Title of invention: PLUGGABLE AUTHORIZATION POLICIES
Abstract: A framework, which conforms to the OAuth standard, involves a generic OAuth authorization server that can be used by multiple resource servers in order to ensure that access to resources stored on those resource servers is limited to access to which the resource owner consents. Each resource server registers, with the OAuth authorization server, metadata for that resource server, indicating scopes that are recognized by the resource server. The OAuth authorization server refers to this metadata when requesting consent from a resource owner on behalf of a client application, so that the consent will be of an appropriate scope. The OAuth authorization server refers to this metadata when constructing an access token to provide to the client application for use in accessing the resources on the resource server. The OAuth authorization server uses this metadata to map issued access tokens to the scopes to which those access tokens grant access.
Publication number: US2015089571(A1) Publication date: 2015.03.26
Application number: US201414266515 Application date: 2014.04.30
Applicant: Oracle International Corporation Inventors: Srinivasan Uppili;Sondhi Ajay;Chu Ching-Wen;Bhat Shivaram;Evani Venkata S.
Classification: H04L29/06 Main classification: H04L29/06
Agency: Agent:
Main claim: 1. A computer-implemented method comprising: storing, by a resource server, a first mapping between a first authorization policy and a first identity domain of a plurality of identity domains; receiving, at an OAuth authorization server, a first token request from a first client application contained in the first identity domain; in response to receiving the first token request, determining, based on the first mapping, that the first authorization policy is associated with the first identity domain in which the first client application is contained; in response to determining based on the first mapping that the first authorization policy is associated with the first identity domain, the OAuth authorization server producing first scope of access information determined based on the first authorization policy; and sending, from the OAuth authorization server to the first client application, a first token that specifies the first scope of access information.
Address: Redwood Shores CA US