JP6237868B2 - Cloud service providing system and cloud service providing method - Google Patents

Description

The present invention relates to a cloud service providing system and a cloud service providing method .

  Access to centrally manage settings related to access control and authority delegation for the purpose of reducing information exchanged between devices when a device performs proxy access to another device with authority delegated by the user An authority management system is conventionally known (see, for example, Patent Document 1).

  A conventional access authority management system includes an authentication apparatus that manages conditions for delegating authority, a service providing apparatus that provides a service in response to a service request, and a service proxy access apparatus that performs access to the service providing apparatus. It was.

  2. Description of the Related Art In recent years, attention has been focused on usage forms that provide functions of Web applications and server-side applications represented by cloud services as services. In such a usage mode, the user needs to be authenticated in order to receive provision of a service according to his / her authority.

  In addition, a usage form in which a plurality of services such as mashups are linked is also attracting attention. In such a usage mode, authorization is required when one service is provided with another service according to the authority delegated by the user.

  In such a usage mode in which a plurality of services are linked, a user must perform an authorization procedure for each of the other services when the other service is provided according to the authority delegated by the user. did not become.

Embodiments of the present invention have been made in view of the above points, and an object of the present invention is to provide a cloud service providing system and a cloud service providing method capable of reducing the number of authorization procedures by a user for using a service. To do.

To achieve the above object, the present claim 1 is a cloud service providing system including one or more information processing apparatus mounting the application providing cloud services, external services authentication infrastructure with the cloud service providing system is different in the cloud service providing system connected with, the first device first user operates the second user accepting an authorization request for using the external service, connection of the first device a connection destination changing means Ru is changed earlier to the external service, from the connection destination change means by the connection destination is the first that has changed the external service device, the authorization of the second user in the external service receiving authorization information indicating that the recognized result, and transmits the authorization information to the external service, the external service And authority information obtaining means for obtaining authority information after authorization to utilize bis from the external service, the second second equipment or we said application a request for processing using the external service operated by a user features There When it based on the fact that received receives a request sent from the application, in that it has, and authority information providing means for providing the second the authority information after authorization tied to a user of the application And

  According to the embodiment of the present invention, the number of authorization procedures by a user for using a service can be reduced.

It is a block diagram of an example of the system which concerns on this embodiment. It is a hardware block diagram of an example of the computer system which concerns on this embodiment. It is a process block diagram of an example of the service provision system which concerns on this embodiment. It is a process block diagram of an example of the management setting service application concerning this embodiment. It is a process block diagram of an example of the authentication processing part concerning this embodiment. It is a processing block diagram of an example of a service application according to the present embodiment. It is a process block diagram of an example of the data processing part which concerns on this embodiment. It is a block diagram of an example of organization management information. It is a block diagram of an example of user management information. It is a block diagram of an example of apparatus management information. It is a block diagram of an example of authorization setting information. It is a block diagram of an example of external service information. It is a block diagram of an example of authorization token information. It is a sequence diagram showing an example of a processing procedure for registration of authorization setting information and storage of authorization token information. It is an image figure of an example of a login screen. It is an image figure of an example of an authorization screen. It is a sequence diagram showing an example of a processing procedure using an external service. It is an image figure of an example of an external service cooperation request screen. It is a sequence diagram showing an example of the processing procedure in which an asynchronous process and an external service system cooperate.

Next, embodiments of the present invention will be described in detail.
[First Embodiment]
<System configuration>
FIG. 1 is a configuration diagram of an example of a system according to the present embodiment. 1 includes, for example, a network N1 such as an intra-office network, a network N2 of a service providing system typified by a cloud service, a network N3 of an external service typified by a cloud service, the Internet, etc. Network N4.

  The network N1 is a private network inside the firewall FW. The firewall FW is installed at the contact point between the network N1 and the network N4, and detects and blocks unauthorized access. The network N1 is connected to a client terminal 11, a portable terminal 12, an image forming apparatus 14 such as a multifunction peripheral, a projector 15, and other devices 16 such as an electronic blackboard.

  The client terminal 11 is an example of a terminal device. The client terminal 11 can be realized by an information processing apparatus (computer system) equipped with a general OS or the like. The client terminal 11 has a wireless communication means or a wired communication means. The client terminal 11 is a terminal that can be operated by the user, such as a tablet PC or a notebook PC.

  The mobile terminal 12 is an example of a terminal device. The portable terminal 12 has a wireless communication means or a wired communication means. The mobile terminal 12 is a terminal that can be carried by the user, such as a smartphone, a mobile phone, a tablet PC, or a notebook PC.

  The image forming apparatus 14 is an apparatus having an image forming function such as a multifunction peripheral. The image forming apparatus 14 includes a wireless communication unit or a wired communication unit. The image forming apparatus 14 is an apparatus that performs processing related to image formation, such as a multifunction peripheral, a copier, a scanner, a printer, or a laser printer. The projector 15 is a device that projects an image. The projector 15 includes a wireless communication unit or a wired communication unit.

  FIG. 1 shows an example in which the client terminal 11, the mobile terminal 12, the image forming apparatus 14, the projector 15, and other devices 16 are each one as an example, but there may be a plurality.

  The network N2 is connected to a network N4 such as the Internet by an access control device 21. The network N2 is protected by the access control device 21. A print service providing device 22, a scan service providing device 23, a management setting service providing device 24, and another service providing device 25 are connected to the network N2. In the system 1 of FIG. 1, the access control device 21, the print service providing device 22, the scan service providing device 23, the management setting service providing device 24, and the other service providing device 25 implement a service providing system.

  The access control device 21 controls login to each service such as a print service provided by the print service providing device 22, a scan service provided by the scan service providing device 23, and a management setting service provided by the management setting service providing device 24.

  The access control device 21, the print service providing device 22, the scan service providing device 23, the management setting service providing device 24, and the other service providing device 25 are realized by one or more information processing devices (computer systems).

  Note that the print service providing device 22, the scan service providing device 23, the management setting service providing device 24, and the other service providing device 25 of the system 1 in FIG. It may be realized by being distributed to computers.

  The network N3 is connected to a network N4 such as the Internet by an access control device 31. The network N3 is protected by the access control device 31. One or more external service providing devices 32 are connected to the network N3. In the system 1 of FIG. 1, an access control device 31 and an external service providing device 32 realize an external service system.

  The access control device 31 controls login to an external service provided by the external service providing device 32. The access control device 31 and the external service providing device 32 are realized by one or more information processing devices (computer systems). The external service providing device 32 of the system 1 in FIG. 1 may be realized by being integrated into one computer or may be realized by being distributed to a plurality of computers.

  Some of the services on the network N2 side may be outside the network N2. The mobile terminal 12 may be other than the network N1 such as an intra-office network. In the system 1 of FIG. 1, an example is shown in which the mobile terminal 12 is in a network N1 and a network N4 such as the Internet. In the system 1 of FIG. 1, an example of one external service system is shown, but a plurality of external service systems may be used.

  In the system 1 of FIG. 1, it is assumed that a standard technology of API authorization called OAuth is used. The service providing system corresponds to an OAuth consumer. The external service system corresponds to an OAuth service provider (SP).

  Assume that the external service system publishes a Web API (Application Programming Interface). A user can access a resource stored in an external service system and a service handling the resource within a range of his / her authority through the Web API.

  Further, the print service providing apparatus 22 of the service providing system uses an authorization token based on the authority delegated by the user, so that resources stored in the external service system within the authority delegated by the user can be obtained. , Access to the service that handles the resource becomes possible.

<Hardware configuration>
The client terminal 11, the mobile terminal 12, the access control device 21, the print service providing device 22, the scan service providing device 23, the management setting service providing device 24, and the other service providing device 25 are, for example, a computer system having a hardware configuration shown in FIG. It is realized by. The access control device 31 and the external service providing device 32 are also realized by a computer system with a hardware configuration shown in FIG. 2, for example.

  FIG. 2 is a hardware configuration diagram of an example of a computer system according to the present embodiment. The computer system 500 shown in FIG. 2 includes an input device 501, a display device 502, an external I / F 503, a RAM (Random Access Memory) 504, a ROM (Read Only Memory) 505, a CPU (Central Processing Unit) 506, a communication I / O. F507, HDD (Hard Disk Drive) 508, and the like are connected to each other via a bus B.

  The input device 501 includes a keyboard, a mouse, a touch panel, and the like, and is used by a user to input each operation signal. The display device 502 includes a display or the like, and displays a processing result by the computer system 500.

  The communication I / F 507 is an interface that connects the computer system 500 to the networks N1 to N4. Thereby, the computer system 500 can perform data communication via the communication I / F 507.

  The HDD 508 is a non-volatile storage device that stores programs and data. The stored programs and data include, for example, an OS (Operating System) that is basic software for controlling the entire computer system 500, and application software that provides various functions on the OS. The HDD 508 manages stored programs and data by a predetermined file system and / or DB (database).

  The external I / F 503 is an interface with an external device. The external device includes a recording medium 503a. Accordingly, the computer system 500 can read and / or write the recording medium 503a via the external I / F 503. The recording medium 503a includes a flexible disk, a CD (Compact Disk), a DVD (Digital Versatile Disk), an SD memory card (SD Memory card), a USB memory (Universal Serial Bus memory), and the like.

  The ROM 505 is a nonvolatile semiconductor memory (storage device) that can retain programs and data even when the power is turned off. The ROM 505 stores programs and data such as BIOS (Basic Input / Output System), OS settings, and network settings that are executed when the computer system 500 is started. The RAM 504 is a volatile semiconductor memory (storage device) that temporarily stores programs and data.

  The CPU 506 is an arithmetic device that realizes control and functions of the entire computer system 500 by reading a program and data from a storage device such as the ROM 505 and the HDD 508 onto the RAM 504 and executing processing.

  The client terminal 11, the mobile terminal 12, the access control device 21, the print service providing device 22, the scan service providing device 23, the management setting service providing device 24, and the other service providing device 25 will be described later depending on the hardware configuration of the computer system 500. Various kinds of processing can be realized. Further, the access control device 31 and the external service providing device 32 can also realize various processes as described later by the hardware configuration of the computer system 500.

<Software configuration>
《Service provision system》
The service providing system according to the present embodiment is realized by, for example, the processing blocks shown in FIG. FIG. 3 is a processing block diagram of an example of the service providing system according to the present embodiment. The service providing system 50 in FIG. 3 realizes a service application 51, a platform 52, a management data storage unit 53, and a platform API (Application Programming Interface) 54 by executing a program.

  The service application 51 of FIG. 3 includes a print service application 61, a scan service application 62, a management setting service application 63, and one or more other service applications 64 as an example. The print service application 61 is an application that provides a print service. The scan service application 62 is an application that provides a scan service. The management setting service application 63 is an application that provides a management setting service. The other service application 64 is an application that provides some service.

  The platform API 54 is an interface for the service application 51 such as the print service application 61, the scan service application 62, the management setting service application 63, and other service applications 64 to use the platform 52. The platform API 54 is a predefined interface provided for the platform 52 to receive a request from the service application 51, and is configured by a function, a class, or the like, for example. When the service providing system 50 is configured to be distributed among a plurality of information processing apparatuses, for example, a web API that can be used via a network can be used as the platform API 54.

  3 includes an authentication processing unit 71, a device communication unit 72, a session management unit 73, and a data processing unit 74 as an example. The authentication processing unit 71 performs authentication based on a login request from an office device such as the client terminal 11 or the image forming apparatus 14. Office equipment is a generic term for the client terminal 11, the mobile terminal 12, the image forming apparatus 14, the projector 15, and other equipment 16. The device communication unit 72 executes communication with office devices and external service systems. The session management unit 73 manages a session with an office device or an external service system. The data processing unit 74 executes data processing based on a request from the service application 51.

  The management data storage unit 53 includes an organization management information storage unit 81, a user management information storage unit 82, a device management information storage unit 83, an authorization setting information storage unit 84, an external service information storage unit 85, an authorization token information storage unit 86, a data management An information storage unit 87 and a data storage 88 are included as an example.

  The organization management information storage unit 81 stores organization management information described later. The user management information storage unit 82 stores user management information described later. The device management information storage unit 83 stores device management information described later. The authorization setting information storage unit 84 stores later-described authorization setting information. The external service information storage unit 85 stores external service information described later. The authorization token information storage unit 86 stores later-described authorization token information. The data management information storage unit 87 stores data management information. The data storage 88 stores other data.

  The service providing system 50 includes, for example, a cloud platform having functions such as authentication and asynchronous conversion, a service group that provides services such as a print service using the cloud platform functions, and a management setting service that performs management settings for each service. Function.

  The cloud platform is configured by, for example, a platform 52, a management data storage unit 53, and a platform API 54. The service group is configured by, for example, a service application 51. The management setting service is configured by, for example, a management setting service application 63.

  The authentication function of the cloud platform of the service providing system 50 is configured by, for example, an authentication processing unit 71 and an authentication database. The authentication database includes an organization management information storage unit 81, a user management information storage unit 82, a device management information storage unit 83, an authorization setting information storage unit 84, an external service information storage unit 85, an authorization token information storage unit 86, and the like. .

  The asynchronous conversion function of the cloud platform of the service providing system 50 includes, for example, a data processing unit 74, a data management information storage unit 87, and a data storage 88.

  A service group such as the service application 51 provides services by using functions such as authentication and asynchronous conversion that the cloud platform of the service providing system 50 has. When the service group provides a service in cooperation with the function of the external service system, the service group acquires an authorization token for accessing the external service system via the authentication function of the cloud platform.

  The management settings performed by the management setting service application 63 include management settings for authorization processing. The management setting service application 63 includes a UI for performing an authorization procedure. The management setting service application 63 cooperates with the authentication processing unit 71 to register later-described authorization setting information.

  The external service system is a system other than the service providing system 50 and provides services such as a cloud service. In this embodiment, a service (function) provided by an external service system is called an external service. External services include online storage services provided as cloud services, scanned document storage and management services, and so on.

  The external service system has a function as an authorization server that issues an authorization token in response to a request from the authentication processing unit 71 of the service providing system 50. The external service system has a Web API. The Web API of the external service system receives a processing request using an authorization token and is used to provide a service to the service application 51 of the service providing system 50.

  The service providing system 50 of FIG. 3 has the function as an authorization client in the authentication processing unit 71, so that the organization management information, user management information, device management information, authorization setting information, external setting information shared by a plurality of service applications 51 are externally used. Service information and authorization token information can be managed in an integrated manner, improving security and reducing management costs.

  In addition, the service providing system 50 unifies the management process of authorization information such as authorization setting information, external service information, and authorization token, and the authorization process into the authentication processing unit 71, so that the service application can be performed by a single authorization procedure by the user. Regardless of 51, various mashup services that link a plurality of services can be provided.

  Note that the service providing system 50 in FIG. 3 stores information that needs to be permanently stored, such as organization management information, user management information, device management information, authorization setting information, and external service information, in the HDD 508, for example. Further, the service providing system 50 of FIG. 3 has an expiration date such as authorization token information, and has a shorter life cycle than other information such as organization management information, user management information, device management information, authorization setting information, and external service information. The information may be stored in the RAM 504 (on-memory) instead of the HDD 508, for example. By storing on-memory, the reading / writing of the authorization token information becomes faster and the response becomes faster.

<< Management setting service application 63 >>
The management setting service application 63 is realized by, for example, the processing block shown in FIG. FIG. 4 is a processing block diagram of an example of the management setting service application according to the present embodiment. The management setting service application 63 causes the computer system 500 to function as the screen processing unit 101 and the information registration request unit 102.

  The screen processing unit 101 performs processing related to a screen such as generation of a setting screen for an administrator who sets management setting information. The information registration request unit 102 requests the authentication processing unit 71 to register information input on a screen such as a setting screen generated by the screen processing unit 101.

<< Authentication processing unit 71 >>
The authentication processing unit 71 is realized by the processing block shown in FIG. 5, for example. FIG. 5 is a processing block diagram of an example of the authentication processing unit according to the present embodiment. The authentication processing unit 71 includes an authentication unit 111, an information registration unit 112, a redirect request unit 113, an authorization token acquisition unit 114, an authorization token storage unit 115, and an authorization token provision unit 116.

  The authentication unit 111 accepts an authentication request and issues an authentication ticket. The information registration unit 112 accepts an information registration request and registers information. The redirect request unit 113 requests the office device such as the client terminal 11 operated by the administrator to redirect to a predetermined screen. The authorization token acquisition unit 114 acquires the authorization token from the external service system using the authorization setting information stored in the authorization setting information storage unit 84 and the external service information stored in the external service information storage unit 85. The authentication token storage unit 115 stores the authorization token acquired from the external service system in the authorization token information storage unit 86.

  The authorization token providing unit 116 accepts a request for obtaining an authorization token and provides an authorization token that can be provided to the authorization token information storage unit 86, if any. If there is no authorization token that can be provided, the authorization token providing unit 116 requests the authorization token obtaining unit 114 to obtain an authorization token and provides the obtained authorization token.

<< Service application 51 >>
The service application 51 is realized by, for example, the processing block illustrated in FIG. FIG. 6 is a processing block diagram of an example of the service application according to the present embodiment. The service application 51 causes the computer system 500 to function as an authentication request unit 121, a screen processing unit 122, an authorization token acquisition request unit 123, and a processing request unit 124.

  The authentication request unit 121 requests the authentication processing unit 71 for authentication. The screen processing unit 122 performs processing related to the screen such as generation of a login screen. The authorization token acquisition request unit 123 requests the authentication processing unit 71 to acquire an authorization token that is necessary for using the Web API of the external service system. The processing request unit 124 uses the authorization token to request processing from the Web API of the external service system. The processing request unit 124 can request the data processing unit 74 to perform asynchronous processing such as asynchronous conversion.

<< Data Processing Unit 74 >>
The data processing unit 74 is realized by, for example, the processing block shown in FIG. FIG. 7 is a processing block diagram of an example of the data processing unit according to the present embodiment. The data processing unit 74 includes an asynchronous front (front) unit 131 and an asynchronous worker (worker) unit 132.

  The asynchronous front unit 131 accepts a request for asynchronous processing from the service application 51 as a job, and stores it in the data management information storage unit 87 as a job. The data management information storage unit 87 functions as a message queue.

  The asynchronous worker unit 132 sequentially acquires jobs from the data management information storage unit 87 and executes asynchronous processing. When using an external service system, the asynchronous worker unit 132 requests an authorization token of the external service system from the authentication processing unit 71 and acquires the authorization token.

<Management data>
FIG. 8 is a configuration diagram of an example of organization management information. The organization management information in FIG. 8 has id, organization ID, organization name, etc. as data items. id is information that uniquely identifies a record of organization management information. The organization ID is information that uniquely identifies an organization such as a company or a department. The organization ID is not limited to the language of organization, and may be information for identifying a contract, for example. The service providing system 50 manages various services to be provided in units of organization IDs. Accordingly, each service used by the organization is registered in association with the organization ID, and the user of the organization can use the service registered in association with the organization ID. Therefore, the organization ID has a role as service provision target management information for managing a service provision target for which the service provision system 50 provides a service. The organization name is the name of the organization.

  FIG. 9 is a configuration diagram of an example of user management information. The user management information in FIG. 9 has id, organization ID, user ID, password, user name, etc. as data items. id is information for uniquely identifying a record of user management information. The user ID and password are information for identifying the user in the authentication infrastructure of the service providing system 50. The user name is the name of the user. A password is not required.

  Further, as the user ID, an identification number of an electronic medium (for example, an IC card) possessed by the user may be used instead. The user ID and password associated with the organization ID are unique, but may be duplicated if the organization ID is different.

  FIG. 10 is a configuration diagram of an example of the device management information. The device management information in FIG. 10 has data items such as id, organization ID, device authentication information, business office information, and capabilities. id is information for uniquely identifying a record of device management information. The device authentication information is information for device authentication that determines that the office device has a specific condition. The device authentication information may be an ID indicating that a specific application is installed, a device number indicating a specific device, or the like. The office information represents, for example, an office where office equipment is installed. The capability represents, for example, the capability of office equipment.

  FIG. 11 is a configuration diagram of an example of the authorization setting information. The authorization setting information in FIG. 11 includes an authorization setting information ID, an external service ID (SP_ID), a scope, a client ID, a refresh token, an organization ID, a user ID, and the like as data items.

  The authorization setting information ID is information that uniquely identifies a record of authorization setting information. The external service ID is information that uniquely identifies the external service system. The scope is information for specifying the service range of the external service system. The client ID is information that identifies a service group of the service providing system 50. The client ID is issued in advance by the external service system. The refresh token is a token necessary for reissuing the authorization token.

  FIG. 12 is a configuration diagram of an example of external service information. The external service information in FIG. 12 includes data items such as an external service ID, a client ID, a client secret, a product name, an authorization server URL, and a redirect destination URL.

  The client secret is secret information as a password existence for guaranteeing the identity of the client ID. The product name is information specifying the service application 51 registered in advance in a form associated with the client ID. The authorization server URL is a URL (a URL of a function as an authorization server of the external service system) that is redirected before the administrator makes an authorization decision. The redirect destination URL is the URL to be redirected after authorization determination (the URL of the function as the authorization client of the authentication processing unit 71).

  FIG. 13 is a configuration diagram of an example of authorization token information. The authorization token information in FIG. 13 includes data items such as id, organization ID, user ID, external service ID, scope, authorization token, and expiration date. id is information that uniquely identifies a record of authorization token information. The authorization token is an access token acquired from the external service system. The expiration date is the expiration date of the authorization token.

<Details of processing>
Below, the detail of the process of the system 1 which concerns on this embodiment is demonstrated.

<< Registration of authorization setting information and storage of authorization token information >>
FIG. 14 is a sequence diagram illustrating an example of a processing procedure for registering authorization setting information and storing authorization token information. In step S1, the authentication processing unit 71 accepts a login request using account information such as an organization ID, a user ID, and a password from an office device such as the client terminal 11 operated by the administrator.

  When the authentication processing unit 71 receives a request for authentication using account information such as an organization ID, a user ID, and a password, the authentication processing unit 71 refers to the user management information stored in the user management information storage unit 82 and authenticates the account information. Do. If the account information is successfully authenticated, the authentication processing unit 71 generates an administrator authentication ticket (administrator ticket).

  In step S2, the authentication processing unit 71 returns an administrator ticket to the office device that is the login request source. Thereafter, the office device can use the function of the service providing system 50 by using the authentication ticket. Note that the authentication processing unit 71 manages the administrator ticket and account information in association with each other.

  In step S3, the management setting service application 63 receives a setting screen display request using an administrator ticket from an office device operated by the administrator. The management setting service application 63 identifies from the administrator ticket that the setting screen display request source is the administrator. In step S4, the management setting service application 63 displays a setting screen for the administrator on the office device operated by the administrator. On the setting screen for the administrator, authorization setting information that can be registered is displayed.

  In step S5, the administrator operates the office device and selects the user ID of the user to whom the authorization setting is to be applied, the external service ID of the external service to be used, and the scope from the setting screen for the administrator. In step S <b> 6, the management setting service application 63 requests the authentication processing unit 71 to register the authorization setting information selected by the administrator.

  In step S <b> 7, the authentication processing unit 71 assigns an authorization setting information ID to the authorization setting information for which a registration request has been made, and registers the authorization setting information in the authorization setting information storage unit 84. In steps S8 and S9, the authorization setting information ID is returned as a return to the office device operated by the administrator. The management setting service application 63 may acquire the authorization setting information ID by making an inquiry to the authentication processing unit 71 and provide it to the office device.

  In step S10, the administrator operates the office device and requests an authentication procedure from the authentication processing unit 71 using the administrator ticket, the user ID of the target user, and the authorization setting information ID.

  In step S11, the authentication processing unit 71 stores the authorization setting information stored in the authorization setting information storage unit 84 and the external service information storage unit 85 using the user ID and the authorization setting information ID included in the request for the authorization procedure as keys. Get at least some of the parameters required for authorization from the external service information.

  Parameters required for authorization include an external service ID, a scope, a client ID that uniquely identifies the service application 51, a redirect destination URL that is redirected after the administrator makes an authorization decision, and an arbitrary session key for maintaining the session and so on. In step S12, the authentication processing unit 71 acquires the authorization server URL from the external service information stored in the external service information storage unit 85, and redirects parameters necessary for authorization to the authorization server URL as a GET request query.

  An arbitrary session key for maintaining a session is necessary for the following reason. An authorization screen for authorization by the administrator is displayed by the external service system. Since the authentication processing unit 71 is redirected after the authorization judgment by the administrator, the session at the HTTP level is interrupted. The authentication processing unit 71 uses an arbitrary session key in order to execute a series of flows for acquiring an authorization code within the same session.

  Note that OAuth is a protocol that allows an arbitrary session key to be specified because of its mechanism. In the system 1 of the present embodiment, since the authorization setting information ID is passed when redirected by specifying the authorization setting information ID in the session key, the user authorized by the administrator and the contents of the authorization can be known. .

  The redirected external service system confirms the administrator ticket from the cookie information or the like in order to verify that the requesting administrator is a registered user. For example, when the administrator has already logged in to the external service system, the administrator ticket exists because the administrator ticket is cached in the browser. On the other hand, when the administrator has not logged in to the external service system, there is no administrator ticket. In this case, the external service system prompts login by displaying a login screen 1000 as shown in FIG. 15 on the office device operated by the administrator.

  FIG. 15 is an image diagram of an example of a login screen. The login screen 1000 in FIG. 15 includes a field 1001 for inputting an e-mail address as an example of a user ID of an external service, a password for the external service, and a login button 1002. The administrator operates the office device, inputs the column 1001 of the login screen 1000, and then presses the login button 1002.

  When the login button 1002 is pressed, the office device operated by the administrator requests the external service system to log in using the external service user ID and password in step S13. If the login is successful, in step S14, the external service system prompts an authorization decision by displaying an authorization screen 1010 as shown in FIG. 16 on the office device operated by the logged-in administrator. Note that the processing in step S13 is omitted when the administrator has logged in.

  The administrator confirms what is to be authorized from the product name and scope registered in advance as a part of the authorization setting information or external service information in a form associated with the client ID, and determines authorization. In the case of authorization, the administrator presses the authorization button 1011 on the authorization screen 1010.

  When the authorization button 1011 is pressed, the office device operated by the administrator notifies the external service system of authorization determination using the client ID, scope, redirect destination URL, user ID, and authorization setting information ID in step S15. . When the authorization decision is notified, the external service system redirects to the redirect destination URL in step S16 by attaching an authorization code indicating that authorization is authorized and an authorization setting information ID as an example of a session key to the query. Let

  In step S17, the office device operated by the administrator transmits the administrator ticket, the authorization code, and the authorization setting information ID to the redirect destination URL that is the redirect destination after the authorization determination. FIG. 14 shows an example in which the redirect destination URL is the authentication processing unit 71.

  In step S18, the authentication processing unit 71 uses the authorization setting information ID as a key, and from the authorization setting information stored in the authorization setting information storage unit 84 and the external service information stored in the external service information storage unit 85, the authorization token ( At least a part of the parameters necessary for acquiring the access token in FIG. 14 is acquired. For example, in step S18, the authentication processing unit 71 acquires a user ID, an external service ID, a client ID, and a client secret. The parameters necessary for obtaining the authorization token include, for example, a client ID, a client secret, an authorization code, and the like.

  In step S19, the authentication processing unit 71 acquires, as request information, a client ID, a client secret, and an authorization code given as a query in order to acquire an authorization token necessary for accessing the Web API of the external service system from the external service system. Send to external service system. In step S <b> 20, the external service system verifies the authorization code, issues an authorization token, a refresh token, and an expiration date to the authentication processing unit 71 and provides them to the authentication processing unit 71.

  The authorization token is a token necessary for accessing the WebAPI. Generally, an authorization token has an expiration date, and when the expiration date expires, the Web API cannot be accessed. The refresh token is a token necessary for reissuing the authorization token.

  In step S21, the authentication processing unit 71 associates the authorization token and the expiration date provided from the external service system with the user information (organization ID, user ID) and the external service ID in the authorization token information storage unit 86. Save as information. Further, the authentication processing unit 71 stores the refresh token in the authorization setting information stored in the authorization setting information storage unit 84 in a form associated with the user information and the external service ID. In step S22, the authentication processing unit 71 redirects the URL of the management setting service application 63 as a query with a user ID and a value indicating the authorization result.

  In step S23, the office device operated by the administrator sends a value representing the administrator ticket, company ID, user ID, and authorization result to the URL of the management setting service application 63, and requests display of the result screen. In step S24, the management setting service application 63 displays a result screen on the office device operated by the administrator.

<< Use of external services >>
FIG. 17 is a sequence diagram illustrating an example of a processing procedure using an external service. The sequence diagram of FIG. 17 illustrates a process in which the service application 51 acquires an authorization token and uses an external service.

  The service application 51 receives a login request using account information such as an organization ID, user ID, and password from an office device such as the client terminal 11 operated by the user. In step S31, the service application 51 requests authentication from the authentication processing unit 71 using the organization ID, user ID, and password included in the accepted login request.

  When the authentication processing unit 71 receives a request for authentication using account information such as an organization ID, a user ID, and a password, the authentication processing unit 71 refers to the user management information stored in the user management information storage unit 82 and authenticates the account information. Do. If the account information is successfully authenticated, the authentication processing unit 71 generates a user authentication ticket. In step S <b> 32, the authentication processing unit 71 returns an authentication ticket to the service application 51. The service application 51 returns an authentication ticket to the login requesting office device.

  Thereafter, the office device can use the function of the service providing system 50 by using the authentication ticket. Note that the authentication processing unit 71 manages the authentication ticket and user information in association with each other.

  In step S33, the service application 51 receives a request for cooperation with an external service from an office device operated by the user. In step S33, the service application 51 generates an external service cooperation request screen as shown in FIG. 18, for example, and displays the external service cooperation request screen on the office device operated by the user.

  FIG. 18 is an image diagram of an example of an external service cooperation request screen. The external service cooperation request screen 1030 in FIG. 18 shows a file upload cooperation screen as an example. The external service cooperation request screen 1030 includes a radio button 1031 that allows the user to select an external service to cooperate with, and an upload button 1032. The user operates the office device and selects an external service to be linked, and then presses the upload button 1032.

  The external service cooperation request screen 1030 in FIG. 18 represents an example in which the user selects an external service to cooperate. When the upload button 1032 is pressed, the service application 51 starts processing from step S34 onward in FIG. In step S14, the service application 51 requests the authentication processing unit 71 to acquire an authorization token using the external service ID of the external service selected from the external service cooperation request screen 1030 and the authentication ticket acquired in step S32.

  In step S35, the authentication processing unit 71 uses the authentication ticket included in the request for acquiring the authorization token to acquire user information associated with the authentication ticket. In step S36, the authentication processing unit 71 stores the authorization token information to acquire the authorization token associated with the user information associated with the authentication ticket and the external service ID of the external service selected by the user from the external service cooperation request screen 1030. Request to section 86.

  If the authorization token associated with the user information and the external service ID is stored in the authorization token information storage unit 86, the authentication processing unit 71 acquires the authorization token and the expiration date from the authorization token information storage unit 86 in step S37. .

  On the other hand, if the authorization token associated with the user information and the external service ID is not stored in the authorization token information storage unit 86, the authentication processing unit 71 does not have a corresponding authorization token from the authorization token information storage unit 86 in step S37. A false indicating that this is received.

  When the authentication processing unit 71 obtains an authentication token within the expiration date from the authorization token information storage unit 86, in step S43, the authentication processing unit 71 provides the authorization token to the service application 51 that has requested acquisition of the authorization token.

  On the other hand, if the authentication processing unit 71 cannot acquire an authentication token within the expiration date from the authorization token information storage unit 86, in step S38, the authentication processing unit 71 requests the authorization token acquisition unit 114 to acquire an authorization token.

  In step S <b> 39, the authorization token acquisition unit 114 acquires a refresh token associated with the user information and the external service ID from the authorization setting information storage unit 84. The authorization token acquisition unit 114 requests an authorization token from the external service system using the refresh token.

  In step S40, the authorization token acquisition unit 114 acquires an authorization token and an expiration date from the external service system. In step S41, the authorization token acquisition unit 114 provides the authentication processing unit 71 with the authorization token acquired from the external service system and the expiration date.

  In step S42, the authentication processing unit 71 stores the authorization token and the expiration date provided from the authorization token acquisition unit 114 in the authorization token information storage unit 86 in association with the user information and the external service ID. Thereafter, in step S43, the authentication processing unit 71 provides the authorization token to the service application 51 that has requested acquisition of the authorization token. In step S44 and subsequent steps, the service application 51 can request processing from the Web API of the external service system using the provided authorization token.

  Since the authorization token associated with the same user information and external service ID can be shared between different service applications 51, session information with the external service system can be reduced, and the load on the external service system is also reduced. be able to.

<< Cooperation between asynchronous processing and external service system >>
FIG. 19 is a sequence diagram illustrating an example of a processing procedure in which asynchronous processing and an external service system cooperate. The sequence diagram of FIG. 19 shows a process of uploading to an external service system after performing an OCR conversion process as an example of an asynchronous process performed by the asynchronous worker unit 132 of the data processing unit 74.

  As shown in FIG. 19, when the external service system is used after performing the OCR conversion process as an example of the asynchronous process, the asynchronous worker unit 132 depends on the exchange with the external service system. Normally, when the service application 51 acquires an external service authorization token from the authentication processing unit 71, an authentication ticket for the authentication processing unit 71 is required.

  However, in the case of asynchronous processing, when the asynchronous worker unit 132 uses the authentication ticket to request the authentication processing unit 71 to obtain an external service authorization token, the authentication ticket may have expired. Therefore, the service providing system 50 according to the present embodiment trusts the asynchronous worker unit 132 and eliminates the need for an authentication ticket when requesting acquisition of an authorization token for an external service.

  For example, by placing the authentication processing unit 71 and the asynchronous worker unit 132 on the same network, the asynchronous worker unit 132 is trusted. Whether or not the asynchronous worker unit 132 is arranged in the same network can be determined by, for example, an IP address. Further, in order to establish a trust relationship between the authentication processing unit 71 and the asynchronous worker unit 132, it is possible to introduce an authentication function such as basic authentication in addition to network control.

  For example, when the user requests a process for uploading to the external service system after the OCR conversion process, the service application 51 uploads to the external service system after the OCR conversion process using the user information, external service ID, and job information in step S51. A request is made to the asynchronous front unit 131 for processing.

  In step S52, the asynchronous front unit 131 registers, in the data management information storage unit 87, a process of uploading to the external service system after the OCR conversion process requested by the service application 51.

  The asynchronous worker unit 132 that performs asynchronous processing sequentially acquires and processes jobs registered in the data management information storage unit 87. In step S <b> 53, the asynchronous worker unit 132 acquires a job for processing to be uploaded to the external service system after the OCR conversion processing registered in the data management information storage unit 87.

  In step S55, the asynchronous worker unit 132 reads the data specified by the job information from the data storage 88, and performs OCR conversion processing. In step S56, the asynchronous worker unit 132 requests the authentication processing unit 71 to obtain an authorization token using the user information and the external service ID.

  In step S57, the authentication processing unit 71 requests the authorization token information storage unit 86 to obtain an authorization token associated with the user information and the external service ID. In step S58, the authentication processing unit 71 acquires an authorization token associated with the user information and the external service ID. In step S59, the authentication processing unit 71 provides the authorization token associated with the user information and the external service ID to the asynchronous worker unit 132.

  In step S60, the asynchronous worker unit 132 can upload the data after the OCR conversion processing to the external service system using the authorization token provided from the authentication processing unit 71.

<Summary>
The system 1 according to the present embodiment can solve the following four problems, for example.

  As a first problem, conventionally, since the external service system side displays the authorization screen 1010, each service application 51 having a UI often has a client function of OAuth authentication. Therefore, conventionally, it is necessary to perform authentication processing for OAuth authentication for each service application 51, and the service application 51 individually manages security data.

  For this reason, there has conventionally been a problem that security data is dispersed due to an increase in the number of service applications 51 that support OAuth authentication, and security is lowered. Further, conventionally, the service application 51 has to individually take security measures, and there has been a problem that the management cost increases.

  The system 1 according to the present embodiment can centrally manage security data by consolidating the OAuth authentication client functions in one place, thereby improving the security and reducing the management cost.

  As a second problem, conventionally, since the scope is different for each service application 51, an authorization process for OAuth authentication has to be performed for each service application 51, resulting in a problem that usability is lowered.

  The system 1 according to the present embodiment unifies the management process of authorization information such as authorization setting information, external service information, and authorization token, and the authorization process into the authentication processing unit 71, so that the service can be performed by a single authorization procedure by the administrator. Various mashup services can be used regardless of the type of application 51.

  As a third problem, conventionally, authorization processing cannot be performed from an office device (device) that cannot display an HTML UI in accordance with the OAuth authentication protocol, and a mashup service cannot be used from a device that does not have an HTML UI.

  The system 1 according to the present embodiment can be used from a device without an HTML UI by separating the authorization process and the process using the external service.

  As a fourth problem, conventionally, when a company administrator wants a company user to access a shared resource of a designated external service system, the user himself / herself has a designated external service system account and is authorized by the user himself / herself. I had to go through the procedure.

  In the system 1 according to the present embodiment, since the administrator can perform the user authorization procedure, it is possible to perform management that allows access only to the designated external service system. For example, the system 1 according to the present embodiment can allow the user to use an authorization token in accordance with the management policy.

  As described above, the system 1 according to the present embodiment can reduce the complexity of the system and reduce the management cost by aggregating the client functions of the OAuth authentication even in the multi-tenant type application. In addition, the system 1 according to the present embodiment can easily manage security data in a unified manner, and can improve security.

  Further, the system 1 according to the present embodiment can improve usability by reducing the number of authorization procedures by the user. In addition, the system 1 according to the present embodiment can easily use the mashup service even from a device without a UI. Furthermore, since the system 1 according to the present embodiment can perform the authorization process of the user by the administrator, it is possible to perform management that allows the user to access only predetermined resources.

  The present invention is not limited to the specifically disclosed embodiments, and various modifications and changes can be made without departing from the scope of the claims.

  The first service providing system described in the claims corresponds to the service providing system 50, and the second service providing system corresponds to the external service system. The service providing apparatus corresponds to the service providing system 50. Authority information after authorization corresponds to an authorization token. Information necessary for reissuing authorized authority information is equivalent to a refresh token.

  The connection destination changing unit corresponds to the redirect request unit 113, the authority information acquiring unit corresponds to the authorization token acquiring unit 114, the authority information providing unit corresponds to the authorization token providing unit 116, and the authority information storing unit is the authentication token storing unit. 115. The first storage means corresponds to the authorization setting information storage unit 84, the external service information storage unit 85, and the authorization token information storage unit 86.

  The authority information acquisition request unit corresponds to the authorization token acquisition request unit 123, and the processing request unit corresponds to the processing request unit 124. The cooperation process accepting unit corresponds to the asynchronous front unit 131, and the cooperation process execution unit corresponds to the asynchronous worker unit 132.

DESCRIPTION OF SYMBOLS 1 System 11 Client terminal 12 Portable terminal 14 Image forming apparatus 15 Projector 16 Other apparatus 21, 31 Access control apparatus 22 Print service providing apparatus 23 Scan service providing apparatus 24 Management setting service providing apparatus 25 Other service providing apparatus 32 External service providing apparatus 50 Service providing system 51 Service application 52 Platform 53 Management data storage unit 53
54 Platform API (Application Programming Interface)
61 Print Service Application 62 Scan Service Application 63 Management Setting Service Application 64 Other Service Application 71 Authentication Processing Unit 72 Device Communication Unit 73 Session Management Unit 74 Data Processing Unit 81 Organization Management Information Storage Unit 82 User Management Information Storage Unit 83 Device Management Information Storage unit 84 Authorization setting information storage unit 85 External service information storage unit 86 Authorization token information storage unit 87 Data management information storage unit 88 Data storage 101 Screen processing unit 102 Information registration request unit 111 Authentication unit 112 Information registration unit 113 Redirect request unit 114 Authorization token acquisition unit 115 Authorization token storage unit 116 Authorization token provision unit 121 Authentication request unit 122 Screen processing unit 123 Authorization token acquisition request unit 124 Processing request unit 131 Asynchronous front (front) unit 1 32 Asynchronous worker unit 500 Computer system 501 Input device 502 Display device 503 External I / F
503a Recording medium 504 RAM
505 ROM
506 CPU
507 Communication I / F
508 HDD
B bus FW firewall N1-N4 network

International Publication No. 2009/084601

Claims (10)

A cloud service providing system including one or more information processing apparatus mounting the application providing cloud services, in the cloud service providing system authentication infrastructure with the cloud service providing system connected to the different external service,
From a first device a first user operates the second user accepting an authorization request for using the external service, connection Ru is changing the connection destination of the first device to the external service A destination change means,
Wherein from said first equipment connection destination is changed to the external service by the connection destination changing means receives the authorization information indicating that the approval of the second user is observed in the external service Then, the authorization information the send to the external service, and authority information obtaining means for obtaining the authority information after authorization to use the external service from the external service,
Upon receiving the request transmitted from the second second of the application based on the fact that the request for processing using the external service from the device received the application operated by the user, the second user Authority information providing means for providing the authorized authority information to be associated with the application ;
A cloud service providing system.   A cloud service providing system including one or more information processing devices, wherein the cloud service providing system connects to an external service having a different authentication platform from the cloud service providing system.
  When the second user receives an authorization request for using the external service from the first device operated by the first user, the connection destination is changed to change the connection destination of the first device to the external service. Means,
  When receiving the authorization information indicating that the authorization of the second user in the external service has been approved from the first device whose connection destination has been changed to the external service by the connection destination changing means, the authorization information Authority information acquiring means for acquiring authority information after authorization to use the external service from the external service,
  The application receives a request for processing using the external service from a second device operated by the second user, which is a request transmitted from a server device on which the application using the external service is installed. When receiving a request transmitted based on the above, authority information providing means for providing to the application by transmitting the authorized authority information associated with the second user to the server device,
A cloud service providing system. Authority information storage that saves the authorization information acquired from the external service by the authority information acquisition means in association with the user information of the second user and the identification information of the external service in the first storage means cloud service providing system according to claim 1 or 2, wherein further comprising means. The authority information obtaining unit, using the authorization information, authority information after the authorization, the expiration date of the authority information after the authorization information necessary to re-issue the authority information after the authorization, the external Obtained from the service ,
The authority information storage means includes the authorization information after authorization, an expiration date of the authorization information after authorization, information necessary for reissuing the authorization information after authorization, user information of the second user, and The cloud service providing system according to claim 3 , wherein the cloud service providing system is stored in the first storage unit in association with identification information of the external service . The authority information providing means is configured to store the first authorization information that has expired and is associated with the user information of the second user and the identification information of the external service in the first storage means. Using the information necessary for reissuing the authorized information stored in the storage means to cause the authorized information obtaining means to obtain the authorized information from the external service. The cloud service providing system according to claim 4 . Acquisition of authority information that receives a request for processing using the external service from a device operated by the second user and requests the authority information providing means to acquire authority information after authorization associated with the second user Request means;
The cloud service providing system according to any one of claims 3 to 5 , further comprising a processing request unit that requests processing from the external service using the authorized authority information associated with the acquired second user. A cooperative process accepting means for accepting a request for a cooperative process for linking the asynchronous process and the external service from the process requesting means, and registering information of the cooperative process in a second storage means;
Obtaining the information on the cooperation process from the second storage means, obtaining the authorized authority information associated with the second user from the first storage means after performing the asynchronous process, and obtaining The cloud service providing system according to claim 6 , further comprising cooperation processing execution means for requesting the external service to perform processing using the authorized authority information. The first storage means further stores information for specifying the authority range of the authorization information after authorization in association with the user information of the second user and the identification information of the external service. The cloud service providing system according to any one of claims 3 to 5 .   A cloud service providing system including one or more information processing apparatuses equipped with an application for providing a cloud service, the cloud service providing system connecting to an external service having a different authentication platform from the cloud service providing system A method,
  When the second user receives an authorization request for using the external service from the first device operated by the first user, the connection destination is changed to change the connection destination of the first device to the external service. Steps,
  When receiving authorization information indicating that authorization of the second user in the external service has been approved from the first device whose connection destination has been changed to the external service in the connection destination changing step, the authorization information Authority information acquisition step of acquiring authority information after authorization for using the external service from the external service,
  When receiving a request transmitted from the application based on the application receiving a request for processing using the external service from a second device operated by the second user, An authorization information providing step of providing authorization information to the application after the authorization is attached;
A cloud service providing method.   In a cloud service providing system including one or more information processing devices, the cloud service providing system connected to an external service having a different authentication platform from the cloud service providing system,
  When the second user receives an authorization request for using the external service from the first device operated by the first user, the connection destination is changed to change the connection destination of the first device to the external service. Steps,
  When receiving authorization information indicating that authorization of the second user in the external service has been approved from the first device whose connection destination has been changed to the external service in the connection destination changing step, the authorization information Authority information acquisition step of acquiring authority information after authorization for using the external service from the external service,
  The application receives a request for processing using the external service from a second device operated by the second user, which is a request transmitted from a server device on which the application using the external service is installed. When receiving a request to be transmitted based on the above, authority information providing step for providing the application with the authorization information associated with the second user by transmitting to the server device,
A cloud service providing method.

Images