1. Field of the Invention
The present invention relates to an authentication system, a control method thereof, a service provision device, and a storage medium.
2. Description of the Related Art
Businesses that provide services by offering them as cloud services on the Internet have developed. Print servers are likewise now required to provide their functions as a print service on the Internet. Providing services as a cloud service allows the print server to be located in a large data center, so that hardware management for each customer is eliminated. It also provides various advantages, such as a simple way of adding resources according to the load imposed on a server. Using this capability, a printing system has been proposed that enables pull printing, in which a printer acquires print data over the Internet and executes printing.
Until now, access to a print server operated on an intranet has been limited to that intranet, and thus it was very difficult for a user to illegally access the print server. However, when the print server is exposed as a cloud service on the Internet, a user can access the print server from anywhere in the world, and security must be ensured. In recent years, as the importance of security has increased, a standard protocol for authorization cooperation called “OAuth” has been developed and is being applied to communication between cloud services and clients. In OAuth, information called a “token” is used to prove an authority that has been transferred from a user or a client. The cloud service prevents illegal access by a client by verifying the validity of the token presented by the client.
When the image forming device cooperates with the print server by using OAuth, a user transfers to the image forming device an authority for accessing a print job held by the print server. In this manner, the image forming device can download the print data of the print job stored by the print server and execute printing.
Also, when a plurality of users share and use the image forming device, the image forming device is required to perform queue control for the print jobs of the plurality of users. In the case where the authority transfer to the image forming device is performed for each user, the image forming device retains a token for each queued print job.
Although the image forming device performs print processing by sequentially executing the queued print jobs, subsequent queued print jobs enter a waiting state if printing cannot be executed due to a paper-out condition or the like. An expiration date is generally set for a token to prevent abuse, and the token may expire if printing is not executed for a long time. Once the token has expired, the image forming device cannot download print data from the print server. Since the image forming device cannot upload the token for the user authority, it is contemplated that the image forming device downloads the print data from the print server by using not the user authority but the printer authority of the image forming device. The printer authority enables the image forming device to update the token and continue printing even after the expiration date has passed.
However, when the image forming device downloads the print data using the token issued by the printer authority, neither printer information nor user information is transmitted to the print server. Hence, a malicious third party may download another user's print data using the token issued by the printer authority. As a result, the other user's information is leaked, and security is not ensured.
Japanese Patent Laid-Open No. 2012-191270 discloses a system that specifies an image forming device in a secure manner by using a first common key for creating a token and a second common key for identifying a device ID of the image forming device. However, a large security risk remains, because all print data can be illegally accessed if the common keys are leaked. In a system disclosed in Japanese Patent Laid-Open No. 2012-181844, a server retains a device identifier in association with a user and verifies the device identifier when the user logs in, thereby preventing illegal access. However, illegal access is not prevented when the user does not log in.