Abstract: An authority transfer system includes a transmitting unit configured to transmit an authorization code request from a client to an authorization server and a receiving unit configured to receive an authorization code response, and a responding unit configured to return, by the authorization server, the authorization code response based on the destination information included in the authorization code request.

Abstract: An authorization code response is transmitted to a client, and the client uses a parameter included in the authorization code response and a parameter included in the authorization code response transmitted by a transmitting unit to verify that the authorization code response corresponds to an authorization code request.

Abstract: During execution of authority transfer, a scope group obtained by grouping a plurality of scopes is used to perform authority transfer. Performing authority transfer with a scope group enables continuing the use of an application programming interface (API) without requiring a user to re-perform authorization confirmation even in a case where a scope is added to or removed from the scope group.

Abstract: An authorization server, comprises: receiving from a client an authorization request in which a scope group, with which one or a plurality of scopes that define an extent for using a Web service are associated, is designated; presenting to a user, in a case where one or more scopes among the one or a plurality of scopes associated with the scope group are included in an extent of an authority that the user has, a screen for accepting an authorization operation corresponding to the authorization request; issuing to the client, in accordance with accepting the authorization operation of the user corresponding to the authorization request via the screen, authorization information relating to the scope group; and issuing, in accordance with accepting an authorization token request based on the issued authorization information, an authorization token corresponding to the scope group.

Abstract: A device transmits an acquisition request for first authorization information indicating that a user's authority to create a tenant-dedicated client is delegated to a vendor client on the basis of first authentication information provided from an authorization server in response to the registration of the vendor client. The device registers the tenant-dedicated client in the authorization server on the basis of the first authorization information, and transmits an acquisition request for second authorization information indicating that the user's authority in a service of a resource server is delegated to the tenant-dedicated client on the basis of second authentication information provided from the authorization server in response to the registration of the tenant-dedicated client. Then the device uses the service of the resource server on the basis of the second authorization information.

Abstract: An authorization code response is transmitted to a client, and the client uses a parameter included in the authorization code response and a parameter included in the authorization code response transmitted by a transmitting unit to verify that the authorization code response corresponds to an authorization code request.

Abstract: An authority transfer system includes a transmitting unit configured to transmit an authorization code request from a client to an authorization server and a receiving unit configured to receive an authorization code response, and a responding unit configured to return, by the authorization server, the authorization code response based on the destination information included in the authorization code request.

Abstract: An authorization delegation system includes a resource server that provides a service and an authorization server that performs authorization delegation for authorizing a cooperation server, which is a client apparatus, access to user data that the resource server has based on authorization information. The authorization server receives an authorization delegation request for requesting the authorization delegation, and retrieves a refresh token based on the received authorization delegation request. Additionally, the authorization server determines whether or not the retrieved refresh token is valid, and if it is determined that the refresh token is valid, invalidates the refresh token.

Abstract: An authorization server, comprises: receiving from a client an authorization request in which a scope group, with which one or a plurality of scopes that define an extent for using a Web service are associated, is designated; presenting to a user, in a case where one or more scopes among the one or a plurality of scopes associated with the scope group are included in an extent of an authority that the user has, a screen for accepting an authorization operation corresponding to the authorization request; issuing to the client, in accordance with accepting the authorization operation of the user corresponding to the authorization request via the screen, authorization information relating to the scope group; and issuing, in accordance with accepting an authorization token request based on the issued authorization information, an authorization token corresponding to the scope group.

Abstract: During execution of authority transfer, a scope group obtained by grouping a plurality of scopes is used to perform authority transfer. Performing authority transfer with a scope group enables continuing the use of an application programming interface (API) without requiring a user to re-perform authorization confirmation even in a case where a scope is added to or removed from the scope group.

Abstract: To prevent a transfer of an authority from being useless as much as possible, an authority transfer unit includes a decision unit for making a decision that an authority of a user with respect to a management unit is transferred to a processing request unit.

Abstract: A device transmits an acquisition request for first authorization information indicating that a user's authority to create a tenant-dedicated client is delegated to a vendor client on the basis of first authentication information provided from an authorization server in response to the registration of the vendor client. The device registers the tenant-dedicated client in the authorization server on the basis of the first authorization information, and transmits an acquisition request for second authorization information indicating that the user's authority in a service of a resource server is delegated to the tenant-dedicated client on the basis of second authentication information provided from the authorization server in response to the registration of the tenant-dedicated client. Then the device uses the service of the resource server on the basis of the second authorization information.

Abstract: An authorization delegation system includes a resource server that provides a service and an authorization server that performs authorization delegation for authorizing a cooperation server, which is a client apparatus, access to user data that the resource server has based on authorization information. The authorization server receives an authorization delegation request for requesting the authorization delegation, and retrieves a refresh token based on the received authorization delegation request. Additionally, the authorization server determines whether or not the retrieved refresh token is valid, and if it is determined that the refresh token is valid, invalidates the refresh token.

Abstract: An authority delegate system, including a server system which provides a service to a device having an application, and an authorization server system which performs authorization processing to delegate user authority in the service to a usage source of the service, includes a management unit, and a providing unit. The management unit identifies authority of the application, in accordance with having received a request to register the application as the usage source, and manages the identified authority, and an identifier of the application, in an associated manner. The providing unit provides the service, in a case where an authorization operation has been performed to permit delegating of the user authority to the application transmitting a request to use the service, and an authority which the application uses is included in authorities associated with the identifier of the application.

Abstract: When a request for acquiring authorization information is received from a resource service application that is a request source, an image forming apparatus transmits a request for further delegating an authorization delegated from a user to the resource service application to an authorization server system together with first authorization information, and acquires second authorization information issued based on the first authorization information from the authorization server system.

Abstract: An authorization server system configured to restrict the usage of a service provided via a network includes an authorization processing unit, a verification processing unit, a determination unit, and a restriction unit. The determination unit is configured to determine whether the number of uses of the mathematical function called by the client to use the service is greater than the upper limit when the authorization information is issued by the authorization processing unit and when the authorization information is verified by the verification processing unit.

Abstract: A method for realizing Single Sign-On (SSO) includes verifying, using prior information, whether authorization information issued by a first information processing system in response to successfully authenticating a user satisfies security requirements, providing, in a case where the authorization information is verified as satisfying the security requirements, a service without performing the user authentication, and performing, if an instruction to register a first information processing system that performs user authentication is received from the user, the registration by a method different from a method according to a management method of the prior information in the first information processing system.

Abstract: In order to prevent leakage of data possessed by a tenant to other tenants in multitenant service, it is necessary to control access. However, the conventional access control method is designed and developed to meet a specified request. Thus, costs for a dedicated design, development, administration, and maintenance need to be considered. Such costs can be reduced by using role information for each of a plurality of services and determining whether to allow or not allow access in a uniform manner.

Abstract: An authority delegate system, including a server system which provides a service to a device having an application, and an authorization server system which performs authorization processing to delegate user authority in the service to a usage source of the service, includes a management unit, and a providing unit. The management unit identifies authority of the application, in accordance with having received a request to register the application as the usage source, and manages the identified authority, and an identifier of the application, in an associated manner. The providing unit provides the service, in a case where an authorization operation has been performed to permit delegating of the user authority to the application transmitting a request to use the service, and an authority which the application uses is included in authorities associated with the identifier of the application.

Abstract: To prevent a transfer of an authority from being useless as much as possible, an authority transfer unit includes a decision unit for making a decision that an authority of a user with respect to a management unit is transferred to a processing request unit.