Some embodiments described herein relate generally to methods and apparatus for an authorization server to authenticate a user of an application installed on a mobile communication device before issuing an access token for the application and with the appropriate scope. In particular, but not by way of limitation, some embodiments described herein relate to methods and apparatus of authenticating the user of the application based on a scope identifier provided by the application that is associated with a level of access to a resource server requested by the application. The authorization server selects the appropriate user authentication mode from multiple predefined authentication modes based on the scope identifier.
Open Authorization (OAuth) is an open standard protocol for authorization, and allows a user, such as an enterprise employee, to grant a third-party application access to information associated with that user stored at a given location (e.g., on given website), without sharing that user's account credentials (e.g., password) or the full extent of that user's data. While OAuth 2.0 defines a browser-based interaction comparable to Single Sign-On (SSO) protocols such as Security Assertion Markup Language (SAML) and OpenID, OAuth 2.0 is not an SSO protocol. Rather, OAuth 2.0 is typically used more for authorization rather than authentication.
Because OAuth 2.0 is not focused on authentication, OAuth 2.0 provides no syntax by which the specifics of how a user is authenticated can be indicated by the application requesting authorization. In some instances, however, the strength of a user authentication step can be important if the resource for which access is being sought by an application is particularly sensitive (e.g., data related to online banking, stock trade, health records, etc.). In such instances, it may be important to obtain the user's authorization for such access only after implementing a strong user authentication step.
Accordingly, a need exists for methods and apparatus for an OAuth Authorization Server to authenticate the user of an application installed on a mobile communication device before issuing an access token with the appropriate scope to the application.