In recent years, services on the Internet have increasingly been provided not via general-purpose applications such as Web browsers but via applications dedicated to the service. In such service provision, the service providing side performs authentication of the application's permission to access the service (application authentication) in addition to authentication, through the application, of the user's permission to connect to the service (user authentication).
In application authentication, for example, the provider or creator of the application preregisters the application's authentication information with the service providing side, and the service providing side issues an identification ID and a password for the application. When the application connects to the service, the service providing side authenticates it using that identification ID and password. When authentication succeeds, the service providing side issues a token, and the application uses the token to access the service in response to the user's operations. OAuth2 is a known application authentication method (see Japanese Laid-open Patent Publication No. 2012-194722).
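The registration, authentication and token steps described above, as an added example that is not part of the patent text and not any real OAuth2 implementation: the service side keeps only a salted hash of each application's password, checks the identification ID and password at the token endpoint with a constant-time comparison, and accepts a token for service access only while it is unexpired. The in-memory registry, the function names and the token lifetime are constructed for illustration.

```python
import hashlib
import hmac
import secrets
import time

# Constructed in-memory stores standing in for the service providing side.
# APP_REGISTRY maps identification ID -> salted hash of the app password;
# ISSUED_TOKENS maps token -> the app it was issued to and its expiry time.
APP_REGISTRY = {}
ISSUED_TOKENS = {}


def register_app(app_name):
    """Registration: issue an identification ID and password for an application.

    The password is returned once to the application provider; the service
    side stores only its salted hash, never the password itself.
    """
    app_id = "app-" + secrets.token_hex(8)
    app_password = secrets.token_urlsafe(24)
    salt = secrets.token_bytes(16)
    APP_REGISTRY[app_id] = {
        "name": app_name,
        "salt": salt,
        "hash": hashlib.sha256(salt + app_password.encode()).digest(),
    }
    return app_id, app_password


def authenticate_app(app_id, app_password):
    """Application authentication: verify the ID/password pair presented on connection."""
    rec = APP_REGISTRY.get(app_id)
    if rec is None:
        # Hash anyway so an unknown ID costs about as much as a wrong password.
        hashlib.sha256(b"\0" * 16 + app_password.encode()).digest()
        return False
    candidate = hashlib.sha256(rec["salt"] + app_password.encode()).digest()
    # Constant-time comparison of the hashes.
    return hmac.compare_digest(candidate, rec["hash"])


def issue_token(app_id, app_password, ttl_seconds=3600, now=None):
    """Token endpoint: authenticate the application, then issue a bearer token.

    Returns the token string, or None when application authentication fails.
    `now` may be supplied (seconds) to make the expiry deterministic.
    """
    if not authenticate_app(app_id, app_password):
        return None
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    ISSUED_TOKENS[token] = {"app_id": app_id, "expires": now + ttl_seconds}
    return token


def access_service(token, now=None):
    """Service access: accept only a known, unexpired token.

    Returns the identification ID of the application the token was issued to,
    or None when the token is unknown or expired.
    """
    now = time.time() if now is None else now
    rec = ISSUED_TOKENS.get(token)
    if rec is None or rec["expires"] <= now:
        return None
    return rec["app_id"]


if __name__ == "__main__":
    # Walk through the sequence for one constructed application, "app A".
    app_id, app_password = register_app("app A")
    token = issue_token(app_id, app_password)
    print("app authenticated, token issued:", token is not None)
    print("service access granted to:", access_service(token))
    print("wrong password issues a token:", issue_token(app_id, "wrong") is not None)
```

The point of the split into `authenticate_app`, `issue_token` and `access_service` is that the application's long-lived password is presented only at the token endpoint, while every later request carries a short-lived token that the service can expire or revoke independently of the registration.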
In some cases, the service providing side provides a service over a plurality of sites, and the application's authentication information is not shared between those sites. In such a case, for example, the application provider has to register the application's authentication information with every site to be used, so application authentication becomes complicated.
The problem that the app authentication becomes complicated will be described here with reference to FIGS. 11 and 12. FIG. 11 is a diagram illustrating services using OAuth2. FIG. 12 is a diagram illustrating the problem that the app authentication becomes complicated.
As illustrated in FIG. 11, in a service using OAuth2, for example, an application provider on the service providing side registers with the authentication server an app list, for example, as the authentication information of apps A, B, C, and D. The authentication server can then perform app authentication of apps A, B, C, and D with OAuth2.
As illustrated in FIG. 12, the service may be provided over a plurality of sites on the service providing side. If the authentication information is not shared between the authentication servers of these sites, the application provider on the service providing side needs to register the application with each authentication server, which makes app authentication complicated.
If, to avoid this complication, the service providing side does not hold the authentication information of the application, a different problem arises: the user cannot detect that the application in use is not performing legitimate communication. For example, the user may be deceived by an illegitimate application. An example of such deception will be described with reference to FIG. 13. FIG. 13 is a diagram illustrating the example of a user being deceived by an illegitimate application.
The screen on the left of FIG. 13 is displayed by a legitimate application. The screen on the right of FIG. 13 is displayed by an illegitimate application pretending to be the legitimate one (for example, a phishing application). The only difference between them is the URL; the displayed content is identical. The user may therefore enter his/her password without noticing. In other words, the user does not detect that the application is not performing legitimate communication.
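Since the URL is the only observable difference in the FIG. 13 scenario, the check an application (or the platform it runs on) can make before presenting a password prompt is an exact comparison of the login URL's origin against the registered service origin. The following is an added example, not code from the patent or from any real service; the allowlisted origin `login.example-service.test` and the function names are constructed. It normalizes scheme, host and port from a URL and rejects the look-alike forms that a simple substring or prefix match would let through.

```python
from urllib.parse import urlsplit

# Constructed allowlist: the (scheme, host, port) origins of the legitimate
# service's login endpoint. A real deployment would load this from the
# application's registration data rather than hard-code it.
LEGITIMATE_ORIGINS = {
    ("https", "login.example-service.test", 443),
}

DEFAULT_PORTS = {"https": 443, "http": 80}


def origin_of(url):
    """Return the normalized (scheme, host, port) of a URL, or None if unparseable.

    Normalization: lower-cased scheme and host, trailing dot stripped from the
    host, explicit default ports folded to the scheme's default. Userinfo
    ("user@") is discarded by urlsplit, so a host hidden after an '@' is seen
    as what it really is.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = parts.hostname  # already lower-cased by urlsplit
    if not scheme or host is None:
        return None
    host = host.rstrip(".")
    try:
        port = parts.port  # raises ValueError for a non-numeric port
    except ValueError:
        return None
    if port is None:
        port = DEFAULT_PORTS.get(scheme)
    return (scheme, host, port)


def is_legitimate_login_url(url):
    """True only when the URL's origin exactly matches a registered login origin."""
    origin = origin_of(url)
    return origin is not None and origin in LEGITIMATE_ORIGINS


def classify_urls(urls):
    """Map each candidate URL to whether it passes the origin check."""
    return {url: is_legitimate_login_url(url) for url in urls}


if __name__ == "__main__":
    # Constructed candidates: the legitimate login page and several look-alikes
    # whose rendered page could be identical, as in FIG. 13.
    candidates = [
        "https://login.example-service.test/signin?app=A",
        "https://LOGIN.Example-Service.test:443/signin",
        "http://login.example-service.test/signin",
        "https://login.example-service.test.evil.test/signin",
        "https://login.example-service.test@evil.test/signin",
        "https://login.example-servlce.test/signin",
        "https://login.example-service.test:8443/signin",
    ]
    for url, ok in classify_urls(candidates).items():
        print("legitimate" if ok else "REJECTED  ", url)
```

The comparison is deliberately on the whole normalized origin rather than on the host string alone: a downgraded scheme, a non-default port, a subdomain appended to the real name, or the real name placed in the userinfo part of the URL all produce a different origin and are rejected, while harmless variations (upper-case letters, an explicit `:443`) still match.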