The invention relates to controlling access by a client acting on behalf of a user to a protected resource hosted on a server.
Current token-based access control systems have advantages, but they lack a capability for single website login across multiple sites with central control of operation. There is also a need to allow a user to access protected resources across a network by means of a mobile application; however, such an application may not be trusted with the user's credentials. There is therefore a need for an improved and more secure system for granting controlled access to protected resources. The invention addresses at least some of the above problems.
A method is proposed for controlling user access to a protected resource, in which the method comprises: intercepting a request from a client browser directed to a server; requesting user credentials from the client browser; processing the user credentials received from the client browser to authenticate the user; redirecting the client browser to a server configured to issue a token credential, the token credential indicating to a server configured to issue such a token that the user is authorized to obtain a token, and that token in turn indicating to the server hosting the protected resource that the user is authorized to access the protected resource; intercepting an authorization request from the browser to the server configured to issue the token credential; and inserting into the authorization request an HTTP header variable indicating the authentication status of the user.
The method may further comprise receiving, in response to the authorization request, a token credential and sending the received token credential to the browser.
A further method is proposed for controlling user access to a protected resource, in which the method comprises: intercepting a request from a client application directed to a server; obtaining user credentials; processing the user credentials to authenticate the user; and sending, to a server configured to issue a token that indicates to the server hosting the protected resource that the user is authorized to access the protected resource, an HTTP request comprising at least one HTTP header variable indicating authentication of the user; in which the user credentials are not present in the HTTP request.
The further method may further comprise receiving, in response to the HTTP request, a token and sending the received token to the client application.
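As an added illustration that is not part of this description, the following Python model runs both methods above in-process: an intercepting gateway authenticates the user, relays the request to the token issuer with a header variable indicating authentication status and without the credentials, and the issued token is then presented to the resource server. The header name, the dict-based request shape and the sample user store are assumptions made for the example.

```python
import hmac
import secrets

# Constructed sample data; in a deployment these would be the user store and the issuer's state.
USERS = {"alice": "correct-horse-battery"}
ISSUED_TOKENS = {}                              # token -> user, held by the token issuer
AUTH_STATUS_HEADER = "X-Authenticated-User"     # assumed name for the header the gateway inserts


def authorization_server(request):
    """Token issuer: trusts only the gateway-inserted header and must never receive credentials."""
    if "password" in request["headers"] or "password" in request.get("body", {}):
        return {"status": 400, "error": "credentials must not reach the token issuer"}
    user = request["headers"].get(AUTH_STATUS_HEADER)
    if not user:
        return {"status": 401}
    token = secrets.token_urlsafe(16)
    ISSUED_TOKENS[token] = user
    return {"status": 200, "token": token}


def resource_server(request):
    """Protected resource: grants access only for a token the issuer actually issued."""
    auth = request["headers"].get("Authorization", "")
    user = ISSUED_TOKENS.get(auth.removeprefix("Bearer "))
    return {"status": 200, "user": user} if user else {"status": 401}


def gateway(request, ask_credentials):
    """Intercepts the client request, authenticates the user, then relays to the token issuer."""
    # Drop any client-supplied copy of the trusted header so authentication status cannot be forged.
    headers = {k: v for k, v in request["headers"].items() if k != AUTH_STATUS_HEADER}
    user, password = ask_credentials()          # credentials stay between client and gateway
    expected = USERS.get(user)
    if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
        return {"status": 401}
    headers[AUTH_STATUS_HEADER] = user          # header variable indicating authentication status
    reply = authorization_server({"path": "/authorize", "headers": headers})
    if reply["status"] != 200:
        return reply
    return {"status": 200, "token": reply["token"]}   # token handed back to the client


def run_flow(user, password):
    """Full exchange: client -> gateway -> token issuer -> client -> resource server."""
    # The client tries to pre-set the trusted header; the gateway must discard it.
    reply = gateway({"path": "/login", "headers": {AUTH_STATUS_HEADER: "admin"}},
                    lambda: (user, password))
    if reply["status"] != 200:
        return reply["status"]
    return resource_server({"headers": {"Authorization": "Bearer " + reply["token"]}})["status"]
```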