Abstract: Embodiments are directed to a method and system for performing stateless authentication and authorization in a distributed computer network, by receiving, in an authentication and authorization service (AAS) component, a user request to network clients from a client user for data access served by an application, wherein the request comprises user credentials; providing the user credentials to an identity authenticator; performing, in the AAS component, client authorization for the user validated by the identity authenticator; encapsulating a token with the client authorization; and transmitting the token to an application service that services the user request to return results based on the client authorization.

Abstract: Embodiments are directed to a method and system for managing token keys in an authentication and authorization process for a multi-tenant computer network by receiving a user request from a user through a user agent for data access to network clients, generating a key to encrypt and sign a data string to encapsulate a token, passing the token as part of the request to the network clients to receive a response from a client to the user request, notifying, in the event of a key state change, user agents of the key state change asynchronously to other events, and generating a refreshed key for subsequent user requests to encapsulate subsequent tokens for the user.

Abstract: A user is authenticated based on user credentials obtained from a request in response to the request received from a client device. A plurality of tenants is identified in which the user is a member and, for each of the tenants associated with the user, one or more roles of the user are determined within the tenant. For each of the one or more roles, one or more privileges the user is entitled within a capacity of the role are determined. An authorization token is generated based on information identifying the tenants associated with the user, one or more roles of the user within each tenant, and one or more privileges associated with each role. The authorization token is transmitted to the client device to allow the client device to determine whether the user is authenticated and allowed to access the resource of a particular tenant.

Abstract: A first request is received from a first user to revoke an access right of a second user of a first tenant for accessing data of a second tenant, where the first tenant is a parent tenant of the second tenant. In one embodiment, in response to the first request, a first role of the first user within the second tenant and a second role of the first user within the first tenant are determined. A first and second access privileges of the first role and second role of the first user, respectively, are determined to allow the first user to revoke the access right to the second tenant. In response to the first user having a revoke privilege in the first and second tenant, the first user is allowed to remove the second tenant from the first tenant.

Abstract: In response to a request received from a client device, the user is authenticated based on user credentials extracted from the request. Upon having successfully authenticated the user, tenants and one or more roles of each of the tenants associated with the user are identified. In one embodiment, an authorization token having information identifying the plurality of tenants and their respective one or more roles of the user is generated. The information of each of the tenants and its respective roles are encrypted with a specific key corresponding to the tenant. The authorization token containing the encrypted tenants and the roles of the user is transmitted to the client device to allow the client device to determine whether the user is allowed to access a requested resource based on the authorization token.