Inter-application delegated authentication

US 10,530,774 B2
Filed: 02/05/2018
Issued: 01/07/2020
Est. Priority Date: 04/29/2014
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

launching a first application at a client device;

transmitting, by the first application using a first instance of an authentication engine, a primary authentication request of the first application to an authentication server, the primary authentication request including an application identifier of the first application and a device identifier of the client device;

receiving, from the server, an instruction to use a particular second application on the client device to continue authentication, the instruction including a first cryptographic nonce;

in response to the instruction, transmitting an inter-application authentication request to the second application using the first instance of the authentication engine;

transmitting, by the second application using a second instance of the authentication engine, a verification request to the authentication server;

receiving, from the server, an instruction to authorize the first application, the instruction including a second cryptographic nonce;

transmitting, by the first application, a secondary authentication request using the second cryptographic nonce; and

receiving, from the server, an access token and keys for the first application.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Disclosed is a system for delegating authentication of an untrusted application executing on a client device. For delegated authentication, an untrusted application relies on a trusted application executing in the same environment for authentication purposes. The delegated authentication process avoids requiring the user of the untrusted application to provide authentication credentials. The disclosed system for delegating authentication enables any trusted application executing in the same computing environment to authenticate the untrusted application.

24 Citations

View as Search Results

27 Claims

1. A method comprising:
- launching a first application at a client device;
  
  transmitting, by the first application using a first instance of an authentication engine, a primary authentication request of the first application to an authentication server, the primary authentication request including an application identifier of the first application and a device identifier of the client device;
  
  receiving, from the server, an instruction to use a particular second application on the client device to continue authentication, the instruction including a first cryptographic nonce;
  
  in response to the instruction, transmitting an inter-application authentication request to the second application using the first instance of the authentication engine;
  
  transmitting, by the second application using a second instance of the authentication engine, a verification request to the authentication server;
  
  receiving, from the server, an instruction to authorize the first application, the instruction including a second cryptographic nonce;
  
  transmitting, by the first application, a secondary authentication request using the second cryptographic nonce; and
  
  receiving, from the server, an access token and keys for the first application.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein the primary authentication request includes a hashed identifier of the first application using a last received nonce from the server as a hash key.
  - 3. The method of claim 2, wherein the instruction to launch the second application is received in response to authentication server validation of the primary authentication request based on the hashed identifier.
  - 4. The method of claim 1, whereinthe inter-application authentication request includes the first cryptographic nonce received from the server.
  - 5. The method of claim 1, wherein the second application is a trusted application that was previously authenticated by the authentication server.
  - 6. The method of claim 5, wherein the identifier of the first application transmitted with the verification request is hashed using the first nonce and the verification request is signed using a private key of the second application.
  - 7. The method of claim 1, wherein in response to receiving the instruction to authorize the first application, the second application transmits the second nonce to the first application using an inter-application communication provided by the second instance of the authentication engine.
  - 8. The method of claim 7, wherein transmitting the second authentication request includes generating a hash of the application identifier of the first application using the second nonce and including the hash in the second authentication request.
  - 9. The method of claim 1, wherein the first application uses the authentication token and the keys for subsequent communications that require the first application to be authenticated.

10. A system comprising one or more computers having one or more processors and one or more computer readable storage media, the one or more computer readable storage media storing instructions that when executed by the one or more processors cause the one or more computers to perform operations comprising:
- launching a first application at a client device;
  
  transmitting, by the first application using a first instance of an authentication engine, a primary authentication request of the first application to an authentication server, the primary authentication request including an application identifier of the first application and a device identifier of the client device;
  
  receiving, from the server, an instruction to use a particular second application on the client device to continue authentication, the instruction including a first cryptographic nonce;
  
  in response to the instruction, transmitting an inter-application authentication request to the second application using the first instance of the authentication engine;
  
  transmitting, by the second application using a second instance of the authentication engine, a verification request to the authentication server;
  
  receiving, from the server, an instruction to authorize the first application, the instruction including a second cryptographic nonce;
  
  transmitting, by the first application, a secondary authentication request using the second cryptographic nonce; and
  
  receiving, from the server, an access token and keys for the first application.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The system of claim 10, wherein the primary authentication request includes a hashed identifier of the first application using a last received nonce from the server as a hash key.
  - 12. The system of claim 11, wherein the instruction to launch the second application is received in response to authentication server validation of the primary authentication request based on the hashed identifier.
  - 13. The system of claim 10, whereinthe inter-application authentication request includes the first cryptographic nonce received from the server.
  - 14. The system of claim 10, wherein the second application is a trusted application that was previously authenticated by the authentication server.
  - 15. The system of claim 14, wherein the identifier of the first application transmitted with the verification request is hashed using the first nonce and the verification request is signed using a private key of the second application.
  - 16. The system of claim 10, wherein in response to receiving the instruction to authorize the first application, the second application transmits the second nonce to the first application using an inter-application communication provided by the second instance of the authentication engine.
  - 17. The system of claim 16, wherein transmitting the second authentication request includes generating a hash of the application identifier of the first application using the second nonce and including the hash in the second authentication request.
  - 18. The system of claim 10, wherein the first application uses the authentication token and the keys for subsequent communications that require the first application to be authenticated.

19. One or more non-transitory computer readable storage media, the one or more computer readable storage media storing instructions that when executed by one or more processors cause the one or more processors to perform operations comprising:
- launching a first application at a client device;
  
  transmitting, by the first application using a first instance of an authentication engine, a primary authentication request of the first application to an authentication server, the primary authentication request including an application identifier of the first application and a device identifier of the client device;
  
  receiving, from the server, an instruction to use a particular second application on the client device to continue authentication, the instruction including a first cryptographic nonce;
  
  in response to the instruction, transmitting an inter-application authentication request to the second application using the first instance of the authentication engine;
  
  transmitting, by the second application using a second instance of the authentication engine, a verification request to the authentication server;
  
  receiving, from the server, an instruction to authorize the first application, the instruction including a second cryptographic nonce;
  
  transmitting, by the first application, a secondary authentication request using the second cryptographic nonce; and
  
  receiving, from the server, an access token and for the first application.
- View Dependent Claims (20, 21, 22, 23, 24, 25, 26, 27)
- - 20. The one or more non-transitory computer readable storage media of claim 19, wherein the primary authentication request includes a hashed identifier of the first application using a last received nonce from the server as a hash key.
  - 21. The one or more non-transitory computer readable storage media of claim 20, wherein the instruction to launch the second application is received in response to authentication server validation of the primary authentication request based on the hashed identifier.
  - 22. The one or more non-transitory computer readable storage media of claim 19, whereinthe inter-application authentication request includes the first cryptographic nonce received from the server.
  - 23. The one or more non-transitory computer readable storage media of claim 19, wherein the second application is a trusted application that was previously authenticated by the authentication server.
  - 24. The one or more non-transitory computer readable storage media of claim 23, wherein the identifier of the first application transmitted with the verification request is hashed using the first nonce and the verification request is signed using a private key of the second application.
  - 25. The one or more non-transitory computer readable storage media of claim 19, wherein in response to receiving the instruction to authorize the first application, the second application transmits the second nonce to the first application using an inter-application communication provided by the second instance of the authentication engine.
  - 26. The one or more non-transitory computer readable storage media of claim 25, wherein transmitting the second authentication request includes generating a hash of the application identifier of the first application using the second nonce and including the hash in the second authentication request.
  - 27. The one or more non-transitory computer readable storage media of claim 19, wherein the first application uses the authentication token and the keys for subsequent communications that require the first application to be authenticated.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
X Corp. (f/k/a Twitter, Inc.) (X Holdings Corp.)
Original Assignee
X Corp. (f/k/a Twitter, Inc.) (X Holdings Corp.)
Inventors
Seibert, Jr., Jeffrey, Ducker, Michael
Primary Examiner(s)
Powers, William S

Application Number

US15/889,073
Publication Number

US 20180375865A1
Time in Patent Office

701 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/44   Program or device authentic...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/0815   providing single-sign-on or...

H04L 63/0884   by delegation of authentica...

H04L 63/102   Entity profiles

H04L 9/0819   Key transport or distributi...

H04L 9/3236   using cryptographic hash fu...

H04W 12/43   using shared identity modul...

Inter-application delegated authentication

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

24 Citations

27 Claims

Specification

Use Cases

Quick Links

Others

Inter-application delegated authentication

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

24 Citations

27 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others