In recent years, many kinds of web services, e.g., Social Network Services (SNS), have been provided. For an increasing number of such web services, an authentication protocol called OAuth (Open Authorization) is widely used.
OAuth is an authentication protocol according to which a user's authorization information is delivered from one service to another service. The OAuth system includes a provider server that provides the authorization information to a consumer server, the consumer server that receives the authorization information from the provider server and provides a service to the user, and a user terminal that authorizes the provider server to provide the authorization information to the consumer server. According to OAuth, the service provided by the consumer server can use, under authorization by the user, information (in many cases, information relating to the user) that is managed by another service provided by the provider server.
With reference to FIG. 8, the following explains basic operation of a conventional provider server that employs OAuth. FIG. 8 is a schematic view showing how a display of a user terminal changes as the conventional provider server, the conventional consumer server, and the conventional user terminal communicate with each other.
A user uses a browser on the user terminal to access an authentication page (login screen) of a target service provided by the consumer server (D10), and then selects “login” on the page. In response, the consumer server transfers (redirects) the display of the browser to an authentication page of an authorization service provided by the provider server (D11).
Upon the user's input of user identification information (hereinafter referred to as “user ID”) and a password for the authorization service, the provider server authenticates the user. After the user has been authenticated properly and has authorized the information relating to the user (user information) held by the provider server to be made usable by the target service, the provider server redirects the display of the browser to a top page of the target service (D12). The process indicated by the arrow “E” in FIG. 8 corresponds to the above description.
With reference to FIG. 9, the following provides a more detailed description of the above process. FIG. 9 is a timing chart showing details of an authorization process carried out according to conventional OAuth.
As shown in FIG. 9, transferring the authorization information among the user terminal (browser), the consumer server, and the provider server allows the consumer server to obtain authorization for access to the user information held by the provider server.
That is, the consumer server delegates to the provider server the authority for (i) authentication of the user and (ii) access to the user information. This allows the consumer server to provide each user with a suitable service without carrying out the troublesome processes of (i) registering the user, (ii) authenticating the user, and (iii) managing the user information. Further, this allows the user to use the target service provided by the consumer server merely by carrying out user registration on the authorization service provided by the provider server.
Meanwhile, in a case where the user is not registered on the authorization service (i.e., where the user selects “initial registration” on the authentication page), the consumer server redirects the display of the browser to a registration page of the authorization service (D13). The user then inputs a user ID, a password, and an email address on the registration page. In response, the provider server carries out registration of the user (D14 through D16). The process indicated by the arrow “C” in FIG. 8 corresponds to the above description.
With reference to FIG. 10, the following provides a more detailed description of the above process. FIG. 10 is a timing chart showing details of a conventional user registration process.
As shown in FIG. 10, when the user requests user registration on the authorization service from the provider server, the user information is transferred between the user terminal and the provider server. This process requires no involvement of the consumer server.
In addition to the above-described OAuth, there are many techniques for authentication in web services. For example, Patent Literature 1 (shown below) describes a content service providing system, which is a simple method for allowing a user who is not a member of a certain members-only content site to browse the content of the site.