EXPLICIT TIME-BOUND OAUTH AUTHORIZATIONS

IP.com Disclosure Number: IPCOM000250072D
Publication Date: 2017-May-26
Document File: 4 page(s) / 303K

Publishing Venue

The IP.com Prior Art Database

Related People

Owen Friel: AUTHOR [+3]

Abstract

New OAuth Authorization Code Grant Flow and Implicit Grant Flow mechanisms are presented herein. These mechanisms enable a client to specify the length of time for which access to resource owner resources is desired. This allows a resource owner to have visibility to and explicit control over the length of time for which a client is granted access to the resources.

This text was extracted from a PDF file.
This is the abbreviated version, containing approximately 50% of the total text.

Copyright 2017 Cisco Systems, Inc. 1

EXPLICIT TIME-BOUND OAUTH AUTHORIZATIONS

AUTHORS: Owen Friel, Qingwen Cheng, Hua Cui

CISCO SYSTEMS, INC.


DETAILED DESCRIPTION

The OAuth2 Authorization Code Grant Flow (described at https://tools.ietf.org/html/rfc6749#section-1.3.1) enables a client (typically a service) to request access to resources from the resource owner by redirecting the resource owner User Agent (UA), typically a browser, to an authorization service. The authorization service prompts the resource owner to grant or deny client access to the resources. If the resource owner grants access, the authorization service provides the client with an OAuth “code,” which the client can use to obtain an OAuth refresh token (RT) and access token (AT).

The Implicit Grant Flow (described at https://tools.ietf.org/html/rfc6749#section-4.2.1) is a simplified flow optimized for clients implemented in a browser using a scripting language such as JavaScript. With the Implicit Grant Flow the client (i.e., the browser JavaScript) is issued an AT directly in the redirect; no RT is issued in this flow. As with the Authorization Code Grant Flow, the authorization service prompts the resource owner to grant or deny the client access to the resources.

Figure 1 below illustrates an example grant confirmation page.


Figure 1

Clients can include third-party integrations, support / debugging / technical assistance services in which a support engineer requires temporary access to customer data, partner administrative / support services in which a partner administrator requires temporary access to tenant data, etc.

Conventionally, the duration of resource access is entirely under the control of the authorization service, and the resource owner has no visibility into those access-duration policies. The techniques provided herein therefore enable a client to indicate the length of time for which it desires access to the resources. They may also permit the resource owner to grant the client access for the length of time indicated by the client, or for a different (e.g., shorter) length of time.

More specifically, the Authorization Code Grant Flow request initiated by the client is enhanced to include an additional parameter, “access_duration.” This parameter specifies the length of time (e.g., in seconds) for which the client is requesting access to the resource owner resources. An example Authorization Code Grant Flow request application programming interface (API) uniform resource identifier (URI) is provided as follows:


/a...
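The following is an added example and not code from the Cisco disclosure. It is a small in-memory OAuth2 authorization server that accepts the “access_duration” parameter described above, clamps it to a server policy ceiling, lets the resource owner approve a shorter period than the client asked for, and then issues tokens (for both the Authorization Code and the Implicit flow) that cannot outlive the granted period: the access token lifetime is capped at the grant deadline and a refresh token stops working once the deadline passes. Only the parameter name comes from the text; the interpretation of its value as a positive integer of seconds, the 30-day policy ceiling, the token and code lifetimes, the endpoint URL and the client identifiers are assumptions for illustration.

```python
# Added example, not code from the disclosure. Implements the access_duration
# parameter in a toy OAuth2 authorization server. The policy ceiling, token
# lifetimes, URLs and client identifiers are assumptions.
import secrets
import time
from urllib.parse import parse_qs, urlsplit

MAX_ACCESS_DURATION = 30 * 24 * 3600  # assumed policy ceiling: 30 days
ACCESS_TOKEN_LIFETIME = 3600          # assumed AT lifetime; refreshed within the grant
CODE_LIFETIME = 600                   # RFC 6749 sec. 4.1.2 recommends at most 10 minutes


class AuthzError(ValueError):
    """Request or grant rejected; a real server would send an OAuth error response."""


def parse_authorization_request(uri):
    """Validate an authorization request URI and normalise access_duration.

    access_duration is read as a positive integer number of seconds (an
    assumption; the disclosure only says "e.g., in seconds"). It is clamped to
    the policy ceiling so a client can never ask for more than policy allows.
    """
    q = {k: v[0] for k, v in parse_qs(urlsplit(uri).query).items()}
    for name in ("response_type", "client_id", "redirect_uri"):
        if name not in q:
            raise AuthzError("invalid_request: missing " + name)
    if q["response_type"] not in ("code", "token"):
        raise AuthzError("unsupported_response_type")
    raw = q.get("access_duration")
    if raw is None:
        q["access_duration"] = MAX_ACCESS_DURATION  # no hint: server policy applies
    elif not raw.isdigit() or int(raw) == 0:
        raise AuthzError("invalid_request: access_duration must be a positive integer")
    else:
        q["access_duration"] = min(int(raw), MAX_ACCESS_DURATION)
    return q


class AuthorizationServer:
    """In-memory authorization server; every token it issues is bound to a grant deadline."""

    def __init__(self, now=time.time):
        self.now = now            # injectable clock so expiry can be exercised offline
        self.codes = {}           # code -> (grant, code_expiry)
        self.refresh_tokens = {}  # RT -> grant
        self.access_tokens = {}   # AT -> (grant, at_expiry)

    def approve(self, request, owner_duration=None):
        """Resource owner consents, optionally for a shorter period than the client asked."""
        granted = request["access_duration"]
        if owner_duration is not None:
            if owner_duration <= 0:
                raise AuthzError("access_denied: duration must be positive")
            granted = min(owner_duration, granted)  # the owner may only shorten
        grant = {"client_id": request["client_id"], "expires": self.now() + granted}
        if request["response_type"] == "token":
            # Implicit grant: a single AT, no RT, lifetime equal to the granted period.
            at = secrets.token_urlsafe(32)
            self.access_tokens[at] = (grant, grant["expires"])
            return {"access_token": at, "token_type": "Bearer", "expires_in": granted}
        code = secrets.token_urlsafe(24)
        self.codes[code] = (grant, self.now() + CODE_LIFETIME)
        return {"code": code}

    def exchange_code(self, code):
        grant, code_expiry = self.codes.pop(code, (None, 0))  # codes are single use
        if grant is None or self.now() > code_expiry:
            raise AuthzError("invalid_grant")
        return self._issue(grant)

    def refresh(self, rt):
        grant = self.refresh_tokens.pop(rt, None)  # rotate the RT on every use
        if grant is None:
            raise AuthzError("invalid_grant")
        return self._issue(grant)

    def _issue(self, grant):
        now = self.now()
        if now >= grant["expires"]:
            raise AuthzError("invalid_grant: the authorization has expired")
        at_expiry = min(now + ACCESS_TOKEN_LIFETIME, grant["expires"])  # AT never outlives grant
        at, rt = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self.access_tokens[at] = (grant, at_expiry)
        self.refresh_tokens[rt] = grant
        return {"access_token": at, "refresh_token": rt, "token_type": "Bearer",
                "expires_in": int(at_expiry - now)}

    def is_active(self, at):
        """What a resource server would ask via token introspection."""
        entry = self.access_tokens.get(at)
        return entry is not None and self.now() < entry[1]


if __name__ == "__main__":
    # Constructed walk-through: a support tool asks for 2 hours, the owner grants 30 minutes.
    clock = [1000.0]
    srv = AuthorizationServer(now=lambda: clock[0])
    req = parse_authorization_request(
        "https://authz.example/authorize?response_type=code&client_id=support-tool"
        "&redirect_uri=https%3A%2F%2Fsupport.example%2Fcb&access_duration=7200")
    tokens = srv.exchange_code(srv.approve(req, owner_duration=1800)["code"])
    print("AT valid for", tokens["expires_in"], "s")
    clock[0] += 1900
    print("active after grant expiry:", srv.is_active(tokens["access_token"]))
```

The design point is that the owner's choice has to be enforced at every issuance path, not just at consent: the code, the access token and the refresh token all inherit the grant deadline, so a client that keeps refreshing cannot extend its access past what the owner approved, and a request that omits the parameter simply falls back to the server's existing policy.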