Device access revocation

US 10,146,932 B2
Filed: 12/22/2016
Issued: 12/04/2018
Est. Priority Date: 01/29/2016
Status: Active Grant

First Claim

Patent Images

1. A method performed by a resource device comprising a data processing apparatus, the method comprising:

after multiple users have each been granted a respective access token allowing access to a resource device, receiving, by the resource device, revocation data indicating that the previously granted access to the resource device should be revoked for one or more of the multiple users, wherein the revocation data indicates (i) a user, role, or permission level for which access is revoked and (ii) an authorization duration or an authorization expiration time for a previous authorization of access to the resource device for the indicated user, role, or permission level;

after receiving the revocation data, receiving, by the resource device, token data derived from a first access token that allows access to the resource device, the first access token being issued to a first user;

determining, by the resource device and based on the token data, that authorization for the first access token is dependent on authorization for one or more second access tokens that provide to access to the resource device, the one or more second access tokens respectively being granted to users different from the first user;

determining, by the resource device, that at least one of the one or more second access tokens corresponds to the user, role, or permission level indicated by the revocation data; and

in response to receiving the token data and before expiration of the previous authorization of access to the resource device for the indicated user, role, or permission level, denying, by the resource device, access to the resource device based on (i) determining that the first access token is dependent on authorization for the one or more second access tokens, and (ii) determining that at least one of the one or more second access tokens corresponds to the user, role, or permission level indicated by the revocation data.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In some implementations, after one or more users have each been granted a respective access token allowing access to a resource device, revocation data is received by the resource device. The revocation data indicates that the previously granted access to the resource device should be revoked. For example, the revocation data may indicate (i) a user, role, or permission level for which access is revoked and (ii) a duration that access to the resource device was allowed. After receiving the revocation data, the resource device receives token data derived from an access token that allows access to the resource device. The resource device determines that the access token relies on authorization of the user, role, or permission level indicated by the revocation data, and in response, the resource device denies access.

69 Citations

View as Search Results

15 Claims

1. A method performed by a resource device comprising a data processing apparatus, the method comprising:
- after multiple users have each been granted a respective access token allowing access to a resource device, receiving, by the resource device, revocation data indicating that the previously granted access to the resource device should be revoked for one or more of the multiple users, wherein the revocation data indicates (i) a user, role, or permission level for which access is revoked and (ii) an authorization duration or an authorization expiration time for a previous authorization of access to the resource device for the indicated user, role, or permission level;
  
  after receiving the revocation data, receiving, by the resource device, token data derived from a first access token that allows access to the resource device, the first access token being issued to a first user;
  
  determining, by the resource device and based on the token data, that authorization for the first access token is dependent on authorization for one or more second access tokens that provide to access to the resource device, the one or more second access tokens respectively being granted to users different from the first user;
  
  determining, by the resource device, that at least one of the one or more second access tokens corresponds to the user, role, or permission level indicated by the revocation data; and
  
  in response to receiving the token data and before expiration of the previous authorization of access to the resource device for the indicated user, role, or permission level, denying, by the resource device, access to the resource device based on (i) determining that the first access token is dependent on authorization for the one or more second access tokens, and (ii) determining that at least one of the one or more second access tokens corresponds to the user, role, or permission level indicated by the revocation data.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, comprising:
    - in response to receiving the revocation data, storing an entry in an access control blacklist stored locally at the resource device, the entry indicating the user, role, or permission level indicated by the revocation data; and
      
      comparing one or more users, roles, or permission levels indicated in the stored blacklist with a user, role or permission level indicated by the token data derived from the first access token;
      
      wherein denying the resource access to the resource device is based at least in part on the comparison.
  - 3. The method of claim 1, wherein the resource device determines that authorization for the first access token is dependent on authorization for one or more second access tokens based on locally stored data at the resource device, the resource device being configured to use the locally stored data to evaluate whether to grant access to the resource device independent of whether the resource device has network connectivity.
  - 4. The method of claim 1, wherein receiving the revocation data comprises receiving the revocation data at a time that is (i) after a particular access token has been granted, the particular access token having an authorization expiration time, and (ii) before the authorization expiration time for the particular access token;
    - wherein receiving the token data comprises receiving token data derived from the particular access token; and
      
      wherein the determining and the denying are performed at a second time that is (i) after the particular access token has been granted and (ii) before the authorization expiration time for the particular access token.
  - 5. The method of claim 1, comprising:
    - storing, in an access control blacklist stored at the resource device, a blacklist entry for the first user;
      
      determining, based on the blacklist entry, that one or more access tokens granted to the first user have expired; and
      
      based on determining that one or more access tokens granted to first the user have expired, deleting the blacklist entry for the first user from the access control blacklist.
  - 6. The method of claim 5, comprising determining, by the resource device, that the received token data corresponds to a valid and unexpired token that provides access to the resource;
    - wherein denying access to the resource device comprises denying access to the resource device after determining that the received token data corresponds to a valid and unexpired token that provides access to the resource device, based on (i) determining that authorization for the first access token is dependent on authorization for one or more second access and (ii) determining that at least one of the one or more second access tokens correspond to the user, role, or permission level indicated by the revocation data.
  - 7. The method of claim 1, wherein the revocation data is received, from a user device, through a proximity-based connection established between the resource device and the user device.
  - 8. The method of claim 1, wherein the revocation data is received, from a server computer, through a network connection established between the resource device and the server computer.
  - 9. The method of claim 1, wherein denying access to the resource device comprises:
    - determining a particular second access token from among the one or more second access tokens corresponds to the user, role, or permission level for which access is revoked; and
      
      storing an entry in an access control blacklist such that access to the resource device is denied for any of the multiple users that have been granted access tokens that depend on authorization for the particular second access token.

10. A non-transitory computer-readable storage device encoded with computer program instructions that, when executed by one or more computers, cause the one or more computers to perform operations comprising:
- after multiple users have each been granted a respective access token allowing access to a resource device, receiving, by the resource device, revocation data indicating that the previously granted access to the resource device should be revoked for one or more of the multiple users, wherein the revocation data indicates (i) a user, role, or permission level for which access is revoked and (ii) an authorization duration or an authorization expiration time for a previous authorization of access to the resource device for the indicated user, role, or permission level;
  
  after receiving the revocation data, receiving, by the resource device, token data derived from a first access token that allows access to the resource device, the first access token being issued to a first user;
  
  determining, by the resource device and based on the token data, that authorization for the first access token is dependent on authorization for one or more second access tokens that provide to access to the resource device, the one or more second access tokens respectively being granted to users different from the first user;
  
  determining, by the resource device, that at least one of the one or more second access tokens corresponds to the user, role, or permission level indicated by the revocation data; and
  
  in response to receiving the token data and before expiration of the previous authorization of access to the resource device for the indicated user, role, or permission level, denying, by the resource device, access to the resource device based on (i) determining that the first access token is dependent on authorization for the one or more second access tokens, and (ii) determining that at least one of the one or more second access tokens corresponds to the user, role, or permission level indicated by the revocation data.
- View Dependent Claims (11)
- - 11. The non-transitory computer-readable storage device of claim 10, wherein the operations further comprise:
    - in response to receiving the revocation data, storing a blacklist entry in an access control blacklist stored locally at the resource device, the entry indicating the user, role, or permission level indicated by the revocation data; and
      
      comparing one or more users, roles, or permission levels indicated in the stored blacklist with a user, role or permission level indicated by the token data derived from the first access token;
      
      wherein denying the resource access to the resource device is based at least in part on the comparison.

12. A system comprising:
- one or more computers; and
  
  a non-transitory computer-readable medium coupled to the one or more computers having instructions stored thereon, which, when executed by the one or more computers, cause the one or more computers to perform operations comprising;
  
  after multiple users have each been granted a respective access token allowing access to a resource device, receiving, by the resource device, revocation data indicating that the previously granted access to the resource device should be revoked for one or more of the multiple users, wherein the revocation data indicates (i) a user, role, or permission level for which access is revoked and (ii) an authorization duration or an authorization expiration time for a previous authorization of access to the resource device for the indicated user, role, or permission level;
  
  after receiving the revocation data, receiving, by the resource device, token data derived from a first access token that allows access to the resource device, the first access token being issued to a first user;
  
  determining, by the resource device and based on the token data, that authorization for the first access token is dependent on authorization for one or more second access tokens that provide to access to the resource device, the one or more second access tokens respectively being granted to users different from the first user;
  
  determining, by the resource device, that at least one of the one or more second access tokens corresponds to the user, role, or permission level indicated by the revocation data; and
  
  in response to receiving the token data and before expiration of the previous authorization of access to the resource device for the indicated user, role, or permission level, denying, by the resource device, access to the resource device based on (i) determining that the first access token is dependent on authorization for the one or more second access tokens, and (ii) determining that at least one of the one or more second access tokens corresponds to the user, role, or permission level indicated by the revocation data.
- View Dependent Claims (13, 14, 15)
- - 13. The system of claim 12, wherein the operations comprise:
    - in response to receiving the revocation data, storing an entry in an access control blacklist stored locally at the resource device, the entry indicating the user, role, or permission level indicated by the revocation data; and
      
      comparing one or more users, roles, or permission levels indicated in the stored blacklist with a user, role or permission level indicated by the token data derived from the first access token;
      
      wherein denying the resource access to the resource device is based at least in part on the comparison.
  - 14. The system of claim 12, wherein the resource device determines that authorization for the first access token is dependent on authorization for one or more second access tokens based on locally stored data at the resource device, the resource device being configured to use the locally stored data to evaluate whether to grant access to the resource device independent of whether the resource device has network connectivity.
  - 15. The system of claim 12, wherein receiving the revocation data comprises receiving the revocation data at a time that is (i) after a particular access token has been granted, the particular access token having an authorization expiration time, and (ii) before the authorization expiration time for the particular access token;
    - wherein receiving the token data comprises receiving token data derived from the particular access token; and
      
      wherein the determining and the denying are performed at a second time that is (i) after the particular access token has been granted and (ii) before the authorization expiration time for the particular access token.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Google LLC (Alphabet Inc.)
Original Assignee
Google LLC (Alphabet Inc.)
Inventors
Birgisson, Arnar, Gutnik, Yevgeniy
Primary Examiner(s)
Zand, Kambiz
Assistant Examiner(s)
Kaplan, Benjamin A

Application Number

US15/387,776
Publication Number

US 20170220793A1
Time in Patent Office

712 Days
Field of Search

726 6
US Class Current
CPC Class Codes

G06F 21/45   Structures or tools for the...

G06F 21/62   Protecting access to data v...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/083   using passwords cryptograph...

H04L 63/101   Access control lists [ACL]

H04L 63/102   Entity profiles

H04W 12/08   Access security

H04W 12/082   using revocation of authori...

Device access revocation

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

69 Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

Device access revocation

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

69 Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links