Local claim-based security service with cross-browser compatibility

US 10,476,870 B2
Filed: 08/25/2017
Issued: 11/12/2019
Est. Priority Date: 08/25/2017
Status: Active Grant

First Claim

Patent Images

1. A computing system, comprising:

at least one processor on a user machine; and

memory storing instructions executable by the at least one processor on the user machine, wherein the instructions, when executed, provide;

web application interaction logic, in a local authority service running on the user machine, whereinthe web application interaction logic is configured to interact with a web application running on the user machine to receive an authentication request from the web application, andthe authentication request requests authentication to a remote computing system, that is remote from the user machine;

hardware key reader interaction logic, in the local authority service, wherein the hardware key reader interaction logic is configured to, based on the authentication request, interact with a hardware key reader to obtain a representation of a hardware-protected key corresponding to a user; and

secure backend communication logic, in the local authority service, configured to;

provide a token to an authentication system of the remote computing system, the token being generated based, at least in part, on the hardware-protected key; and

receive an operation result performed by the authentication system using the token,wherein the web application interaction logic is configured to provide an indication of the operation result to the web application, and the web application interaction logic is configured to interact with a plurality of different web applications.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A web application that is attempting to access a site hosted by a system that needs authentication based on a hardware-protected key is redirected to a local authority service on the machine. The local authority service interacts with a hardware key reader to obtain authentication information from a hardware key holder. The local authority service illustratively interacts with the system being accessed in order to obtain an operation result, based on the hardware-protected key obtained through the hardware key reader. The operation result is then posted to the web application, by the local authority service, for use in authenticating the user.

15 Citations

20 Claims

1. A computing system, comprising:
- at least one processor on a user machine; and
  
  memory storing instructions executable by the at least one processor on the user machine, wherein the instructions, when executed, provide;
  
  web application interaction logic, in a local authority service running on the user machine, whereinthe web application interaction logic is configured to interact with a web application running on the user machine to receive an authentication request from the web application, andthe authentication request requests authentication to a remote computing system, that is remote from the user machine;
  
  hardware key reader interaction logic, in the local authority service, wherein the hardware key reader interaction logic is configured to, based on the authentication request, interact with a hardware key reader to obtain a representation of a hardware-protected key corresponding to a user; and
  
  secure backend communication logic, in the local authority service, configured to;
  
  provide a token to an authentication system of the remote computing system, the token being generated based, at least in part, on the hardware-protected key; and
  
  receive an operation result performed by the authentication system using the token,wherein the web application interaction logic is configured to provide an indication of the operation result to the web application, and the web application interaction logic is configured to interact with a plurality of different web applications.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The computing system of claim 1 wherein the web application interaction logic is configured to post the operation result to the web application.
  - 3. The computing system of claim 2 wherein the instructions, when executed, provide:
    - token generator logic, on the local authority service, configured to issue, as the token, a claim-based token corresponding to the user.
  - 4. The computing system of claim 3 wherein the instructions, when executed, provide:
    - signing logic, on the local authority service, configured to sign the claim-based token with the representation of the hardware-protected key.
  - 5. The computing system of claim 2, wherein the web application interaction logic is configured to post the operation result to the web application using a standard hypertext transfer protocol (http) post.
  - 6. The computing system of claim 1 wherein the hardware key reader comprises:
    - a smart card reader.
  - 7. The computing system of claim 6 wherein the instructions, when executed, provide:
    - a user experience (UX) controller configured to generate user interface display prompting the user to enter the hardware protected key using the smart card reader.
  - 8. The computing system of claim 1 wherein the authentication request comprises a redirected authentication request that is redirected to the web application interaction logic by the remote computing system.
  - 9. The computing system of claim 8 wherein the web application is configured to be redirected to the local authority service by posting the authentication request, using a standard http post, to a local host endpoint that is monitored by the local authority service.

10. A computer implemented method, comprising:
- running, on a user machine, a local authority service configured to interact with a plurality of different web applications;
  
  receiving, at the local authority service, an authentication request from a particular web application that is running on the user machine, the authentication request requesting authentication to a remote computing system that is remote from the user machine;
  
  using the local authority service to,based on the authentication request, interact with a hardware key reader to obtain a representation of a hardware-protected key corresponding to a user, andproviding a token to an authentication system of the remote computing system, the token being generated based, at least in part, on the hardware-protected key;
  
  receiving, at the local authority service, an operation result performed by the authentication system using the token; and
  
  providing an indication of the operation result to the particular web application.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The computer implemented method of claim 10 wherein providing an indication of the operation result comprises:
    - posting the operation result to the particular web application.
  - 12. The computer implemented method of claim 11 and further comprising:
    - issuing, as the token, a claim-based token corresponding to the user, from the local authority service.
  - 13. The computer implemented method of claim 12 and further comprising:
    - signing, with the local authority service, the claim-based token with the representation of the hardware-protected key.
  - 14. The computer implemented method of claim 11 wherein the local authority service posts the operation result to the particular web application using a standard hypertext transfer protocol (http) post.
  - 15. The computer implemented method of claim 10 wherein using the local authority service to interact with a hardware key reader comprises:
    - interacting with a smart card reader.
  - 16. The computer implemented method of claim 15 wherein interacting with a smart card reader comprises:
    - generating a user interface display prompting the user to enter the hardware protected key using the smart card reader.
  - 17. The computer implemented method of claim 10 wherein receiving the authentication request comprises:
    - receiving a redirected authentication request that is redirected to the local authority service by the remote computing system.
  - 18. The computer implemented method of claim 17 wherein receiving a redirected authentication request comprises:
    - receiving the redirected authentication request by a posting of the authentication request, using a hypertext transfer protocol (http) post, to a local host endpoint that is monitored by the local authority service.

19. A data center computing system comprising:
- at least one processor; and
  
  memory storing instructions executable by the at least one processor, wherein the instructions, when executed, configure the data center computing system to;
  
  interact with a web application running on a user machine;
  
  redirect an authentication request, corresponding to the web application, to a local authority service running on the user machine, with a standard hypertext transfer protocol (http) re-direct action, the local authority service being configured to interact with a plurality of different web applications; and
  
  receive, from the local authority service running on the user machine, a signed claim-based token, signed with a hardware protected key corresponding to a user;
  
  generate an operation result based on the signed claim-based token;
  
  send the operation result to the local authority service; and
  
  interact with the web application, using the operation result, to authenticate the user to the data center computing system.
- View Dependent Claims (20)
- - 20. The data center computing system of claim 19 wherein the instructions configure the data center computing system to expose an interface that is invoked by the web application using interactions that conform to the hypertext transfer protocol.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Inventors
Zeng, Yi, Huang, Yu
Primary Examiner(s)
Najjar, Saleh
Assistant Examiner(s)
Chao, Michael W

Application Number

US15/686,391
Publication Number

US 20190068585A1
Time in Patent Office

809 Days
Field of Search

None
US Class Current
CPC Class Codes

G06F 21/34   involving the use of extern...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/0853   using an additional device,...

H04L 63/0884   by delegation of authentica...

Local claim-based security service with cross-browser compatibility

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

15 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

Local claim-based security service with cross-browser compatibility

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

15 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others