Authorization token cache system and method

US 10,097,551 B2
Filed: 03/23/2016
Issued: 10/09/2018
Est. Priority Date: 05/30/2014
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving, by a token client from a user, credentials information for a token service;

storing, by the token client in a token cache, credentials information and token metadata;

wherein the token metadata stored by the token client in the token cache indicates how to requestan access token from the token service and how to retrieve an accesstoken from access token responses received from the token service;

receiving, by the token client from an application executing on one or more computing devices, a request to initialize a new session;

generating, by the token client, a session identifier that maps to a cache key for retrieving the token metadata and the credentials information from the token cache;

returning, by the token client to the application executing on one or more computing devices, the session identifier;

receiving, by the token client from the application executing on one or more computing devices, a request to access a protected resource from a resource server, wherein the request includes the session identifier;

responsive to receiving the request, mapping, by the token client, the session identifier to the cache key for retrieving the token metadata and the credentials information from the token cache;

retrieving, by the token client using the cache key, the token metadata and credentials information from the token cache, wherein the credentials information are not provided by the token client to the application executing on one or more computing devices;

responsive to retrieving the token metadata and credentials information from the token cache, generating, by the token client based at least in part on the token metadata, a token request that identifies the credentials information;

sending, by the token client to the token service, the token request that identifies the credentials information;

receiving, by the token client from the token service, an access token response and retrieving a first access token from the access token response using the token metadata;

storing, by the token client in the token cache and in association with the cache key, the first access token, such that the cache key may be used to retrieve the first access token;

sending, by the token client to a resource server, a resource request to access the protected resource;

wherein the resource request includes the first access token;

receiving, by the token client from the resource server, a resource response that includes a representation of the protected resource; and

returning, by the token client to the application executing on one or more computing devices, the representation of the protected resource.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system includes one or more processors to request access tokens from a token service computer, cache the access tokens and related information in a token cache, transmit the access tokens with a resource request to a resource server, and receive requested resources in response to the resource request. The resource server transmits representations of requested resources to computing devices having valid tokens. The access tokens and related information including credentials information and token metadata are stored in the token cache.

65 Citations

View as Search Results

20 Claims

1. A method comprising:
- receiving, by a token client from a user, credentials information for a token service;
  
  storing, by the token client in a token cache, credentials information and token metadata;
  
  wherein the token metadata stored by the token client in the token cache indicates how to requestan access token from the token service and how to retrieve an accesstoken from access token responses received from the token service;
  
  receiving, by the token client from an application executing on one or more computing devices, a request to initialize a new session;
  
  generating, by the token client, a session identifier that maps to a cache key for retrieving the token metadata and the credentials information from the token cache;
  
  returning, by the token client to the application executing on one or more computing devices, the session identifier;
  
  receiving, by the token client from the application executing on one or more computing devices, a request to access a protected resource from a resource server, wherein the request includes the session identifier;
  
  responsive to receiving the request, mapping, by the token client, the session identifier to the cache key for retrieving the token metadata and the credentials information from the token cache;
  
  retrieving, by the token client using the cache key, the token metadata and credentials information from the token cache, wherein the credentials information are not provided by the token client to the application executing on one or more computing devices;
  
  responsive to retrieving the token metadata and credentials information from the token cache, generating, by the token client based at least in part on the token metadata, a token request that identifies the credentials information;
  
  sending, by the token client to the token service, the token request that identifies the credentials information;
  
  receiving, by the token client from the token service, an access token response and retrieving a first access token from the access token response using the token metadata;
  
  storing, by the token client in the token cache and in association with the cache key, the first access token, such that the cache key may be used to retrieve the first access token;
  
  sending, by the token client to a resource server, a resource request to access the protected resource;
  
  wherein the resource request includes the first access token;
  
  receiving, by the token client from the resource server, a resource response that includes a representation of the protected resource; and
  
  returning, by the token client to the application executing on one or more computing devices, the representation of the protected resource.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein generating, by the token client based at least in part on the token metadata, a token request that identifies the credentials information comprises:
    - determining, by the token client based at least in part on the token metadata, how to generate a token request to obtain the first access token from the token service based on a set of one or more service properties defined by the token metadata.
  - 3. The method of claim 1, further comprising:
    - receiving, by the token client, a change to the credentials information;
      
      determining, by the token client, that the credentials information has changed;
      
      in response to determining that the credentials information has changed;
      
      sending, by the token client to the token service, a second token request that identifies the changed credentials information;
      
      receiving a second access token response from the token service and retrieving a second access token from the second access token response using the token metadata; and
      
      storing, by the token client in the token cache and in association with the cache key, the second access token.
  - 4. The method of claim 1, further comprising:
    - receiving, by the token client from the application executing on one or more computing devices, a particular request for the protected resource;
      
      wherein the particular request includes the session identifier;
      
      identifying, by the token client based on the session identifier, the cache key and retrieving the first access token from the token cache using the cache key,wherein the resource request to access the protected resource is sent in response to retrieving the first access token from the token cache using the cache key.
  - 5. The method of claim 1, further comprising:
    - receiving, by the token client from the resource server in response to the resource request to access protected resources, a second access token;
      
      storing, by the token client in the token cache and in association with the cache key, the second access token.
  - 6. The method of claim 1, further comprising:
    - sending, by the token client from the resource server, a second resource request that includes the first access token;
      
      receiving, by the token client from the resource server, a second resource response indicating that the second resource request is one of an unauthorized request and a bad request;
      
      in response to receiving the second resource response, generating, by the token client based at least in part on the token metadata, a second token request that identifies the credentials information;
      
      sending, by the token client to the token service, the second token request that identifies the credentials information;
      
      receiving a second access token response from the token service and retrieving a second access token from the second access token response using the token metadata; and
      
      storing, by the token client in the token cache and in association with the cache key, the second access token.
  - 7. The method of claim 1, further comprising:
    - retrieving the first access token from a particular XPath expression within an extensible markup language (XML) document of the access token response, wherein the XPath expression is identified by the token metadata.
  - 8. The method of claim 1, further comprising:
    - retrieving the first access token from a particular JSONPath expression within a Javascript Object Notation (ISON) document of the access token response, wherein the JSONPath expression is identified by the token metadata.
  - 9. The method of claim 1, wherein sending, by the token client to a resource server, a resource request to access protected resources comprises:
    - determining, by the token client from the token metadata, a particular position in a body of the resource request;
      
      binding the first access token to the particular position in the body of the resource request.
  - 10. The method of claim 1, further comprising:
    - executing a cryptographic hash function on the credentials information to obtain a first hash-based message authentication code;
      
      receiving input comprising a particular username and a particular password;
      
      in response to receiving the input, executing the cryptographic hash function on the particular username and the particular password to obtain a second hash-based message authentication code;
      
      comparing the first hash-based message authentication code with the second hash-based message authentication code and determining whether the credentials information matches;
      
      wherein the resource request to access protected resources is sent in response to determining that the credentials information matches.

11. One or more non-transitory computer-readable media storing one or more sequences of instructions, wherein the instructions include:
- instructions, which when executed by one or more hardware processors, cause receiving, by a token client from a user, credentials information for a token service;
  
  instructions, which when executed by one or more hardware processors, cause storing, by a token client in a token cache, credentials information and token metadata;
  
  wherein the token metadata stored by the token client in the token cache indicates how⁷to request an access token from a token service and how to retrieve an access token from access token responses received from the token service;
  
  instructions, which when executed by one or more hardware processors, cause receiving, by the token client from an application executing on one or more computing devices, a request to initialize a new session;
  
  instructions, which when executed by one or more hardware processors, cause generating, by the token client, a session identifier that maps to a cache key for retrieving the token metadata and the credentials information from the token cache;
  
  instructions, which when executed by one or more hardware processors, cause returning, by the token client to the application executing on one or more computing devices, the session identifier;
  
  instructions, which when executed by one or more hardware processors, cause receiving, by the token client from the application executing on one or more computing devices, a request to access a protected resource from a resource server, wherein the request includes the session identifier;
  
  instructions, which when executed by one or more hardware processors, cause responsive to receiving the request, mapping, by the token client, the session identifier to the cache key for retrieving the token metadata and the credentials information from the token cache;
  
  instructions, which when executed by one or more hardware processors, cause retrieving, by the token client using the cache key, the token metadata and credentials information from the token cache, wherein the credentials information are not provided by the token client to the application executing on one or more computing devices;
  
  instructions, which when executed by one or more hardware processors, cause responsive to retrieving the token metadata and credentials information from the token cache, generating, by the token client based at least in part on the token metadata, a token request that identifies the credentials information;
  
  instructions, which when executed by one or more hardware processors, cause sending, by the token client to the token service, the token request that identifies the credentials information;
  
  instructions, which when executed by one or more hardware processors, cause receiving, by the token client from the token service, an access token response and retrieving a first access token from the access token response using the token metadata;
  
  instructions, winch when executed by one or more hardware processors, cause storing, by the token client in the token cache and in association with the cache key, the first access token, such that the cache key may be used to retrieve the access token;
  
  instructions, which when executed by one or more hardware processors, cause sending, by the token client to a resource server, a resource request to access the protected resource;
  
  wherein the resource request includes the first access token;
  
  instructions, which when executed by one or more hardware processors, cause receiving, by the token client from the resource server, a resource response that includes a representation of the protected resource; and
  
  instructions, which when executed by one or more hardware processors, cause returning, by the token client to the application executing on one or more computing devices, the representation of the protected resource.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The one or more non-transitory computer-readable media of claim 11, wherein instructions for generating, by the token client based at least in part on the token metadata, a token request that identifies the credentials information include instructions which when executed by one or more hardware processors cause:
    - determining, by the token client based at least in part on the token metadata, how to generate a token request to obtain the first access token from the token service based on a set of one or more service properties defined by the token metadata.
  - 13. The one or more non-transitory computer-readable media of claim 11, wherein the instructions further include:
    - instructions, which when executed by one or more hardware processors, cause receiving, by the token client, a change to the credentials information;
      
      instructions, which when executed by one or more hardware processors, cause determining, by the token client, that the credentials information has changed;
      
      instructions, which when executed by one or more hardware processors, cause in response to determining that the credentials information has changed;
      
      sending, by the token client to the token service, a second token request that identifies the changed credentials information;
      
      receiving a second access token response from the token service and retrieving a second access token from the second access token response using the token metadata; and
      
      storing, by the token client in the token cache and in association with the cache key, the second access token.
  - 14. The one or more non-transitory computer-readable media of claim 11, wherein the instructions further include:
    - instructions, which when executed by one or more hardware processors, cause receiving, by the token client from the application executing on one or more computing devices, a particular request for the protected resource;
      
      wherein the particular request includes the session identifier;
      
      instructions, which when executed by one or more hardware processors, cause identifying, by the token client based on the session identifier, the cache key and retrieving the first access token from the token cache using the cache key;
      
      wherein the resource request to access protected resources is sent in response to retrieving the first access token from the token cache using the cache key.
  - 15. The one or more non-transitory computer-readable media of claim 11, wherein the instructions further include:
    - instructions, which when executed by one or more hardware processors, cause receiving, by the token client from the resource server in response to the resource request to access protected resources, a second access token;
      
      instructions, which when executed by one or more hardware processors, cause storing, by the token client in the token cache and in association with the cache key, the second access token.
  - 16. The one or more non-transitory computer-readable media of claim 11, wherein the instructions further include:
    - instructions, which when executed by one or more hardware processors, cause sending, by the token client from the resource server, a second resource request that includes the first access token;
      
      instructions, which when executed by one or more hardware processors, cause receiving, by the token client from the resource server, a second resource response indicating that the second resource request is one of an unauthorized request and a bad request;
      
      instructions, which when executed by one or more hardware processors, cause in response to receiving the second resource response, generating, by the token client based at least in part on the token metadata, a second token request that identifies the credentials information;
      
      instructions, which when executed by one or more hardware processors, cause sending, by the token client to the token service, the second token request that identifies the credentials information;
      
      instructions, which when executed by one or more hardware processors, cause receiving a second access token response from the token service and retrieving a second access token from the second access token response using the token metadata; and
      
      instructions, which when executed by one or more hardware processors, cause storing, by the token client in the token cache and in association with the cache key, the second access token.
  - 17. The one or more non-transitory computer-readable media of claim 11, wherein the instructions further include:
    - instructions, which when executed by one or more hardware processors, cause retrieving the first access token from a particular XPath expression within an extensible markup language (XML) document of the access token response, wherein the XPath expression is identified by the token metadata.
  - 18. The one or more non-transitory computer-readable media of claim 11, wherein the instructions further include:
    - instructions, which when executed by one or more hardware processors, cause retrieving the first access token from a particular JSONPath expression within a Javascript Object Notation (JSON) document of the access token response, wherein the JSONPath expression is identified by the token metadata.
  - 19. The one or more non-transitory computer-readable media of claim 11, wherein instructions for sending, by the token client to a resource server, a resource request to access protected resources token comprise instructions which when executed by one or more hardware processors cause:
    - determining, by the token client from the token metadata, a particular position in a body of the resource request;
      
      binding the first access token to the particular position in the body of the resource request.
  - 20. The one or more non-transitory computer-readable media of claim 11, wherein the instructions further include:
    - instructions, which when executed by one or more hardware processors, cause executing a cryptographic hash function on the credentials information to obtain a first hash-based message authentication code;
      
      instructions, which when executed by one or more hardware processors, cause receiving input comprising a particular username and a particular password;
      
      instructions, which when executed by one or more hardware processors, cause in response to receiving the input, executing the cryptographic hash function on the particular username and the particular password to obtain a second hash-based message authentication code;
      
      instructions, which when executed by one or more hardware processors, cause comparing the first hash-based message authentication code with the second hash-based message authentication code and determining whether the credentials information matches,wherein the resource request, to access protected resources is sent in response to determining that the credentials information matches.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
Oracle International Corporation (Oracle Corporation)
Inventors
Chan, Daniel, Kunisetty, Sunil
Primary Examiner(s)
Rashid, Harunur
Assistant Examiner(s)
Huang, Cheng-Feng

Application Number

US15/078,897
Publication Number

US 20160226879A1
Time in Patent Office

930 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/0815   providing single-sign-on or...

H04L 63/083   using passwords cryptograph...

H04L 63/10   for controlling access to d...

H04L 67/568   Storing data temporarily at...

H04L 9/3242   involving keyed hash functi...

Authorization token cache system and method

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

65 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Authorization token cache system and method

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

65 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links