Field of the Invention
The present invention relates to an authority transfer system, a method, and an authentication server system for authorizing a transfer of a user's authority to another entity.
Description of the Related Art
In recent years, there have been provided, for example, a service that generates an electronic document in Portable Document Format (PDF) on the Internet, and a service that stores electronic documents on the Internet. Use of such services allows a user to generate a PDF document even if a terminal owned by the user itself does not have a PDF generation function, and to also store electronic documents beyond the storage capacity of the terminal. Further, the recent popularization of cloud computing has led to a further increase in opportunities to create an added value from cooperation between a plurality of services, like the above-described services. A service provider can provide the user with the added value from the cooperation between the services. For example, the user becomes able to even store the generated electronic document in the PDF format directly on the Internet without transferring it via the terminal owned by the user. On the other hand, the cooperation between the services raises several problems.
More specifically, such cooperation involves an exchange of more information than desired by the user between the services, thereby posing a risk of leakage of user data and personal information. For example, a plurality of services exists on the Internet, and the service cooperation is achieved between various services. It is, however, undesirable that a service other than a service that provides a result desired by the user acquires the user data, the personal information, and the like. On the other hand, for the service provider, an easily implementable mechanism is favorable as the mechanism for the service cooperation.
Under these circumstances, there has been formulated a standard protocol for realizing cooperation of an authorization, called Open Authorization (OAuth). Japanese Patent Application Laid-Open No. 2013-145505 discusses a technique for issuing an access token with use of OAuth.
According to OAuth, for example, user's data managed by a service A can be accessed by an external service B authorized by this user. At this time, the service A is supposed to acquire a user's explicit authorization to the access by the external service B after clearly indicating a range to be accessed by the external service B. The term “authorization operation” is used to refer to a user's operation of explicitly granting the authorization.
Once the user performs the authorization operation, the external service B receives a token proving that the access is authorized (hereinafter referred to as the access token) from the service A. The access after that can be realized with use of this access token. At this time, the use of the access token enables the external service B to access the service A under an authority of the user having granted the authorization without information indicating that the user is authenticated. Thus, the external service B authorized by the user and having acquired the access token bears a responsibility to strictly and properly manage this access token.
Further, some of recent devices provide the user with the added value by cooperating with a cloud service using OAuth. For example, there are services called social networking services (hereinafter referred to as “SNSs”). These services can be used from a smartphone. There are various SNSs, and installation of a particular application into the smartphone and use of the application may facilitate use of such an SNS. For example, a user who wants to periodically post the user's location to the SNS may feel convenient by using a positioning function of the smartphone and using an application that periodically measures a position and posts information to the SNS. At this time, the application installed in the smartphone operates to access the SNS on behalf of the user. OAuth may be used in such a case. The user becomes able to use the SNS via the application by permitting the application to perform a minimum function required for using the SNS, for example, posting an article.
On the other hand, a flow for acquiring the access token that is called an implicit grant is defined in OAuth. The implicit grant is optimized for a client implemented on a browser with use of a script language such as JavaScript (registered trademark). The client based on the implicit grant type does not receive an authorization code, which is an intermediate credential for acquiring the access token, but directly receives the access token after being authorized by a resource owner. This grant type is called the implicit grant due to no use of the intermediate credential that mediates the acquisition of the access token, such as the authorization code. Currently, there is also performed such implementation that, when the above-described service is used from a web browser, a login session is succeeded to with use of a cookie or the like as information indicating that the user is authenticated without explicitly carrying out authorization confirmation like OAuth. Further, currently, a configuration that uses a service cooperating with the cloud service based on Application Programming Interface (API) access using jQuery or the like even from the web browser is becoming a de facto standard. The reason behind that is an influence of such a trend that mobile apparatuses have become widely used and browser operating systems (OSs) have appeared.