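IPC classification information
Country / Type: United States (US) Patent, Registered
International Patent Classification (IPC, 7th edition):
Application number: US-0233566 (2011-09-15)
Registration number: US-8776203 (2014-07-08)
Priority information: JP-2010-244678 (2010-10-29)
Inventors / Address:
- Ajitomi, Daisuke
- Minami, Keisuke
- Gondo, Shunichi
- Aizu, Hiroyuki
- Ise, Kotaro
Applicant / Address:
Agent / Address:
Citation information: Times cited: 4; Cited patents: 2
Abstract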
An access authorizing apparatus includes a receiving unit, a first transmitting/receiving unit, a token issuer and a transmitting unit. A receiving unit receives first approval information indicating that access to the resource in the device has been approved by an access approver, from the first application via the network. A first transmitting/receiving unit transmits an access approval request including the first approval information to the access approving apparatus, and receives access enable/disable information indicating whether the access to the resource by the first application is permitted, from the access approving apparatus. A token issuer, when the access enable/disable information indicates that the access to the resource is permitted, issues token information that gives authority to access the resource to the first application. A transmitting unit transmits the token information issued by the token issuer, to the first application.
Representative claim
1. An access authorizing apparatus that is connected to a device having a resource used by a first application, and an access approving apparatus, respectively, via a network, the access authorizing apparatus comprising: a receiving unit configured to receive a token issuance request including first approval information indicating that access to the resource in the device has been approved by a user of the device, from the first application via the network; a first transmitting/receiving unit configured to transmit an access approval request including the first approval information to the access approving apparatus, and receive access enable/disable information indicating whether the access to the resource by the first application is permitted, from the access approving apparatus, wherein the access approving apparatus is configured to previously store approval information for one or more applications that have been approved by the user to access the resource and, upon receiving approval information from an access-seeking application via the access authorizing apparatus, permitting the access-seeking application to access the resource if the access approving apparatus previously holds approval information associated with the access-seeking application and the received approval information corresponds to the previously stored approval information associated with the access-seeking application; a token issuer configured to, when the access enable/disable information received by the first transmitting/receiving unit indicates that the access to the resource is permitted, issue token information that gives authority to access the resource to the first application; and a transmitting unit configured to transmit the token information issued by the token issuer, to the first application, wherein the access authorizing apparatus receives an access approval request which requests approval to access the resource of the device from the first application which has received a resource access request from the device, the access approval request including an URI of the access approving apparatus, and transmits a response including the URI of the access approving apparatus to the device via the first application, the access approving apparatus receives an approval screen request from the device redirecting to a redirection destination based on the URI, returns an access approval screen to the device, receives a user indication of access approval to the access approving apparatus from the device which has received the access approval screen, and transmits a response including the first approval information and an URI of the first application to the device, and the first application is configured to transmit the token issuance request including the first approval information to the access authorizing apparatus when receiving a resource access request including the first approval information from the device redirecting to another redirection destination based on the URI of the first application.
2. The apparatus according to claim 1, further comprising: a token information storage configured to store the token information issued by the token issuer.
3. The apparatus according to claim 2, further comprising: a token information provider configured to provide the token information issued by the token issuer or the token information in the token information storage, to the device.
4. The apparatus according to claim 3, further comprising: a token invalidating unit configured to, in response to an invalidation request for the token information, from an external apparatus on the network or an operator of the apparatus, invalidate the token information in the token information storage.
5. The apparatus according to claim 3, further comprising: a token invalidating unit, wherein the token issuer sets a term of validity for the token information to be issued, and the token invalidating unit invalidates the token information whose term of validity has expired in the token information storage.
6. The apparatus according to claim 4, wherein when the token information has been invalidated by the token invalidating unit, the token information provider notifies the device that the token information has been invalidated.
7. The apparatus according to claim 1, wherein the token information includes a token representing an identifier of the token information.
8. The apparatus according to claim 7, wherein the token information further includes at least one of device identification information that identifies the device, user identification information that identifies the first application, the first approval information, user information that is detailed information on the first application, device information that is detailed information on the device, information on a term of validity of the token information, and logical value information representing whether or not the token information is valid.
9. The apparatus according to claim 1, further comprising: a second transmitting/receiving unit configured to transmit a user authentication request including user identification information that identifies the first application, to a user authenticating apparatus via the network, and receive user authentication result information indicating whether or not authentication of the first application has succeeded, from the user authenticating apparatus, wherein when the user authentication result information indicating the success of the authentication of the first application is received by the second transmitting/receiving unit, the token issuer issues the token information.
10. The apparatus according to claim 1, further comprising: a second transmitting/receiving unit configured to transmit a user authentication request including user identification information that identifies the first application, to a user authenticating apparatus via the network, and receive user authentication result information indicating whether or not authentication of the first application has succeeded, from the user authenticating apparatus; an approval request permission information issuer configured to issue approval request permission information to the first application when the user authentication result information indicates the success of the authentication; an approval request permission information storage configured to store the approval request permission information issued to the first application; and an approval request permission information authenticating unit configured to receive an authentication request including the user identification information and the approval request permission information, from the access approving apparatus, and when the approval request permission information for the application in the user identification information included in the authentication request has been registered in the approval request permission information storage, return a response indicating the success of the authentication of the application, to the access approving apparatus.
11. The apparatus according to claim 1, wherein the first approval information includes an access enable/disable verification code that identifies the approval by the access approver.
12. The apparatus according to claim 11, wherein the first approval information further includes at least one of class information, attribute information and range information on the resource to which access has been approved.
13. The apparatus according to claim 8, wherein the user identification information includes at least one of confidential information that proves validity of the user identification information, a hash value of the confidential information, and signature information using the confidential information.
14. An access authorizing apparatus that is connected to a device having a resource used by a first application, via a network, the apparatus comprising: an approval information storage configured to store approval information for an application that has been approved by a user of the device to access the resource in the device; a receiving unit configured to receive a token issuance request including first approval information from the first application via the network; an approval determining unit configured to determine whether the first application is permitted to access the resource in the device, based on whether there is approval information conforming to the first approval information in the approval information storage; a token issuer configured to, when the access to the resource is permitted by the approval determining unit, issue token information that gives authority to access the resource, to the first application; a transmitting unit configured to transmit the token information to the first application via the network; a usage information provider; and an approval information issuer, wherein the first application is configured to receive a resource access request from the device of the user and return a response including an URI of the usage information provider to the device, the usage information provider receives an approval screen request from the device redirecting to a redirection destination based on the URI and returns an access approval screen to the device, the approval information issuer receives an indication of access approval to the access approval screen based on a user's instruction, registers the first approval information in the approval information storage and transmits a response including the first approval information and an URI of the first application to the device, the approval determining unit receives the token issuance request including the first approval information from the first application which has received a resource access request including the first approval information from the device redirecting to another redirection destination based on the URI of the first application.
15. The apparatus according to claim 14, further comprising: a token information storage configured to store the token information issued by the token issuer.
16. The apparatus according to claim 15, further comprising: a token information provider configured to provide the token information issued to the first application or the token information in the token information storage, to the device.
17. The apparatus according to claim 16, further comprising: a token invalidating unit configured to, in response to an invalidation request for the token information, from an external apparatus on the network or an operator of the apparatus, invalidate the token information in the token information storage.
18. The apparatus according to claim 16, further comprising: a token invalidating unit, wherein the token issuer sets a term of validity for the token information to be issued, and the token invalidating unit invalidates the token information whose term of validity has expired in the information storage.
19. The apparatus according to claim 17, wherein when the token information has been invalidated by the token invalidating unit, the token information provider notifies the device that the token information has been invalidated.
20. The apparatus according to claim 14, wherein the token information includes a token representing an identifier of the token information.
21. The apparatus according to claim 20, wherein the token information further includes at least one of device identification information that identifies the device, user identification information that identifies the first application, the first approval information, user information that is detailed information on the first application, device information that is detailed information on the device, information on the term of validity of the token information, and logical value information representing whether or not the token information is valid.
22. The apparatus according to claim 14, further comprising: an approval information issuer configured to receive approval by the access approver showing that the first application is permitted to access the resource in the device, from the device, issue the first approval information based on the approval, and transmit the issued first approval information to the device, wherein the approval information storage stores the first approval information issued by the approval information issuer.
23. The apparatus according to claim 22, further comprising: a usage information provider configured to transmit usage information to query the access approver whether or not the first application is permitted to access the resource in the device, to the device.
24. The apparatus according to claim 23, wherein the usage information includes user information that is detailed information on the first application, developer information on the first application, device information that is detailed information on the device, and information on the resource to which access is requested by the first application.
25. The apparatus according to claim 22, further comprising: a receiving unit configured to receive user identification information that identifies the first application, from the first application; a user authenticating unit configured to perform authentication based on the user identification information on the first application; an approval request permission information issuer configured to, when the authentication in the user authenticating unit has succeeded, issue approval request permission information to the first application, and transmit the issued approval request permission information to the device; an approval request permission information storage configured to store the approval request permission information issued to the first application; and an approval determining unit configured to receive the user identification information and the approval request permission information from the device, and when the approval request permission information for the application in the user identification information has been registered in the approval request permission information storage, permit a usage information provider to provide the usage information, and when the registration has not been performed, not give the permission.
26. The apparatus according to claim 14, further comprising: a user authenticating unit configured to perform authentication based on user identification information that identifies the first application, wherein the receiving unit receives the user identification information from the first application, and when the authentication of the first application by the user authenticating unit has succeeded, the token issuer issues the token information.
27. The apparatus according to claim 14, wherein the first approval information includes an access enable/disable verification code that identifies the approval by the access approver.
28. The apparatus according to claim 27, wherein the first approval information further includes at least one of class information, attribute information and range information on the resource to which access has been approved.
29. The apparatus according to claim 21, wherein the user identification information includes at least one of confidential information that proves validity of the user identification information, a hash value of the confidential information, and signature information using the confidential information.
30. The apparatus according to claim 25, wherein the approval request permission information includes at least an approval request permission identifier that identifies the approval for the first application.
31. The apparatus according to claim 21, further comprising: a user identification information issuer configured to receive the user information that is the detailed information on the first application, from the external apparatus on the network, and issue the user identification information on the first application.
32. The apparatus according to claim 31, further comprising: a user information storage configured to store the user identification information and the user information to be associated with each other.
33. The apparatus according to claim 32, further comprising: a user information provider configured to retrieve and provide the user information from the user information storage, in response to a request to provide the user information.
34. The apparatus according to claim 31, further comprising: a user information invalidating unit configured to, in response to an invalidation request for the user identification information, from the external apparatus on the network or the operator of the apparatus, invalidate the user identification information in a user information storage.
35. The apparatus according to claim 14, further comprising: a developer information storage configured to store developer information related to a developer of an application; and a developer information registering unit configured to receive the developer information on the first application from an external apparatus on the network, and register the developer information on the first application into the developer information storage.
36. The apparatus according to claim 14, further comprising: an approver information storage configured to store approver information on the access approver; and an approver information registering unit configured to receive the approver information on the access approver from an external apparatus on the network, and register the approver information on the access approver into the approver information storage.
37. The apparatus according to claim 36, further comprising: a device information registering unit configured to receive device information on the device for which the access approver has authority to perform the access approval, from the external apparatus on the network, and register the device information into the approver information storage.
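The token flow of claims 1, 2, 4 and 5, modelled in Python as an added example (not code from the patent or its applicant): approval information is bound to one application, a token is issued only when the stored and presented approval information match, and tokens die by expiry or explicit invalidation. The class and method names, the `app_id` string (assumed already authenticated, as in claim 9) and the TTL value are assumptions made for illustration.

```python
import hmac
import secrets
import time


class AccessApprovingApparatus:
    """Holds approval information the user granted, keyed by application."""

    def __init__(self):
        self._approvals = {}  # app_id -> (verification code, resource scope)

    def approve(self, app_id, scope):
        # Runs when the user confirms the access approval screen.
        code = secrets.token_urlsafe(16)  # verification code (claim 11)
        self._approvals[app_id] = (code, scope)
        return code

    def is_permitted(self, app_id, code):
        # Permit only if approval is held for THIS application and the
        # presented code matches it (constant-time comparison).
        stored = self._approvals.get(app_id)
        return stored is not None and hmac.compare_digest(stored[0], code)


class AccessAuthorizingApparatus:
    """Issues, stores, expires and invalidates token information."""

    def __init__(self, approver, ttl_seconds=300):
        self._approver = approver
        self._ttl = ttl_seconds
        self._tokens = {}  # token information storage (claim 2)

    def issue_token(self, app_id, code, now=None):
        now = time.time() if now is None else now
        if not self._approver.is_permitted(app_id, code):
            return None  # access enable/disable information says "denied"
        token = secrets.token_urlsafe(32)
        self._tokens[token] = {"app_id": app_id, "valid": True,
                               "expires": now + self._ttl}
        return token

    def invalidate(self, token):
        # Explicit invalidation request (claim 4).
        info = self._tokens.get(token)
        if info is not None:
            info["valid"] = False

    def check(self, token, now=None):
        now = time.time() if now is None else now
        info = self._tokens.get(token)
        if info is None or not info["valid"]:
            return False
        if now >= info["expires"]:  # term of validity elapsed (claim 5)
            info["valid"] = False
            return False
        return True
```

Because the lookup is keyed by application, approval information obtained for one application is rejected when another application presents it in a token issuance request.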