Two-token based authenticated session management
First Claim
1. A method of maintaining a web session for a user:
by a first user agent of a first electronic device that is being used by a user, the first user agent being a first software application;
transmitting a first authentication request to a login endpoint of a service provider, wherein the first authentication request comprises a request to access a first web resource and includes a login credential for the user at the first web resource;
receiving, from the login endpoint, a first access token and a grant token in response to the first authentication request, wherein the first access token has a life that is shorter than a life of the grant token such that the grant token is relatively long-lived and the first access token is relatively short-lived;
receiving, from the login endpoint further in response to the first authentication request, addresses of a plurality of re-authentication endpoints, wherein each of the plurality of re-authentication endpoints serves a respective top-level domain (TLD) of the service provider, the plurality of re-authentication endpoints includes a first re-authentication endpoint serving a first TLD of the first web resource and a second re-authentication endpoint serving a second TLD of a second web resource, and wherein the login endpoint is different from the plurality of re-authentication endpoints;
storing the first access token in a memory;
using the first access token to access the first web resource and establish a web session;
when the first access token expires or is about to expire, transmitting a re-authentication request to the first re-authentication endpoint serving the first TLD, the re-authentication request including the grant token;
receiving a second access token in response to the re-authentication request from the first re-authentication endpoint, wherein the second access token has a life that is shorter than the life of the grant token;
using the second access token to access the first web resource and maintain the web session;
generating a second authentication request that comprises a request to access the second web resource on the second TLD, the second authentication request including the grant token;
transmitting the second authentication request to the second re-authentication endpoint serving the second TLD;
receiving, from the second re-authentication endpoint, a third access token in response to the second authentication request; and
using the third access token to access the second web resource and maintain the web session.
Abstract
A system maintains a web session across multiple web resources and/or devices using a two-token model. A user agent transmits an authentication request to a login endpoint. The user agent has access to a grant token and receives an access token in response to the authentication request. The grant token is relatively long-lived and the access token is relatively short-lived. The user agent uses the access token to access the first web resource and establish a web session. When the access token expires or is about to expire, the user agent transmits a re-authentication request carrying the grant token to a re-authentication endpoint. The user agent then receives a second access token from the re-authentication endpoint and uses it to access the web resource and maintain the web session.
23 Claims
1. (Independent claim 1 is set out in full under First Claim above; claims 2 to 14 depend from it.)
15. A method of maintaining a web session for a user:
receiving, by a login endpoint of a service provider from a first user agent of a first electronic device, a first authentication request to access a first web resource with which the login endpoint is associated, wherein the first authentication request includes a login credential for the user at the first web resource, wherein the first user agent is a first software application;
generating, by the login endpoint, a first access token in response to the first authentication request, wherein the first access token will authorize the first user agent to access the first web resource;
generating, by the login endpoint, a grant token so that the grant token has a life that is longer than a life of the first access token so that the grant token is relatively long-lived and the first access token is relatively short-lived;
transmitting, by the login endpoint to the first user agent of the first electronic device, the grant token, the first access token, and addresses of a plurality of re-authentication endpoints, wherein each of the plurality of re-authentication endpoints serves a respective top-level domain (TLD) of the service provider, the plurality of re-authentication endpoints includes a first re-authentication endpoint serving a first TLD of the first web resource and a second re-authentication endpoint serving a second TLD of a second web resource, wherein the login endpoint is different from the plurality of re-authentication endpoints;
establishing, by the login endpoint, a web session for the user;
when the first access token has expired or is about to expire, receiving, by the first re-authentication endpoint from the first user agent of the first electronic device, a re-authorization request that includes the grant token;
determining, by the first re-authentication endpoint, whether the grant token is valid;
if the grant token is invalid, denying, by the first re-authentication endpoint, the re-authorization request;
if the grant token is valid, sending, by the first re-authentication endpoint, a second access token to the first electronic device, wherein the first access token will authorize the first user agent to access the first web resource and thus maintain the web session;
receiving, by the second re-authentication endpoint from the first user agent, a second authentication request to access the second web resource on the second TLD, determining, by the second re-authentication endpoint, that the second authentication request includes the grant token, and confirming that the grant token is valid;
generating, by the second re-authentication endpoint, a third access token in response to the second authentication request, wherein the third access token will permit the first user agent to access the second web resource and maintain the web session; and
transmitting, by the second re-authentication endpoint, the third access token to the first electronic device.
(Dependent claims: 16, 17, 18, 19, 20, 21, 22, 23.)
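The flow of claims 1 and 15, as an added Python simulation that is not the patent's own code: the login endpoint issues a short-lived access token, a long-lived grant token and the per-TLD re-authentication addresses; each re-authentication endpoint accepts only a valid grant token and issues an access token scoped to its own TLD, denying anything else. User names, passwords, TTLs and endpoint URLs are constructed, and tokens are modelled as opaque server-side records rather than signed tokens, which the claims do not prescribe.

```python
import secrets
from dataclasses import dataclass, field
ACCESS_TTL, GRANT_TTL = 300, 86400  # seconds: access token short-lived, grant token long-lived
REAUTH_ENDPOINTS = {"https://auth.example.com/reauth": "example.com",   # constructed: one
                    "https://auth.example.org/reauth": "example.org"}   # endpoint per TLD

@dataclass
class ServiceProvider:
    """Server-side state shared by the login endpoint and the per-TLD re-auth endpoints."""
    users: dict = field(default_factory=lambda: {"alice": "correct-horse"})  # constructed
    grants: dict = field(default_factory=dict)  # grant token -> (user, expires_at)
    access: dict = field(default_factory=dict)  # access token -> (user, tld, expires_at)
    def _issue_access(self, user, tld, now):
        tok = secrets.token_urlsafe(32)
        self.access[tok] = (user, tld, now + ACCESS_TTL)
        return tok

    def login(self, user, password, now):
        """Login endpoint: credential -> first access token, grant token, re-auth addresses."""
        if not secrets.compare_digest(self.users.get(user, ""), password):
            return None
        grant = secrets.token_urlsafe(32)
        self.grants[grant] = (user, now + GRANT_TTL)
        return {"access": self._issue_access(user, "example.com", now), "grant": grant,
                "reauth": {tld: addr for addr, tld in REAUTH_ENDPOINTS.items()}}

    def reauth(self, address, grant, now):
        """Re-auth endpoint for one TLD: a valid grant token yields an access token for that TLD only."""
        entry = self.grants.get(grant)
        if entry is None or entry[1] <= now:
            return None  # invalid or expired grant token: deny the re-authorization request
        return self._issue_access(entry[0], REAUTH_ENDPOINTS[address], now)
    def resource(self, tld, access, now):
        """Protected web resource: accepts only an unexpired access token issued for its TLD."""
        entry = self.access.get(access)
        return entry is not None and entry[1] == tld and entry[2] > now

def run_session(sp, now=1_000_000):
    """User-agent side of claim 1; returns what each step observed."""
    creds = sp.login("alice", "correct-horse", now)
    seen = {"first": sp.resource("example.com", creds["access"], now)}
    now += ACCESS_TTL + 1  # first access token has expired; grant token is still valid
    seen["expired"] = sp.resource("example.com", creds["access"], now)
    second = sp.reauth(creds["reauth"]["example.com"], creds["grant"], now)
    seen["second"] = sp.resource("example.com", second, now)
    third = sp.reauth(creds["reauth"]["example.org"], creds["grant"], now)  # other TLD, same grant
    seen["third"] = sp.resource("example.org", third, now)
    seen["cross_tld"] = sp.resource("example.com", third, now)  # access token bound to its TLD
    seen["forged"] = sp.reauth(creds["reauth"]["example.org"], "not-a-grant", now) is None
    return seen
```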