| CPC H04L 9/3213 (2013.01) [H04L 9/0861 (2013.01); H04L 9/3247 (2013.01)] | 19 Claims |

1. A method comprising:
determining, by a token exchange system of an integrated identity management system of a cloud service, that an entity is authorized to access a first identity system,
wherein the entity is an application,
wherein the first identity system is in a first domain;
generating, by the token exchange system, a first request for the entity to access a second identity system,
wherein the first request includes a bearer token and a first public key associated with the entity;
verifying, by the token exchange system, that the bearer token is a valid bearer token;
verifying, by the token exchange system, whether a role of the entity is a role that is authorized to access the second identity system;
generating, by the token exchange system, a second token based on the bearer token and the first public key received in the first request;
sending, by the token exchange system to the entity, the second token that is generated based on the bearer token and the first public key received in the first request;
generating, by the token exchange system, a second request for the entity to access the second identity system, wherein the second request comprises the second token; and
verifying, by the token exchange system, the second token and authorizing the entity to access an application programming interface (API) of the second identity system based upon successfully verifying the second token, wherein authorizing the entity to access the API of the second identity system comprises granting entity privileges of a service principal or a resource principal,
wherein the second token is a Proof-of-Possession (POP) token associated with the second identity system, and the second token includes the first public key of the entity,
wherein the second identity system is in a second domain different from the first domain.
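The exchange that claim 1 describes, carried through end to end as an added example; this is not the patent's or any vendor's code, and everything below the claim language is an assumption of the example. Tokens are JSON claim sets authenticated with HMAC-SHA256 under the token exchange system's own secret; the entity's key pair is a hash-based Lamport one-time signature so that the whole thing runs on the standard library (it stands in for the RSA or ECDSA pair an application would really hold and is the reason a token id is remembered after use). The first request carries the bearer token and the public key, the system checks the bearer token and the role, and the PoP token it returns embeds that public key under a `cnf` claim; the second request is then accepted only if the token verifies and the proof signed with the matching private key covers both the request and the token. Names such as `domain-A`, `domain-B`, `app-42`, `storage-reader` and the privilege strings are constructed sample data.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time


def _b64(raw): return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
def _unb64(text): return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))
def _sha256(raw): return hashlib.sha256(raw).digest()


# Entity key pair: Lamport one-time signature (stand-in for RSA/ECDSA so the example
# runs offline; the token-exchange logic does not depend on the scheme).
def keygen():
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    return sk, [(_sha256(a), _sha256(b)) for a, b in sk]

def _bits(msg):
    digest = _sha256(msg)
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def sign(sk, msg):
    return [sk[i][bit] for i, bit in enumerate(_bits(msg))]

def verify(pk, msg, sig):
    return len(sig) == 256 and all(hmac.compare_digest(_sha256(s), pk[i][bit])
                                   for i, (s, bit) in enumerate(zip(sig, _bits(msg))))

def pk_encode(pk): return [[_b64(a), _b64(b)] for a, b in pk]   # JSON form for the token
def pk_decode(enc): return [(_unb64(a), _unb64(b)) for a, b in enc]


class TokenExchangeSystem:
    """Token exchange component of the integrated identity management system (assumed shape)."""

    def __init__(self, secret, roles, policy):
        self.secret = secret    # MAC key for the system's own tokens
        self.roles = roles      # entity -> role, as known to the first identity system
        self.policy = policy    # second domain -> {role allowed in: privileges granted}
        self.redeemed = set()   # PoP token ids already spent on a second request

    def _mint(self, claims):
        body = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
        return _b64(body) + "." + _b64(hmac.new(self.secret, body, "sha256").digest())

    def _check(self, token, typ, audience):
        try:
            body_b64, tag_b64 = token.split(".")
            body, tag = _unb64(body_b64), _unb64(tag_b64)
        except ValueError:
            return None
        if not hmac.compare_digest(hmac.new(self.secret, body, "sha256").digest(), tag):
            return None
        claims = json.loads(body)
        if claims.get("typ") != typ or claims.get("aud") != audience:
            return None
        if claims.get("exp", 0) < time.time():
            return None
        return claims

    def issue_bearer(self, entity, first_domain, ttl=300):
        """The entity has been determined to be authorised for the first identity system."""
        return self._mint({"typ": "bearer", "sub": entity, "aud": first_domain,
                           "role": self.roles[entity], "exp": time.time() + ttl})

    def exchange(self, bearer, public_key, first_domain, second_domain, ttl=300):
        """First request: bearer token + public key -> PoP token for the second domain, or None."""
        claims = self._check(bearer, "bearer", first_domain)
        if claims is None:                                            # bearer token not valid
            return None
        if claims["role"] not in self.policy.get(second_domain, {}):  # role not authorised
            return None
        return self._mint({"typ": "pop", "sub": claims["sub"], "aud": second_domain,
                           "role": claims["role"], "cnf": {"pk": public_key},
                           "jti": secrets.token_hex(8), "exp": time.time() + ttl})

    def authorize_api_call(self, pop_token, request, proof, second_domain):
        """Second request: verify the PoP token, then the proof made with the embedded key."""
        claims = self._check(pop_token, "pop", second_domain)
        if claims is None or claims["jti"] in self.redeemed:
            return None
        # The proof covers request and token, so a captured pair cannot be spent elsewhere.
        if not verify(pk_decode(claims["cnf"]["pk"]), request + b"\n" + pop_token.encode(), proof):
            return None
        self.redeemed.add(claims["jti"])   # one-time key: never accept the same proof twice
        return {"principal": "service-principal:" + claims["sub"],
                "privileges": self.policy[second_domain][claims["role"]]}


def demo():
    """Constructed walk-through: app-42 in domain-A reaches an API of domain-B."""
    tes = TokenExchangeSystem(secrets.token_bytes(32), {"app-42": "storage-reader"},
                              {"domain-B": {"storage-reader": ["objects:list", "objects:get"]}})
    sk, pk = keygen()
    bearer = tes.issue_bearer("app-42", "domain-A")
    pop = tes.exchange(bearer, pk_encode(pk), "domain-A", "domain-B")
    request = b"GET /v1/objects"
    signed = request + b"\n" + pop.encode()
    forged = tes.authorize_api_call(pop, request, sign(keygen()[0], signed), "domain-B")  # wrong key
    granted = tes.authorize_api_call(pop, request, sign(sk, signed), "domain-B")
    replayed = tes.authorize_api_call(pop, request, sign(sk, signed), "domain-B")        # same jti
    return granted, forged, replayed
```

Two things the claim leaves open are settled here one way and are worth checking in any real implementation: what the proof signs (here the request plus the token, which is what stops a stolen token-and-proof pair from being reused against another API) and how the system ties the `cnf` key back to the entity that presented the bearer token (here simply by issuing the PoP token only to a verified bearer; a production system would use the RFC 7800 `cnf`/JWK form and an asymmetric scheme whose keys are not one-time).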