Users commonly interact with a large number of service providers over the cloud, wherein each service provider specializes in providing a certain type of service, such as an email service, a chat service, a blogging service, a calendar service, a mapping service, a content sharing service, a location sharing service, etc. As part of providing the service, the given service provider maintains a set of resources on behalf of the user. Such resources can include, for example, personal information such as a profile, contacts, and pictures, and can also include basic capabilities offered by the service provider platform, such as the ability to read or post messages on behalf of the user, to obtain a user location or status, etc. Service provider platforms often expose these resources to third parties through web-based application programming interfaces (APIs). Such APIs allow third parties to build applications (apps) that leverage service provider capabilities to provide add-on services to the user or otherwise enrich the user experience.
To protect the privacy of the user, service providers hosting such resources commonly require the user to explicitly authorize access by third parties. The user is authenticated by the service provider and is requested to delegate, to a third party, permissions to access a given resource. This allows the third party application to make authorized calls to the service provider API to obtain the given resource for a limited time. However, such authorization approaches present challenges and drawbacks.
For example, a smartphone user commonly has a considerable number of third party applications downloaded from application stores on his or her smartphone. Many such applications require access to user resources such as identification (ID) information, a profile, user location, etc., for which such applications need to connect to multiple service providers. As such, the user is subject to an authentication and delegation workflow for each external service used by an application. Additionally, such a process has to be performed individually for each application installed by the user. Moreover, once the user has granted a third party application access to his or her resources, he or she has limited control over the context in which the information may be accessed. It is desirable, therefore, that the user be permitted to specify the context in which the access is allowed.
Another drawback of the above-noted existing approaches is that each application is responsible for connecting with other domains and managing user identity across domains. Much of the effort in integrating with a new service can occur in implementing the handshake required for receiving end-user authorization for resources hosted by the service provider.
Further, third party applications commonly need to make multiple invocations to perform a single task. Such low-level resource requests are not only inefficient but also undesirable from a user privacy perspective. This often results in significantly more user information being exposed to the third party than is strictly necessary to execute a transaction.
Accordingly, a need exists for techniques to control access of user information by third party applications.