Abstract: A token relay system is provided that enables a client requester to acquire a properly scoped access token issued by a token issuer authority in a secure manner. The client requestor may be a non-confidential client (e.g., a JavaScript application). The token relay system is a trusted and confidential client of the token issuer authority. Upon receiving an access token request from a client, the token relay system is configured to send a request to the token issuer authority (e.g., OAuth server) requesting an access token on behalf of the requestor. The token issuer authority may then respond by issuing an access token with the appropriate scope to the token relay system. The token relay system may then forward the access token received from the token issuer to the requesting client, who may then use the access token to access a protected resource (e.g., a REST resource).

Abstract: A token relay system is provided that enables a client requester to acquire a properly scoped access token issued by a token issuer authority in a secure manner. The client requestor may be a non-confidential client (e.g., a JavaScript application). The token relay system is a trusted and confidential client of the token issuer authority. Upon receiving an access token request from a client, the token relay system is configured to send a request to the token issuer authority (e.g., OAuth server) requesting an access token on behalf of the requestor. The token issuer authority may then respond by issuing an access token with the appropriate scope to the token relay system. The token relay system may then forward the access token received from the token issuer to the requesting client, who may then use the access token to access a protected resource (e.g., a REST resource).

Abstract: A framework is provided for integrating Internet identities in enterprise identity and access management (IAM) infrastructures. A framework is provided for open authorization. A framework is also provided for relying party functionality. A mapping repository can be configured to store a mapping between applications and identity providers. The mapping associates each application of a plurality of applications with one or more identity providers. Identity management logic can be configured to use the mapping to determine that one or more identity providers of a first plurality of identity providers can be used to perform authentication activities on behalf of the first application in response to receiving a first request associated with a first application.

Abstract: A framework, which conforms to the OAuth standard, involves a generic OAuth authorization server that can be used by multiple resource servers in order to ensure that access to resources stored on those resource servers is limited to access to which the resource owner consents. Each resource server registers, with the OAuth authorization server, metadata for that resource server, indicating scopes that are recognized by the resource server. The OAuth authorization server refers to this metadata when requesting consent from a resource owner on behalf of a client application, so that the consent will be of an appropriate scope. The OAuth authorization server refers to this metadata when constructing an access token to provide to the client application for use in accessing the resources on the resource server. The OAuth authorization server uses this metadata to map issued access tokens to the scopes to which those access tokens grant access.

Abstract: A framework is provided for integrating Internet identities in enterprise identity and access management (IAM) infrastructures. A framework is provided for open authorization. A framework is also provided for relying party functionality.