JPWO2020225616A5 - - Google Patents
- Publication number
- JPWO2020225616A5
- Authority
- JP
- Japan
- Prior art keywords
- access
- application
- token
- entitlements
- user system
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Claims (17)
1. A computer-implemented method for token-based authorization in a data processing environment, the data processing environment comprising at least a user system, an application, an authentication server and an access control server, the user system being connected via a network connection to a server running the application, the application providing access to operations, the operations being identifiable at least by their identifiers, the method comprising:
accessing the application via a user system request;
redirecting the access request to the authentication server;
authenticating a user by means of authentication credentials exchanged between the authentication server and the application, wherein the authentication credentials include a request for restricted entitlements using the standard semantics of scope, and the restricted entitlements represent a subset of the existing entitlements managed by the access control server for a resource;
if the authentication is successful and the application is registered with the authentication server, sending an access token together with a refresh token from the authentication server to the application, wherein the access token and the refresh token include the restricted entitlements; and
requesting execution of an operation by the application, initiated by the user system, the requesting comprising:
invoking the operation by the application, which provides the access token containing the restricted entitlements;
invoking the access control server by the operation;
providing the access control server with an identifier of the user system and the scope of the token, which includes the subset of the existing entitlements; and
determining, by the access control server, the access of the user system to the operation using the subset of entitlements to filter the existing entitlements.
2. An access system for token-based authorization in a data processing environment, the data processing environment comprising at least a user system, an application, an authentication server and an access control server, the user system being connected via a network connection to a server running the application, the application providing access to operations, the operations being identifiable at least by their identifiers, the access system comprising:
an accessing module adapted to access the application via a user system request;
a redirecting module adapted to redirect the access request to the authentication server;
an authentication server adapted to authenticate a user by means of authentication credentials exchanged between the authentication server and the application, wherein the authentication credentials include a request for restricted entitlements using the standard semantics of scope, and the restricted entitlements represent a subset of the existing entitlements managed by the access control server for a resource; and
a sender adapted to send, if the authentication is successful and the application is registered with the authentication server, an access token together with a refresh token from the authentication server to the application, wherein the access token and the refresh token include the restricted entitlements;
wherein the user system is adapted to request execution of an operation by the application, initiated by the user system, and requesting execution of the operation comprises:
invoking the operation by the application, which provides the access token containing the restricted entitlements;
invoking the access control server by the operation;
providing the access control server with an identifier of the user system and the scope of the token, which includes the subset of the existing entitlements; and
determining, by the access control server, the access of the user system to the operation using the subset of entitlements to filter the existing entitlements.
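The last element of both claims, the access control server filtering a user system's existing entitlements by the subset carried in the token's scope and deciding access to an operation identified by its identifier, modelled as an added example. This is illustrative code, not the patent's or its assignee's implementation; the entitlement names, operation identifiers and the `EXISTING_ENTITLEMENTS` table are constructed sample data, and the rule that an operation maps to one required entitlement is an assumption.

```python
from dataclasses import dataclass

# Constructed sample data: entitlements the access control server manages
# for a resource, keyed by the identifier of the user system.
EXISTING_ENTITLEMENTS = {
    "user-system-42": {"orders:read", "orders:write", "invoices:read", "admin:users"},
}

# Assumed mapping from an operation's identifier to the entitlement it needs.
OPERATION_REQUIREMENTS = {
    "ListOrders": "orders:read",
    "CreateOrder": "orders:write",
    "DeleteUser": "admin:users",
}


@dataclass(frozen=True)
class AccessToken:
    # Issued by the authentication server; 'scope' uses the standard
    # space-separated semantics and carries the restricted entitlements.
    user_system_id: str
    scope: str


def restricted_entitlements(token: AccessToken) -> set[str]:
    """Parse the token's scope into the set of restricted entitlements."""
    return {s for s in token.scope.split() if s}


def effective_entitlements(user_system_id: str, scope: set[str]) -> set[str]:
    """Access control server step: filter the existing entitlements by the
    token's subset. Intersection means a token can only narrow access; a scope
    entry the user system never held (or an unknown user system) drops out."""
    existing = EXISTING_ENTITLEMENTS.get(user_system_id, set())
    return existing & scope


def decide_access(token: AccessToken, operation_id: str) -> bool:
    """Invoked by the operation: may this user system, with this token,
    execute the operation identified by operation_id? Unknown operations
    are denied because no entitlement covers them."""
    required = OPERATION_REQUIREMENTS.get(operation_id)
    if required is None:
        return False
    scope = restricted_entitlements(token)
    return required in effective_entitlements(token.user_system_id, scope)
```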
Applications Claiming Priority (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
EP19172926 | 2019-05-07 | ||
EP19172926.8 | 2019-05-07 | ||
PCT/IB2020/053254 WO2020225616A1 (en) | 2019-05-07 | 2020-04-06 | Fine-grained token based access control |
Publications (2)
Publication Number | Publication Date |
---|---|
JP2022531872A JP2022531872A (en) | 2022-07-12 |
JPWO2020225616A5 true JPWO2020225616A5 (en) | 2022-08-30 |
Family
ID=66439944
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
JP2021565850A Pending JP2022531872A (en) | 2019-05-07 | 2020-04-06 | Fine-grained token-based access control |
Country Status (6)
Country | Link |
---|---|
US (1) | US11277267B2 (en) |
JP (1) | JP2022531872A (en) |
CN (1) | CN113711563B (en) |
DE (1) | DE112020000538T5 (en) |
GB (1) | GB2599273B (en) |
WO (1) | WO2020225616A1 (en) |
Families Citing this family (10)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US11609916B1 (en) * | 2019-06-21 | 2023-03-21 | Amazon Technologies, Inc. | Robotics application development and monitoring over distributed networks |
CN113536365B (en) * | 2021-06-07 | 2022-10-28 | 北京字跳网络技术有限公司 | File access method, device, equipment and medium |
CN114372254B (en) * | 2021-08-16 | 2023-03-24 | 中电长城网际系统应用有限公司 | Multi-authentication authorization method under big data environment |
US11695561B2 (en) | 2021-11-19 | 2023-07-04 | Fmr Llc | Decentralized authorization of user access requests in a multi-tenant distributed service architecture |
US11431513B1 (en) | 2021-11-19 | 2022-08-30 | Fmr Llc | Decentralized authorization of user access requests in a distributed service architecture |
CN113886862B (en) * | 2021-12-06 | 2022-04-15 | 粤港澳大湾区数字经济研究院(福田) | Trusted computing system and resource processing method based on trusted computing system |
CN114138375A (en) * | 2021-12-30 | 2022-03-04 | 高新兴智联科技有限公司 | Internet of things service cloud architecture and radio frequency test system applying same |
CN115037954A (en) * | 2022-05-18 | 2022-09-09 | 阿里云计算有限公司 | Control method, device and system for accessing live broadcast |
WO2024044064A1 (en) * | 2022-08-23 | 2024-02-29 | Cisco Technology, Inc. | Privacy preserving secure access |
CN116155565B (en) * | 2023-01-04 | 2023-10-10 | 北京夏石科技有限责任公司 | Data access control method and device |
Family Cites Families (18)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6766454B1 (en) * | 1997-04-08 | 2004-07-20 | Visto Corporation | System and method for using an authentication applet to identify and authenticate a user in a computer network |
US20050125677A1 (en) * | 2003-12-09 | 2005-06-09 | Michaelides Phyllis J. | Generic token-based authentication system |
US8566462B2 (en) * | 2005-05-12 | 2013-10-22 | Digital River, Inc. | Methods of controlling access to network content referenced within structured documents |
US7673135B2 (en) * | 2005-12-08 | 2010-03-02 | Microsoft Corporation | Request authentication token |
US8868915B2 (en) * | 2010-12-06 | 2014-10-21 | Verizon Patent And Licensing Inc. | Secure authentication for client application access to protected resources |
US9374356B2 (en) | 2011-09-29 | 2016-06-21 | Oracle International Corporation | Mobile oauth service |
CN103716283B (en) * | 2012-09-29 | 2017-03-08 | 国际商业机器公司 | For processing the method and system of the OAuth certification of the Web service called on stream |
US9038142B2 (en) | 2013-02-05 | 2015-05-19 | Google Inc. | Authorization flow initiation using short-term wireless communication |
EP3047626B1 (en) * | 2013-09-20 | 2017-10-25 | Oracle International Corporation | Multiple resource servers with single, flexible, pluggable oauth server and oauth-protected restful oauth consent management service, and mobile application single sign on oauth service |
US9306939B2 (en) | 2014-05-30 | 2016-04-05 | Oracle International Corporation | Authorization token cache system and method |
US10104084B2 (en) | 2015-07-30 | 2018-10-16 | Cisco Technology, Inc. | Token scope reduction |
US10652365B2 (en) * | 2016-01-06 | 2020-05-12 | Adobe Inc. | Robust computing device identification framework |
US9923905B2 (en) * | 2016-02-01 | 2018-03-20 | General Electric Company | System and method for zone access control |
US10452328B2 (en) | 2016-08-31 | 2019-10-22 | Vmware, Inc. | Extensible token-based authorization |
US10708053B2 (en) * | 2017-05-19 | 2020-07-07 | Intuit Inc. | Coordinating access authorization across multiple systems at different mutual trust levels |
JP2018205840A (en) * | 2017-05-30 | 2018-12-27 | キヤノン株式会社 | System, method therefor and program therefor |
US11616771B2 (en) | 2017-08-18 | 2023-03-28 | Transform Sr Brands Llc | Application user single sign-on |
CN109309683B (en) | 2018-10-30 | 2021-09-14 | 泰华智慧产业集团股份有限公司 | Token-based client identity authentication method and system |
2020
- 2020-03-06 US US16/810,893 patent/US11277267B2/en active Active
- 2020-04-06 DE DE112020000538.0T patent/DE112020000538T5/en active Pending
- 2020-04-06 JP JP2021565850A patent/JP2022531872A/en active Pending
- 2020-04-06 CN CN202080029015.4A patent/CN113711563B/en active Active
- 2020-04-06 GB GB2117302.6A patent/GB2599273B/en active Active
- 2020-04-06 WO PCT/IB2020/053254 patent/WO2020225616A1/en active Application Filing
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US10122707B2 (en) | User impersonation/delegation in a token-based authentication system | |
EP3213487B1 (en) | Step-up authentication for single sign-on | |
US9699168B2 (en) | Method and system for authenticating a rich client to a web or cloud application | |
US9628469B2 (en) | Single sign on for a remote user session | |
US9560080B2 (en) | Extending organizational boundaries throughout a cloud architecture | |
US9519777B2 (en) | Techniques for controlling authentication | |
JP7196174B2 (en) | Authentication methods, systems and programs using delegated identities | |
US11277267B2 (en) | Fine-grained token based access control | |
US20140013409A1 (en) | Single sign on for cloud | |
US11356458B2 (en) | Systems, methods, and computer program products for dual layer federated identity based access control | |
WO2013071087A1 (en) | Single sign on for cloud | |
AU2019449420B2 (en) | Centralized authentication and authorization with certificate management | |
TW200400741A (en) | Persistent authorization context based on external authentication | |
US20150180850A1 (en) | Method and system to provide additional security mechanism for packaged web applications | |
US20220191185A1 (en) | Integration of legacy authentication with cloud-based authentication | |
JPWO2020225616A5 (en) | ||
US20190132304A1 (en) | Loopback verification of multi-factor authentication | |
AU2019370092B2 (en) | Centralized authentication and authorization | |
WO2023160632A1 (en) | Method for setting cloud service access permissions of enclave instance, and cloud management platform | |
Edge et al. | Identity and Device Trust | |
Gatev et al. | Plugging Middleware | |
Thakore et al. | Scalable and Privacy-preserving Access Mechanism for Dynamic Clouds |