Method and system to provide additional security mechanism for packaged web applications
First Claim
1. A method for authenticating an application by an authorization server, the method comprising:
- receiving, by the authorization server related to a first application, from a web runtime engine in a device, a registration request to register a second application with the authorization server for accessing a protected resource stored in a resource server of the first application;
- transmitting, by the authorization server, a first redirect uniform resource identifier (URI) including a first parameter-value pair assigned to the second application to the web runtime engine, in response to the registration request, the first redirect URI being stored in the web runtime engine;
- receiving, by the authorization server, an access request to access the protected resource by the second application from the web runtime engine; and
- transmitting, by the authorization server, the access request to the resource server using a second redirect URI corresponding to a redirect endpoint of the second application,
wherein the second redirect URI is intercepted by the web runtime engine before the access request is transmitted from the authorization server to the resource server, wherein a second parameter-value pair included in the intercepted second redirect URI is compared by the web runtime engine to the first parameter-value pair included in the first redirect URI stored in the web runtime engine, and the web runtime engine is configured to transmit, to the second application, an access grant to grant an access to the protected resource in response to the access request based on a comparison result that the second parameter-value pair matches the first parameter-value pair, and wherein all redirect endpoints of the second application include the first parameter-value pair.
Abstract
A method for authenticating a client application by an authorization server is provided. In the method, the authorization server transmits a first redirect identifier assigned to a client application to a web runtime engine, in response to receiving a registration request to register the client application with the authorization server; receives an access request, made by the client application, to access a protected resource stored on a resource server; and transmits the access request to the resource server through the web runtime engine using a second redirect identifier corresponding to a redirect endpoint of the client application. The second redirect identifier is intercepted by the web runtime engine, and the protected resource is accessed by the client application based on a comparison result between the first redirect identifier and the second redirect identifier in the web runtime engine.
53 Citations
16 Claims
- 1. A method for authenticating an application by an authorization server (independent claim; full text given under First Claim above). - View Dependent Claims (2, 3, 13)
- 4. An authorization server, the authorization server comprising:
  - a transceiver; and
  - a processor configured to control the transceiver to:
    - receive, from a web runtime engine in a device, a registration request to register a second application with the authorization server related to a first application for accessing a protected resource stored in a resource server of the first application;
    - transmit a first redirect uniform resource identifier (URI) including a first parameter-value pair assigned to the second application to the web runtime engine, in response to the registration request, the first redirect URI being stored in the web runtime engine;
    - receive an access request to access the protected resource by the second application, the protected resource including data generated by the first application; and
    - transmit the access request to the resource server using a second redirect URI corresponding to a redirect endpoint of the second application,
  wherein the second redirect URI is intercepted by the web runtime engine before the access request is transmitted from the authorization server to the resource server, wherein a second parameter-value pair included in the intercepted second redirect URI is compared by the web runtime engine to the first parameter-value pair included in the first redirect URI stored in the web runtime engine, and the web runtime engine is configured to provide an access grant to access the protected resource to the second application based on a comparison result that the second parameter-value pair matches the first parameter-value pair, and wherein all redirect endpoints of the second application include the first parameter-value pair. - View Dependent Claims (5, 6, 14)
- 7. A method for authenticating an application by a web runtime engine in a device, the method comprising:
  - transmitting, by the web runtime engine, to an authorization server related to a first application, a registration request to register a second application with the authorization server for accessing a protected resource stored in a resource server of the first application;
  - receiving, by the web runtime engine, a first redirect uniform resource identifier (URI) including a first parameter-value pair assigned to the second application from the authorization server related to the first application, and storing the first redirect URI in response to transmitting a registration request to register the second application with the authorization server for accessing the protected resource stored in the resource server of the first application;
  - receiving, by the web runtime engine, the registration request to register a second application with the authorization server related to the first application for accessing the protected resource stored in a resource server of the first application;
  - transmitting, by the web runtime engine, to the authorization server an access request;
  - intercepting, by the web runtime engine, a second redirect URI from the access request, before the access request is transmitted to the resource server from the authorization server;
  - comparing, by the web runtime engine, the first parameter-value pair included in the stored first redirect URI and a second parameter-value pair included in the intercepted second redirect URI; and
  - transmitting, by the web runtime engine, an access grant to grant an access to the protected resource to the second application based on a comparison result that the second parameter-value pair matches the first parameter-value pair,
  wherein all redirect endpoints of the second application include the first parameter-value pair. - View Dependent Claims (8, 9, 15)
- 10. A web runtime engine in a device, the web runtime engine comprising:
  - a transceiver;
  - a memory; and
  - a processor configured to control the transceiver to:
    - transmit, to an authorization server related to a first application, a registration request to register a second application with the authorization server for accessing a protected resource stored in a resource server of the first application,
    - receive a first redirect uniform resource identifier (URI) including a first parameter-value pair assigned to the second application from the authorization server related to the first application, and store the first redirect URI at the memory, in response to transmitting the registration request to register the second application with the authorization server for accessing the protected resource stored in the resource server of the first application,
    - receive an access request to access the protected resource from the second application,
    - transmit, to the authorization server, the access request to access the protected resource,
    - intercept a second redirect URI, from the access request, before the access request is transmitted to the resource server from the authorization server,
    - compare the first parameter-value pair included in the stored first redirect URI and a second parameter-value pair included in the intercepted second redirect URI, and
    - transmit an access grant to grant an access to the protected resource to the second application based on a comparison result that the second parameter-value pair matches the first parameter-value pair,
  wherein all redirect endpoints of the second application include the first parameter-value pair. - View Dependent Claims (11, 12, 16)
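The claims describe one mechanism in four steps: the authorization server binds a parameter-value pair to the packaged application at registration, the web runtime engine stores that first redirect URI, every later redirect is intercepted before the grant reaches the application, and the grant is delivered only when the pair in the intercepted redirect matches the stored one. The following simulation is an added illustration, not code from the patent or its assignee; the parameter name `wrt_app_token`, the `app://` redirect scheme, the class names and the `code` query parameter carrying the grant are all assumptions made for the example.

```python
# Added illustration (not code from the patent): a small simulation of the
# redirect-URI check the claims describe, with the web runtime engine (WRT)
# sitting between a packaged client app and the authorization server.
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse, urlunparse

# Hypothetical name for the parameter-value pair the authorization server
# assigns at registration; the claims do not name it.
PARAM_NAME = "wrt_app_token"


def extract_pair(uri):
    """Return (name, value) for the bound parameter in a redirect URI, or None."""
    query = parse_qs(urlparse(uri).query)
    values = query.get(PARAM_NAME)
    if not values or len(values) != 1:  # absent, or ambiguous because duplicated
        return None
    return (PARAM_NAME, values[0])


def with_query(base, **params):
    """Append query parameters to a redirect endpoint, keeping any existing ones."""
    parts = urlparse(base)
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    query.update(params)
    return urlunparse(parts._replace(query=urlencode(query)))


class AuthorizationServer:
    """Authorization server of the first (resource-owning) application."""

    def __init__(self):
        self.registrations = {}  # client_id -> (redirect endpoint, pair value)
        self.issued_grants = {}  # grant code -> (client_id, scope)

    def register(self, client_id, redirect_endpoint):
        # First redirect URI: the app's endpoint plus a fresh, unguessable pair.
        value = secrets.token_urlsafe(16)
        self.registrations[client_id] = (redirect_endpoint, value)
        return with_query(redirect_endpoint, **{PARAM_NAME: value})

    def handle_access_request(self, client_id, scope):
        # Second redirect URI: the same endpoint and pair, now carrying the grant.
        redirect_endpoint, value = self.registrations[client_id]
        code = secrets.token_urlsafe(12)
        self.issued_grants[code] = (client_id, scope)
        return with_query(redirect_endpoint, **{PARAM_NAME: value, "code": code})


class WebRuntimeEngine:
    """Hosts packaged apps and intercepts every redirect before delivering it."""

    def __init__(self, auth_server):
        self.auth = auth_server
        self.stored_pairs = {}  # client_id -> (name, value) taken from the first redirect URI

    def register_app(self, client_id, redirect_endpoint):
        first_uri = self.auth.register(client_id, redirect_endpoint)
        self.stored_pairs[client_id] = extract_pair(first_uri)
        return first_uri

    def request_access(self, client_id, scope):
        second_uri = self.auth.handle_access_request(client_id, scope)
        return self.intercept(client_id, second_uri)

    def intercept(self, client_id, redirect_uri):
        """Deliver the grant only if the pair matches what was stored at registration."""
        expected = self.stored_pairs.get(client_id)
        actual = extract_pair(redirect_uri)
        if expected is None or actual is None:
            return None  # unregistered app, or a redirect without the pair: drop it
        same_value = hmac.compare_digest(actual[1].encode(), expected[1].encode())
        if actual[0] != expected[0] or not same_value:
            return None  # value mismatch: this redirect is not for that registration
        return parse_qs(urlparse(redirect_uri).query).get("code", [None])[0]


if __name__ == "__main__":
    auth = AuthorizationServer()
    wrt = WebRuntimeEngine(auth)
    first = wrt.register_app("photo-editor", "app://photo-editor/oauth/cb")
    print("first redirect URI:", first)
    print("grant delivered:", wrt.request_access("photo-editor", "photos:read"))
    # A redirect that lacks the pair, or carries a different value, is dropped.
    print("without pair:", wrt.intercept("photo-editor", "app://photo-editor/oauth/cb?code=x"))
    print("wrong value:", wrt.intercept("photo-editor", first.replace(PARAM_NAME + "=", PARAM_NAME + "=x")))
```

The value is generated with `secrets` and compared with `hmac.compare_digest` so that neither guessing nor timing leaks help a second packaged app that registers the same custom-scheme endpoint; the stored pair, not the endpoint string, is what ties a redirect to a registration.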
Specification