Method for combining OAuth protocol with identity scope to create an Identity Provider providing delegated authentication

IP.com Disclosure Number: IPCOM000198664D
Publication Date: 2010-Aug-11
Document File: 2 page(s) / 21K

Publishing Venue

The IP.com Prior Art Database

Abstract

Disclosed is an invention which allows a website or SaaS provider to set itself up as an Identity Provider to other entities, such as other websites. A second website configures its security rules such that the only API that is in scope for the access token is the API to reveal user identification.

This text was extracted from a PDF file.
This is the abbreviated version, containing approximately 56% of the total text.

Page 1 of 2

As social networking usage increases, users are required to create more accounts with more login details than ever before. A new trend has started where a software as a service (SaaS) provider or website allows users to log in to other websites using that website's login details and subsequently pull in the user's data from the site providing the identity credentials.

This means the user can connect to websites without having to create an account at that site or remember the login details for that account. The website provides a link to a second website that validates the user's credentials, and the first site can then log the user in with those validated credentials.

The invention solves the problem of delegated authentication.

Website1 might decide to use authentication services provided by Website2. The core idea is to allow a user to log in to Website1 by combining the Open Authorization (OAuth) protocol for retrieving a user's identity from Website2 with limiting the scope of the OAuth access token to 'identity only', such that Website2 becomes a secure Identity Provider (IdP).

One known approach uses the OAuth protocol to sign the user in to a second site using their OAuth credentials. The user logs in to the first site to provide an OAuth access token to the second site, which can then call any of the first site's APIs using that token...
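As an added illustration (this is not code from the disclosure), the following Python models the two situations the text contrasts: an identity-only token that can reach nothing but the API revealing the user's identification, and a broadly scoped token of the known approach that can call any of the provider's APIs. The class names, the scope name `identity`, the API paths, the client identifiers and the user record are all assumptions chosen for the example.

```python
"""Added example, not part of the IP.com disclosure: Website2 acting as an
OAuth-based Identity Provider by restricting a client's token to identity only.
All names below (IdentityProvider, ResourceServer, the 'identity' scope, the
API paths, client ids and the user record) are constructed for illustration.
"""
import secrets
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessToken:
    value: str
    client_id: str
    user_id: str
    scopes: frozenset
    expires_at: float


class ScopeError(PermissionError):
    """Raised when a client or token asks for more than its scope allows."""


class IdentityProvider:
    """Website2's authorization-server side. Every registered client
    (e.g. Website1) has a fixed ceiling on the scopes it can ever be granted."""

    def __init__(self):
        self._clients = {}  # client_id -> frozenset of allowed scopes
        self._tokens = {}   # token value -> AccessToken

    def register_client(self, client_id, allowed_scopes):
        self._clients[client_id] = frozenset(allowed_scopes)

    def issue_token(self, client_id, user_id, requested_scopes, ttl=3600):
        allowed = self._clients.get(client_id)
        if allowed is None:
            raise ScopeError("unknown client")
        requested = frozenset(requested_scopes)
        # Security rule from the disclosure: the delegated-login client may
        # never receive a token whose scope exceeds 'identity'.
        if not requested <= allowed:
            raise ScopeError(f"{client_id} may not request {sorted(requested - allowed)}")
        tok = AccessToken(secrets.token_urlsafe(32), client_id, user_id,
                          requested, time.time() + ttl)
        self._tokens[tok.value] = tok
        return tok

    def introspect(self, value):
        """Return the token record, or None if unknown or expired."""
        tok = self._tokens.get(value)
        if tok is None or tok.expires_at < time.time():
            return None
        return tok


class ResourceServer:
    """Website2's APIs; each path is tagged with the scope it requires."""

    API_SCOPES = {
        "/me": "identity",        # the only API an identity-only token reaches
        "/contacts": "contacts",  # data APIs that delegated login must not expose
        "/posts": "posts",
    }

    def __init__(self, idp):
        self._idp = idp
        # Constructed user record.
        self._users = {"alice": {"sub": "alice", "email": "alice@example.test"}}

    def call(self, api, token_value):
        tok = self._idp.introspect(token_value)
        if tok is None:
            raise ScopeError("invalid or expired token")
        needed = self.API_SCOPES[api]
        if needed not in tok.scopes:
            raise ScopeError(f"{api} needs '{needed}', token has {sorted(tok.scopes)}")
        if api == "/me":
            return dict(self._users[tok.user_id])
        return {"api": api, "user": tok.user_id}


def delegated_login(idp, rs, client_id, user_id):
    """Website1's side: obtain an identity-only token from Website2 and use it
    solely to learn who the user is. Returns (identity, token)."""
    tok = idp.issue_token(client_id, user_id, ["identity"])
    return rs.call("/me", tok.value), tok


def can_call(rs, api, token_value):
    try:
        rs.call(api, token_value)
        return True
    except ScopeError:
        return False


def can_issue(idp, client_id, user_id, scopes):
    try:
        idp.issue_token(client_id, user_id, scopes)
        return True
    except ScopeError:
        return False


if __name__ == "__main__":
    idp = IdentityProvider()
    idp.register_client("website1", ["identity"])
    rs = ResourceServer(idp)
    identity, tok = delegated_login(idp, rs, "website1", "alice")
    print("Website1 logs in:", identity["sub"])
    print("identity token reaches /contacts:", can_call(rs, "/contacts", tok.value))
```

The check that matters is made twice: once at issuance (a client registered for identity-only cannot be granted a wider scope even if it asks) and once at each API call (a token carrying only `identity` is rejected everywhere except `/me`). Registering a second client with the full scope set reproduces the known approach, where the same token unlocks every API.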