD) display unit. A touch panel sheet is pasted on the LCD, and the operation screen of the system is displayed, and when the displayed key is pressed, the position information is transmitted to the CPU 3001 via the operation unit I / F 3005. Further, the operation unit 3018 includes, for example, a start key, a stop key, an ID key, a reset key, and the like as various operation keys.

Here, the start key of the operation unit 3018 is used when starting a reading operation of a document image or the like. In the center of the start key, there are two color LEDs, green and red, and the colors indicate whether or not the start key can be used. Further, the stop key of the operation unit 3018 functions to stop the operation during operation. Further, the ID key of the operation unit 3018 is used when inputting the user ID of the user. The reset key is used when initializing the setting from the operation unit 3018.

The card reader 310 connected to the external I / F 3009 reads the information stored in the IC card (for example, FeliCa (registered trademark) of Sony Corporation) under the control of the CPU 3001, and reads the read information into the external I / F / F 3009. Notify the CPU 3001 via F3009.

In the present embodiment, the authentication table is stored in the authentication server 100, but the authentication table may be stored in the image forming apparatus 300 to realize the same operation as the authentication server.

Next, the hardware configuration of the mobile terminal 400 will be described with reference to the figure shown in FIG.

FIG. 4 is a diagram showing a hardware configuration of the mobile terminal 400. The hardware configuration shown in FIG. 4 is just an example.

The mobile terminal 400 is a device provided with a touch panel. In the present embodiment, the description will be made assuming a device such as a so-called smartphone or tablet terminal, but the description is not particularly limited to this. A personal computer may be used as long as it is a device provided with a touch panel.

The CPU 401 comprehensively controls the memory and the controller via the system bus. The ROM 402 or the flash memory 414 stores a BIOS (Basic Input / Output System), which is a control program of the CPU 401, and an operating system. Further, various programs and the like, which will be described later, necessary for realizing the function executed by the mobile terminal 400 are stored.

The RAM 403 functions as a main memory, a work area, and the like of the CPU 401. The CPU 401 realizes various operations by loading a program or the like necessary for executing a process into the RAM 403 and executing the program.

The display controller 404 controls the display on a display device such as the display 410. The display 410 is, for example, a liquid crystal display. A touch panel 411 is provided on the surface of the display 410. The touch panel controller 405 controls the detection of the touch operation on the touch panel 411. The touch panel controller 405 can also detect a touch operation (hereinafter, referred to as multi-touch) on a plurality of locations on the touch panel 411.

The camera controller 406 controls shooting with the camera 412. The camera 412 is a digital camera, and an image captured under the control of the camera controller 406 is converted into digital data by an image sensor. The camera 412 can capture still images and moving images.

The sensor controller 407 controls inputs from various sensors 413 included in the mobile terminal 400. There are various sensors in the sensor 413 of the mobile terminal 400, such as a directional sensor and an acceleration sensor.

The network controller 408 connects and communicates with an external device via a network, and executes communication control processing on the network. For example, Internet communication using TCP / IP is possible.

The flash memory controller 409 controls access to the flash memory 414 that stores a boot program, browser software, various applications, font data, user files, edit files, various data, and the like. In the present embodiment, the flash memory will be described, but it may be a storage medium such as a hard disk, a flexible disk, or a card-type memory connected to the PCMCIA card slot via an adapter.

The CPU 401, each memory, and each controller described above are integrated into one chip 415. It is provided inside the mobile terminal 400 in the form of so-called SoC (System on Chip).

The CPU 401 enables display on the display 410 by, for example, executing an outline font expansion (rasterization) process in the display information area in the RAM 403.

Various programs and the like used by the mobile terminal 400 of the present invention to execute various processes described later are recorded in the flash memory 414, and are executed by the CPU 401 by being loaded into the RAM 403 as needed. .. Further, the definition file and various information tables used by the program according to the present invention are stored in the flash memory 414. The above is the hardware configuration in this embodiment.

Next, the functional configurations of the authentication server 100, the web service server 200, the image forming apparatus 300, and the mobile terminal 400 will be described with reference to the diagram shown in FIG. 5. The functional configuration diagram of FIG. 5 is an example and is used or intended. There are various configuration examples depending on the situation.

The authentication server 100 includes a communication unit 150, an authentication table management unit 151, and a password generation unit 152.

The communication unit 150 is a functional unit that communicates with the image forming apparatus 300, the web service server 200, and the mobile terminal 400.

The authentication table management unit 151 is a functional unit that manages the authentication table 1000.

The password generation unit 152 is a functional unit that generates a password associated with an access token.

The web service server 200 includes a communication unit 250, a data management unit 251, a token management unit 252, and a screen generation unit 253.

The communication unit 250 is a functional unit that communicates with the authentication server 100, the mobile terminal 400, and the image forming apparatus 300.

The data management unit 251 is a functional unit that manages web service information, which is data provided as a web service, for each user.

The token management unit 252 is a functional unit that generates an access token corresponding to the refresh token and determines whether or not the received access token is valid.

The screen generation unit 253 is a functional unit that generates a screen to be transmitted to the mobile terminal 400 or the image forming apparatus 300.

The image forming apparatus 300 includes a card reader control unit 350, an authentication server communication unit 351, an authentication unit 352, a display control unit 353, an output control unit 354, an application unit 355, and a web service server communication unit 356.

The card reader control unit 350 is a functional unit that acquires a card ID (serial number) held over the card reader 310.

The authentication server communication unit 351 is a functional unit that sends and receives an authentication request to and from the authentication server 100.

The authentication unit 352 controls the entire authentication system, and when the authentication is successful, permits the use of the image forming apparatus 300 by using the user information.

The display control unit 353 is a functional unit for displaying various screens on the operation unit 3018 of the image forming apparatus 300.

The output control unit 354 is a functional unit that controls the output of print data.

The application unit 355 is a functional unit for controlling an application that executes a print / scan / USB function of the image forming apparatus 300.

The web service server communication unit is a functional unit that communicates with the web service server 200.

The mobile terminal 400 includes a photographing unit 450, a communication unit 451 and a display control unit 452, and an application unit 453.

The photographing unit 450 is a functional unit capable of photographing and reading a two-dimensional bar code displayed on the operation unit 3018 of the image forming apparatus 300.

The communication unit 451 is a functional unit capable of communicating with the authentication server 100 and the web service server 200.

The display control unit 452 is a functional unit that displays a screen transmitted from the authentication server 100 and the web service server 200.

The application unit 453 is a functional unit that controls the operation of an application such as a web browser.

Next, an embodiment of the present invention will be described with reference to the flowchart shown in FIG.

In step S601, the CPU 3001 of the image forming apparatus 300 displays an authentication screen 2000 indicating that the IC card is held up to log in to the image forming apparatus 300. For example, the authentication screen 2000 shown in FIG.

In step S625, the CPU 3001 of the image forming apparatus 300 determines whether or not the user information management button 2001 arranged on the authentication screen 2000 has been pressed. If it is determined that the user information management button 2001 is pressed, the process proceeds to step S626, and if it is determined that the user information management button 2001 is not pressed, the process proceeds to step S602.

In step S626, the CPU 3001 of the image forming apparatus 300 associates and stores the user's IC card and the access token generated by the web service server 200 so that the web service can be used by authenticating to the image forming apparatus 300. The card registration process is performed. The details of the card registration process will be described later with reference to FIG.

In step S602, the CPU 3001 of the image forming apparatus 300 periodically detects whether the IC card is held over the card reader 310 by the user. When the IC card is held over, the process moves to step S603.

In step S603, the CPU 3001 of the image forming apparatus 300 acquires the card ID of the IC card held by the user from the card reader 310.

In step S604, the CPU 3001 of the image forming apparatus 300 transmits the card ID acquired in step S603 to the authentication server 100.

In step S605, the CPU 201 of the authentication server 100 receives the card ID transmitted in step S604.

In step S606, the CPU 201 of the authentication server 100 authenticates using the card ID. More specifically, the card ID table 1100 stored in the authentication server 100 is collated to determine whether or not the card ID is stored in the card ID table 1100. The card ID 1101 (authentication information) and the user name 1001 (authentication information) are stored in association with each other in the card ID table 1100. The card ID 1101 indicates a card ID, and the user name 1001 stores a name that identifies the user.

Further, the authentication table 1000 shown in FIG. 10 is referred to. In the authentication table 1000, the user name 1001, the access token 1002, the refresh token 1003, and the card registration password 1004 are stored in association with each other. The access token 1002 is token information for acquiring the web service information which is the information of the user's web service from the web service server 200. The refresh token 1003 is a key for updating the access token 1002. When the authentication server 100 transmits the refresh token 1003 to the web service server 200, the web service server 200 updates the access token 1002 corresponding to the refresh token 1003. The card registration password 1004 is a key for storing the IC card and the access token 1002 in association with each other.

In step S607, the CPU 201 of the authentication server 100 determines the authentication result by the collation in step S606. More specifically, if the user name 1001 corresponding to the card ID 1101 detected in step S602 is stored in the authentication table 1000, the authentication is successful, and if it is not stored in the authentication table 1000, the authentication is determined to be unsuccessful. .. If the authentication is successful, the process proceeds to step S608. If the authentication fails, the process proceeds to step S609.

In step S608, the CPU 201 of the authentication server 100 transmits an authentication result (authentication failure) to the authentication server 100.

In step S609, the CPU 201 of the authentication server 100 transmits the refresh token 1003 corresponding to the user name 1001 collated in step S606 and the token acquisition request to the web service server 200.

In step S610, the CPU 201 of the web service server 200 receives the refresh token 1003 and the token acquisition request.

In step S611, the CPU 201 of the web service server 200 reissues the access token corresponding to the refresh token 1003 (update means). This will be described more specifically. The legitimate access token table 1900 shown in FIG. 19 is stored in the external memory 211 of the web service server 200. In the legitimate access token table 1900, the legitimate access token 1901, the refresh token 1003, the ID 1902, and the password 1903 are stored in association with each other. The legitimate access token 1901 is a legitimate access token managed by the web service server 200, and if this legitimate access token is used, the corresponding user's web service information is acquired, and the user's web service information is sent to the source of the access token. Can be sent. ID 1902 and password 1903 are an ID and a password for logging in to the web service server 200.

When the refresh token 1003 is accepted, the corresponding legitimate access token 1901 is rewritten and reissued.

In step S612, the CPU 201 of the web service server 200 transmits the legitimate access token 1901 reissued in step S611 to the authentication server 100.

In step S613, the CPU 201 of the authentication server 100 receives the legitimate access token 1901 (token information) reissued by the web service server 200. (Token information acquisition method)

In step S614, the CPU 201 of the authentication server 100 updates the legitimate access token 1901 received in step S613 to the access token 1002 corresponding to the refresh token 1003 transmitted in step S609. By updating the access token using the refresh token in this way, even if the access token is leaked due to interception of communication or the like, the leaked access token can be invalidated. Further, it becomes possible to provide the image forming apparatus 300 with an access token whose expiration date has not expired.

In step S615, the CPU 201 of the authentication server 100 transmits an authentication result (information indicating authentication success, information indicating the presence of an access token, user name 1001) to the image forming apparatus 300.

In step S616, the CPU 3001 of the image forming apparatus 300 receives the authentication result transmitted from the authentication server 100 (authentication receiving means).

In step S617, the CPU 3001 of the image forming apparatus 300 determines the authentication result received in step S616. If the authentication is successful, the process proceeds to step S618. If the authentication fails, the process proceeds to step S624.

In step S618, the CPU 3001 of the image forming apparatus 300 determines whether or not the authentication result received in step S616 contains information indicating that there is a token. If there is information indicating that there is a token, the process proceeds to step S619. If there is no information indicating that there is a token, the process proceeds to step S623.

In step S619, the CPU 3001 of the image forming apparatus 300 displays a menu screen 1700 (screen after login) to which an access icon for using the web service provided by the web service server 200 is added on the operation unit 3018. For example, the menu screen 1700 shown in FIG. On the menu screen 1700, an icon indicating a function that can be used by the image forming apparatus 300 is displayed. For example, pressing the copy icon transitions to a screen where the copy function can be used. In FIG. 17, a web service calendar icon 1701 capable of accessing the web service is arranged. When the web service calendar icon 1701 is pressed, the web service is accessed and the calendar information provided by the web service is acquired using the access token. The web service is an example and is not limited to the calendar.

In step S620, the CPU 3001 of the image forming apparatus 300 determines whether or not the web service calendar icon 1701 of the menu screen 1700 is pressed. If it is determined that the web service calendar icon 1701 is pressed, the process proceeds to step S621, and if it is determined that the web service calendar icon 1701 is not pressed, the process proceeds to step S622.

In step S621, the CPU 3001 of the image forming apparatus 300 performs a web service information display process, which is a process of acquiring the web service information and displaying it on the operation unit 3018. The detailed processing flow will be described later in the flowchart shown in FIG.

In step S622, the CPU 3001 of the image forming apparatus 300 presses the icon displayed on the menu screen 1700, and executes a process corresponding to the pressed icon.

In step S623, the CPU 3001 of the image forming apparatus 300 displays the menu screen 1700. The web service calendar icon 1701 is not arranged on the menu screen 1700 displayed in step S623.

In step S624, the CPU 3001 of the image forming apparatus 300 displays on the operation unit a two-dimensional bar code in which a URL for generating a password is embedded in the authentication server 100 in order to associate and store the access token and the user. The two-dimensional bar code displays what is stored in the HDD 3007 in advance. For example, the two-dimensional bar code display screen 1200 as shown in FIG. The two-dimensional bar code 1201 is displayed on the two-dimensional bar code display screen 1200, and the user can access the URL included in the two-dimensional bar code by reading the bar code.

The flow of a series of processes in the embodiment of the present invention has been described above.

Next, the process of generating the password corresponding to the access token by the authentication server 100 will be described in detail using the flowchart shown in FIG. 7.

In step S701, the CPU 401 of the mobile terminal 400 reads the two-dimensional bar code in which the URL information for registering the card displayed on the operation unit 3018 of the image forming apparatus 300 is embedded by the photographing unit 450.

In step S702, the CPU 401 of the mobile terminal 400 accesses the URL embedded in the two-dimensional bar code read in step S701. (Request the authorization request screen 1300 to the authentication server 100.)

In step S703, the CPU 201 of the authentication server 100 receives the request of the authorization request screen 1300.

In step S704, the CPU 201 of the authentication server 100 transmits the authorization request screen 1300 to the mobile terminal 400. It is assumed that the authorization request screen 1300 is stored in the external memory 211.

In step S705, the CPU 401 of the mobile terminal 400 displays the authorization request screen 1300 transmitted in step S704 on the display 410. The approval request screen 1300 is the approval request screen 1300 shown in FIG. A start button 1301 is arranged on the authorization request screen 1300, and an authorization request is made to the web service server 200 by accepting the pressing of the start button 1301.

In step S706, the CPU 401 of the mobile terminal 400 accepts the press of the start button 1301 and transmits an authorization request to the authentication server 100.

In step S707, the CPU 201 of the authentication server 100 receives the authorization request. By transmitting the authorization request to the authentication server 100 without directly transmitting the authorization request to the web service server 200 in step S706, the authentication server sets the destination of the token information transmitted by the web service server 200 in step S717. It can be 100. The token information indicates an access token and a refresh token.

In step S708, the CPU 201 of the authentication server 100 transmits an authorization request to the web service server 200 with a destination for token information.

In step S709, the CPU 201 of the web service server 200 receives the authorization request transmitted in step S708.

In step S710, the CPU 201 of the web service server 200 transmits the authorization screen 1400 to the mobile terminal 400. On the authorization screen 1400 shown in FIG. 14, an ID input field 1401, a password input field 1402, and a login button 1403 are arranged. The ID input field 1401 and the password input field 1402 are input fields for the user to input the ID 1902 and the password 1903 for logging in to the web service server 200, respectively. When the press of the login button 1403 is accepted, the ID 1902 and the password 1903 entered in the ID input field 1401 and the password input field 1402 are transmitted to the web service server 200 to log in.

In step S711, the CPU 401 of the mobile terminal 400 receives the authorization screen 1400 transmitted by the web service server 200, and displays the authorization screen 1400 on the display 410.

In step S712, when the CPU 401 of the mobile terminal 400 accepts the press of the login button 1403, the ID and password (authorization information) entered in the ID input field 1401 and the password input field 1402 of the authorization screen 1400 for the web service server 200 ) Is sent.

In step S713, the CPU 201 of the web service server 200 receives the ID and password (authorization information) transmitted in step S712.

In step S714, the CPU 201 of the web service server 200 confirms the authorization information received in step S713. More specifically, the confirmation is performed by checking whether or not the set of the ID and the password received in step S713 and the set of the ID 1902 and the password 1903 stored in the external memory 211 of the web service server 200 match.

In step S715, the CPU 201 of the web service server 200 determines whether or not the authorization was successful based on the authorization information received in step S713. Specifically, if the pair of ID 1902 and password 1903 stored in the external memory 211 matches the pair of ID and password received in step S713, it is determined that the authorization was successful, and if they do not match, the authorization fails. It is determined that it has been done. If the authorization is successful, the process proceeds to step S718. If the authorization fails, the process proceeds to step S716.

In step S716, the CPU 201 of the web service server 200 transmits the authorization failure screen to the mobile terminal 400.

In step S717, the CPU 401 of the mobile terminal 400 displays the authorization failure screen received from the web service server 200 on the operation unit 3018. After displaying the authorization failure screen, the process ends.

In step S718, the CPU 201 of the web service server 200 transmits the user information use confirmation screen 1500, which is a screen for confirming the permission of the user information used when using the web service to the mobile terminal 400. The user information 1501 used by the web service, the accept button 1502, and the cancel button 1503 are arranged on the user information use confirmation screen 1500 shown in FIG. The user confirms the user information 1501 used by the web service, and if there is no problem, presses the consent button 1502.

In step S719, the CPU 401 of the mobile terminal 400 receives the user information usage confirmation screen 1500 and displays it on the display 410.

In step S720, the CPU 401 of the mobile terminal 400 determines whether or not either the consent button 1502 or the cancel button 1503 of the displayed user information use confirmation screen 1500 is pressed. If it is determined that the consent button 1502 has been pressed, the process proceeds to step S716, and if it is determined that the cancel button 1503 has been pressed, the process proceeds to step S721.

In step S721, the CPU 201 of the web service server 200 receives the information that the cancel button 1503 is pressed.

In step S722, the CPU 201 of the web service server 200 transmits a result indicating that the approval has been canceled to the authentication server 100.

In step S723, the CPU 201 of the authentication server 100 receives a result indicating that the approval has been cancelled.

In step S724, the CPU 201 of the authentication server 100 transmits an authorization cancel screen to the mobile terminal 400.

In step S725, the CPU 401 of the mobile terminal 400 displays the authorization cancel screen received from the authentication server 100 on the display 410.

In step S726, the CPU 201 of the web service server 200 receives the approval request.

In step S733, the CPU 201 of the web service server 200 generates the legitimate access token 1901 and the refresh token 1003 corresponding to the ID 1902. The generated legitimate access token 1901 and refresh token 1003 are stored in the legitimate access token table 1900 in association with the ID 1902.

In step S727, the CPU 201 of the web service server 200 transmits a result indicating approval to the authentication server 100, a legitimate access token 1901 associated with the ID 1902, and a refresh token 1003.

In step S728, the CPU 201 of the authentication server 100 receives the result indicating the approval, the legitimate access token 1901 associated with the ID 1902, and the refresh token 1003 (token information acquisition means).

In step S729, the CPU 201 of the authentication server 100 generates the card registration password 1004 (password generation means).

In step S730, the CPU 201 of the authentication server 100 stores the legitimate access token 1901 and the refresh token 1003 received in step S728 and the card registration password 1004 generated in step S729 in the authentication table 1000. The user name 1001 is registered in the blank.

In step S731, the CPU 201 of the authentication server 100 generates the authorization completion screen 1600 and transmits it to the mobile terminal 400. The authorization completion screen 1600 shown in FIG. 16 is provided with a password display field 1601 for displaying the card registration password 1004.

In step S732, the CPU 401 of the mobile terminal 400 displays the authorization completion screen 1600 transmitted in step S731 on the display 410. As a result, the user can confirm the card registration password 1004.

This completes the description of the flowchart shown in FIG. 7.

Next, the detailed processing flow of the card registration process shown in FIG. 6 will be described with reference to the flowchart shown in FIG.

In step S801, the CPU 3001 of the image forming apparatus 300 displays the user information management screen 1800 on the operation unit 3018. On the user information management screen 1800 shown in FIG. 18, a user name input field 1801, a card registration password input field 1802, and a card detection button 1803 are arranged. The user name input field 1801 is an input field for inputting the user name 1001. The card registration password input field 1802 is an input field for inputting the card registration password. When the card detection button 1803 is pressed, the card reader 310 reads the card ID 1101 of the IC card.

In step S802, the CPU 3001 of the image forming apparatus 300 accepts inputs to the user name input field 1801 and the card registration password input field 1802. (Password reception method / authentication information acquisition method)

In step S812, the CPU 3001 of the image forming apparatus 300 determines whether or not the card detection button 1803 is pressed. When the card detection button 1803 is pressed, the process proceeds to step S813. Wait until the card detection button 1803 is pressed.

In step S813, the CPU 3001 of the image forming apparatus 300 reads the card ID 1101 of the IC card with the card reader 310. (Authentication information acquisition means)

In step S803, the CPU 3001 of the image forming apparatus 300 transmits the user name 1001, the card registration password 1004, and the card ID 1101 entered in step S802 to the authentication server 100.

In step S804, the CPU 201 of the authentication server 100 receives the user name 1001, the card registration password 1004, and the card ID 1101.

In step S805, the CPU 201 of the authentication server 100 verifies whether the card registration password 1004 received in step S804 has already been registered in the authentication table 1000.

In step S806, the CPU 201 of the authentication server 100 determines the collation process performed in step S805. If the card registration password 1004 is registered in the authentication table 1000, the process proceeds to step S809. If it has not been registered, the process proceeds to step S807.

In step S807, the CPU 201 of the authentication server 100 transmits a card registration password verification failure screen to the image forming apparatus 300.

In step S808, the CPU 3001 of the image forming apparatus 300 displays the card registration password verification failure screen received from the authentication server 100 on the operation unit.

In step S809, the CPU 201 of the authentication server 100 updates the authentication table 1000 by registering the user name 1001 received in step S804 in the user name 1001 corresponding to the card registration password 1004. Further, the card ID and the user ID received in step S804 are registered in the card ID table 1100 (storing means). When the registration is completed, the card registration password 1004 of the registered record is deleted. By doing so, it is possible to prevent the password from being accidentally matched by a registration request from another user and overwriting the user information.

In this way, by using the registration password generated by the authentication server 100, the card ID 1101, the user name 1001, the access token 1002, and the refresh token 1003 for performing authentication can be stored in association with each other in the image forming apparatus 300. it can. As a result, the user can acquire the web service information of the web service server 200 by authenticating to the image forming apparatus 300, and can use the web service information in the image forming apparatus 300.

In step S810, the CPU 201 of the authentication server 100 transmits the card ID registration success screen to the image forming apparatus 300.

In step S809, the CPU 3001 of the image forming apparatus 300 displays the card ID registration success screen received from the authentication server 100 on the operation unit 3018.

This is the end of the description of the flowchart shown in FIG.

Next, the detailed processing flow of the web service information display processing shown in FIG. 6 will be described with reference to the flowchart shown in FIG.

In step S901, the CPU 3001 of the image forming apparatus 300 transmits an access token acquisition request to the authentication server 100.

In step S902, the CPU 201 of the authentication server 100 receives the access token acquisition request.

In step S903, the CPU 201 of the authentication server 100 acquires the access token 1002 corresponding to the card ID 1101 transmitted in step S604.

In step S904, the CPU 201 of the authentication server 100 transmits the access token 1002 acquired in step S903 to the image forming apparatus 300.

In step S905, the CPU 3001 of the image forming apparatus 300 receives the access token 1002.

In step S906, the CPU 3001 of the image forming apparatus 300 transmits a transmission request for calendar data of the calendar, which is a web service, to the web service server 200 together with the access token 1002 received in step S905.

In step S907, the CPU 201 of the web service server 200 receives the calendar data transmission request and the access token 1002.

In step S908, the CPU 201 of the web service server 200 determines whether or not the access token 1002 received in step S907 is valid. Specifically, the determination is made based on the legitimate access token table 1900 stored in the external memory 211 in the web service server 200. It is determined whether or not the access token 1002 received in step S907 exists in the legitimate access token 1901 of the legitimate access token table 1900, and if it is determined to exist, it is determined to be legitimate. If it is determined that it does not exist, it is determined that it is not valid. If it is determined that the access token 1002 received in step S907 is valid, the process proceeds to step S912, and if it is determined that the access token 1002 received in step S907 is not valid, the process proceeds to step S909.

In step S909, the CPU 201 of the web service server 200 transmits an error screen to the image forming apparatus 300 informing that the access token 1002 received in step S907 is not valid.

In step S910, the CPU 3001 of the image forming apparatus 300 receives the error screen transmitted from the web service server 200.

In step S911, the CPU 3001 of the image forming apparatus 300 displays the error screen received in step S910 on the operation unit 3018.

In step S912, the CPU 201 of the web service server 200 acquires the user's calendar data based on the access token 1002 determined to be valid (information acquisition means).

In step S913, the CPU 201 of the web service server 200 generates the calendar screen 2100 based on the calendar data acquired in step S912. For example, the calendar screen 2100 shown in FIG.

In step S914, the CPU 201 of the web service server 200 transmits the calendar screen 2100 generated in step S913 to the image forming apparatus 300.

In step S915, the CPU 3001 of the image forming apparatus 300 receives the calendar screen 2100 transmitted in step S914.

In step S916, the CPU 3001 of the image forming apparatus 300 displays the calendar screen 2100 received in step S915 on the operation unit 3018.

This is the end of the description of the flowchart shown in FIG.

As described above, the user can use the web service information of the web service provided by the web service server 200 in the image forming apparatus 300 simply by authenticating to the image forming apparatus 300.

As described above, according to the embodiment of the present invention, it is possible to provide a mechanism capable of easily associating the token information acquired from the web service server with the user authentication information.

The present invention can be, for example, an embodiment as a system, an apparatus, a method, a program, a storage medium, or the like, and specifically, may be applied to a system composed of a plurality of devices, or 1 It may be applied to a device consisting of two devices.

The present invention includes a software program that realizes the functions of the above-described embodiments, which is directly or remotely supplied to a system or an apparatus. The present invention also includes cases where the computer of the system or device can also read and execute the supplied program code.

Therefore, in order to realize the functional processing of the present invention on a computer, the program code itself installed on the computer also realizes the present invention. That is, the present invention also includes a computer program itself for realizing the functional processing of the present invention.

In that case, as long as it has a program function, it may be in the form of an object code, a program executed by an interpreter, script data supplied to the OS, or the like.

Recording media for supplying programs include, for example, flexible disks, hard disks, optical disks, magneto-optical disks, MOs, CD-ROMs, CD-Rs, CD-RWs, and the like. There are also magnetic tapes, non-volatile memory cards, ROMs, DVDs (DVD-ROM, DVD-R) and the like.

In addition, as a program supply method, a browser of a client computer is used to connect to an Internet homepage. Then, the computer program itself of the present invention or a compressed file including the automatic installation function can be supplied from the homepage by downloading it to a recording medium such as a hard disk.

It can also be realized by dividing the program code constituting the program of the present invention into a plurality of files and downloading each file from different homepages. That is, the present invention also includes a WWW server that allows a plurality of users to download a program file for realizing the functional processing of the present invention on a computer.

In addition, the program of the present invention is encrypted, stored in a storage medium such as a CD-ROM, distributed to users, and the key information for decrypting the encryption is downloaded from the homepage to the user who clears the predetermined conditions. Let me. Then, by using the downloaded key information, it is possible to execute an encrypted program and install it on a computer.

Further, the function of the above-described embodiment is realized by the computer executing the read program. In addition, based on the instruction of the program, the OS or the like running on the computer performs a part or all of the actual processing, and the function of the above-described embodiment can be realized by the processing.

Further, the program read from the recording medium is written to the memory provided in the function expansion board inserted in the computer or the function expansion unit connected to the computer. After that, based on the instruction of the program, the function expansion board, the CPU provided in the function expansion unit, or the like performs a part or all of the actual processing, and the function of the above-described embodiment is also realized by the processing.

It should be noted that the above-described embodiments merely show examples of embodiment in carrying out the present invention, and the technical scope of the present invention should not be construed in a limited manner by these. That is, the present invention can be implemented in various forms without departing from the technical idea or its main features.

100 Authentication server 200 Web service server 300 Image forming device 310 IC card reader 600 LAN
201 CPU
202 RAM
203 ROM
204 System Bus 205 Input Controller 206 Video Controller 207 Memory Controller 208 Communication I / F Controller 209 Keyboard 210 CRT Display 211 External Memory 3001 CPU
3002 ROM
3003 Network interface 3004 Modem 3005 Operation unit I / F
3006 RAM
3007 External storage device 3008 Image bus I / F
3009 External I / F
3010 Raster image processor 3011 Printer I / F
3012 Scanner I / F
3013 Image processing unit 3014 Printer 3015 Scanner 401 CPU
402 ROM
403 RAM
404 Display controller 405 Touch panel controller 406 Camera controller 407 Sensor controller 408 Network controller 409 Flash memory controller 410 Display 411 Touch panel 412 Camera 413 Sensor 414 Flash memory

Claims (8)

An information processing system including an image forming apparatus that receives a web service from a web service server, and an information processing apparatus that performs authorization processing between the image forming apparatus and the web service server.
The information processing device
A storage means for storing information related to an access token to the web service server corresponding to the user identification information used in the authentication processing means of the image forming apparatus.
With
The image forming apparatus
An authentication processing means that performs authentication processing using user identification information for identifying a user,
A display control means that controls the display of an item for accessing the web service based on whether the access token corresponding to the user identification information used in the authentication process is stored in the storage means.
An information processing system characterized by being equipped with. The first aspect of claim 1, wherein the image forming apparatus further includes a web service requesting means for requesting the web service from the web service server by using the access token stored in the storage means. Information processing system. The information according to claim 2, wherein the web service requesting means requests the web service from the web service server by using an access token corresponding to a user authenticated by the authentication processing means. Processing system. The authentication processing means authenticates the user using the user identification information obtained by reading the reading medium.
The information processing according to any one of claims 1 to 3, wherein the storage means stores the access token so that the user identification information of the reading medium used in the authentication process corresponds to each other. system. It is a control method of an information processing system including an image forming apparatus for receiving a web service from a web service server and an information processing apparatus for performing authorization processing between the image forming apparatus and the web service server.
The information processing device
A storage step of storing information related to an access token to the web service server corresponding to the user identification information used in the authentication processing means of the image forming apparatus.
And
The image forming apparatus
An authentication processing step that performs an authentication process using user identification information to identify a user,
A display control step that controls the display of an item for accessing the web service based on whether the access token corresponding to the user identification information used in the authentication process is stored in the storage step.
A control method for an information processing system, which is characterized by executing. An image forming device that can communicate with an information processing device that performs authorization processing with a web service server and receives a web service from the web service server.
An authentication processing means that performs authentication processing using user identification information for identifying a user,
Based on whether the access token corresponding to the user identification information used in the authentication process is stored in the information processing device that stores the information related to the access token to the web service server corresponding to the user identification information. Display control means that control the display of items to access web services,
An image forming apparatus characterized by being provided with. It is a control method of an image forming device that can communicate with an information processing device that performs authorization processing with a web service server and receives a web service from the web service server.
The image forming apparatus
An authentication processing step that performs an authentication process using user identification information to identify a user,
Based on whether the access token corresponding to the user identification information used in the authentication process is stored in the information processing device that stores the information related to the access token to the web service server corresponding to the user identification information. Display control steps that control the display of items to access web services,
A method of controlling an image forming apparatus, which comprises executing. A computer of an image forming apparatus that can communicate with an information processing apparatus that performs authorization processing with a web service server and receives a web service from the web service server.
An authentication processing means that performs authentication processing using user identification information for identifying a user,
Based on whether the access token corresponding to the user identification information used in the authentication process is stored in the information processing device that stores the information related to the access token to the web service server corresponding to the user identification information. Display control means that control the display of items to access web services,
A program to make it work.

Images