Authentication token with client key

US 10,505,916 B2
Filed: 10/19/2017
Issued: 12/10/2019
Est. Priority Date: 10/19/2017
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

receiving a first request to access a secure service, the first request including a first token and a second token;

extracting a client public key from the first token;

validating the second token with the client public key extracted from the first token;

authorizing access to the secure service upon validation of the second token;

creating a third token signed by a server private key; and

transmitting to a second server a second request for access to the second server, the second request including the first token and the third token,wherein the first token is configured to validate a client device for the access to the second server, and the third token is configured to validate a requesting entity of the second request for access to the second server.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques are described for using two tokens to request access to a secure server. The tokens allow the server to verify, without an external call, that the requesting device is one identified in the request and that the requesting device is authorized by a trusted identity provider. A first token is an authentication token issued by the trusted identity provider and including a client device public key. The second token is a proof-of-possession token that is signed by a client device using a client device private key corresponding to the client device public key. The server obtains the client device public key from the authentication token, and then uses the client device public key to validate the proof-of-possession token. The authentication token can be re-used by a server creating its own proof-of-possession token for presentation to a second server to access a secure service on the second server.

Citations

10 Claims

1. A method, comprising:
- receiving a first request to access a secure service, the first request including a first token and a second token;
  
  extracting a client public key from the first token;
  
  validating the second token with the client public key extracted from the first token;
  
  authorizing access to the secure service upon validation of the second token;
  
  creating a third token signed by a server private key; and
  
  transmitting to a second server a second request for access to the second server, the second request including the first token and the third token,wherein the first token is configured to validate a client device for the access to the second server, and the third token is configured to validate a requesting entity of the second request for access to the second server.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method as recited in claim 1, wherein the second token authenticates a source of the first request.
  - 3. The method as recited in claim 1, wherein the first token is an authentication token created and signed by a trusted identity provider, and wherein the extracting further comprises validating the first token with an identity provider public key to obtain the client public key.
  - 4. The method as recited in claim 1, wherein the first request is a HyperText Transfer Protocol (HTTP) request containing the first token and the second token in an authorization header.
  - 5. The method as recited in claim 1, wherein the authorizing access to the secure service is based on one or both of the first and second tokens without a call to an external service to validate the first request.
  - 6. The method as recited in claim 1, wherein the second server authorizes access by the client device based on validation of at least the first token.

7. One or more non-transitory computer-readable media, containing computer executable instructions, comprising:
- a first code segment that, when executed, receives a first request from a client device to access a secure service, the first request including a first token and a second token;
  
  a second code segment that, when executed, extracts a client device public key from the first token;
  
  a third code segment that, when executed, validates the second token using the client device public key extracted from the first token;
  
  a fourth code segment that, when executed, authorizes access to the secure service upon successful validation of the second token;
  
  a fifth code segment that, when executed, creates a third token signed with a first server private key; and
  
  a sixth code segment that, when executed, creates a second request to a second server, the second request including the first token and the third token,wherein the third token is configured to be validatable with a first server public key, and the first token is configured to be validatable with an identity provider public key.
- View Dependent Claims (8, 9, 10)
- - 8. The one or more non-transitory computer-readable media as recited in claim 7, wherein the client device public key is configured to be extractable from the first token using a public key of an identity provider that created the first token.
  - 9. The one or more non-transitory computer-readable media as recited in claim 7, wherein the first token and the second token are received included in an authorization header of an HTTP request.
  - 10. The one or more non-transitory computer-readable media as recited in claim 7, wherein the first token is a JSON Web Token that stores the client device public key in a digitally signed body of the token.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
T-Mobile USA, Inc. (Deutsche Telekom AG)
Original Assignee
T-Mobile USA, Inc. (Deutsche Telekom AG)
Inventors
Engan, Michael, McDorman, Douglas, Velusamy, Senthil Kumar Mulluppadi, Subramaniam, Komethagan
Primary Examiner(s)
Lwin, Maung T

Application Number

US15/788,731
Publication Number

US 20190124070A1
Time in Patent Office

782 Days
Field of Search

None
US Class Current
CPC Class Codes

H04L 63/0272   Virtual private networks

H04L 63/0435   wherein the sending and rec...

H04L 63/0442   wherein the sending and rec...

H04L 63/061   for key exchange, e.g. in p...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/0815   providing single-sign-on or...

H04L 63/10   for controlling access to d...

H04L 63/166   at the transport layer

H04L 9/3213   using tickets or tokens, e....

H04L 9/3234   involving additional secure...

H04L 9/3247   involving digital signatures

H04W 12/03   Protecting confidentiality,...

H04W 12/069   using certificates or pre-s...

Authentication token with client key

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

10 Claims

Specification

Solutions

Use Cases

Quick Links

Authentication token with client key

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

10 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links