Cross-application authentication on a content management system

US 10,025,913 B2
Filed: 12/30/2015
Issued: 07/17/2018
Est. Priority Date: 02/27/2015
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

establishing a communication channel through a content management system, between a client application at a client device and a website associated with the content management system, wherein establishing the communication channel comprises;

receiving, by the client application, from a browser application at the client device, a first message comprising a first nonce; and

sending, from the client application to the content management system, a second message comprising the first nonce, wherein the first nonce associates the client application with the browser application to yield an association, wherein the association enables the content management system to relay one or more communications between the client application and the website;

receiving, by the client application from the content management system via the communication channel, a request by the website for the client application to authenticate with the content management system under a user account used by the browser application at the client device to authenticate a current session between the browser application at the client device and the website with the content management system; and

sending, from the client application to the browser application, a command comprising a uniform resource locator (URL) and the first nonce, the command instructing the browser application to use the URL and the first nonce to authenticate the client application with the content management system under the user account used by the browser application to authenticate the current session between the browser application and the website and verify the association of client application and browser application to the content management system.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems, methods, and computer-readable media for cross-application authentication on a content management system. A client application running at a client device that is not authenticated with a content management system can receive, from a web site associated with the content management system, a request to authenticate with the content management system under a user account used to authenticate a current session between a browser application at the client device and the website with the content management system. The client application can then obtain a uniform resource locator (URL) with a nonce associated with the client application, and send a command to the browser application including the URL and nonce. The command can trigger the browser application to use the URL and nonce to authenticate the client application with the content management system under the user account with which the current session between the browser application and the website is currently authenticated.

20 Citations

View as Search Results

20 Claims

1. A method comprising:
- establishing a communication channel through a content management system, between a client application at a client device and a website associated with the content management system, wherein establishing the communication channel comprises;
  
  receiving, by the client application, from a browser application at the client device, a first message comprising a first nonce; and
  
  sending, from the client application to the content management system, a second message comprising the first nonce, wherein the first nonce associates the client application with the browser application to yield an association, wherein the association enables the content management system to relay one or more communications between the client application and the website;
  
  receiving, by the client application from the content management system via the communication channel, a request by the website for the client application to authenticate with the content management system under a user account used by the browser application at the client device to authenticate a current session between the browser application at the client device and the website with the content management system; and
  
  sending, from the client application to the browser application, a command comprising a uniform resource locator (URL) and the first nonce, the command instructing the browser application to use the URL and the first nonce to authenticate the client application with the content management system under the user account used by the browser application to authenticate the current session between the browser application and the website and verify the association of client application and browser application to the content management system.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, further comprising:
    - sending, by the client application, the first nonce to the content management system; and
      
      after sending the first nonce to the content management system, obtaining the URL from the content management system.
  - 3. The method of claim 1, wherein the command instructs the browser application to authenticate the client application with the content management system by:
    - opening a browser page and navigating to the URL with the browser page;
      
      providing the first nonce to the content management system via the browser page; and
      
      triggering a script configured to instruct the content management system to authenticate the client application based on the first nonce and validate a client session associated with the client application under the user account based on credentials used to authenticate the current session between the browser application and the website.
  - 4. The method of claim 1, wherein the command comprises an operating system (OS) command.
  - 5. The method of claim 1, wherein the first nonce is associated with a client identifier at the content management system, the client identifier being associated with the client application.
  - 6. The method of claim 1, wherein the request by the website for the client application to authenticate with the content management system comprises the first nonce.
  - 7. The method of claim 1, wherein the client application receives the request to authenticate in response to a determination that the client application is not authenticated and the current session between the browser application and the website is authenticated.
  - 8. The method of claim 1, further comprising receiving, by the client application from the content management system, a notification that the content management system has authenticated the client application.

9. A system comprising:
- one or more processors; and
  
  at least one computer-readable medium storing computer-readable instructions that when executed cause the one or more processors to;
  
  run a client application associated with a content management system in unauthenticated mode;
  
  establish a communication channel through the content management system between the client application and a website associated with the content management system, wherein establishing the communication channel comprises;
  
  receiving, by the client application, from a browser application on the system, a first message comprising a unique identifier associated with the browser application; and
  
  sending, from the client application to the content management system, a second message comprising the unique identifier, wherein the unique identifier associates the client application with the browser application to yield an association, wherein the association enables the content management system to relay one or more communications between the client application and the website;
  
  receive, via the communication channel, a request by the website for the client application to authenticate with the content management system under a user account used to authenticate a session between the browser application running at the system and the website with the content management system;
  
  obtain, by the client application, a uniform resource locator (URL) including a nonce comprising the unique identifier associated with the browser application; and
  
  send, from the client application to the browser application, a command comprising the URL and nonce, the command triggering the browser application to use the URL and nonce to authenticate the client application with the content management system under the user account.
- View Dependent Claims (10, 11, 12, 13)
- - 10. The system of claim 9, wherein the command triggers the browser application to authenticate the client application with the content management system by:
    - opening a browser page and navigating to the URL with the browser page;
      
      providing the nonce to the content management system via the browser page; and
      
      triggering a script configured to instruct the content management system to authenticate the client application based on the nonce and validate a client session associated with the client application under the user account based on credentials used to authenticate the current session between the browser application and the website.
  - 11. The system of claim 9, the at least one computer-readable medium storing computer-readable instructions that when executed cause the one or more processors to receive the URL from the content management system in response to sending the unique identifier to the content management system.
  - 12. The system of claim 9, wherein the nonce is associated with a client identifier at the content management system, the client identifier being associated with the client application.
  - 13. The system of claim 9, wherein the command comprises an operating system (OS) command.

14. A content management system comprising:
- one or more processors; and
  
  at least one computer-readable medium storing computer-readable instructions that when executed cause the content management system to;
  
  determine that a client application running at a client device is not authenticated with the content management system, to yield a first determination;
  
  determine that a session between a browser application at the client device and a website associated with the content management system is authenticated with the content management system, to yield a second determination;
  
  based on the first determination and the second determination, obtain, from the website, a first message for the client application at the client device, the first message requesting the client application to authenticate with the content management system under a user account used to authenticate the session between the browser application at the client device and the website with the content management system;
  
  relay at least part of the first message from the website to the client application;
  
  send, to the client application, a nonce associated with the client application;
  
  receive, from the website, a second message comprising the nonce and a request to authenticate the client application under the user account used to authenticate the session between the browser application and the website; and
  
  in response to the second message, authenticate the client application under the user account.
- View Dependent Claims (15, 16, 17, 18, 19, 20)
- - 15. The content management system of claim 14, wherein the nonce is generated by the content management system to identify the client application.
  - 16. The content management system of claim 15, the computer-readable medium storing additional computer-readable instructions that when executed cause the content management system to:
    - associate the nonce with an identifier of at least one of the client device and the client application.
  - 17. The content management system of claim 14, wherein the nonce is sent to the client application with a uniform resource locator (URL) associated with a web page comprising a script configured to trigger the website to send the second message to the content management system.
  - 18. The content management system of claim 14, wherein the content management system receives the first message from the website and relays at least part of the first message to the client application by:
    - receiving, from the client application, a unique identifier that associates the client application with the browser application to yield an association;
      
      receiving, from the website, the first message along with a second unique identifier;
      
      determining that the first unique identifier and the second unique identifier match;
      
      based on the match, determining that the client application is to receive at least part of the first message from the website; and
      
      sending at least part of the first message to the client application.
  - 19. The content management system of claim 14, the computer-readable medium storing additional computer-readable instructions that when executed cause the content management system to:
    - receive, from the website, a username request directed to the client application, the username request comprising the nonce;
      
      send, to the client application, the username request from the website;
      
      receive, from the client application, a username associated with the user account used to authenticate the browser application and the nonce associated with the client application; and
      
      in response to receiving the username and nonce, sending the username to the website.
  - 20. The content management system of claim 14, wherein the content management system authenticates the client application by:
    - associating, based on the nonce, the client application with at least one of the browser application and the session between the browser application and the website, to yield an association; and
      
      based on the association, authenticating the client application based on credentials used to authenticate the session between the browser application and the website.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Dropbox, Inc.
Original Assignee
Dropbox, Inc.
Inventors
Tian, Sang, Kaplan, Joshua, Akhawe, Devdatta
Primary Examiner(s)
Getachew, Abiy

Application Number

US14/985,072
Publication Number

US 20160253481A1
Time in Patent Office

930 Days
Field of Search
US Class Current
CPC Class Codes

G06F 16/00   Information retrieval; Data...

G06F 16/955   using information identifie...

G06F 21/00   Security arrangements for p...

G06F 21/10   Protecting distributed prog...

G06F 2221/2101   Auditing as a secondary aspect

H04L 2101/30   Types of network names

H04L 63/0236   Filtering by address, proto...

H04L 63/08   for authentication of entit...

H04L 63/1483   service impersonation, e.g....

H04L 63/168   above the transport layer

H04L 67/02   based on web technology, e....

H04L 67/14   Session management for real...

Cross-application authentication on a content management system

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

20 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Cross-application authentication on a content management system

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

20 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links