Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for performing delegated authorization, including: maintaining resources associated with a resource owner; receiving an access request from a client application requesting access to the resources; performing a first authentication of the resource owner; determining that the first authentication was successful, and providing to the resource owner a request to delegate access to the resources to the client application; receiving a selection of one or more delegated access permissions for the one or more resources to be delegated to the client application; determining that at least one of the one or more delegated access permissions is for a critical resource, and performing a second authentication by requesting multi-factor credentials from the resource owner; authenticating the multi-factor credentials; determining that the second authentication was successful; and granting an access token to the client application

Abstract: Systems, methods, and computer program products for distributed validation of credentials are described. Upon receiving a request to perform an action by a user, a system performs a multi-part authentication where in each part, only a portion of authentication information is passed. In a first stage, an application manager of the system receives a first token than specifies partial access rights. In a second stage, a cloud controller of the system requests and receives privileges of the user separately from the first token. An API is presented with a token that only contains the authorities that the API needs, while still allowing validation of cloud controller permissions without having to escalate the user's privileges.

Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for performing delegated authorization, including: maintaining resources associated with a resource owner; receiving an access request from a client application requesting access to the resources; performing a first authentication of the resource owner; determining that the first authentication was successful, and providing to the resource owner a request to delegate access to the resources to the client application; receiving a selection of one or more delegated access permissions for the one or more resources to be delegated to the client application; determining that at least one of the one or more delegated access permissions is for a critical resource, and performing a second authentication by requesting multi-factor credentials from the resource owner; authenticating the multi-factor credentials; determining that the second authentication was successful; and granting an access token to the client application

Abstract: Systems, methods, and computer program products for distributed validation of credentials are described. Upon receiving a request to perform an action by a user, a system performs a multi-part authentication where in each part, only a portion of authentication information is passed. In a first stage, an application manager of the system receives a first token than specifies partial access rights. In a second stage, a cloud controller of the system requests and receives privileges of the user separately from the first token. An API is presented with a token that only contains the authorities that the API needs, while still allowing validation of cloud controller permissions without having to escalate the user's privileges.