Authentication for online content using an access token

US 10,395,024 B2
Filed: 03/04/2014
Issued: 08/27/2019
Est. Priority Date: 03/04/2014
Status: Active Grant

First Claim

Patent Images

1. A system comprising:

one or more processors; and

one or more computer-readable storage device storing computer-executable instructions that, responsive to execution by the one or more processors, cause the system to perform operations including;

authenticating, at an online content resource, a client device for access to online content based on user credentials received from the client device as part of a request for access to the online content;

generating a message that includes the user credentials and a common access key held by multiple content resources that serve the online content;

creating an access token by hashing the message with the common access key to generate a first hashed message and by storing the first hashed message and an unhashed version of the message together as part of the access token;

communicating the access token and an instance of the online content to the client device;

removing, subsequent to the communicating, the access token and the message from the online content resource so that the access token is not stored by the online content resource;

receiving, subsequent to the removing, the access token as part of a subsequent request from the client device for access to the online content; and

authenticating the client device as permitted to access the online content as part of the subsequent request using the common access key and the access token and independent of any information about the client device stored by the online content resource by;

retrieving the first hashed message and the unhashed version of the message from the access token;

hashing the unhashed version of the message with the common access key to generate a second hashed message; and

ascertaining that the second hashed message matches the first hashed message retrieved from the access token.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques for authentication for online content using an access token are described. According to various embodiments, online content (e.g., webpages and other types of web content) can be served across a variety of different online resources. According to one or more embodiments, an access token is leveraged to enable a user to authenticate with multiple different distributed content resources for access to online content, and without requiring the user to input authentication credentials for each of the content resources.

132 Citations

20 Claims

1. A system comprising:
- one or more processors; and
  
  one or more computer-readable storage device storing computer-executable instructions that, responsive to execution by the one or more processors, cause the system to perform operations including;
  
  authenticating, at an online content resource, a client device for access to online content based on user credentials received from the client device as part of a request for access to the online content;
  
  generating a message that includes the user credentials and a common access key held by multiple content resources that serve the online content;
  
  creating an access token by hashing the message with the common access key to generate a first hashed message and by storing the first hashed message and an unhashed version of the message together as part of the access token;
  
  communicating the access token and an instance of the online content to the client device;
  
  removing, subsequent to the communicating, the access token and the message from the online content resource so that the access token is not stored by the online content resource;
  
  receiving, subsequent to the removing, the access token as part of a subsequent request from the client device for access to the online content; and
  
  authenticating the client device as permitted to access the online content as part of the subsequent request using the common access key and the access token and independent of any information about the client device stored by the online content resource by;
  
  retrieving the first hashed message and the unhashed version of the message from the access token;
  
  hashing the unhashed version of the message with the common access key to generate a second hashed message; and
  
  ascertaining that the second hashed message matches the first hashed message retrieved from the access token.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. A system as recited in claim 1, wherein said generating further comprises generating the message to include a date on which the message is generated.
  - 3. A system as recited in claim 1, wherein said generating further comprises generating the message to include an identifier for online content being requested.
  - 4. A system as described in claim 1, wherein said authenticating and said creating are performed via a content resource configured to serve an instance of the online content independent of a resource that generates the online content.
  - 5. A system as described in claim 1, wherein the message further includes one or more of an indication of an elapsed time after which the access token will expire or a date after which the access token will expire.
  - 6. A system as described in claim 1, wherein the common access key is added to the message prior to said hashing the message.
  - 7. A system as described in claim 1, wherein the operations further comprise encrypting the access token prior to said communicating.
  - 8. A system as described in claim 1, wherein the operations further comprise:
    - ascertaining that the access token is one of expired or revoked; and
      
      causing, in response to said ascertaining, the access token to be refreshed.

9. A computer-implemented method, comprising:
- authenticating, at an online content resource and at a first time, a client device for access to online content based on user credentials received from the client device as part of a request for access to the online content;
  
  generating a message that includes the user credentials and a common access key held by multiple content resources;
  
  creating an access token by hashing the message with the common access key to generate a first hashed message and by storing the first hashed message and an unhashed version of the message together as part of the access token;
  
  communicating the access token and an instance of the online content to the client device;
  
  removing, subsequent to the communicating, the access token and the message from the online content resource so that the access token is not stored by the online content provider;
  
  receiving, subsequent to the removing, the access token as part of a subsequent request from the client device for access to the online content;
  
  retrieving the first hashed message and the unhashed version of the message from the access token;
  
  hashing the unhashed version of the message with the common access key to generate a second hashed message;
  
  ascertaining that the second hashed message matches the first hashed message retrieved from the access token; and
  
  authenticating the client device at a second time as permitted to access the online content as part of the subsequent request and using credentials from the access token.
- View Dependent Claims (10, 11, 12, 13, 14)
- - 10. A computer-implemented method as recited in claim 9, wherein said authenticating and said creating are performed via a content resource configured to serve an instance of the online content independent of a resource that generates the online content.
  - 11. A computer-implemented method as recited in claim 9, wherein the message further includes one or more of an indication of an elapsed time after which the access token will expire or a date after which the access token will expire.
  - 12. A computer-implemented method as recited in claim 9, wherein the common access key is added to the message prior to said hashing the message.
  - 13. A computer-implemented method as recited in claim 9, further comprising encrypting the access token prior to said communicating.
  - 14. A computer-implemented method as recited in claim 9, further comprising:
    - ascertaining that the access token is one of expired or revoked; and
      
      causing, in response to said ascertaining, the access token to be refreshed.

15. One or more computer-readable storage device storing instructions that are executed to perform operations comprising:
- authenticating, at an online content resource, a client device for access to online content based on user credentials received from the client device as part of a request for access to the online content;
  
  generating a message that includes the user credentials and a common access key held by multiple content resources that serve the online content;
  
  creating an access token by hashing the message with the common access key to generate a first hashed message and by storing the first hashed message and an unhashed version of the message together as part of the access token;
  
  communicating the access token and an instance of the online content to the client device;
  
  removing, subsequent to the communicating, the access token and the message from the online content resource;
  
  receiving, subsequent to the removing, the access token as part of a subsequent request from the client device for access to the online content; and
  
  authenticating the client device as permitted to access the online content as part of the subsequent request using the common access key and the access token and independent of any information maintained about the client device by the multiple content resources by;
  
  retrieving the first hashed message and the unhashed version of the message from the access token;
  
  hashing the unhashed version of the message with the common access key to generate a second hashed message; and
  
  ascertaining that the second hashed message matches the first hashed message retrieved from the access token.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. One or more computer-readable storage device as recited in claim 15, wherein said authenticating and said creating are performed via a content resource configured to serve an instance of the online content independent of a resource that generates the online content.
  - 17. One or more computer-readable storage device as recited in claim 15, wherein the message further includes one or more of an indication of an elapsed time after which the access token will expire or a date after which the access token will expire.
  - 18. One or more computer-readable storage device as recited in claim 15, wherein the common access key is added to the message prior to said hashing the message.
  - 19. One or more computer-readable storage device as recited in claim 15, wherein the operations further comprise encrypting the access token prior to said communicating.
  - 20. One or more computer-readable storage device as recited in claim 15, wherein the operations further comprise:
    - ascertaining that the access token is one of expired or revoked; and
      
      causing, in response to said ascertaining, the access token to be refreshed.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Adobe Inc.
Original Assignee
Adobe Inc.
Inventors
Sanso, Antonio
Primary Examiner(s)
Patel, Haresh N

Application Number

US14/196,728
Publication Number

US 20150254441A1
Time in Patent Office

2,002 Days
Field of Search

726 9, 726 4, 726 6, 726 7
US Class Current
CPC Class Codes

G06F 21/41 where a single sign-on prov...

Authentication for online content using an access token

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

132 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Authentication for online content using an access token

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

132 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links