WO2013186070A1 - A method and a system for providing access to protected resources via an oauth protocol - Google Patents

A method and a system for providing access to protected resources via an oauth protocol Download PDF

Info

Publication number
WO2013186070A1
WO2013186070A1 PCT/EP2013/061359 EP2013061359W WO2013186070A1 WO 2013186070 A1 WO2013186070 A1 WO 2013186070A1 EP 2013061359 W EP2013061359 W EP 2013061359W WO 2013186070 A1 WO2013186070 A1 WO 2013186070A1
Authority
WO
WIPO (PCT)
Prior art keywords
oauth
protocol
access
bridge
infrastructure
Prior art date
Application number
PCT/EP2013/061359
Other languages
French (fr)
Inventor
David LOZANO
Diego GONZÁLEZ
Jorge LORENZO
José Antonio Rodriguez
Santiago PRIETO MARTÍN
Original Assignee
Telefonica, S.A.
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Telefonica, S.A. filed Critical Telefonica, S.A.
Publication of WO2013186070A1 publication Critical patent/WO2013186070A1/en

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0807Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/20Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L63/205Network architectures or network communication protocols for network security for managing network security; network security policies in general involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L69/00Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/08Protocols for interworking; Protocol conversion

Definitions

  • the present invention generally relates, in a first aspect, to a method for providing access to protected resources via an OAuth protocol, and more particularly to a method which provides a solution for migrating from OAuth 1.0 to OAuth 2.0 infrastructures.
  • a second aspect of the invention relates to a system arranged to implement the method of the first aspect.
  • Opening up APIs implies different issues that must be properly solved from a technical point of view in order to achieve really useful and suitable results.
  • One of the main problems to be solved is security and, especially, end-user's privacy.
  • Internet applications should only access service providers' functionalities after having correctly authenticated and after having received the explicit consent or authorization from the owner of the resources to be accessed, without the need for the resource owner (typically an end-user) to share his/her identity or credentials with the application.
  • OAuth 2.0 [2] the new OAuth 2.0 [2] of this standard, which is expected to also become an official standard very soon.
  • OAuth 2.0 maintains the overall approach established by OAuth 1.0, it must be noted that it replaces and obsoletes the previous protocol version. Hence, the second version is not backward, nor forward compatible with the first version, meaning that OAuth 1 .0 clients cannot directly access OAuth 2.0 servers and vice versa.
  • enterprises already supporting OAuth 1.0, but wanting to evolve and support the new OAuth 2.0 standard face different technical and economic issues.
  • One of the major issues is that the support for "legacy" applications using OAuth 1.0 must be maintained. These applications are already working and generating profits and, in many cases, they are installed in end-user devices, therefore, updating and re-installing them to support OAuth 2.0 is not an easy option.
  • the main current existing technologies are the OAuth 1.0 Protocol [1] that is standardized by the IETF (http://www.ietf.org/) and the OAuth 2.0 Protocol [2] which is under standardization process by the IETF, but (at the time of writing this document) expected to become an official standard very soon.
  • OAuth 1.0 and 2.0 define an open protocol to allow secure API authorization in a simple and standard method for native and web applications, available both for Trusted and Non-Trusted Consumers (Clients).
  • OAuth as specified, is directly applicable to grant access to resources in REST [8] web services, but may also be used for example in SOAP-based web services.
  • the client In order for the client to access resources, it first has to obtain by means of the OAuth API, permission from the resource owner (e.g. final user). This permission is expressed in the form of a token and matching shared-secret.
  • the purpose of the token is to make it unnecessary for the resource owner to share its credentials with the client.
  • tokens can be issued with a restricted scope and limited lifetime, and can be revoked independently.
  • the main purpose of the OAuth API is to provide the means for the consumer to gain a valid Access Token.
  • Request Token is used as a reference within the delegated authorization procedures. More concretely, according to [1], Request Tokens are used by the Consumer to ask the User to authorize access to the Protected Resources. Then, the User-authorized Request Token, that is recommended to have a limited lifetime, is exchanged for an Access Token.
  • this Access Token is used by the Consumer to access the APIs on behalf of the User, instead of using the User's credentials (e.g. user and password). Access Tokens may limit access to certain APIs or even resources within a given API.
  • the implicit grant type is suitable for clients incapable of maintaining their client credentials confidential (for authenticating with the authorization server) such as client applications residing in a user- agent (e.g. browser).
  • the resource owner password credentials grant type is suitable in cases where the resource owner has a trust relationship with the client, such as its computer operating system or a highly privileged application.
  • the client can request an Access Token using only its client credentials when the client is requesting access to the protected resources under its control, or those of another resource owner which has been previously arranged with the authorization server (the method of which is beyond the scope of the OAuth 2.0 specification).
  • OAuth 1.0 and 2.0 are systematically considered as parallel, independent and non-compatible solutions.
  • No solutions for re-using OAuth 1.0 support in order to expose OAuth 2.0 have been identified in current, public state-of-the-art so far.
  • the present invention provides a technical solution for making it possible.
  • the present invention provides, in a first aspect, a method for providing access to protected resources via an OAuth protocol, the method comprising providing access to protected resources to an application of a computing device through an OAuth 1 .0 infrastructure.
  • the method comprises providing said access to protected resources through an OAuth 1.0 infrastructure to said application supporting OAuth 2.0 protocol by means of an intermediary entity adapting OAuth 2.0 protocol to OAuth 1 .0 protocol, and vice versa.
  • the method comprises providing said access to said protected resources without modifying said OAuth 1.0 infrastructure.
  • a second aspect of the present invention concerns to a system for providing access to protected resources via an OAuth protocol, said system comprising a OAuth 1.0 infrastructure providing said access to said protected resources and a computing device with an application supported by OAuth protocol, for accessing said protected resources.
  • the system of the second aspect of the invention is adapted to implement the method of the first aspect.
  • Figure 1 shows an example of the interactions followed by OAuth 1 .0.
  • Figure 2 shows an example of the interactions followed by OAuth 2.0.
  • FIG. 3 shows the OAuth 2.0 Bridge architecture, according to an embodiment of the present invention.
  • FIG. 4 shows the diagram of the authorization code flow on top of an OAuth
  • Figure 5 shows the diagram of the implicit grant flow on top of an OAuth 1 .0 infrastructure, according to an embodiment of the present invention.
  • Figure 6 shows the diagram of accessing protected resources exposed by OAuth 1 .0 infrastructure, according to an embodiment of the present invention.
  • FIG 7 shows the flow diagram for refreshing an access token with the help of the OAuth 2.0 Bridge, according to an embodiment of the present invention.
  • the present invention provides a solution to expose OAuth 2.0 on top of existing OAuth 1 .0 infrastructures, without having to modify the OAuth 1 .0 support within the existing infrastructure (i.e. without modifying existing Authorization and
  • the basic concept of the invention is to use an intermediary entity (i.e. a bridge) that adapts standard OAuth 2.0 into standard OAuth 1.0.
  • the OAuth Bridge basically behaves as the external client from OAuth 1.0 infrastructure's perspective, while it behaves as OAuth 2.0 Authorization and Resource Server from external OAuth 2.0 client's perspective.
  • the final responsibility of generating, maintaining and validating identifiers, credentials and tokens as well as enforcing the adequate access scope to protected resources remains at the existing OAuth 1.0 infrastructure.
  • the OAuth 2.0 Bridge behaves as an intermediary enabling OAuth 2.0 without having to modify existing OAuth 1.0 Authorization and Resource Servers, as graphically summarized in Figure 3.
  • OAuth 1.0 clients will still use the existing Oauth 1.0 infrastructure, without passing through the bridge. Thus no change on existing Oauth 1.0-based services is required.
  • the OAuth 2.0 Bridge has to:
  • OAuth 1.0 OAuth 1.0
  • the OAuth 2.0 Bridge validates OAuth 2.0 requests coming from external clients: validate the requests are well formed, check if the received access token is valid and was issued for the external client sending the request, validate signatures when applicable (depending on the access token type) and, optionally, make further access security checking, such as access scope validations, etc.
  • OAuth Bridge Correctly form and sign OAuth 1.0 requests, using appropriate credentials and token values and secrets, before sending them towards the OAuth 1 .0 infrastructure.
  • the OAuth Bridge must be able of correctly interacting with the underlying OAuth 1 .0 infrastructure, especially with the Authorization Server, for querying, handling and, optionally, storing client identifiers, client credentials, client registration details, Token values, Token secrets and Authorization Codes.
  • the OAuth Bridge can simply query the OAuth 1.0 infrastructure for client and token information whenever a new OAuth 2.0 request arrives. Alternatively, in order to improve performance, it may query and then cache this information temporarily or permanently.
  • OAuth 2.0 tokens may be of different types and may have the same or different values (and secrets, when applicable depending on the token type) than those generated in the OAuth 1.0 infrastructure.
  • the OAuth 2.0 Bridge must therefore be ready to correctly handle this mapping and, as result, use the correct Access Token on both communication sides (OAuth 2.0 Access Tokens towards external client vs OAuth 1.0 Access Tokens towards the existing infrastructure).
  • the overall concept of the invention is the same independently of reusing token values (and secrets when applicable) or generating new values for the OAuth 2.0 side.
  • the OAuth 2.0 Bridge also needs to provide the OAuth 2.0 authorization endpoint: a web page that interacts with the existing OAuth 1.0 Authorization Server in order to authenticate final users and authorize the access for external applications (also known as AA Portal: Authentication and Authorization Portal).
  • this web page can be implemented as an integral part of the OAuth 2.0 Bridge, or it can be implemented using an external web server, provided that it can correctly interact and pass information between the OAuth 1.0 Authorization Server and the OAuth 2.0 Bridge.
  • the present document explicitly considers the option of providing this web page at an external web server, detailing how it has to interact and pass information between the different involved elements.
  • the overall concept of the invention is the same independently of the option chosen in this regard.
  • the bridge must therefore know how the URLs it exposes map to OAuth 1.0 Protected Resource URLs as well as how to use the OAuth 1.0 Temporary Credentials and Token endpoints. This can be achieved in different ways, not affecting the basic idea of the present invention. For example, manual URL configuration could be used, or automatic rules may be applied to convert one set of URLs into another set of URLs, etc.
  • client_secret can be any kind of credential, as configured during client registration process (textual password, HMAC-SHA1 key, a certificate or others).
  • OAuth 2.0 standard messages [2] are represented by non-dotted lines
  • OAuth 1.0 standard messages [1] are represented by single dotted-lines
  • double dotted lines are used to represent non-standard interactions among the OAuth 2.0 Bridge, the Authentication&Authorization Portal and the OAuth 1 .0 infrastructure.
  • the OAuth 2.0 Bridge must be capable of mapping Access Tokens, and associated details, between both communication sides. To do so, the OAuth 2.0 Bridge maintains a set of mapping tables that interrelate: - Each clientjd with its corresponding client_secret.
  • Each clientjd with one or more Access Tokens generated on the OAuth 1 .0 side For each Access Token generated on the OAuth 1.0 side, the following details are stored: o Token value o Token secret o Expiration time (optional) o Access scope (optional) o Signing schemes associated to the Access Token - Each Access Token generated on the OAuth 1 .0 side with an associated Access Token generated on the OAuth 2.0 side [3] [4].
  • this table can be stored permanently of just cached for a freely chosen period of time, as Access Token details can be queried from OAuth 1.0 Authorization Server when received from the OAuth 2.0 side.
  • the table needs to be stored at least for a period of time equal or greater than the expiration time of the OAuth 1 .0 Access Token (meaning permanent storage for perpetual OAuth 1.0 Access Tokens). Note that when Refresh Tokens are used, then Access Token values are never the same on both sides.
  • entries in this table may be deleted whenever the OAuth 1.0 Access Token is known to have expired or have been revoked, as directly indicated by the OAuth 1.0 Authorization Server when trying to recover Access Token details or as inferred from 401 error responses from OAuth 1 .0 Protected Resources.
  • Authorization code flow may be deleted whenever the OAuth 1.0 Access Token is known to have expired or have been revoked, as directly indicated by the OAuth 1.0 Authorization Server when trying to recover Access Token details or as inferred from 401 error responses from OAuth 1 .0 Protected Resources.
  • the following diagram shows how the OAuth 2.0 Bridge makes it possible to offer the standard OAuth 2.0 - authorization code flow on top of an OAuth 1.0 infrastructure.
  • the first step is to redirect the user (via the user-agent) to the authorization endpoint, in this case, the AA Portal.
  • the AA portal In order to later authorize the access on the OAuth 1.0 infrastructure, the AA portal immediately sends a message to the OAuth 2.0 Bridge signaling the need to obtain an OAuth 1.0 Request Token. This message includes the clientjd and, when included by the client in the previous step, the redirect_uri. 3. If the OAuth 2.0 Bridge does not have the client_secret in its cache (as stored from previous accesses), it queries that information from the OAuth 1 .0 Authorization Server. It also queries the redirect_uri if not sent from the AA Portal and also not in cache. The OAuth 1.0 Authorization Server responds with the requested information. 4. The OAuth 2.0 Bridge temporarily caches the clientjd and the redirect_uri for later usages. The time this information will be maintained in the cache should be reconfigurable, so that the performance can be optimized against memory usage.
  • the OAuth 2.0 Bridge may also need to know further information on the client, such as signature method to be used against OAuth 1.0 infrastructure, allowed Protected Resources and other details typically set up during client registration. All this information is actually handled by the OAuth 1.0 and should also be queried and cached by the bridge, along with the client_secret and redirect_uri, as explained above. 5.
  • the OAuth 2.0 Bridge uses the information received from the AA Portal ⁇ clientjd, redirect_uri) plus the client_secret, the OAuth 2.0 Bridge sends a standard OAuth 1.0 Request Token request towards the OAuth 1.0 Authorization Server. The server responds with the Request Token and associated secret.
  • the OAuth 2.0 Bridge temporarily caches the received Request Token, and the secret, in association with the clientjd.
  • the time for caching this token/secret should also be configurable, independently from the caching time for the clientjd.
  • the OAuth 2.0 Bridge immediately responds the AA portal with the obtained Request Token.
  • the AA Portal indicates the user must authenticate. The user authenticates. If this process fails, the flow is blocked here. Otherwise, proceed with next steps.
  • the user is asked for authorization for the application identified by clientjd. If included in step 1 , the AA Portal considers the scope parameter to inform the user of the access scope requested by the application (e.g. access only to some resources or specific parts of resources). If the user denies the authorization, the flow is blocked here. If the user grants the authorization, proceed with next steps.
  • the AA Portal informs the OAuth 1 .0 Authorization Sever about the authorization provided by the end user, including the granted access scope.
  • the OAuth 1.0 Authorization Server responds with the associated Authorization Code. All this communication takes places through the OAuth 2.0 Bridge, which acts as a proxy or relay between the two entities, so that the OAuth 2.0 Bridge can also get the Authorization Code generated by the OAuth 1.0 Authorization Server.
  • the OAuth 2.0 Bridge caches the Authorization Code in association to the Request Token and the corresponding Token Secret and Clientjd.
  • the AA Portal redirects the user (via the user-agent) back to the external client.
  • This redirection includes the Authorization Code and the state parameter (this latter, if provided by the client itself in step 1 ).
  • the client sends an Access Token Request towards the OAuth 2.0 Bridge (to the Token endpoint), signaling the "authorization_code” grant type and the other standard parameters (including the Authorization Code).
  • the OAuth 2.0 Bridge validates the request is syntactically valid and, based on the information stored in its cache, it also validates that the client_secret and the redirect_uri are valid for that clientjd. Additionally, it also validates that the received Authorization Code was actually issued for that clientjd.
  • the OAuth 2.0 Bridge sends an Access Token request towards the OAuth 1 .0 Authorization server. All the information required to correctly sign the request (cliendjd, client_secret, Request Token and Request Token secret) is taken from bridge internal cache. Specifically, the Request Token and the Request Token Secret to be used are those associated to the received Authorization Code, as stored in previous steps. If the Request Token has already expired or it is not present, the request received in step 14 is rejected with an appropriate error code. The OAuth 2.0 Bridge also has to include the Authorization Code received in step 14. If the Authorization Code is valid, the OAuth 1.o Authorization server responds with a valid Access Token plus an associated secret. If the Authorization Code is invalid, the request is rejected and this error is sent back to the client by the bridge.
  • the OAuth 2.0 Bridge responds the client, following one of the next options: o
  • the Access Token sent to the client may be the one received from the OAuth 1 .0 Authorization Server, or it may be another value generated by the bridge itself. Additionally, the bridge also generates further details for the OAuth 2.0 side, such as token type, expiration information and, in case the token type requires a secret on the OAuth 2.0 side (e.g. MAC tokens [4]), it also includes the secret (e.g. as mac_key).
  • the Refresh Token sent to the client may be the Access Token received from the OAuth 1 .0
  • the Bridge then generates, on its own, an OAuth 2.0 Access Token value and associated expiration time and secret, in case this latter secret is necessary depending on the Access Token type.
  • the OAuth 2.0 Bridge stores the Access Token details, for both communication sides, in its mapping table.
  • the following diagram shows how the OAuth 2.0 Bridge makes it possible to offer the standard OAuth 2.0 - implicit grant flow on top of an OAuth 1.0 infrastructure.
  • the first step is to redirect the user (via the user-agent) to the authorization endpoint, in this case, the AA Portal.
  • the AA portal In order to later authorize the access on the OAuth 1.0 infrastructure, the AA portal immediately sends a message to the OAuth 2.0 Bridge signaling the need to obtain an OAuth 1.0 Request Token.
  • This message includes the clientjd and, optionally, the redirect_uri.
  • OAuth 2.0 Bridge If the OAuth 2.0 Bridge does not have the client_secret in its cache (as stored from previous accesses), it queries that information from the OAuth 1 .0 Authorization Server. It also queries the redirect_uri if not sent from the AA
  • the OAuth 1.0 Authorization Server responds with the requested information.
  • the OAuth 2.0 Bridge temporarily caches the clientjd and the redirect_uri for later usages. The time this information will be maintained in the cache should be reconfigurable, so that the performance can be optimized against memory usage.
  • the OAuth 2.0 Bridge may also need to know further information on the client, such as signature method to be used against OAuth 1.0 infrastructure, allowed Protected Resources and other details typically set up during client registration. All this information is actually handled by the OAuth 1.0 and should also be queried and cached by the bridge, along with the client_secret and redirect_uri, as explained above.
  • the OAuth 2.0 Bridge uses the information received from the AA Portal ⁇ clientjd, redirect_uri) plus the client_secret, the OAuth 2.0 Bridge sends a standard OAuth 1.0 Request Token requests towards the OAuth 1 .0 Authorization Server. The server responds with the Request Token and associated secret.
  • the OAuth 2.0 Bridge temporarily caches the received Request Token, and the secret, in association with the clientjd.
  • the time for caching this token/secret should also be configurable, independently from the caching time for the clientjd.
  • the OAuth 2.0 Bridge immediately responds the AA portal with the obtained Request Token.
  • the AA Portal indicates the user that it must authenticate. The user authenticates. If this process fails, the flow is blocked here. Otherwise, proceed with next steps.
  • the user is asked for authorization for the application identified by clientjd. If included in step 1 , the AA Portal considers the scope parameter to inform the user of the access scope requested by the application (e.g. access only to some APIs or specific functionalities within APIs). If the user denies the authorization, the flow is blocked here. If the user grants the authorization, proceed with next steps.
  • the AA Portal informs the OAuth 1 .0 Authorization Sever about the authorization provided by the end user, including the granted access scope.
  • the OAuth 1.0 Authorization Server responds with the associated Authorization
  • OAuth 2.0 Bridge acts as a proxy or relay between the two entities. Since the client signaled the Implicit Grant flow, the AA portal now sends a message to the OAuth 2.0 Bridge to trigger the procedure to obtain an OAuth 1.0 Access Token. This message includes the clientjd, the Authorization Code and the Request Token.
  • the OAuth 2.o Bridge gets the Request Token secret and the redirect_uri from its cache and it sends and OAuth 1.o Access Token request towards the OAuth 1.0 Authorization
  • the OAuth 1.0 Authorization Server answers with the Access Token and associated secret.
  • the OAuth 2.0 Bridge may choose to generate a new value for OAuth 2.0 Access Token (i.e. a value different from the value received from the OAuth 1 .0 Authorization Server). Additionally, the bridge also generates further details for the OAuth 2.0 side, such as token type, expiration information and, in case the token type requires a secret on the OAuth 2.0 side (e.g. MAC tokens), it also includes the secret (e.g. as mac_key). All this information, in addition to the OAuth 1.0 Access Token details, is stored in the bridge's mapping table. 15. In response to 12, the OAuth 2.0 Bridge sends the Access Token details (value, expiration time, type, etc) back to the AA Portal.
  • token type e.g. MAC tokens
  • the secret e.g. as mac_key
  • the AA Portal sends the Access Token to the client via the user-agent.
  • the Access Token For further details on this procedure, please, refer to [2]. Accessing Protected Resources
  • the following diagram shows how the OAuth 2.0 Bridge makes it possible to access, via OAuth 2.0, protected resources exposed by OAuth 1.0 infrastructure.
  • the client sends a request for a protected resource URL exposed by the OAuth 2.0 Bridge.
  • This URL corresponds with the URL of a Protected Resource exposed by the OAuth 1.0 infrastructure.
  • OAuth 2.0 Bridge does not have the OAuth 2.0 Access Token details (value, secret, access scope and associated clientjd) in its mapping table, as stored from previous accesses, it queries that information from the OAuth 1 .0 Authorization Server.
  • the OAuth 1.0 Authorization Server responds with the requested information (note this will only work if Token values are the same on both OAuth 1.0 and 2.0 ends; that is the reason for permanently storing Access Token details in the mapping tables whenever token values differ on both sides). If the Access Token details cannot be recovered from the OAuth 1.0 infrastructure, the request is rejected with the appropriate error code, following OAuth 2.0 specifications. Otherwise, proceed with the rest of the steps
  • the OAuth 2.0 Bridge checks that the OAuth 2.0 Access Token is still valid. If so, it also checks that the received request is correctly signed in accordance to the Access Token type being used. If any of these validations fails, the request is rejected with the appropriate error code, following OAuth 2.0 specifications. Otherwise, proceed with the rest of the steps.
  • the OAuth 2.0 Bridge adds the Access Token details (value, secret, access scope, etc) in its mapping table for later usages.
  • this step may be used to refresh the Access Token entry within the mapping table, in order to extend its expiration time. The details on this fully depend on the specific implementation.
  • the OAuth 2.0 Bridge needs the client_secret to correctly form the OAuth 1.0 request. Therefore, if the OAuth 2.0 Bridge does not have the client_secret in its cache (as stored from previous accesses), it queries that information from the OAuth 1.0 Authorization Server. The OAuth 1.0 Authorization Server responds with the requested information.
  • the OAuth 2.0 Bridge temporarily caches the clientjd for later usages. The time this information will be maintained in the cache should be reconfigurable, so that the performance can be optimized against memory usage.
  • the OAuth 2.0 Bridge may also need to know further information on the client, such as signature method to be used against OAuth 1.0 infrastructure, allowed Protected Resources and other details typically set up during client registration. All this information is actually handled by the OAuth 1.0 and should also be queried and cached by the bridge, along with the client_secret, as explained above. Now, based on the received request, the OAuth 2.0 Bridge builds the corresponding OAuth 1 .0 request to consume the Protected Resource. Note this is done by reusing the request body and headers excluding only the OAuth information (usually contained in the Authorization header), which needs to be updated to correctly build the OAuth 1.0 request.
  • the OAuth 1 .0 Protected Resource After receiving the request, the OAuth 1 .0 Protected Resource responds and the bridge simply passes that response to the client, in response to step 1 .
  • the bridge upon a 401 Unauthorized response, the bridge queries the Access Token details information from the OAuth 1.0 Authorization Server. In case the response indicates that the Access Token does not longer exist or is no longer valid, the Bridge will eliminate all the Access Token details from its mapping table. In the end, as it can be observed, the OAuth 1 .0 infrastructure is the final responsible for accepting or denying the access based on the Access Token and for managing these Access Tokens.
  • the Client wants to refresh an Access Token, so, following OAuth 2.0 standard procedures, it sends a Refresh Token request to the OAuth 2.0 Bridge.
  • the OAuth 2.0 Bridge does not have the client_secret in its cache (as stored from previous accesses), it queries that information from the OAuth 1 .0 Authorization Server. The OAuth 1.0 Authorization Server responds with the requested information.
  • the OAuth 2.0 Bridge temporarily caches the client_secret for later usages. The time this information will be maintained in the cache should be reconfigurable, so that the performance can be optimized against memory usage.
  • the OAuth 2.0 Bridge authenticates the client and checks whether the Refresh Token is valid for that client d, according to the information stored in its mapping table. If not, the request received in step one is rejected with an appropriate error code (see [2]). Otherwise, proceed with next step. 5.
  • the OAuth 2.0 Bridge generates a new OAuth 2.0 Access Token and associated details (expiration time, etc). It may also choose to generate a new Refresh token.
  • the OAuth 2.0 Bridge updates the mapping table with this new information, without modifying the corresponding information for the OAuth 1 .0 side.
  • the OAuth 2.0 Bridge responds the client with the new Access Token and associated details, which may also include a new Refresh Token.
  • This invention is applicable for any enterprise already offering open APIs protected by OAuth 1 .0 and willing to evolve to support OAuth 2.0 while keeping backwards support for OAuth 1 .0. This is especially important for API environments or scenarios where a relevant amount of final applications are installed in final-user's devices, instead of network-side entities, since updating and re-installing these applications to support OAuth 2.0 seems an almost impossible task (updates must be done by individual developers and there are no automatic procedures for re- installation).
  • a significant example for the application of this invention is the Telco operators market, and especially the WAC initiative [7], where applications are typically installed in user's handsets.
  • WAC initiative different players are offering mature APIs protected by OAuth 1 .0 [5], while others are beginning to use the newer protocol version.
  • OAuth 1 .0 In order to provide a homogeneous mechanism for developers to access the APIs of all the operators, evolving to OAuth 2.0 seems the best solution, but keeping support for already working and profitable OAuth 1 .0 applications.
  • Further examples for potential applicability are Internet companies, such as Twitter [6], which are also offering OAuth 1.0 APIs reachable from different kinds of applications, in many cases installed in users' mobile handsets or desktop devices.
  • Cost reduction as it is not necessary to build a complete OAuth 2.0 infrastructure, but only the OAuth 2.0 Bridge on top of it.
  • Faster OAuth 2.0 adoption not only development effort is lower, but also test and deployment-related activities are simplified, since work is focused on an individual entity on top of an already working infrastructure.
  • the OAuth 1 .0 infrastructure remains as the main responsible for handling applications, token, user information and other system information.
  • the OAuth 2.0 Bridge does not need to be provisioned with this information or to take the responsibility on these processes; it simply queries the OAuth 1.0 infrastructure and behaves accordingly to adapt between both protocols versions. As result, existing provision and operation processes are kept unmodified, avoiding the complexity of handling two parallel systems.
  • the present invention allows to efficiently providing support for both protocol versions, thus, keeping "legacy” applications working and giving developers broader options to build applications.
  • HTTP Authentication MAC Access Authentication, http ://tools . ietf. org/htm l/d raft- ietf-oauth-v2-http-mac-00

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

The method, comprising providing access to protected resources to an application of a computing device through an OAuth 1.0 infrastructure; the method comprises providing said access to protected resources through an OAuth 1.0 infrastructure to said application supporting OAuth 2.0 protocol by means of an intermediary entity adapting OAuth 2.0 protocol to OAuth 1.0 protocol, and vice versa. The system is adapted for implementing the method.

Description

A method and a system for providing access to protected resources via an
OAuth protocol
Field of the art
The present invention generally relates, in a first aspect, to a method for providing access to protected resources via an OAuth protocol, and more particularly to a method which provides a solution for migrating from OAuth 1.0 to OAuth 2.0 infrastructures.
A second aspect of the invention relates to a system arranged to implement the method of the first aspect.
Prior State of the Art
In the last years the Internet world has experienced an explosion of web APIs/web services that open up service providers' functionalities to other sites and, in many cases, to individual developers, thus, allowing them to quickly build new services or enrich already existing ones through the inclusion and combination of remotely exposed functionalities. Nowadays, this is one of the major trends in the Internet and it is expected to keep growing and evolving, progressively addressing more sophisticated and dynamic scenarios.
Opening up APIs implies different issues that must be properly solved from a technical point of view in order to achieve really useful and suitable results. One of the main problems to be solved is security and, especially, end-user's privacy. Basically, Internet applications should only access service providers' functionalities after having correctly authenticated and after having received the explicit consent or authorization from the owner of the resources to be accessed, without the need for the resource owner (typically an end-user) to share his/her identity or credentials with the application. As a solution to this problem, the new OAuth 1.0 [1] standard has emerged in the last years and now the Internet community and IETF are working in the second version (OAuth 2.0 [2]) of this standard, which is expected to also become an official standard very soon. Although OAuth 2.0 maintains the overall approach established by OAuth 1.0, it must be noted that it replaces and obsoletes the previous protocol version. Hence, the second version is not backward, nor forward compatible with the first version, meaning that OAuth 1 .0 clients cannot directly access OAuth 2.0 servers and vice versa. In this scenario with two parallel versions of the OAuth protocol, enterprises already supporting OAuth 1.0, but wanting to evolve and support the new OAuth 2.0 standard, face different technical and economic issues. One of the major issues is that the support for "legacy" applications using OAuth 1.0 must be maintained. These applications are already working and generating profits and, in many cases, they are installed in end-user devices, therefore, updating and re-installing them to support OAuth 2.0 is not an easy option. After acknowledging that the OAuth 1 .0 support has to be maintained, enterprises also need to find ways to add OAuth 2.0 support in the shortest possible time, with the less possible cost and with the highest possible re- usage of its already existing OAuth 1.0 infrastructure, in order to reduce duplicated provisioning, operation and maintenance procedures and costs.
The main current existing technologies are the OAuth 1.0 Protocol [1] that is standardized by the IETF (http://www.ietf.org/) and the OAuth 2.0 Protocol [2] which is under standardization process by the IETF, but (at the time of writing this document) expected to become an official standard very soon.
Both OAuth 1.0 and 2.0 define an open protocol to allow secure API authorization in a simple and standard method for native and web applications, available both for Trusted and Non-Trusted Consumers (Clients). OAuth, as specified, is directly applicable to grant access to resources in REST [8] web services, but may also be used for example in SOAP-based web services.
In order for the client to access resources, it first has to obtain by means of the OAuth API, permission from the resource owner (e.g. final user). This permission is expressed in the form of a token and matching shared-secret. The purpose of the token is to make it unnecessary for the resource owner to share its credentials with the client. Unlike the resource owner credentials, tokens can be issued with a restricted scope and limited lifetime, and can be revoked independently.
In short, the main purpose of the OAuth API is to provide the means for the consumer to gain a valid Access Token.
The interactions followed by OAuth 1 .0 are summarized in Figure 1 .
In this 3-legged access mode, there are two tokens with crucial roles:
- In the first place, Request Token is used as a reference within the delegated authorization procedures. More concretely, according to [1], Request Tokens are used by the Consumer to ask the User to authorize access to the Protected Resources. Then, the User-authorized Request Token, that is recommended to have a limited lifetime, is exchanged for an Access Token.
- Finally, this Access Token is used by the Consumer to access the APIs on behalf of the User, instead of using the User's credentials (e.g. user and password). Access Tokens may limit access to certain APIs or even resources within a given API.
In OAuth 2.0, the Request Token concept disappears. Thus, the flow starts with the Authorization Request to the Service. In this request, instead of including the Request Token, the consumer identification is sent, as shown in Figure 2.
The flow in Figure 2 describes the OAuth 2.0 scenario called "Authorization
Code". In addition, OAuth 2.0 is specifying other scenarios:
- Implicit Grant: The implicit grant type is suitable for clients incapable of maintaining their client credentials confidential (for authenticating with the authorization server) such as client applications residing in a user- agent (e.g. browser).
- Resource Owner password credentials: The resource owner password credentials grant type is suitable in cases where the resource owner has a trust relationship with the client, such as its computer operating system or a highly privileged application.
- Client Credentials: The client can request an Access Token using only its client credentials when the client is requesting access to the protected resources under its control, or those of another resource owner which has been previously arranged with the authorization server (the method of which is beyond the scope of the OAuth 2.0 specification).
Existing solutions
Many work, solutions and tools have been developed on both versions of the protocol, but OAuth 1.0 and 2.0 are systematically considered as parallel, independent and non-compatible solutions. No solutions for re-using OAuth 1.0 support in order to expose OAuth 2.0 have been identified in current, public state-of-the-art so far.
Problems with existing solutions
As already explained, when evolving to OAuth 2.0, backwards support for OAuth 1.0 is a must in many cases. Considering the support of OAuth 1.0 and OAuth 2.0 as independent issues presents different problems and drawbacks derived from the need to build, manage and operate two parallel infrastructures and their associated processes. The main drawbacks are:
- Increased time for migrating to the newer version.
- Increased costs associated to the migration to OAuth 2.0.
- Increased complexity and reduced homogeneity, as two parallel solutions must be maintained.
Re-using current OAuth 1.0 infrastructures as much as possible helps solving the above problems. The present invention provides a technical solution for making it possible.
Description of the Invention
It is necessary to offer an alternative to the state of the art which covers the gaps found therein, particularly related to the lack of proposals which really allows exposing OAuth 2.0 infrastructures using the existing OAuth 1.0 infrastructures without modifying these 1.0 infrastructures in any way and with the possibility of maintaining them as the main point for security control, operation and maintenance.
To that end, the present invention provides, in a first aspect, a method for providing access to protected resources via an OAuth protocol, the method comprising providing access to protected resources to an application of a computing device through an OAuth 1 .0 infrastructure.
The method comprises providing said access to protected resources through an OAuth 1.0 infrastructure to said application supporting OAuth 2.0 protocol by means of an intermediary entity adapting OAuth 2.0 protocol to OAuth 1 .0 protocol, and vice versa.
In a preferred embodiment, the method comprises providing said access to said protected resources without modifying said OAuth 1.0 infrastructure.
Other embodiments of the method of the first aspect of the invention are described according to appended claims 2 to 14, and in a subsequent section related to the detailed description of several embodiments.
A second aspect of the present invention concerns to a system for providing access to protected resources via an OAuth protocol, said system comprising a OAuth 1.0 infrastructure providing said access to said protected resources and a computing device with an application supported by OAuth protocol, for accessing said protected resources. The system wherein said application is supported by OAuth 2.0 protocol it further comprises an intermediary entity arranged between said computing device and said OAuth 1.0 infrastructure and configured for providing to said application of said computing device said access to said protected resources by adapting OAuth 2.0 protocol to OAuth 1.0 protocol, and vice versa.
The system of the second aspect of the invention is adapted to implement the method of the first aspect.
An embodiment of the system of the second aspect of the invention is described according to appended claim 16, and in a subsequent section related to the detailed description of several embodiments.
Brief Description of the Drawings
The previous and other advantages and features will be more fully understood from the following detailed description of embodiments, with reference to the attached drawings, which must be considered in an illustrative and non-limiting manner, in which:
Figure 1 shows an example of the interactions followed by OAuth 1 .0.
Figure 2 shows an example of the interactions followed by OAuth 2.0.
Figure 3 shows the OAuth 2.0 Bridge architecture, according to an embodiment of the present invention.
Figure 4 shows the diagram of the authorization code flow on top of an OAuth
1.0 infrastructure, according to an embodiment of the present invention.
Figure 5 shows the diagram of the implicit grant flow on top of an OAuth 1 .0 infrastructure, according to an embodiment of the present invention.
Figure 6 shows the diagram of accessing protected resources exposed by OAuth 1 .0 infrastructure, according to an embodiment of the present invention.
Figure 7, shows the flow diagram for refreshing an access token with the help of the OAuth 2.0 Bridge, according to an embodiment of the present invention.
Detailed Description of Several Embodiments
The present invention provides a solution to expose OAuth 2.0 on top of existing OAuth 1 .0 infrastructures, without having to modify the OAuth 1 .0 support within the existing infrastructure (i.e. without modifying existing Authorization and
Resources Servers).
The basic concept of the invention is to use an intermediary entity (i.e. a bridge) that adapts standard OAuth 2.0 into standard OAuth 1.0. To perform such adaptation, the OAuth Bridge basically behaves as the external client from OAuth 1.0 infrastructure's perspective, while it behaves as OAuth 2.0 Authorization and Resource Server from external OAuth 2.0 client's perspective. The final responsibility of generating, maintaining and validating identifiers, credentials and tokens as well as enforcing the adequate access scope to protected resources remains at the existing OAuth 1.0 infrastructure. In summary, the OAuth 2.0 Bridge behaves as an intermediary enabling OAuth 2.0 without having to modify existing OAuth 1.0 Authorization and Resource Servers, as graphically summarized in Figure 3.
In addition, OAuth 1.0 clients will still use the existing Oauth 1.0 infrastructure, without passing through the bridge. Thus no change on existing Oauth 1.0-based services is required.
More specifically, to achieve the above goals, the OAuth 2.0 Bridge has to:
Intermediate and adapt between the flows of the two OAuth versions, as explained in the following table:
PROTOCOL OAuth 2.o OAuth 1.0
STEPS
This step does not exist in The OAuth Bridge performs
Obtain OAuth 2.0. It is hidden from this operation towards the ; Temporary external OAuth 2.0 clients by OAuth 1.0 infrastructure as the credentials (i.e. the OAuth Bridge very first step when an OAuth request token) 2.0 access authorization
request is received.
Performed following the This step, comprising final user OAuth 2.0 standard towards authentication and : external clients and end authorization, is shared among ; users. The OAuth Bridge the two protocol flows. It is actually encapsulates the done only once through an following OAuth 1.0 steps authentication and behind it: authorization web page.
Obtain • Obtain Request As result, after authenticating
the user and receiving her authorization Token
authorization, OAuth 1.0
• Obtain authorization Request Tokens are authorized ;
at the OAuth 1.0 infrastructure
• Obtain Access Token, (Authorization Server) and an ; in case of the implicit associated Authorization Code : grant flow (known as verification code in
OAuth 1.0) is generated. This : code is valid for both protocol ; versions.
When applicable Performed by the OAuth ;
Obtain access
(authorization code flow), Bridge, within one of the token
performed following the following options: OAuth 2.0 standard towards
external clients. as direct result of
receiving an individual OAuth 2.0 Access Token request (i.e. authorization code flow), or
as part of the authorization step for the OAuth 2.0 implicit
Figure imgf000008_0001
Table 1.- Protocol flow adaptation from OAuth 2.0 to 1.0
Translate between the syntax of both protocol versions, considering the translation of requests coming from external clients into OAuth 1.0 requests, that are sent towards the existing infrastructure, as well as the adaptation of OAuth 1 .0 responses into OAuth 2.0 responses in the reverse direction (from the infrastructure towards external clients).
In order to limit the amount of unauthorized or malformed requests arriving at the OAuth 1 .0 infrastructure, the OAuth 2.0 Bridge validates OAuth 2.0 requests coming from external clients: validate the requests are well formed, check if the received access token is valid and was issued for the external client sending the request, validate signatures when applicable (depending on the access token type) and, optionally, make further access security checking, such as access scope validations, etc.
Correctly form and sign OAuth 1.0 requests, using appropriate credentials and token values and secrets, before sending them towards the OAuth 1 .0 infrastructure. To carry out its functionalities, the OAuth Bridge must be able of correctly interacting with the underlying OAuth 1 .0 infrastructure, especially with the Authorization Server, for querying, handling and, optionally, storing client identifiers, client credentials, client registration details, Token values, Token secrets and Authorization Codes. There are different options in this regard, for example, the OAuth Bridge can simply query the OAuth 1.0 infrastructure for client and token information whenever a new OAuth 2.0 request arrives. Alternatively, in order to improve performance, it may query and then cache this information temporarily or permanently. This document, as an example, considers the option of temporarily caching the information queried from the OAuth 1.0 infrastructure (client identifiers and credentials, token values and secrets, etc), but the overall concept of the invention is the same independently of the option chosen in this regard or the means used to interact with the underlying OAuth 1.0 infrastructure.
Moreover, OAuth 2.0 tokens may be of different types and may have the same or different values (and secrets, when applicable depending on the token type) than those generated in the OAuth 1.0 infrastructure. In any case, there must always exist a 1 to 1 mapping between OAuth 1 .0 and OAuth 2.0 Access Tokens, as both are the expression of the same delegated access authorization provided by the final user. The OAuth 2.0 Bridge must therefore be ready to correctly handle this mapping and, as result, use the correct Access Token on both communication sides (OAuth 2.0 Access Tokens towards external client vs OAuth 1.0 Access Tokens towards the existing infrastructure). In any case, the overall concept of the invention is the same independently of reusing token values (and secrets when applicable) or generating new values for the OAuth 2.0 side.
As explained previously, it is worth highlighting that the OAuth 2.0 Bridge also needs to provide the OAuth 2.0 authorization endpoint: a web page that interacts with the existing OAuth 1.0 Authorization Server in order to authenticate final users and authorize the access for external applications (also known as AA Portal: Authentication and Authorization Portal). As a matter of implementation, this web page can be implemented as an integral part of the OAuth 2.0 Bridge, or it can be implemented using an external web server, provided that it can correctly interact and pass information between the OAuth 1.0 Authorization Server and the OAuth 2.0 Bridge. The present document explicitly considers the option of providing this web page at an external web server, detailing how it has to interact and pass information between the different involved elements. Anyway, the overall concept of the invention is the same independently of the option chosen in this regard.
Finally, proxy the access to OAuth 1.0 Protected Resources from the URLs exposed by the bridge itself, which are protected by OAuth 2.0. The bridge must therefore know how the URLs it exposes map to OAuth 1.0 Protected Resource URLs as well as how to use the OAuth 1.0 Temporary Credentials and Token endpoints. This can be achieved in different ways, not affecting the basic idea of the present invention. For example, manual URL configuration could be used, or automatic rules may be applied to convert one set of URLs into another set of URLs, etc.
The operation details of operation of the OAuth 2.0 Bridge for the different protocol flows are explained in the following. This description uses OAuth 2.0 terminology for referring to entities and protocol elements. In order to correctly understand it, also from OAuth 1.0 perspective, the following terminology mapping is to be considered:
Figure imgf000010_0001
Table 2.- Map of OAuth terms
It must be noted that the client_secret can be any kind of credential, as configured during client registration process (textual password, HMAC-SHA1 key, a certificate or others).
This section specifies the detailed technical operation of the OAuth 2.0 Bridge, considering:
How to map and handle Access Tokens on both communications sides. Diagrams and associated descriptions for the following OAuth 2.0 protocol flows: o Authorization code o Implicit grant - Additionally, two further diagrams are provided: o Refreshing OAuth 2.0 Access Tokens (this is an optional flow) o Accessing protected resources, once the client has obtained a valid Access Token
For the sake of clarity, within the following flow diagrams, OAuth 2.0 standard messages [2] are represented by non-dotted lines, OAuth 1.0 standard messages [1] are represented by single dotted-lines and, finally, double dotted lines (with dots of two different lengths) are used to represent non-standard interactions among the OAuth 2.0 Bridge, the Authentication&Authorization Portal and the OAuth 1 .0 infrastructure. These latter interactions can be implemented following different messages syntax, but its semantics is as specified in the diagrams and associated descriptions.
It is assumed that the client needs to be registered with the OAuth 1 .0 infrastructure before the next procedures can take place. This registration may be done through different approaches, out of the scope, but compatible with the present invention.
Mapping Access Tokens between OAuth 1.0 and 2.0
The OAuth 2.0 Bridge must be capable of mapping Access Tokens, and associated details, between both communication sides. To do so, the OAuth 2.0 Bridge maintains a set of mapping tables that interrelate: - Each clientjd with its corresponding client_secret.
Each clientjd with one or more Access Tokens generated on the OAuth 1 .0 side. For each Access Token generated on the OAuth 1.0 side, the following details are stored: o Token value o Token secret o Expiration time (optional) o Access scope (optional) o Signing schemes associated to the Access Token - Each Access Token generated on the OAuth 1 .0 side with an associated Access Token generated on the OAuth 2.0 side [3] [4]. For each Access Token generated on the OAuth 2.0 side, the following details are stored: o Token value o Token type o Token secret (if applicable for the Token type) o Expiration time (optional) o Refresh Token associated to the Access Token (optional) o Access scope (optional) o Signing schemes associated to the Access Token (optional)
In general, if token values are re-used between both sides, then this table can be stored permanently of just cached for a freely chosen period of time, as Access Token details can be queried from OAuth 1.0 Authorization Server when received from the OAuth 2.0 side. On the other hand, if token values differ on each side, the table needs to be stored at least for a period of time equal or greater than the expiration time of the OAuth 1 .0 Access Token (meaning permanent storage for perpetual OAuth 1.0 Access Tokens). Note that when Refresh Tokens are used, then Access Token values are never the same on both sides.
As later explained in the following procedures, entries in this table may be deleted whenever the OAuth 1.0 Access Token is known to have expired or have been revoked, as directly indicated by the OAuth 1.0 Authorization Server when trying to recover Access Token details or as inferred from 401 error responses from OAuth 1 .0 Protected Resources. Authorization code flow
The following diagram shows how the OAuth 2.0 Bridge makes it possible to offer the standard OAuth 2.0 - authorization code flow on top of an OAuth 1.0 infrastructure.
1. As considered by OAuth 2.0 specification, the first step is to redirect the user (via the user-agent) to the authorization endpoint, in this case, the AA Portal. This redirection includes query parameters as considered by OAuth 2.0 specifications. More specifically, it indicates response type = code to signal that the OAuth 2.0 Authorization Code flow must be used.
2. In order to later authorize the access on the OAuth 1.0 infrastructure, the AA portal immediately sends a message to the OAuth 2.0 Bridge signaling the need to obtain an OAuth 1.0 Request Token. This message includes the clientjd and, when included by the client in the previous step, the redirect_uri. 3. If the OAuth 2.0 Bridge does not have the client_secret in its cache (as stored from previous accesses), it queries that information from the OAuth 1 .0 Authorization Server. It also queries the redirect_uri if not sent from the AA Portal and also not in cache. The OAuth 1.0 Authorization Server responds with the requested information. 4. The OAuth 2.0 Bridge temporarily caches the clientjd and the redirect_uri for later usages. The time this information will be maintained in the cache should be reconfigurable, so that the performance can be optimized against memory usage.
NOTE: the OAuth 2.0 Bridge may also need to know further information on the client, such as signature method to be used against OAuth 1.0 infrastructure, allowed Protected Resources and other details typically set up during client registration. All this information is actually handled by the OAuth 1.0 and should also be queried and cached by the bridge, along with the client_secret and redirect_uri, as explained above. 5. Using the information received from the AA Portal {clientjd, redirect_uri) plus the client_secret, the OAuth 2.0 Bridge sends a standard OAuth 1.0 Request Token request towards the OAuth 1.0 Authorization Server. The server responds with the Request Token and associated secret. The OAuth 2.0 Bridge temporarily caches the received Request Token, and the secret, in association with the clientjd. The time for caching this token/secret should also be configurable, independently from the caching time for the clientjd. The OAuth 2.0 Bridge immediately responds the AA portal with the obtained Request Token. Now, in response for step 1 , the AA Portal indicates the user must authenticate. The user authenticates. If this process fails, the flow is blocked here. Otherwise, proceed with next steps. The user is asked for authorization for the application identified by clientjd. If included in step 1 , the AA Portal considers the scope parameter to inform the user of the access scope requested by the application (e.g. access only to some resources or specific parts of resources). If the user denies the authorization, the flow is blocked here. If the user grants the authorization, proceed with next steps.
The AA Portal informs the OAuth 1 .0 Authorization Sever about the authorization provided by the end user, including the granted access scope. The OAuth 1.0 Authorization Server responds with the associated Authorization Code. All this communication takes places through the OAuth 2.0 Bridge, which acts as a proxy or relay between the two entities, so that the OAuth 2.0 Bridge can also get the Authorization Code generated by the OAuth 1.0 Authorization Server. The OAuth 2.0 Bridge caches the Authorization Code in association to the Request Token and the corresponding Token Secret and Clientjd.
As specified by OAuth 2.0, the AA Portal redirects the user (via the user-agent) back to the external client. This redirection includes the Authorization Code and the state parameter (this latter, if provided by the client itself in step 1 ). 14. Following OAuth 2.0 specs, the client sends an Access Token Request towards the OAuth 2.0 Bridge (to the Token endpoint), signaling the "authorization_code" grant type and the other standard parameters (including the Authorization Code). 15. The OAuth 2.0 Bridge validates the request is syntactically valid and, based on the information stored in its cache, it also validates that the client_secret and the redirect_uri are valid for that clientjd. Additionally, it also validates that the received Authorization Code was actually issued for that clientjd.
16. Following OAuth 1 .0 standards, the OAuth 2.0 Bridge sends an Access Token request towards the OAuth 1 .0 Authorization server. All the information required to correctly sign the request (cliendjd, client_secret, Request Token and Request Token secret) is taken from bridge internal cache. Specifically, the Request Token and the Request Token Secret to be used are those associated to the received Authorization Code, as stored in previous steps. If the Request Token has already expired or it is not present, the request received in step 14 is rejected with an appropriate error code. The OAuth 2.0 Bridge also has to include the Authorization Code received in step 14. If the Authorization Code is valid, the OAuth 1.o Authorization server responds with a valid Access Token plus an associated secret. If the Authorization Code is invalid, the request is rejected and this error is sent back to the client by the bridge.
17. The OAuth 2.0 Bridge responds the client, following one of the next options: o In case no Refresh Tokens are to be used, the Access Token sent to the client may be the one received from the OAuth 1 .0 Authorization Server, or it may be another value generated by the bridge itself. Additionally, the bridge also generates further details for the OAuth 2.0 side, such as token type, expiration information and, in case the token type requires a secret on the OAuth 2.0 side (e.g. MAC tokens [4]), it also includes the secret (e.g. as mac_key). o In case Refresh Tokens are to be used, the Refresh Token sent to the client may be the Access Token received from the OAuth 1 .0
Authorization Server, or it may be another value generated by the bridge itself. Furthermore, the bridge then generates, on its own, an OAuth 2.0 Access Token value and associated expiration time and secret, in case this latter secret is necessary depending on the Access Token type.
18. The OAuth 2.0 Bridge stores the Access Token details, for both communication sides, in its mapping table.
Implicit grant flow
The following diagram shows how the OAuth 2.0 Bridge makes it possible to offer the standard OAuth 2.0 - implicit grant flow on top of an OAuth 1.0 infrastructure.
1. As considered by OAuth 2.0 specification, the first step is to redirect the user (via the user-agent) to the authorization endpoint, in this case, the AA Portal.
This redirection includes query parameters as considered by OAuth 2.0 specifications. More specifically, it indicates response_type = token to signal that the OAuth 2.0 Implicit Grant flow must be used.
2. In order to later authorize the access on the OAuth 1.0 infrastructure, the AA portal immediately sends a message to the OAuth 2.0 Bridge signaling the need to obtain an OAuth 1.0 Request Token. This message includes the clientjd and, optionally, the redirect_uri.
3. If the OAuth 2.0 Bridge does not have the client_secret in its cache (as stored from previous accesses), it queries that information from the OAuth 1 .0 Authorization Server. It also queries the redirect_uri if not sent from the AA
Portal and also not in cache. The OAuth 1.0 Authorization Server responds with the requested information.
4. The OAuth 2.0 Bridge temporarily caches the clientjd and the redirect_uri for later usages. The time this information will be maintained in the cache should be reconfigurable, so that the performance can be optimized against memory usage.
NOTE: the OAuth 2.0 Bridge may also need to know further information on the client, such as signature method to be used against OAuth 1.0 infrastructure, allowed Protected Resources and other details typically set up during client registration. All this information is actually handled by the OAuth 1.0 and should also be queried and cached by the bridge, along with the client_secret and redirect_uri, as explained above. Using the information received from the AA Portal {clientjd, redirect_uri) plus the client_secret, the OAuth 2.0 Bridge sends a standard OAuth 1.0 Request Token requests towards the OAuth 1 .0 Authorization Server. The server responds with the Request Token and associated secret. The OAuth 2.0 Bridge temporarily caches the received Request Token, and the secret, in association with the clientjd. The time for caching this token/secret should also be configurable, independently from the caching time for the clientjd. The OAuth 2.0 Bridge immediately responds the AA portal with the obtained Request Token. Now, in response for step 1 , the AA Portal indicates the user that it must authenticate. The user authenticates. If this process fails, the flow is blocked here. Otherwise, proceed with next steps. The user is asked for authorization for the application identified by clientjd. If included in step 1 , the AA Portal considers the scope parameter to inform the user of the access scope requested by the application (e.g. access only to some APIs or specific functionalities within APIs). If the user denies the authorization, the flow is blocked here. If the user grants the authorization, proceed with next steps. The AA Portal informs the OAuth 1 .0 Authorization Sever about the authorization provided by the end user, including the granted access scope. The OAuth 1.0 Authorization Server responds with the associated Authorization
Code. All this communication takes places through the OAuth 2.0 Bridge, which acts as a proxy or relay between the two entities. Since the client signaled the Implicit Grant flow, the AA portal now sends a message to the OAuth 2.0 Bridge to trigger the procedure to obtain an OAuth 1.0 Access Token. This message includes the clientjd, the Authorization Code and the Request Token.
13. In addition to the information received from the AA Portal, the OAuth 2.o Bridge gets the Request Token secret and the redirect_uri from its cache and it sends and OAuth 1.o Access Token request towards the OAuth 1.0 Authorization
Server. The OAuth 1.0 Authorization Server answers with the Access Token and associated secret.
14. The OAuth 2.0 Bridge may choose to generate a new value for OAuth 2.0 Access Token (i.e. a value different from the value received from the OAuth 1 .0 Authorization Server). Additionally, the bridge also generates further details for the OAuth 2.0 side, such as token type, expiration information and, in case the token type requires a secret on the OAuth 2.0 side (e.g. MAC tokens), it also includes the secret (e.g. as mac_key). All this information, in addition to the OAuth 1.0 Access Token details, is stored in the bridge's mapping table. 15. In response to 12, the OAuth 2.0 Bridge sends the Access Token details (value, expiration time, type, etc) back to the AA Portal.
16. Following the OAuth 2.0 standard Implicit Grant flow, the AA Portal sends the Access Token to the client via the user-agent. For further details on this procedure, please, refer to [2]. Accessing Protected Resources
The following diagram shows how the OAuth 2.0 Bridge makes it possible to access, via OAuth 2.0, protected resources exposed by OAuth 1.0 infrastructure.
1. As result from user activity, the client sends a request for a protected resource URL exposed by the OAuth 2.0 Bridge. This URL corresponds with the URL of a Protected Resource exposed by the OAuth 1.0 infrastructure.
2. If the OAuth 2.0 Bridge does not have the OAuth 2.0 Access Token details (value, secret, access scope and associated clientjd) in its mapping table, as stored from previous accesses, it queries that information from the OAuth 1 .0 Authorization Server. The OAuth 1.0 Authorization Server responds with the requested information (note this will only work if Token values are the same on both OAuth 1.0 and 2.0 ends; that is the reason for permanently storing Access Token details in the mapping tables whenever token values differ on both sides). If the Access Token details cannot be recovered from the OAuth 1.0 infrastructure, the request is rejected with the appropriate error code, following OAuth 2.0 specifications. Otherwise, proceed with the rest of the steps
The OAuth 2.0 Bridge checks that the OAuth 2.0 Access Token is still valid. If so, it also checks that the received request is correctly signed in accordance to the Access Token type being used. If any of these validations fails, the request is rejected with the appropriate error code, following OAuth 2.0 specifications. Otherwise, proceed with the rest of the steps.
If not already stored, the OAuth 2.0 Bridge adds the Access Token details (value, secret, access scope, etc) in its mapping table for later usages. When temporal caching is used, this step may be used to refresh the Access Token entry within the mapping table, in order to extend its expiration time. The details on this fully depend on the specific implementation.
The OAuth 2.0 Bridge needs the client_secret to correctly form the OAuth 1.0 request. Therefore, if the OAuth 2.0 Bridge does not have the client_secret in its cache (as stored from previous accesses), it queries that information from the OAuth 1.0 Authorization Server. The OAuth 1.0 Authorization Server responds with the requested information.
The OAuth 2.0 Bridge temporarily caches the clientjd for later usages. The time this information will be maintained in the cache should be reconfigurable, so that the performance can be optimized against memory usage.
NOTE: the OAuth 2.0 Bridge may also need to know further information on the client, such as signature method to be used against OAuth 1.0 infrastructure, allowed Protected Resources and other details typically set up during client registration. All this information is actually handled by the OAuth 1.0 and should also be queried and cached by the bridge, along with the client_secret, as explained above. Now, based on the received request, the OAuth 2.0 Bridge builds the corresponding OAuth 1 .0 request to consume the Protected Resource. Note this is done by reusing the request body and headers excluding only the OAuth information (usually contained in the Authorization header), which needs to be updated to correctly build the OAuth 1.0 request. This implies: o Based on the mapping table and the received OAuth 2.0 Access Token, get the Access Token to be used on the OAuth 1.0 side. o Resigning the request using the client_secret and one of the appropriate signing schemes, as configured for the client during registration phase (all this information has been consulted during previous steps of this flow).
After receiving the request, the OAuth 1 .0 Protected Resource responds and the bridge simply passes that response to the client, in response to step 1 .
8. If the request is rejected by the OAuth 1 .0 Protected Resource with an 401 Unauthorized response, that may imply that the Access Token was already expired or is invalid due to other reasons. To learn if the reason is that the Access Token is no longer valid, and in order to avoid storing non-valid
Access/Refresh Tokens, upon a 401 Unauthorized response, the bridge queries the Access Token details information from the OAuth 1.0 Authorization Server. In case the response indicates that the Access Token does not longer exist or is no longer valid, the Bridge will eliminate all the Access Token details from its mapping table. In the end, as it can be observed, the OAuth 1 .0 infrastructure is the final responsible for accepting or denying the access based on the Access Token and for managing these Access Tokens.
Refreshing an Access Token
The following flow explains how to refresh Access Token with the help of the OAuth 2.0 Bridge.
1. The Client wants to refresh an Access Token, so, following OAuth 2.0 standard procedures, it sends a Refresh Token request to the OAuth 2.0 Bridge. This request includes the grant type = refresh_token, the refresh token itself and further parameters (see [2] for more details). 2. If the OAuth 2.0 Bridge does not have the client_secret in its cache (as stored from previous accesses), it queries that information from the OAuth 1 .0 Authorization Server. The OAuth 1.0 Authorization Server responds with the requested information.
3. The OAuth 2.0 Bridge temporarily caches the client_secret for later usages. The time this information will be maintained in the cache should be reconfigurable, so that the performance can be optimized against memory usage.
4. The OAuth 2.0 Bridge authenticates the client and checks whether the Refresh Token is valid for that client d, according to the information stored in its mapping table. If not, the request received in step one is rejected with an appropriate error code (see [2]). Otherwise, proceed with next step. 5. The OAuth 2.0 Bridge generates a new OAuth 2.0 Access Token and associated details (expiration time, etc). It may also choose to generate a new Refresh token. The OAuth 2.0 Bridge updates the mapping table with this new information, without modifying the corresponding information for the OAuth 1 .0 side.
6. The OAuth 2.0 Bridge responds the client with the new Access Token and associated details, which may also include a new Refresh Token.
This invention is applicable for any enterprise already offering open APIs protected by OAuth 1 .0 and willing to evolve to support OAuth 2.0 while keeping backwards support for OAuth 1 .0. This is especially important for API environments or scenarios where a relevant amount of final applications are installed in final-user's devices, instead of network-side entities, since updating and re-installing these applications to support OAuth 2.0 seems an almost impossible task (updates must be done by individual developers and there are no automatic procedures for re- installation).
A significant example for the application of this invention is the Telco operators market, and especially the WAC initiative [7], where applications are typically installed in user's handsets. Within the WAC initiative different players are offering mature APIs protected by OAuth 1 .0 [5], while others are beginning to use the newer protocol version. In order to provide a homogeneous mechanism for developers to access the APIs of all the operators, evolving to OAuth 2.0 seems the best solution, but keeping support for already working and profitable OAuth 1 .0 applications. Further examples for potential applicability are Internet companies, such as Twitter [6], which are also offering OAuth 1.0 APIs reachable from different kinds of applications, in many cases installed in users' mobile handsets or desktop devices. Advantages of the Invention
The basic idea of re-using existing OAuth 1.o infrastructure when evolving to OAuth 2.0 provides different benefits:
Cost reduction: as it is not necessary to build a complete OAuth 2.0 infrastructure, but only the OAuth 2.0 Bridge on top of it. - Faster OAuth 2.0 adoption: not only development effort is lower, but also test and deployment-related activities are simplified, since work is focused on an individual entity on top of an already working infrastructure.
Simpler provisioning and operation: the OAuth 1 .0 infrastructure remains as the main responsible for handling applications, token, user information and other system information. On the other hand, the OAuth 2.0 Bridge does not need to be provisioned with this information or to take the responsibility on these processes; it simply queries the OAuth 1.0 infrastructure and behaves accordingly to adapt between both protocols versions. As result, existing provision and operation processes are kept unmodified, avoiding the complexity of handling two parallel systems.
The present invention allows to efficiently providing support for both protocol versions, thus, keeping "legacy" applications working and giving developers broader options to build applications.
ACRONYMS
AA Authentication & Authorization API Application Program Interface HTTP Hypertext Transfer Protocol REST Representational State Transfer SOAP Simple Object Access Protocol URL Uniform Resource Locator
REFERENCES
[1] OAuth 1.0, http://tools.ietf.org/html/rfc5849
[2] OAuth 2.0. http://tools.ietf.org/html/draft-ietf-oauth-v2-22
[3] The OAuth 2.0 Protocol: Bearer Tokens, http://tools.ietf.org/html/draft-ietf-oauth-v2- bearer-08
[4] HTTP Authentication: MAC Access Authentication, http ://tools . ietf. org/htm l/d raft- ietf-oauth-v2-http-mac-00
[5] BlueVia developers OAuth guides, https://bluevia.com/en/knowledge/APIs.API- Guides.OAuth
[6] Twitter developers information, http://dev.twitter.com/pages/auth
[7] WAC - Wholesale Application Community, http://www.wacapps.net
[8] Roy Thomas Fielding, "REpresentational State Transfer (REST)", http://www.ics.uci.edu/~fielding/pubs/dissertation/rest arch style.htm

Claims

Claims
\ - A method for providing access to protected resources via an OAuth protocol, comprising providing access to protected resources to an application of a computing device through an OAuth 1 .0 infrastructure;
wherein the method is characterised in that said application supports OAuth 2.0 protocol, and in that the method comprises providing said access to protected resources through an OAuth 1.0 infrastructure to said application supporting OAuth 2.0 protocol by means of an intermediary entity adapting OAuth 2.0 protocol to OAuth 1.0 protocol, and vice versa.
2.- The method of claim 1 , comprising providing said access to said protected resources to said application supporting OAuth 2.0 protocol without modifying said OAuth 1 .0 infrastructure.
3.- The method of claim 2, comprising not modifying Authorization and Resource Servers of said OAuth 1.0 infrastructure.
4.- The method of claim 1 , wherein said intermediary entity for performing said adapting between said protocols is a bridge.
5. - The method of claim 4, wherein said bridge is perceived as an OAuth 2.0 infrastructure by said application supporting OAuth 2.0 protocol..
6. - The method of claim 4, wherein said bridge works on top of said OAuth 1.0 infrastructure.
7. - The method of claim 1 , comprising keeping supporting said applications using OAuth 1 .0 protocol.
8. - The method of claim 4, wherein said bridge further comprises:
a) intermediating and adapting flows between said OAuth 2.0 and said OAuth 1 .0 protocols;
b) translating syntax between said OAuth 2.0 and said OAuth 1 .0 protocols; c) validating OAuth 2.0 requests from said clients using said application supporting OAuth 2.0 protocol;
d) configuring and signing as OAuth 1 .0 requests such OAuth 2.0 requests coming from the clients using said application supporting OAuth 1 .0 protocol;
e) mapping Access Tokens between said OAuth 2.0 and said OAuth 1.0 protocols;
f) providing to said OAuth 2.0 protocol, comprising an authorization endpoint, a frontend such a web page interacting with the bridge which in turn interacts with said Authorization Server from said OAuth 1.0 infrastructure; and g) giving access to said protected resources from said OAuth 1.0 infrastructure from a URL exposed by said bridge, protected by said OAuth 2.0 protocol.
9. - The method of claim 8, wherein said step e) comprises storing token values at least for a period of time, if said token values are the same between both of said OAuth 2.0 and said OAuth 1 .0 protocols.
10. - The method of claim 9, wherein said at least period of time is a permanent period of time.
1 1. - The method of claim 8, wherein said URL exposed by said bridge corresponds with a URL of said protected resources from said OAuth 1.0 infrastructure.
12.- The method of claim 8, wherein the OAuth 2.0 intermediated and adapted flows are an Authorization Code and an Implicit Grant.
13. - The method of claim 8, wherein the bridge issues an OAuth 2.0 Refresh Token to said application supporting OAuth 2.0.
14. - The method of claim 13, wherein the bridge provides the OAuth 2.0 token refresh functionality, generating a new OAuth 2.0 Access Token and maintaining the mapping of Access Tokens between said OAuth 2.0 and said OAuth 1 .0 protocols.
15. - A system for providing access to protected resources via an OAuth protocol, said system comprising a OAuth 1.0 infrastructure providing said access to said protected resources and a computing device with an application supported by OAuth protocol, for accessing said protected resources, wherein said system is characterized in that said application supports OAuth 2.0 protocol; and in that the system further comprises an intermediary entity arranged between said computing device and said OAuth 1 .0 infrastructure and configured for providing to said application of said computing device said access to said protected resources by adapting OAuth 2.0 protocol to OAuth 1.0 protocol, and vice versa.
16. - The system of claim 15, wherein said system implementing a method according to any of the previous claims.
PCT/EP2013/061359 2012-06-12 2013-06-03 A method and a system for providing access to protected resources via an oauth protocol WO2013186070A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
ES201230909 2012-06-12
ESP201230909 2012-06-12

Publications (1)

Publication Number Publication Date
WO2013186070A1 true WO2013186070A1 (en) 2013-12-19

Family

ID=48577006

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/EP2013/061359 WO2013186070A1 (en) 2012-06-12 2013-06-03 A method and a system for providing access to protected resources via an oauth protocol

Country Status (1)

Country Link
WO (1) WO2013186070A1 (en)

Cited By (44)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106657140A (en) * 2017-01-18 2017-05-10 北京小米移动软件有限公司 Application authorization method and apparatus
US10341410B2 (en) 2016-05-11 2019-07-02 Oracle International Corporation Security tokens for a multi-tenant identity and data security management cloud service
US10348858B2 (en) 2017-09-15 2019-07-09 Oracle International Corporation Dynamic message queues for a microservice based cloud service
US10425386B2 (en) 2016-05-11 2019-09-24 Oracle International Corporation Policy enforcement point for a multi-tenant identity and data security management cloud service
EP3553718A1 (en) * 2018-04-11 2019-10-16 Barclays Services Limited System for efficient management and storage of access tokens
US10454915B2 (en) 2017-05-18 2019-10-22 Oracle International Corporation User authentication using kerberos with identity cloud service
US10454940B2 (en) 2016-05-11 2019-10-22 Oracle International Corporation Identity cloud service authorization model
US10484382B2 (en) 2016-08-31 2019-11-19 Oracle International Corporation Data management for a multi-tenant identity cloud service
US10484243B2 (en) 2016-09-16 2019-11-19 Oracle International Corporation Application management for a multi-tenant identity cloud service
US10505941B2 (en) 2016-08-05 2019-12-10 Oracle International Corporation Virtual directory system for LDAP to SCIM proxy service
US10516672B2 (en) 2016-08-05 2019-12-24 Oracle International Corporation Service discovery for a multi-tenant identity and data security management cloud service
US10530578B2 (en) 2016-08-05 2020-01-07 Oracle International Corporation Key store service
US10567364B2 (en) 2016-09-16 2020-02-18 Oracle International Corporation Preserving LDAP hierarchy in a SCIM directory using special marker groups
US10579367B2 (en) 2016-08-05 2020-03-03 Oracle International Corporation Zero down time upgrade for a multi-tenant identity and data security management cloud service
US10585682B2 (en) 2016-08-05 2020-03-10 Oracle International Corporation Tenant self-service troubleshooting for a multi-tenant identity and data security management cloud service
US10594684B2 (en) * 2016-09-14 2020-03-17 Oracle International Corporation Generating derived credentials for a multi-tenant identity cloud service
US10616224B2 (en) 2016-09-16 2020-04-07 Oracle International Corporation Tenant and service management for a multi-tenant identity and data security management cloud service
US10693861B2 (en) 2016-05-11 2020-06-23 Oracle International Corporation Task segregation in a multi-tenant identity and data security management cloud service
US10705823B2 (en) 2017-09-29 2020-07-07 Oracle International Corporation Application templates and upgrade framework for a multi-tenant identity cloud service
US10715564B2 (en) 2018-01-29 2020-07-14 Oracle International Corporation Dynamic client registration for an identity cloud service
US10791087B2 (en) 2016-09-16 2020-09-29 Oracle International Corporation SCIM to LDAP mapping using subtype attributes
US10831789B2 (en) 2017-09-27 2020-11-10 Oracle International Corporation Reference attribute query processing for a multi-tenant cloud service
US10834137B2 (en) 2017-09-28 2020-11-10 Oracle International Corporation Rest-based declarative policy management
US10846390B2 (en) 2016-09-14 2020-11-24 Oracle International Corporation Single sign-on functionality for a multi-tenant identity and data security management cloud service
US10878079B2 (en) 2016-05-11 2020-12-29 Oracle International Corporation Identity cloud service authorization model with dynamic roles and scopes
US10904074B2 (en) 2016-09-17 2021-01-26 Oracle International Corporation Composite event handler for a multi-tenant identity cloud service
US11012444B2 (en) 2018-06-25 2021-05-18 Oracle International Corporation Declarative third party identity provider integration for a multi-tenant identity cloud service
US11023555B2 (en) 2016-09-16 2021-06-01 Oracle International Corporation Cookie based state propagation for a multi-tenant identity cloud service
US11050761B2 (en) 2018-04-11 2021-06-29 Barclays Execution Services Limited System for efficient management of grant tokens for identifying a client system
US11048812B2 (en) 2018-04-11 2021-06-29 Barclays Execution Services Limited System for reliably accessing a protected resource
US11061929B2 (en) 2019-02-08 2021-07-13 Oracle International Corporation Replication of resource type and schema metadata for a multi-tenant identity cloud service
US11271969B2 (en) 2017-09-28 2022-03-08 Oracle International Corporation Rest-based declarative policy management
US11321343B2 (en) 2019-02-19 2022-05-03 Oracle International Corporation Tenant replication bootstrap for a multi-tenant identity cloud service
US11321187B2 (en) 2018-10-19 2022-05-03 Oracle International Corporation Assured lazy rollback for a multi-tenant identity cloud service
US11341258B2 (en) 2018-04-11 2022-05-24 Barclays Execution Services Limited System for efficient management of invalid access tokens
US11423111B2 (en) 2019-02-25 2022-08-23 Oracle International Corporation Client API for rest based endpoints for a multi-tenant identify cloud service
US11601411B2 (en) 2016-08-05 2023-03-07 Oracle International Corporation Caching framework for a multi-tenant identity and data security management cloud service
US11611548B2 (en) 2019-11-22 2023-03-21 Oracle International Corporation Bulk multifactor authentication enrollment
US11651357B2 (en) 2019-02-01 2023-05-16 Oracle International Corporation Multifactor authentication without a user footprint
US11669321B2 (en) 2019-02-20 2023-06-06 Oracle International Corporation Automated database upgrade for a multi-tenant identity cloud service
US11687378B2 (en) 2019-09-13 2023-06-27 Oracle International Corporation Multi-tenant identity cloud service with on-premise authentication integration and bridge high availability
US11693835B2 (en) 2018-10-17 2023-07-04 Oracle International Corporation Dynamic database schema allocation on tenant onboarding for a multi-tenant identity cloud service
US11792226B2 (en) 2019-02-25 2023-10-17 Oracle International Corporation Automatic api document generation from scim metadata
US11870770B2 (en) 2019-09-13 2024-01-09 Oracle International Corporation Multi-tenant identity cloud service with on-premise authentication integration

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
"A How To Guide to OAuth and API Security", LAYER7 TECHNOLOGIES WHITEPAPER, 1 January 2011 (2011-01-01), pages 1 - 14, XP055074043, Retrieved from the Internet <URL:http://www.layer7tech.com/resources/files/white_papers/A How-to Guide to OAuth and API Security.pdf> [retrieved on 20130802] *
TRAVIS SPENCER: "Calling an OAuth 1.0a API from an OAuth 2.0 API", TRAVIS SPENCER'S BLOG, 28 October 2011 (2011-10-28), pages 1 - 16, XP055074041, Retrieved from the Internet <URL:http://travisspencer.com/blog/2011/10/calling-an-oauth-10a-api-from.html> [retrieved on 20130802] *

Cited By (54)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10454940B2 (en) 2016-05-11 2019-10-22 Oracle International Corporation Identity cloud service authorization model
US10341410B2 (en) 2016-05-11 2019-07-02 Oracle International Corporation Security tokens for a multi-tenant identity and data security management cloud service
US10693861B2 (en) 2016-05-11 2020-06-23 Oracle International Corporation Task segregation in a multi-tenant identity and data security management cloud service
US10425386B2 (en) 2016-05-11 2019-09-24 Oracle International Corporation Policy enforcement point for a multi-tenant identity and data security management cloud service
US10848543B2 (en) 2016-05-11 2020-11-24 Oracle International Corporation Security tokens for a multi-tenant identity and data security management cloud service
US10878079B2 (en) 2016-05-11 2020-12-29 Oracle International Corporation Identity cloud service authorization model with dynamic roles and scopes
US11088993B2 (en) 2016-05-11 2021-08-10 Oracle International Corporation Policy enforcement point for a multi-tenant identity and data security management cloud service
US10579367B2 (en) 2016-08-05 2020-03-03 Oracle International Corporation Zero down time upgrade for a multi-tenant identity and data security management cloud service
US10505941B2 (en) 2016-08-05 2019-12-10 Oracle International Corporation Virtual directory system for LDAP to SCIM proxy service
US10516672B2 (en) 2016-08-05 2019-12-24 Oracle International Corporation Service discovery for a multi-tenant identity and data security management cloud service
US10530578B2 (en) 2016-08-05 2020-01-07 Oracle International Corporation Key store service
US10721237B2 (en) 2016-08-05 2020-07-21 Oracle International Corporation Hierarchical processing for a virtual directory system for LDAP to SCIM proxy service
US10585682B2 (en) 2016-08-05 2020-03-10 Oracle International Corporation Tenant self-service troubleshooting for a multi-tenant identity and data security management cloud service
US11356454B2 (en) 2016-08-05 2022-06-07 Oracle International Corporation Service discovery for a multi-tenant identity and data security management cloud service
US11601411B2 (en) 2016-08-05 2023-03-07 Oracle International Corporation Caching framework for a multi-tenant identity and data security management cloud service
US10484382B2 (en) 2016-08-31 2019-11-19 Oracle International Corporation Data management for a multi-tenant identity cloud service
US11258797B2 (en) 2016-08-31 2022-02-22 Oracle International Corporation Data management for a multi-tenant identity cloud service
US11258786B2 (en) 2016-09-14 2022-02-22 Oracle International Corporation Generating derived credentials for a multi-tenant identity cloud service
US10846390B2 (en) 2016-09-14 2020-11-24 Oracle International Corporation Single sign-on functionality for a multi-tenant identity and data security management cloud service
US10594684B2 (en) * 2016-09-14 2020-03-17 Oracle International Corporation Generating derived credentials for a multi-tenant identity cloud service
US10567364B2 (en) 2016-09-16 2020-02-18 Oracle International Corporation Preserving LDAP hierarchy in a SCIM directory using special marker groups
US10791087B2 (en) 2016-09-16 2020-09-29 Oracle International Corporation SCIM to LDAP mapping using subtype attributes
US11023555B2 (en) 2016-09-16 2021-06-01 Oracle International Corporation Cookie based state propagation for a multi-tenant identity cloud service
US10484243B2 (en) 2016-09-16 2019-11-19 Oracle International Corporation Application management for a multi-tenant identity cloud service
US10616224B2 (en) 2016-09-16 2020-04-07 Oracle International Corporation Tenant and service management for a multi-tenant identity and data security management cloud service
US10904074B2 (en) 2016-09-17 2021-01-26 Oracle International Corporation Composite event handler for a multi-tenant identity cloud service
CN106657140B (en) * 2017-01-18 2020-02-28 北京小米移动软件有限公司 Application authorization method and device
CN106657140A (en) * 2017-01-18 2017-05-10 北京小米移动软件有限公司 Application authorization method and apparatus
US10454915B2 (en) 2017-05-18 2019-10-22 Oracle International Corporation User authentication using kerberos with identity cloud service
US10348858B2 (en) 2017-09-15 2019-07-09 Oracle International Corporation Dynamic message queues for a microservice based cloud service
US10831789B2 (en) 2017-09-27 2020-11-10 Oracle International Corporation Reference attribute query processing for a multi-tenant cloud service
US11308132B2 (en) 2017-09-27 2022-04-19 Oracle International Corporation Reference attributes for related stored objects in a multi-tenant cloud service
US10834137B2 (en) 2017-09-28 2020-11-10 Oracle International Corporation Rest-based declarative policy management
US11271969B2 (en) 2017-09-28 2022-03-08 Oracle International Corporation Rest-based declarative policy management
US10705823B2 (en) 2017-09-29 2020-07-07 Oracle International Corporation Application templates and upgrade framework for a multi-tenant identity cloud service
US11463488B2 (en) 2018-01-29 2022-10-04 Oracle International Corporation Dynamic client registration for an identity cloud service
US10715564B2 (en) 2018-01-29 2020-07-14 Oracle International Corporation Dynamic client registration for an identity cloud service
WO2019197572A1 (en) * 2018-04-11 2019-10-17 Barclays Services Limited System for efficient management and storage of access tokens
US11048812B2 (en) 2018-04-11 2021-06-29 Barclays Execution Services Limited System for reliably accessing a protected resource
US11050761B2 (en) 2018-04-11 2021-06-29 Barclays Execution Services Limited System for efficient management of grant tokens for identifying a client system
US11341258B2 (en) 2018-04-11 2022-05-24 Barclays Execution Services Limited System for efficient management of invalid access tokens
EP3553718A1 (en) * 2018-04-11 2019-10-16 Barclays Services Limited System for efficient management and storage of access tokens
US11012444B2 (en) 2018-06-25 2021-05-18 Oracle International Corporation Declarative third party identity provider integration for a multi-tenant identity cloud service
US11693835B2 (en) 2018-10-17 2023-07-04 Oracle International Corporation Dynamic database schema allocation on tenant onboarding for a multi-tenant identity cloud service
US11321187B2 (en) 2018-10-19 2022-05-03 Oracle International Corporation Assured lazy rollback for a multi-tenant identity cloud service
US11651357B2 (en) 2019-02-01 2023-05-16 Oracle International Corporation Multifactor authentication without a user footprint
US11061929B2 (en) 2019-02-08 2021-07-13 Oracle International Corporation Replication of resource type and schema metadata for a multi-tenant identity cloud service
US11321343B2 (en) 2019-02-19 2022-05-03 Oracle International Corporation Tenant replication bootstrap for a multi-tenant identity cloud service
US11669321B2 (en) 2019-02-20 2023-06-06 Oracle International Corporation Automated database upgrade for a multi-tenant identity cloud service
US11423111B2 (en) 2019-02-25 2022-08-23 Oracle International Corporation Client API for rest based endpoints for a multi-tenant identify cloud service
US11792226B2 (en) 2019-02-25 2023-10-17 Oracle International Corporation Automatic api document generation from scim metadata
US11687378B2 (en) 2019-09-13 2023-06-27 Oracle International Corporation Multi-tenant identity cloud service with on-premise authentication integration and bridge high availability
US11870770B2 (en) 2019-09-13 2024-01-09 Oracle International Corporation Multi-tenant identity cloud service with on-premise authentication integration
US11611548B2 (en) 2019-11-22 2023-03-21 Oracle International Corporation Bulk multifactor authentication enrollment

Similar Documents

Publication Publication Date Title
WO2013186070A1 (en) A method and a system for providing access to protected resources via an oauth protocol
US10810515B2 (en) Digital rights management (DRM)-enabled policy management for an identity provider in a federated environment
US10397239B2 (en) Secure access to cloud-based services
US8386776B2 (en) Certificate generating/distributing system, certificate generating/distributing method and certificate generating/distributing program
US11140146B2 (en) Method and system for seamless single sign-on (SSO) for native mobile-application initiated open-ID connect (OIDC) and security assertion markup language (SAML) flows
US8196177B2 (en) Digital rights management (DRM)-enabled policy management for a service provider in a federated environment
US9165134B2 (en) Method for providing authorized access to a service application in order to use a protected resource of an end user
US8151317B2 (en) Method and system for policy-based initiation of federation management
KR100644616B1 (en) Method for single-sign-on based on markup language, and system for the same
EP2643955B1 (en) Methods for authorizing access to protected content
EP3069493B1 (en) Authentication system
JP5292712B2 (en) Authentication linkage system, relay device, authentication linkage method, and authentication linkage program
CN101567878B (en) Method for improving safety of network ID authentication
JP2008506139A (en) System and method for managing user authentication and service authorization, realizing single sign-on, and accessing multiple network interfaces
JP2016115260A (en) Authority transfer system, authorization server used for authority transfer system, resource server, client, mediation device, authority transfer method and program
James Web single sign-on systems
Tanmoy Single Sign-On Feature for Customer Life-Cycle Management Application
Wisniewski et al. SAML V2. 0 executive overview
Liberty SAML Implementation Guidelines
Lutz et al. Harmonizing service and network provisioning for federative access in a mobile environment
Neumann et al. Diameter webauth: An aaa-based identity management framework for web applications
Kemp et al. Liberty ID-FF Implementation Guidelines
Mills A sasl and gss-api mechanism for oauth draft-mills-kitten-sasl-oauth-04. txt
EP1990969A1 (en) Method for data communication and device as well as communication system comprising such device

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 13727127

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 13727127

Country of ref document: EP

Kind code of ref document: A1