Device authorization systems

Abstract

A method of distributed authorization of one or more client applications to one or more connected devices. The method comprises: receiving at a connected device, from a browser executing a client application, a client token and an access request. The client token has been provided to the client application by a process comprising generating one or more client tokens, one for each of one or more client applications (a client token defines permissions for a client application and a domain hosting the client application); signing the client tokens with a private key of a client token issuer, and distributing the client tokens to the client applications; verifying a signature of the client token using a public key of the client token issuer; determining whether the client token grants the client application permission for the access request and, if permission is granted: replying to the browser with a redirect response including an access token granting permission for the client application to access the connected device and identification of the domain hosting the client application from the client token; and executing the redirect response with the browser to make the access token available to the client application for use by the client application when requesting the connected device to perform a task.