Field of the Invention
The present invention relates to an authorization server system which performs authorization delegation, a control method thereof, and a storage medium.
Description of the Related Art
Servers that provide a service for generating electronic documents of Portable Document Format (PDF) format and a service for storing the electronic documents for terminals via the Internet have recently become prevalent. Users can use the services through their terminals to generate electronic documents even if the terminals do not have the function of generating an electronic document. The users can also store electronic documents more than the storage capacities of the terminals.
As cloud computing is attracting more and more attention, the opportunities to create new additional values through the cooperation of a plurality of services are ever increasing. Examples of possible forms of service cooperation include that an electronic document of PDF format generated by using a service is directly stored in another service without an intermediary of a terminal. Meanwhile, the cooperation of services can cause a problem.
The problem lies in that the risk of leakage of user data and personal information increases as information more than desired by the user is exchanged between services. It is undesirable for services other than those for providing a user-desired outcome to obtain user data and personal information during service cooperation. From the viewpoint of service providers, the mechanism of service cooperation is desirably easy to implement.
A standard protocol called OAuth (see Japanese Patent Application Laid-Open No. 2012-008958) has been developed for authorization cooperation. For example, suppose that OAuth is implemented in a plurality of services. If the user authorizes an external service B to access a service A by specific authorization, the external service B can access the service A without using authentication information about the user.
The service A is configured to provide the user with a clear description of the authorization such as the data to be accessed by the external service B and the range of services to be used. The service A then requests an explicit approval, i.e., authorization of the user about the access by the external service B. The user's action of explicitly giving authorization via an authorization screen will be referred to as an authorization operation.
If the user made an authorization operation, the service A gives specific authorization authorized by the user to the external service B. The external service B receives an authorization token directly or indirectly from the service A. The authorization token is a token that proves the approval of the access by the authorized authorization. The external service B subsequently can access the service A by using the authorization token.
The series of processes for storing the authorization token in the service-using subject, or the external service B in terms of the foregoing example, as a result of the user's authorization operation will be referred to as that the user delegates authorization to the external service B. As described above, it is the subject making the service available that delegates the actual authorization to the subject using the service. In terms of the foregoing example, the service A having confirmed that the user made an authorization operation gives the authorization.
This technique is used not only for the cooperation between the services, but is also known to be used in such a manner that an application of the terminal operated by the user cooperates with a service on the Internet by using OAuth.
For example, a plurality of applications can be installed in a smartphone capable of adding and removing applications. The applications may cooperate with a service or services on the Internet. Typical examples include that a service called social networking service (SNS) and the smartphone applications cooperate by using OAuth.
The applications installed in the smartphone access the SNS on behalf of the user. The user may delegate authorization to perform minimum functions needed to use the SNS, for example, authorization only to post an article to the applications. As a result, the applications can cooperate with the SNS by appropriate authorization without storing authentication information about the SNS in the smartphone.