Session management for internet of things devices

US 10,044,705 B2
Filed: 01/20/2016
Issued: 08/07/2018
Est. Priority Date: 01/20/2016
Status: Active Grant

First Claim

Patent Images

1. A method performed by a computing system, comprising:

receiving, from a client computing device, a first request for provisioning a token that enables a specified computing device to communicate with an application executing at a server computing device;

generating the token for the specified computing device, wherein the token is associated with a set of functions that the specified computing device is allowed to execute;

sending the token to the client computing device;

causing the client computing device to send the token to the specified computing device;

receiving, at the server computing device and from the specified computing device, a request for performing a specified function;

determining whether the server computing device has a session data object associated with the specified computing device, the session data object having the token and an installation ID of the specified computing device and generated at the server computing device in response to generating the token;

permitting the specified computing device to perform the specified function in an event the session data object is available at the server computing device;

receiving, at the computing system, a revoke request from the client computing device to revoke access for a specified type of computing devices provisioned by the client computing device;

identifying session objects having tokens generated for the computing devices of the specified type; and

deleting the session objects to revoke the access for the specified type of computing devices.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The disclosure is directed to security management in communications involving computing devices, e.g. Internet of Things (IoT) devices. An IoT device can perform various activities, e.g., social networking activities, for or on behalf of a user. An IoT device is typically insecure, especially when accessing user data. To control the type of activities that can be performed by various types of devices, a server device (“server”) can issue different types of tokens to different IoT devices. Which token an IoT device has determines the types of activities the IoT device can perform. For example, the server can issue a restricted token, which restricts the type of activities an IoT device can perform, and an unrestricted token to a more secure device, e.g., a smartphone, that can perform a broader range of activities. For example, the restrictive token may not permit the IoT device to change the password of a user.

22 Citations

View as Search Results

18 Claims

1. A method performed by a computing system, comprising:
- receiving, from a client computing device, a first request for provisioning a token that enables a specified computing device to communicate with an application executing at a server computing device;
  
  generating the token for the specified computing device, wherein the token is associated with a set of functions that the specified computing device is allowed to execute;
  
  sending the token to the client computing device;
  
  causing the client computing device to send the token to the specified computing device;
  
  receiving, at the server computing device and from the specified computing device, a request for performing a specified function;
  
  determining whether the server computing device has a session data object associated with the specified computing device, the session data object having the token and an installation ID of the specified computing device and generated at the server computing device in response to generating the token;
  
  permitting the specified computing device to perform the specified function in an event the session data object is available at the server computing device;
  
  receiving, at the computing system, a revoke request from the client computing device to revoke access for a specified type of computing devices provisioned by the client computing device;
  
  identifying session objects having tokens generated for the computing devices of the specified type; and
  
  deleting the session objects to revoke the access for the specified type of computing devices.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1 further comprising:
    - receiving, at the server computing device and from the specified computing device, a second request for performing a function;
      
      extracting, by the server computing device, the token from the second request;
      
      determining, at the server computing device, whether the token is associated with the function; and
      
      responsive to a determination that the token is associated with the function, permitting the specified computing device to execute the function.
  - 3. The method of claim 1, wherein the specified computing device includes an Internet of Things (IoT) device.
  - 4. The method of claim 1, wherein generating the token includes generating an unrestricted token that allows the specified computing device to execute any of a plurality of functions of the application.
  - 5. The method of claim 1, wherein generating the token includes generating a restricted token that restricts the specified computing device to a subset of a plurality of functions of the application.
  - 6. The method of claim 5 further comprising:
    - generating different restricted tokens for different specified computing devices, wherein at least some of the different restricted tokens are associated with different subsets of the plurality of the functions.
  - 7. The method of claim 1, wherein generating the token includes:
    - determining a type of the specified computing device, andassociating the token with the set of functions of the application that is defined for the type of the specified computing device.
  - 8. The method of claim 7, wherein determining the type of the specified computing device includes determining the type based on device identification information of the specified computing device provided by the client computing device.
  - 9. The method of claim 1, wherein generating the token includes:
    - determining if the client computing device is trusted by the server computing device, andresponsive to a determination that the client computing device is trusted by the server computing device, generating the token for provisioning by the client computing device.
  - 10. The method of claim 9, wherein determining if the client computing device is trusted includes confirming that the client computing device is authenticated by the server computing device.
  - 11. The method of claim 9, wherein determining if the client computing device is trusted includes confirming that the client computing device has an unrestricted token that allows the client computing device to execute all of a plurality of functions of the application.
  - 12. The method of claim 1 further comprising:
    - generating, at the computing system, a session data object, the session data object including the token, an installation identifier (ID) identifying the specified computing device for which the session data object is generated, and a user ID of a user associated with the client computing device.

13. A non-transitory computer-readable storage medium storing computer-readable instructions, comprising:
- instructions for receiving, at a server computing device and from a specified computing device, a first request for performing a function associated with an application executing at the server computing device, wherein the specified computing device is provisioned to work with the application by a client computing device;
  
  instructions for extracting, by the server computing device, a token from the first request, wherein the token identifies a set of functions the specified computing device is permitted to execute, and wherein the token is provisioned to the specified computing device via the client computing device during a registration process of the specified computing device;
  
  instructions for determining, at the server computing device, whether the token is associated with the function; and
  
  instructions for permitting the specified computing device to execute the function responsive to a determination that the token is associated with the function, wherein permitting the specified computing device to execute the function includes;
  
  determining whether the server computing device has a session data object associated with the specified computing device, the session data object having the token and an installation ID of the specified computing device,performing the function in an event the session data object is available at the server computing device, andnotifying the specified computing device regarding a failure of the first request; and
  
  instructions for revoking access for a specified type of computing devices provisioned by the client computing device, wherein revoking access for the specified type of computing devices includes;
  
  receiving a revoke request from the client computing device to revoke access for the specified type of computing devices provisioned by the client computing device;
  
  identifying session objects having tokens generated for the computing devices of the specified type; and
  
  deleting the session objects to revoke the access for the specified type of computing devices.
- View Dependent Claims (14, 15, 16, 17)
- - 14. The non-transitory computer-readable storage medium of claim 13 further comprising:
    - notifying the specified computing device that a session between the server computing device and the server computing device is disconnected; and
      
      causing the specified computing device to request the client computing device to provision the specified computing device with a specified token that enables the specified computing device to communicate with server computing device to execute one or more functions of the application.
  - 15. The non-transitory computer-readable storage medium of claim 13, wherein the instructions for receiving the first request include:
    - instructions for receiving the first request at the server computing device via a first computing device that acts as a proxy to the specified computing device, andinstructions for generating the token and a session data object for the first computing device, the session data object including the token and an installation ID associated with the first computing device.
  - 16. The non-transitory computer-readable storage medium of claim 13 further comprising:
    - instructions for receiving a second request from the client computing device to retrieve a list of computing devices at which a user associated with the client computing device is logged in;
      
      instructions for retrieving session data objects associated with the user, the session data objects created for the computing devices for which the client computing device has provisioned tokens from the server computing device, the session data objects including installation IDs of the computing devices for which the tokens are provisioned; and
      
      instructions for sending the installation IDs to the client computing device.
  - 17. The non-transitory computer-readable storage medium of claim 13 further comprising:
    - instructions for sending data associated with the client computing device to the specified computing device; and
      
      instructions for causing the specified computing device to execute a specified function for the client computing device based on the data.

18. A system, comprising:
- a processor;
  
  a first component including instructions which, when executed by the processor, cause the system to receive, from a client computing device, a first request for provisioning a specified computing device with a token that enables the specified computing device to communicate with an application executing at a server computing device;
  
  a second component including instructions which, when executed by the processor, cause the system to generate the token, wherein the token is associated with a set of functions that the specified computing device is allowed to execute, wherein the first component further includes instructions which, when executed by the processor, cause the system to;
  
  send the token to the client computing device,cause the client computing device to send the token to the specified computing device, andreceive, from the specified computing device, a request for performing a specified function;
  
  a third component including instructions which, when executed by the processor, cause the system to determine whether the system has a session data object associated with the specified computing device, the session data object having the token and an installation ID of the specified computing device and generated at the server computing device in response to generating the token; and
  
  a fourth component including instructions which, when executed by the processor, cause the system to permit the specified computing device to perform the specified function in an event the session data object is available at the server computing device, wherein;
  
  the first component further includes instructions which, when executed by the processor, cause the system to receive a revoke request from the client computing device to revoke access for a specified type of computing devices provisioned by the client computing device; and
  
  the third component further includes instructions which, when executed by the processor, cause the system to;
  
  identify session objects having tokens generated for the computing devices of the specified type; and
  
  delete the session objects to revoke the access for the specified type of computing devices.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Meta Platforms, Inc. (f/k/a Facebook, Inc.)
Original Assignee
Meta Platforms, Inc. (f/k/a Facebook, Inc.)
Inventors
Wang, Xinlei, Penov, Francislav P.
Primary Examiner(s)
Gracia, Gary S

Application Number

US15/001,611
Publication Number

US 20170208057A1
Time in Patent Office

930 Days
Field of Search

726 1, 709229, 713172, 713175, 713151, 713155, 713173, 713174, 713182, 713183, 380229
US Class Current
CPC Class Codes

G06F 21/335   for accessing specific reso...

G06F 21/44   Program or device authentic...

G06F 2221/2137   Time limited access, e.g. t...

H04L 63/083   using passwords cryptograph...

H04L 63/105   Multiple levels of security

H04W 12/04   Key management, e.g. using ...

H04W 12/08   Access security

H04W 12/35   Protecting application or s...

H04W 12/37   Managing security policies ...

H04W 4/70   Services for machine-to-mac...

Session management for internet of things devices

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

22 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Session management for internet of things devices

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

22 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links