Authorizing application access to secure resources

摘要

An application submits a permission request to a resource server. In response to receiving the request, the resource server generates a user interface that asks the user to grant or deny the requested permissions. If the permissions are granted, data is stored indicating that the application has the requested permissions. When a runtime request for a resource is received, the resource server determines whether the request has been made by a user, by an application, or by an application on behalf of a user. If the request is made by an application only, the request is granted only if the application has permission to access the resource by way of a direct call not on behalf of a user. If the request is made by an application on behalf of a user, the request is granted only if both the user and the application have sufficient permission.

主权项

1. A computer-implemented method for authorizing access to a secure resource in a document repository system, the method comprising performing computer-implemented operations for:
receiving a request to perform an action on a secure resource in a document repository system; in response to receiving the request, determining whether the request has been made by a user only, by an application only, or by an application on behalf of a user; in response to determining that the request has been made by an application on behalf of the user, granting the request if the application and the user both have permission to access the secure resource, wherein, if the application has a different access privilege level than the user, the request is granted to an extent permitted by an access privilege level granted to the user; and in response to determining that the request has been made by the application only, granting the request if the application has been granted permission to access the secure resource by way of a direct call that is not on behalf of the user.