Two-token based authenticated session management

US 10,541,992 B2
Filed: 12/30/2016
Issued: 01/21/2020
Est. Priority Date: 12/30/2016
Status: Active Grant

First Claim

Patent Images

1. A method of maintaining a web session for a user:

by a first user agent of a first electronic device that is being used by a user, the first user agent being a first software application;

transmitting a first authentication request to a login endpoint of a service provider, wherein the first authentication request comprises a request to access a first web resource and includes a login credential for the user at the first web resource;

receiving, from the login endpoint, a first access token and a grant token in response to the first authentication request, wherein the first access token has a life that is shorter than a life of the grant token such that the grant token is relatively long-lived and the first access token is relatively short-lived;

receiving, from the login endpoint further in response to the first authentication request, addresses of a plurality of re-authentication endpoints, wherein each of the plurality of re-authentication endpoints serves a respective top-level domain (TLD) of the service provider, the plurality of re-authentication endpoints includes a first re-authentication endpoint serving a first TLD of the first web resource and a second re-authentication endpoint serving a second TLD of a second web resource, and wherein the login endpoint is different from the plurality of re-authentication endpoints;

storing the first access token in a memory;

using the first access token to access the first web resource and establish a web session;

when the first access token expires or is about to expire, transmitting a re-authentication request to the first re-authentication endpoint serving the first TLD, the re-authentication request including the grant token;

receiving a second access token in response to the re-authentication request from the first re-authentication endpoint, wherein the second access token has a life that is shorter than the life of the grant token;

using the second access token to access the first web resource and maintain the web session;

generating a second authentication request that comprises a request to access the second web resource on the second TLD, the second authentication request including the grant token;

transmitting the second authentication request to the second re-authentication endpoint serving the second TLD;

receiving, from the second re-authentication endpoint, a third access token in response to the second authentication request; and

using the third access token to access the second web resource and maintain the web session.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system maintains a web session across multiple web resources and/or devices using a two-token model. A user agent transmits an authentication request to a login endpoint. The user agent have access to a grant token, and it will receive an access token in response to the authentication request. The grant token is relatively long-lived and the first access token is relatively short-lived. The user agent will use the access token to access the first web resource and establish a web session. When the access token expires or is about to expire, the user agent will transmit a re-authentication request with the grant token to a re-authentication endpoint. The user agent will then receive a second access token from the re-authentication endpoint. The user agent will then use the second access token to access the web resource and maintain the web session.

Citations

23 Claims

1. A method of maintaining a web session for a user:
- by a first user agent of a first electronic device that is being used by a user, the first user agent being a first software application;
  
  transmitting a first authentication request to a login endpoint of a service provider, wherein the first authentication request comprises a request to access a first web resource and includes a login credential for the user at the first web resource;
  
  receiving, from the login endpoint, a first access token and a grant token in response to the first authentication request, wherein the first access token has a life that is shorter than a life of the grant token such that the grant token is relatively long-lived and the first access token is relatively short-lived;
  
  receiving, from the login endpoint further in response to the first authentication request, addresses of a plurality of re-authentication endpoints, wherein each of the plurality of re-authentication endpoints serves a respective top-level domain (TLD) of the service provider, the plurality of re-authentication endpoints includes a first re-authentication endpoint serving a first TLD of the first web resource and a second re-authentication endpoint serving a second TLD of a second web resource, and wherein the login endpoint is different from the plurality of re-authentication endpoints;
  
  storing the first access token in a memory;
  
  using the first access token to access the first web resource and establish a web session;
  
  when the first access token expires or is about to expire, transmitting a re-authentication request to the first re-authentication endpoint serving the first TLD, the re-authentication request including the grant token;
  
  receiving a second access token in response to the re-authentication request from the first re-authentication endpoint, wherein the second access token has a life that is shorter than the life of the grant token;
  
  using the second access token to access the first web resource and maintain the web session;
  
  generating a second authentication request that comprises a request to access the second web resource on the second TLD, the second authentication request including the grant token;
  
  transmitting the second authentication request to the second re-authentication endpoint serving the second TLD;
  
  receiving, from the second re-authentication endpoint, a third access token in response to the second authentication request; and
  
  using the third access token to access the second web resource and maintain the web session.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The method of claim 1, wherein using the second access token to maintain the web session comprises sending the second access token to the first web resource.
  - 3. The method of claim 1 further comprising, by the first user agent of the first electronic device:
    - receiving, from the user, a command to terminate the web session;
      
      removing the grant token from the first electronic device in response to the command; and
      
      sending a logout command to an endpoint device that is associated with the first web resource.
  - 4. The method of claim 3, wherein the logout command comprises a command for the first re-authentication endpoint or a user profile server to delete the grant token.
  - 5. The method of claim 1, wherein transmitting the re-authentication request comprises transmitting a request that comprises:
    - a header having an authentication field in which the grant token is placed;
      
      ora hash that is derived from the grant token.
  - 6. The method of claim 1, wherein the grant token includes a user identifier and a timestamp indicating a time at which the grant token was created.
  - 7. The method of claim 6 further comprising, by the login endpoint, generating a web token that comprises the grant token and one or more of the following fields:
    - an identifier of the first access token;
      
      an expiration time of the first access token;
      
      oran address from which an image of the user may be returned.
  - 8. The method of claim 1 further comprising, by the first user agent:
    - generating a third authentication request that comprises a request to access a third web resource on the first TLD, the third authentication request including the grant token;
      
      transmitting the third authentication request to the first re-authentication endpoint serving the first TLD;
      
      receiving a fourth access token in response to the third authentication request; and
      
      using the fourth access token to access the third web resource and maintain the web session.
  - 9. The method of claim 1, further comprising, by a second user agent that is being used by the user:
    - generating a third authentication request that comprises a request to access a third web resource on the first TLD, and including the grant token in the third authentication request;
      
      transmitting the third authentication request to the first re-authentication endpoint serving the first TLD;
      
      receiving a fourth access token in response to the third authentication request; and
      
      using the fourth access token to access the third web resource and maintain the web session.
  - 10. The method of claim 1, further comprising:
    - discovering a second electronic device that is in a communication range of the first electronic device;
      
      determining that the second electronic device also includes a virtual session manager that includes the grant token;
      
      when transmitting the first authentication request to login endpoint, doing so via the virtual session manager of the second electronic device so that the second electronic device can present the grant token to the first re-authentication endpoint; and
      
      when receiving the first access token in response to the first authentication request, doing so via the virtual session manager after the virtual session manager received the first access token from the first re-authentication endpoint.
  - 11. The method of claim 10, wherein:
    - identifying the grant token is done by the virtual session manager of the second electronic device and not by the first electronic device; and
      
      establishing the web session is done without the first electronic device receiving any access to the grant token.
  - 12. The method of claim 10, further comprising, by the first user agent of the first electronic device:
    - when receiving the first access token from the virtual session manager, also receiving one or more rules from the virtual session manager; and
      
      applying the rules when accessing the first web resource.
  - 13. The method of claim 10, further comprising, by the first user agent of the first electronic device:
    - when receiving the first access token from the virtual session manager, also receiving a history from the virtual session manager, wherein the history includes one or more parameters associated with the user'"'"'s prior use of the first web resource; and
      
      when accessing the first web resource, automatically sending the parameters to the first web resource to maintain or automatically reconnect to the web session so that the web session is uninterrupted without manually entering the parameters.
  - 14. The method of claim 1, further comprising, by the first electronic device:
    - determining that the user has a plurality of available login credentials for the first web resource;
      
      causing the first electronic device to prompt the user to select an account from a set of candidate accounts, wherein each of the candidate accounts is associated with one of the available login credentials;
      
      receiving, from the user, a selected one of the candidate accounts in response to the prompt; and
      
      using the login credential for the selected candidate account as the login credential for the first authentication request.

15. A method of maintaining a web session for a user:
- receiving, by a login endpoint of a service provider from a first user agent of a first electronic device, a first authentication request to access a first web resource with which the login endpoint is associated, wherein the first authentication request includes a login credential for the user at the first web resource, wherein the first user agent is a first software application;
  
  generating, by the login endpoint, a first access token in response to the first authentication request, wherein the first access token will authorize the first user agent to access the first web resource;
  
  generating, by the login endpoint, a grant token so that the grant token has a life that is longer than a life of the first access token so that the grant token is relatively long-lived and the first access token is relatively short-lived;
  
  transmitting, by the login endpoint to the first user agent of the first electronic device, the grant token, the first access token, and addresses of a plurality of re-authentication endpoints, wherein each of the plurality of re-authentication endpoints serves a respective top-level domain (TLD) of the service provider, the plurality of re-authentication endpoints includes a first re-authentication endpoint serving a first TLD of the first web resource and a second re-authentication endpoint serving a second TLD of a second web resource, wherein the login endpoint is different from the plurality of re-authentication endpoints;
  
  establishing, by the login endpoint, a web session for the user;
  
  when the first access token has expired or is about to expire, receiving, by the first re-authentication endpoint from the first user agent of the first electronic device, a re-authorization request that includes the grant token;
  
  determining, by the first re-authentication endpoint, whether the grant token is valid;
  
  if the grant token is invalid, denying, by the first re-authentication endpoint, the re-authorization request;
  
  if the grant token is valid, sending, by the first re-authentication endpoint, a second access token to the first electronic device, wherein the first access token will authorize the first user agent to access the first web resource and thus maintain the web session;
  
  receiving, by the second re-authentication endpoint from the first user agent, a second authentication request to access the second web resource on the second TLD,determining, by the second re-authentication endpoint, that the second authentication request includes the grant token, and confirming that the grant token is valid;
  
  generating, by the second re-authentication endpoint, a third access token in response to the second authentication request, wherein the third access token will permit the first user agent to access the second web resource and maintain the web session; and
  
  transmitting, by the second re-authentication endpoint, the third access token to the first electronic device.
- View Dependent Claims (16, 17, 18, 19, 20, 21, 22, 23)
- - 16. The method of claim 15, wherein determining whether the grant token is valid comprises requiring one or more of the following as a condition of determining that the grant token is valid:
    - determining that the user has not changed an access credential since a most recent prior access request;
      
      ordetermining that no known account associated with the user has been flagged as having encountered suspicious activity that may indicate that the account has been compromised.
  - 17. The method of claim 15, further comprising, by the first re-authentication endpoint:
    - receiving a logout command from the user;
      
      determining that the logout command includes an identifier for the grant token;
      
      deleting or causing the first web resource to delete the grant token from a memory; and
      
      causing the first web resource to clear the first access token so that the first access token can no longer be used to access the first web resource.
  - 18. The method of claim 15, further comprising, before generating the grant token, confirming by the login endpoint that the first user agent supports a two-token model by determining whether a header of the first access request includes a two-token model identifier.
  - 19. The method of claim 15, further comprising, by the first re-authentication endpoint:
    - generating a session record that includes the grant token, a time at which the grant token was created, and an identifier of the user agent; and
      
      maintaining the session record in a memory until the first re-authentication endpoint;
      
      receives a logout command from the user,determines that more than a threshold number of sessions are currently active for the user, ordetermines that an account associated with the user has been flagged as having encountered suspicious activity that may indicate that the account has been compromised.
  - 20. The method of claim 15, further comprising, by the login endpoint, generating a web token that comprises the grant token and one or more of the following fields:
    - an identifier of the first access token;
      
      an expiration time of the first access token;
      
      oran address from which an image of the user may be returned.
  - 21. The method of claim 15, by the first re-authentication endpoint:
    - receiving, from the first user agent, a third authentication request to access a third web resource on the first TLD,determining that the third authentication request includes the grant token, and confirming that the grant token is valid;
      
      generating a fourth access token in response to the third authentication request, wherein the fourth access token will permit the first user agent to access the third web resource and maintain the web session; and
      
      transmitting the fourth access token to the first electronic device.
  - 22. The method of claim 15, by the first re-authentication endpoint:
    - receiving, from a second user agent that is being used by the user, a third authentication request to access a third web resource on the first TLD,determining that the third authentication request includes the grant token, and confirming that the grant token is valid;
      
      generating a fourth access token in response to the third authentication request, wherein the fourth access token will permit the second user agent to access the third web resource and maintain the web session; and
      
      transmitting the fourth access token to an electronic device that includes the second user agent.
  - 23. The method of claim 22, wherein the method further comprises, by the login endpoint:
    - determining that the first authentication request is indirectly received from the first user agent of the first electronic device via a second electronic device that includes a virtual session manager; and
      
      after generating the grant token, transmitting the grant token to the second electronic device but not to the first electronic device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Google LLC (Alphabet Inc.)
Original Assignee
Google LLC (Alphabet Inc.)
Inventors
Kong, Guibin, Agarwal, Naveen
Primary Examiner(s)
Zarrineh, Shahriar

Application Number

US15/395,448
Publication Number

US 20180191700A1
Time in Patent Office

1,117 Days
Field of Search

726 9
US Class Current
CPC Class Codes

H04L 41/046   comprising network manageme...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/083   using passwords cryptograph...

H04L 63/0884   by delegation of authentica...

H04L 63/108   when the policy decisions a...

H04L 67/02   based on web technology, e....

H04L 67/14   Session management for real...

H04L 67/146   Markers for unambiguous ide...

H04L 67/306   User profiles

Two-token based authenticated session management

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

Two-token based authenticated session management

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links