Method and system to provide additional security mechanism for packaged web applications

US 10,554,643 B2
Filed: 12/19/2014
Issued: 02/04/2020
Est. Priority Date: 12/20/2013
Status: Active Grant

First Claim

Patent Images

1. A method for authenticating an application by an authorization server, the method comprising:

receiving, by the authorization server related to a first application, from a web runtime engine in a device, a registration request to register a second application with the authorization server for accessing a protected resource stored in a resource server of the first application;

transmitting, by the authorization server, a first redirect uniform resource identifier (URI) including a first parameter-value pair assigned to the second application to the web runtime engine, in response to the registration request, the first redirect URI being stored in the web runtime engine;

receiving, by the authorization server, an access request to access the protected resource by the second application from the web runtime engine; and

transmitting, by the authorization server, the access request to the resource server using a second redirect URI corresponding to a redirect endpoint of the second application,wherein the second redirect URI is intercepted by the web runtime engine before the access request is transmitted from the authorization server to the resource server,wherein a second parameter-value pair included in the intercepted second redirect URI is compared by the web runtime engine to the first parameter-value pair included in the first redirect URI stored in the web runtime engine, and the web runtime engine is configured to transmit, to the second application, an access grant to grant an access to the protected resource in response to the access request based on a comparison result that the second parameter-value pair matches the first parameter-value pair, andwherein all redirect endpoints of the second application include the first parameter-value pair.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for authenticating a client application by an authorization server is provided. In the method, the authorization server transmits a first redirect identifier assigned to a client application to a web runtime engine, in response to receiving a registering request to register with the authorization server of the client application; receives an access request to access a protected resource stored on a resource server by the client application: and transmits the access request to the resource server through the web runtime engine using a second redirect identifier corresponding to a redirect endpoint of the client application. The second redirect identifier is intercepted by the web runtime engine, and the protected resource is accessed by the client application based on a comparing result between the first redirect identifier and the second redirect identifier in the web runtime engine.

53 Citations

View as Search Results

16 Claims

1. A method for authenticating an application by an authorization server, the method comprising:
- receiving, by the authorization server related to a first application, from a web runtime engine in a device, a registration request to register a second application with the authorization server for accessing a protected resource stored in a resource server of the first application;
  
  transmitting, by the authorization server, a first redirect uniform resource identifier (URI) including a first parameter-value pair assigned to the second application to the web runtime engine, in response to the registration request, the first redirect URI being stored in the web runtime engine;
  
  receiving, by the authorization server, an access request to access the protected resource by the second application from the web runtime engine; and
  
  transmitting, by the authorization server, the access request to the resource server using a second redirect URI corresponding to a redirect endpoint of the second application,wherein the second redirect URI is intercepted by the web runtime engine before the access request is transmitted from the authorization server to the resource server,wherein a second parameter-value pair included in the intercepted second redirect URI is compared by the web runtime engine to the first parameter-value pair included in the first redirect URI stored in the web runtime engine, and the web runtime engine is configured to transmit, to the second application, an access grant to grant an access to the protected resource in response to the access request based on a comparison result that the second parameter-value pair matches the first parameter-value pair, andwherein all redirect endpoints of the second application include the first parameter-value pair.
- View Dependent Claims (2, 3, 13)
- - 2. The method of claim 1, wherein the protected resource is accessed by the second application based on the access grant.
  - 3. The method of claim 1, wherein the access request is transmitted to the resource server by the web runtime engine based on the comparison result that the second parameter-value pair matches the first parameter-value pair.
  - 13. The method of claim 1, wherein the first parameter-value pair includes one of a fixed string and a randomly generated string, andwherein the first parameter-value pair is different from a third parameter-value pair included in all redirect endpoints of a third application, the third application being different from the first application.

4. An authorization server, the authorization server comprising:
- a transceiver; and
  
  a processor configured to control the transceiver to;
  
  receive, from a web runtime engine in a device, a registration request to register a second application with the authorization server related to a first application for accessing a protected resource stored in a resource server of the first application;
  
  transmit a first redirect uniform resource identifier (URI) including a first parameter-value pair assigned to the second application to the web runtime engine, in response to the registration request, the first redirect URI being stored in the web runtime engine;
  
  receive an access request to access the protected resource by the second application, the protected resource including data generated by the first application; and
  
  transmit the access request to the resource server using a second redirect URI corresponding to a redirect endpoint of the second application,wherein the second redirect URI is intercepted by the web runtime engine before the access request is transmitted from the authorization server to the resource server,wherein a second parameter-value pair included in the intercepted second redirect URI is compared by the web runtime engine to the first parameter-value pair included in the first redirect URI stored in the web runtime engine, and the web runtime engine is configured to provide an access grant to access the protected resource to the second application based on a comparison result that the second parameter-value pair matches the first parameter-value pair, andwherein all redirect endpoints of the second application include the first parameter-value pair.
- View Dependent Claims (5, 6, 14)
- - 5. The authorization server of claim 4, wherein the protected resource is accessed by the second application based on the access grant.
  - 6. The authorization server of claim 4, wherein the access request is transmitted to the resource server by the web runtime engine based on the comparison result that the second parameter-value pair matches the first parameter-value pair.
  - 14. The authorization server of claim 4, wherein the first parameter-value pair includes one of a fixed string and a randomly generated string, andwherein the first parameter-value pair is different from a third parameter-value pair included in all redirect endpoints of a third application, the third application being different from the first application.

7. A method for authenticating an application by a web runtime engine in a device, the method comprising:
- transmitting, by the web runtime engine, to an authorization server related to a first application, a registration request to register a second application with the authorization server for accessing a protected resource stored in a resource server of the first application;
  
  receiving, by the web runtime engine, a first redirect uniform resource identifier (URI) including a first parameter-value pair assigned to the second application from the authorization server related to the first application, and storing the first redirect URI in response to transmitting a registration request to register the second application with the authorization server for accessing the protected resource stored in the resource server of the first application;
  
  receive, by the web runtime engine, the registration request to register a second application with the authorization server related to the first application for accessing the protected resource stored in a resource server of the first application;
  
  transmitting, by the web runtime engine, to the authorization server an access request;
  
  intercepting, by the web runtime engine, a second redirect URI from the access request, before the access request is transmitted to the resource server from the authorization server;
  
  comparing, by the web runtime engine, the first parameter-value pair included in the stored first redirect URI and a second parameter-value pair included in the intercepted second redirect URI; and
  
  transmitting, by the web runtime engine, an access grant to grant an access to the protected resource to the second application based on a comparison result that the second parameter-value pair matches the first parameter-value pair,wherein all redirect endpoints of the second application include the first parameter-value pair.
- View Dependent Claims (8, 9, 15)
- - 8. The method of claim 7, wherein the access to the protected resource by the second application is allowed based on the access grant.
  - 9. The method of claim 7, wherein the access request is transmitted to the resource server by the web runtime engine based on the comparison result that the second parameter-value pair matches the first parameter-value pair.
  - 15. The method of claim 7, wherein the first parameter-value pair includes one of a fixed string and a randomly generated string, andwherein the first parameter-value pair is different from a third parameter-value pair included in all redirect endpoints of a third application, the third application being different from the first application.

10. A web runtime engine in a device, the web runtime engine comprising:
- a transceiver;
  
  a memory; and
  
  a processor configured to control the transceiver to;
  
  transmit, to an authorization server related to a first application, a registration request to register a second application with the authorization server for accessing a protected resource stored in a resource server of the first application,receive a first redirect uniform resource identifier (URI) including a first parameter-value pair assigned to the second application from the authorization server related to the first application, and store the first redirect URI at the memory, in response to transmitting the registration request to register the second application with the authorization server for accessing the protected resource stored in the resource server of the first application,receive an access request to access the protected resource from the second application,transmit, to the authorization server, the access request to access the protected resource,intercept a second redirect URIL, from the access request, before the access request is transmitted to the resource server from the authorization server,compare the first parameter-value pair included in the stored first redirect URI and a second parameter-value pair included in the intercepted second redirect URI andtransmit an access grant to grant an access to the protected resource to the second application based on a comparison result that the second parameter-value pair matches the first parameter-value pair,wherein all redirect endpoints of the second application include the first parameter-value pair.
- View Dependent Claims (11, 12, 16)
- - 11. The web runtime engine of claim 10, wherein the access to the protected resource by the second application is allowed based on the access grant.
  - 12. The web runtime engine of claim 10, wherein the access request is transmitted to the resource server by the web runtime engine based on the comparison result that the second parameter-value pair matches the first parameter-value pair.
  - 16. The web runtime engine of claim 10, wherein the first parameter-value pair includes one of a fixed string and a randomly generated string, andwherein the first parameter-value pair is different from a third parameter-value pair included in all redirect endpoints of a third application, the third application being different from the first application.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Samsung Electronics Co. Ltd.
Original Assignee
Samsung Electronics Co. Ltd.
Inventors
Venkataramana, Balaji Nerella, Das, Kaushik, Jamadagni, Satish Nanjunda Swamy, Perumal, Prabhavathi
Primary Examiner(s)
Rahman, Mahfuzur
Assistant Examiner(s)
Cruz-Franqui, Richard W

Application Number

US14/578,090
Publication Number

US 20150180850A1
Time in Patent Office

1,873 Days
Field of Search

None
US Class Current
CPC Class Codes

H04L 63/08 for authentication of entit...

Method and system to provide additional security mechanism for packaged web applications

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

53 Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system to provide additional security mechanism for packaged web applications

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

53 Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links