Method to delegate OAuth2 resource authorization to agents of authorized application clients
Publication Date: 2014-May-29
The IP.com Prior Art Database
A method to delegate OAuth2 resource authorization to agents of authorized application clients is disclosed.
Disclosed is a method to delegate OAuth2 resource authorization to agents of authorized application clients.
The method uses a trust relationship to support a scenario in which trust is propagated beyond a single client. It builds on the OAuth2 protocol (in which an access token represents the authorization a user has granted, so that the client never handles the user's credentials) and extends the trust model so that the user not only grants a provider the authority to trust a client, but also authorizes the provider to extend that trust to agents of the client.
The OAuth2 protocol lets a user grant a service provider the authority to issue an access token to a third-party client, so that the user can give a third party access to protected web resources without sharing a password. Instead of sharing a password, the user authorizes the service provider to issue an access token that grants access to the user's protected resources stored with that provider. The provider issues the token to the client, and the client presents it when accessing the user's protected resources. Because the token carries a scope, the client can be limited to exactly the resources the user approved.
The existing OAuth2 protocol grants access only to the third-party client itself. The disclosed method extends the OAuth2 model so that the client is no longer the only third party: parties that are themselves third parties to the client (its agents) may use the protected resources on the client's behalf.
The OAuth2 authorization standard lets a user give a service client access to selected protected resources held by a resource provider, based on a trust relationship.
The following example is a typical usage scenario of the OAuth2 protocol:
A user keeps photos at a social networking provider and wants to print a few copies of one of his many photos. The user authorizes a photo print shop to access that specific photo at the social networking site. Using the OAuth2 protocol, the user does not need to reveal his social network user id and password to the photo print shop, and can authorize the print shop to access exactly that photo and nothing more.
The proposed extension would let the user give the service (the social networking site) the ability to grant the client (the photo shop) privileges to access the user's resources, and would additionally allow the client (the photo shop) to authorize an associated contractor (a framing shop or a photo-retouching specialist, for example) to use the protected resource(s) on the client's behalf. In other words, the extension allows the client to grant a third-party agent access to the user's protected resources, within the bounds of what the user granted the client.
The scope of the access privilege extends beyond the client and includes any users who the client authorizes to act as agents on the client's behalf. Not only is the client granted the authority to access the user resources, but the clien...
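The following is an added worked example of the photo print shop scenario; it is not code from the disclosure or from any OAuth2 implementation. It models an authorization server that issues a normal access token to the client (the print shop) and then, at the client's request, a narrower token for one of the client's agents (the framing shop), and a resource server check that binds each token to the party it was issued to. The token format, the claim names (sub, azp, act, scope, parent, delegable), the HMAC signing, the resource identifier photos.example, the one-hop delegation limit and the rule that agent scope may only narrow are all assumptions made for this illustration; the disclosure specifies none of them.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Authorization server's signing key. Symmetric HMAC is an assumption made for
# this self-contained example; a real deployment would sign with an asymmetric
# key so that resource servers can verify tokens without being able to mint them.
AS_KEY = secrets.token_bytes(32)
RESOURCE = "photos.example"  # assumed identifier of the social networking site's API


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(claims: dict) -> str:
    body = json.dumps(claims, sort_keys=True).encode()
    tag = hmac.new(AS_KEY, body, hashlib.sha256).digest()
    return _b64e(body) + "." + _b64e(tag)


def _verify(token: str):
    """Return the claims if the signature checks out, otherwise None."""
    try:
        body_b64, tag_b64 = token.split(".")
        body = _b64d(body_b64)
        expected = hmac.new(AS_KEY, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64d(tag_b64)):
            return None
        return json.loads(body)
    except (ValueError, TypeError):
        return None


def issue_user_token(user: str, client_id: str, scope: list, allow_agents: bool) -> str:
    """Standard OAuth2 step: after the user consents, the AS issues the client a
    token. 'delegable' records whether the user also consented to the client
    extending access to its agents (the extension the disclosure describes)."""
    return _sign({
        "jti": secrets.token_hex(8),
        "sub": user,
        "aud": RESOURCE,
        "azp": client_id,       # the party this token is bound to
        "act": None,            # no agent on a first-hop token
        "scope": sorted(scope),
        "delegable": allow_agents,
        "parent": None,
    })


def issue_agent_token(client_token: str, client_id: str, agent_id: str, scope: list) -> str:
    """Extension step: the client asks the AS to extend its grant to an agent.
    The AS checks that the caller holds a valid token bound to it, that the user
    allowed delegation, that the scope only narrows, and that agent tokens are
    not delegated a second time (one hop only, an assumed policy)."""
    claims = _verify(client_token)
    if claims is None:
        raise PermissionError("invalid client token")
    if claims["azp"] != client_id:
        raise PermissionError("token was not issued to this client")
    if claims["act"] is not None:
        raise PermissionError("agent tokens may not be re-delegated")
    if not claims["delegable"]:
        raise PermissionError("user did not authorize delegation to agents")
    if not set(scope) <= set(claims["scope"]):
        raise PermissionError("agent scope must be a subset of the client's scope")
    return _sign({
        "jti": secrets.token_hex(8),
        "sub": claims["sub"],
        "aud": claims["aud"],
        "azp": client_id,
        "act": agent_id,            # the agent acting on the client's behalf
        "scope": sorted(scope),
        "delegable": False,
        "parent": claims["jti"],    # links the agent token to the grant it derives from
    })


def authorize_request(token: str, caller_id: str, required_scope: str) -> bool:
    """Resource server check: valid signature, correct audience, presented by the
    party the token is bound to (the agent when 'act' is set, else the client),
    and the requested scope is present."""
    claims = _verify(token)
    if claims is None or claims["aud"] != RESOURCE:
        return False
    bound_party = claims["act"] if claims["act"] is not None else claims["azp"]
    return caller_id == bound_party and required_scope in claims["scope"]


if __name__ == "__main__":
    shop = issue_user_token("alice", "print-shop", ["photo:read:123", "photo:read:456"], True)
    framer = issue_agent_token(shop, "print-shop", "framing-shop", ["photo:read:123"])
    print(authorize_request(framer, "framing-shop", "photo:read:123"))  # agent may read photo 123
    print(authorize_request(framer, "framing-shop", "photo:read:456"))  # but not a photo outside its scope
```

The design point worth noting is that the agent token is bound to the agent (the resource server refuses it if the print shop itself presents it) and carries a link to the client's grant, so the user's original consent remains the root of every derived privilege and revoking the client's grant can be made to invalidate its agents' tokens as well.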