Systems and methods for authenticating an online user using a secure authorization server

US 10,484,375 B2
Filed: 06/04/2018
Issued: 11/19/2019
Est. Priority Date: 11/16/2015
Status: Active Grant

First Claim

Patent Images

1. A secure authorization server for verifying an identity of an end user, said secure authorization server comprising at least one processor in communication with at least one memory, said secure authorization server programmed to:

receive, from a computing client, an authentication request including a first redirection uniform resource indicator (URI);

transmit, to the end user in response to the authentication request, a login credential request;

receive, from the end user in response to the login credential request, end user login credentials;

transmit, in response to authenticating the end user login credentials, an authentication response to the computing client via the first redirection URI, wherein the authentication response includes an authorization code;

receive, from the computing client, a token request, wherein the token request includes the authorization code and a second redirection URI; and

transmit, in response to validating the authorization code and determining that the second redirection URI matches the first redirection URI, a token response to the computing client via the first redirection URI, wherein the token response includes an access token having a lifetime.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A secure authorization server computer system for verifying an identity of an end-user is provided. The computer system is programmed to receive, from a computing client, an authentication request at an authorization component. The authentication request includes a secure authentication request identifier. The computer system is also programmed to validate the authentication request at the authorization component by validating the secure authentication request identifier. The computer system is further programmed to transmit an authentication response from the authorization component to the computing client. The authentication response includes an authorization code. The authorization code represents a validation of the authentication request.

21 Citations

21 Claims

1. A secure authorization server for verifying an identity of an end user, said secure authorization server comprising at least one processor in communication with at least one memory, said secure authorization server programmed to:
- receive, from a computing client, an authentication request including a first redirection uniform resource indicator (URI);
  
  transmit, to the end user in response to the authentication request, a login credential request;
  
  receive, from the end user in response to the login credential request, end user login credentials;
  
  transmit, in response to authenticating the end user login credentials, an authentication response to the computing client via the first redirection URI, wherein the authentication response includes an authorization code;
  
  receive, from the computing client, a token request, wherein the token request includes the authorization code and a second redirection URI; and
  
  transmit, in response to validating the authorization code and determining that the second redirection URI matches the first redirection URI, a token response to the computing client via the first redirection URI, wherein the token response includes an access token having a lifetime.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The secure authorization server in accordance with claim 1, wherein said secure authorization server is further programmed to:
    - receive, from the computing client, a user information request that includes the access token from the token response; and
      
      transmit end-user data to the computing client via the first redirection URI in response to a validation of the access token.
  - 3. The secure authorization server in accordance with claim 1, wherein the authentication request includes a secure authentication request identifier, and wherein said secure authorization server is further programmed to validate the authentication request by at least verifying that the secure authentication request identifier is valid.
  - 4. The secure authorization server in accordance with claim 3, wherein said secure authorization server is further programmed to include at least the secure authentication request identifier in the authorization code.
  - 5. The secure authorization server in accordance with claim 3, wherein said secure authorization server is further programmed to include in the token response an identification token including at least the secure authentication request identifier from the authentication request.
  - 6. The secure authorization server in accordance with claim 1, wherein said secure authorization server is further programmed to include in the token response the lifetime of the access token.
  - 7. The secure authorization server in accordance with claim 1, wherein the token response is a second token response, and wherein said secure authorization server is further programmed to transmit, in response to validating the authorization code and determining that the second redirection URI matches the first redirection URI, a first token response to the computing client via the first redirection URI, the first token response including a refresh token usable by the computing client to obtain the access token from said secure authorization server in the second token response.

8. A method for verifying an identity of an end user, said method implemented using a secure authorization computing device including at least one processor in communication with a memory, the secure authorization computing device in communication with a computing client, said method comprising:
- receiving, from the computing client, an authentication request including a first redirection uniform resource indicator (URI);
  
  transmitting, to the end user in response to the authentication request, a login credential request;
  
  receiving, from the end user in response to the login credential request, end user login credentials;
  
  transmitting, in response to authenticating the end user login credentials, an authentication response to the computing client via the first redirection URI, wherein the authentication response includes an authorization code;
  
  receiving, from the computing client, a token request, wherein the token request includes the authorization code and a second redirection URI;
  
  transmitting, in response to validating the authorization code and determining that the second redirection URI matches the first redirection URI, a token response to the computing client via the first redirection URI, wherein the token response includes an access token having a lifetime.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The method in accordance with claim 8, further comprising;
    - receiving, from the computing client, a user information request that includes the access token from the token response; and
      
      transmitting end-user data to the computing client in response to a validation of the access token.
  - 10. The method in accordance with claim 8, wherein the authentication request includes a secure authentication request identifier, and wherein said method further comprises validating the authentication request by at least verifying that the secure authentication request identifier is valid.
  - 11. The method in accordance with claim 10, wherein said method further comprises including at least the secure authentication request identifier in the authorization code.
  - 12. The method in accordance with claim 10, wherein said method further comprises including in the token response an identification token including at least the secure authentication request identifier from the authentication request.
  - 13. The method in accordance with claim 8, wherein said method further comprises including in the token response the lifetime of the access token.
  - 14. The method in accordance with claim 8, wherein the token response is a second token response, and wherein said method further comprises transmitting, in response to validating the authorization code and determining that the second redirection URI matches the first redirection URI, a first token response to the computing client via the first redirection URI, the first token response including a refresh token usable by the computing client to obtain the access token from said secure authorization server in the second token response.

15. A non-transitory computer-readable storage media having computer-executable instructions embodied thereon for verifying an identity of an end user, wherein when executed by at least one processor, the computer-executable instructions cause the processor to:
- receive, from a computing client, an authentication request including a first redirection uniform resource indicator (URI);
  
  transmit, to the end user in response to the authentication request, a login credential request;
  
  receive, from the end user in response to the login credential request, end user login credentials;
  
  transmit, in response to authenticating the end user login credentials, an authentication response to the computing client via the first redirection URI, wherein the authentication response includes an authorization code;
  
  receive, from the computing client, a token request, wherein the token request includes the authorization code and a second redirection URI;
  
  transmit, in response to validating the authorization code and determining that the second redirection URI matches the first redirection URI, a token response to the computing client via the first redirection URI, wherein the token response includes an access token having a lifetime.
- View Dependent Claims (16, 17, 18, 19, 20, 21)
- - 16. The non-transitory computer-readable storage media of claim 15, wherein the computer-executable instructions further cause the processor to:
    - receive, from the computing client, a user information request that includes the access token from the token response; and
      
      transmit end-user data to the computing client in response to a validation of the access token.
  - 17. The non-transitory computer-readable storage media of claim 15, wherein the authentication request includes a secure authentication request identifier, and wherein the computer-executable instructions further cause the processor to validate the authentication request by at least verifying that the secure authentication request identifier is valid.
  - 18. The non-transitory computer-readable storage media of claim 17, wherein the computer-executable instructions further cause the processor to include at least the secure authentication request identifier in the authorization code.
  - 19. The non-transitory computer-readable storage media of claim 17, wherein the computer-executable instructions further cause the processor to include in the token response an identification token including at least the secure authentication request identifier from the authentication request.
  - 20. The non-transitory computer-readable storage media of claim 15, wherein the computer-executable instructions further cause the processor to include in the token response the lifetime of the access token.
  - 21. The non-transitory computer-readable storage media of claim 15, wherein the token response is a second token response, and wherein the computer-executable instructions further cause the processor to transmit, in response to validating the authorization code and determining that the second redirection URI matches the first redirection URI, a first token response to the computing client via the first redirection URI, the first token response including a refresh token usable by the computing client to obtain the access token from said secure authorization server in the second token response.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Mastercard International Incorporated (MasterCard Incorporated)
Original Assignee
Mastercard International Incorporated (MasterCard Incorporated)
Inventors
Zhang, Jenny Qian, Alger, Eric G., Bucher, Steven Patrick
Primary Examiner(s)
Rahman, Mahfuzur

Application Number

US15/997,510
Publication Number

US 20180288047A1
Time in Patent Office

533 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/6218   to a system of files or obj...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/0823   using certificates cryptogr...

H04L 63/0853   using an additional device,...

H04L 63/0884   by delegation of authentica...

H04L 63/0892   by using authentication-aut...

H04L 63/10   for controlling access to d...

Systems and methods for authenticating an online user using a secure authorization server

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

21 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for authenticating an online user using a secure authorization server

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

21 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links