The present invention relates generally to the field of selectively authorizing users to access data, and more particularly to authorization systems and methods that provide for secure delegated access (for example, authorization under the Oauth standard).
The Wikipedia entry for “OAuth” (http://en.wikipedia.org/wiki/OAuth) currently states as follows: “OAuth is an open standard for authorization.” OAuth provides client applications a ‘secure delegated access’ to server resources on behalf of a resource owner. It specifies a process for resource owners to authorize third-party access to their server resources without sharing their credentials . . . . OAuth is commonly used as a way for web surfers to log into third party web sites using their [other] accounts, without worrying about their access credentials being compromised.”
In today's interconnected data and communication environment, a resource owner sometimes needs to delegate authorization to a third party application, such that the third party application can access the resource owner's data. However, in delegating authorization to the third party application, the resource owner does not wish to divulge their authorization credentials needed to access the resource.
An illustrative case is the ability to share a cloud based calendar. In such cases, it is common for the calendar data owner to consent to authorize a third party application or service upon receipt of an access request notification. The notification typically includes information about the requesting third party and the scope or permissions requested for access. The consent prompt may include options to approve or deny zero or more of the requested scopes before the consent is approved by the owner. Once the resource owner has consented, the requester is notified and then proceeds to obtain an access token. The access token represents the resource owner's delegated authorization to the requester, enabling access to the owner's calendar data. An authorization system typically defines message flow protocols (standard or non-standard) for these types of delegated authorization and data sharing cases.