Field of the Invention
The present invention relates to an authority delegate system which performs client registration, an authorization server system, a control method, and a program.
Description of the Related Art
There is a standard protocol for coordinating authorization, called OAuth 2.0 (“The OAuth 2.0 Authorization Framework”, [online] D. Hardt, May 2013 <URL http://tools.ietf.org/html/rfc6749>). OAuth 2.0 enables, for example, an application B which has been authorized by a user and which is installed in a terminal operated by the user, to access data of the user that a service A on the Internet manages. OAuth 2.0 refers to a subject to which authority is delegated, such as the application B, as an “OAuth client”, or simply a “client”. The service A is supposed to obtain explicit authorization from the user regarding access by the application B, after having made clear the range of access requested by the application B. The act of the user giving explicit authorization is called an “authorization operation”.
Once the user has performed an authorization operation, the application B receives a token certifying that access has been permitted by the service A (hereinafter referred to as an “authorization token”). Subsequent access can be realized using this authorization token. The application B which uses the authorization token can access the service A under the authority of the user who performed the authorization operation, without prompting the user to input authorization information again. Accordingly, the application B which has been authorized by the user and has acquired the authorization token is responsible for managing the authorization token in a secure and proper manner.
OAuth 2.0 has to authenticate the application B and grant it predefined authority before the authorization operation is performed, in order to prevent spoofing of the application B. In order to authenticate the application B, the service A has to issue and manage authentication information for the application B beforehand. This authentication information is a client ID and a client secret. Further, this authentication information has to be set in the application B. An online application registration protocol, called the Dynamic Client Registration Protocol, is being studied as a specification pertaining to OAuth 2.0. According to this Dynamic Client Registration Protocol, each requestor of client registration is dynamically registered as a client by transmitting its metadata to an endpoint for client registration, and thus obtains authentication information. The endpoint is provided by the authorization service on the server side implementing OAuth 2.0. This mechanism avoids the trouble of performing individual settings, since each application obtains authentication information on its own, rather than authentication information having to be set in each of a great number of distributed applications. When an authorization token is confirmed, not only is the authority delegated from the user confirmed, but also the authority of the application B itself, and whether to permit or deny the usage by the user is decided accordingly.
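The flow described above, dynamic registration of a client at a registration endpoint, client authentication with the issued client ID and secret, and the two-sided check made when an authorization token is confirmed (the scope delegated by the user and the authority registered for the client itself), is shown below as an added illustration written for this description; it is not code from the application or from any OAuth 2.0 implementation. The in-memory stores, the registrable scopes, the `https`-only redirect rule, and the function names (`register_client`, `issue_token`, `check_access`, `narrow_client_authority`, `revoke_client`) are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# Constructed in-memory stores standing in for the service A's database.
REGISTERED_CLIENTS = {}  # client_id -> {"secret_hash", "allowed_scopes", "redirect_uris", "client_name"}
ISSUED_TOKENS = {}       # authorization token -> {"client_id", "user", "scope"}

# Assumed policy: the scopes the registration endpoint is willing to grant
# to a dynamically registered client.
REGISTRABLE_SCOPES = {"files.read", "files.write"}


def _hash_secret(secret: str) -> str:
    # Store only a digest of the client secret, never the secret itself.
    return hashlib.sha256(secret.encode()).hexdigest()


def register_client(metadata: dict) -> dict:
    """Client registration endpoint: validate the metadata and issue credentials."""
    redirect_uris = metadata.get("redirect_uris") or []
    if not redirect_uris or not all(u.startswith("https://") for u in redirect_uris):
        raise ValueError("invalid_redirect_uri")
    requested = set(metadata.get("scope", "").split())
    if not requested or not requested <= REGISTRABLE_SCOPES:
        raise ValueError("invalid_client_metadata")
    client_id = secrets.token_urlsafe(16)
    client_secret = secrets.token_urlsafe(32)
    REGISTERED_CLIENTS[client_id] = {
        "secret_hash": _hash_secret(client_secret),
        "allowed_scopes": set(requested),          # the client's own authority
        "redirect_uris": list(redirect_uris),
        "client_name": metadata.get("client_name", ""),
    }
    # The secret is returned exactly once; the client must keep it safe.
    return {"client_id": client_id, "client_secret": client_secret,
            "scope": " ".join(sorted(requested)), "redirect_uris": list(redirect_uris)}


def authenticate_client(client_id: str, client_secret: str) -> bool:
    """Authenticate the client with the credentials obtained at registration."""
    rec = REGISTERED_CLIENTS.get(client_id)
    if rec is None:
        return False
    return hmac.compare_digest(rec["secret_hash"], _hash_secret(client_secret))


def issue_token(client_id: str, client_secret: str, user: str, approved_scope: set) -> str:
    """Issue an authorization token after the user's authorization operation.

    The client must be authenticated first, and the user can only delegate
    scopes that lie within the authority the client was registered with.
    """
    if not authenticate_client(client_id, client_secret):
        raise PermissionError("invalid_client")
    if not approved_scope <= REGISTERED_CLIENTS[client_id]["allowed_scopes"]:
        raise PermissionError("invalid_scope")
    token = secrets.token_urlsafe(32)
    ISSUED_TOKENS[token] = {"client_id": client_id, "user": user, "scope": set(approved_scope)}
    return token


def check_access(token: str, required_scope: str) -> bool:
    """Confirm a token: both the user-delegated scope and the client's own
    current authority must cover the requested operation."""
    rec = ISSUED_TOKENS.get(token)
    if rec is None:
        return False
    client = REGISTERED_CLIENTS.get(rec["client_id"])
    if client is None:
        return False  # client no longer registered: its tokens stop working
    return required_scope in rec["scope"] and required_scope in client["allowed_scopes"]


def narrow_client_authority(client_id: str, new_scopes: set) -> None:
    """Administrative change of the client's own authority after registration."""
    REGISTERED_CLIENTS[client_id]["allowed_scopes"] = set(new_scopes)


def revoke_client(client_id: str) -> None:
    """Remove the client registration entirely."""
    REGISTERED_CLIENTS.pop(client_id, None)


if __name__ == "__main__":
    creds = register_client({"client_name": "application B",
                             "redirect_uris": ["https://app-b.example/cb"],
                             "scope": "files.read files.write"})
    tok = issue_token(creds["client_id"], creds["client_secret"], "alice", {"files.read", "files.write"})
    print("write before narrowing:", check_access(tok, "files.write"))
    narrow_client_authority(creds["client_id"], {"files.read"})
    print("write after narrowing: ", check_access(tok, "files.write"))
```

The point of `check_access` is the final conjunction: a token that the user legitimately delegated is still refused once the client's own registered authority no longer covers the operation, and it stops working altogether when the registration is removed, which is why the token check consults the client record rather than the token alone.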