Refresh token for credential renewal
Abstract
Security credentials issued by an entity such as an identity broker can have a limited lifetime. Access to resources or content under those credentials can then be obtained only for a limited period of time, which limits the window in which an unauthorized entity that obtains the credentials can use them for access. Along with the credentials, a refresh token can be issued to the requesting client that enables the limited lifetime of the credentials to be renewed, up to a maximum lifetime of the credentials and/or the token. A service providing access can determine that the client holds a valid copy of the refresh token when the credentials are about to expire and, if so, can extend the lifetime of the credentials by another credential lifetime. This renewal can be done transparently to the user and without contacting the identity broker again.
Claims (20)
1. A computer-implemented method, comprising:
receiving a request for access to one or more resources in a multi-tenant computing environment, the request sent from a client device associated with a customer of the multi-tenant environment;
receiving a security credential associated with the request, the security credential including information associated with the customer and having a specified lifetime;
performing a first determination that the customer is authorized to access the one or more resources;
granting access to the one or more resources for the specified lifetime of the security credential;
modifying configuration information of the one or more resources corresponding to generate first modified configuration information, the first modified configuration information corresponding to a change in criteria to access the one or more resources using the security credential;
determining that the specified lifetime of the security credential will end within a determined future time period;
receiving, from the client device and before the end of the specified lifetime of the security credential, indication of proof of possession of a refresh token for the security credential;
performing a second determination that the customer is authorized to access the one or more resources using the refresh token according to the first modified configuration information;
causing the security credential to be renewed for an additional specified lifetime; and
granting access to the one or more resources for the additional specified lifetime of the security credential.
Dependent claims: 2, 3, 4
5. A computer-implemented method, comprising:
receiving, from a client, a request to perform at least one task using one or more electronic resources, the request associated with a credential for a user associated with the request;
performing a first determination that the user is authorized to have the at least one task performed using the one or more electronic resources;
performing the at least one task for up to a lifetime of the credential;
modifying, during the lifetime of the credential, configuration information of the one or more electronic resources to generate modified configuration information, the first modified configuration information corresponding to a change in criteria to access the one or more electronic resources using the credential;
determining, proximate to an end of the lifetime, that the client possesses a valid refresh token associated with the credential;
performing a second determination, with respect to the modified configuration information, that the user is still authorized to have the at least one task performed under the credential; and
extending the lifetime of the credential for the performing of the at least one task.
Dependent claims: 6, 7, 8, 9, 10, 11, 12, 13
14. A system, comprising:
at least one processor; and
memory including instructions that, when executed by the at least one processor, cause the system to:
receive, from a client, a request to perform at least one task using one or more electronic resources, the request associated with a credential for a user associated with the request;
perform a first determination that the user is authorized to have the at least one task performed using the one or more electronic resources;
perform the at least one task for up to a lifetime of the credential;
modify, during the lifetime of the credential, configuration information of the one or more electronic resources to generate modified configuration information, the first modified configuration information corresponding to a change in criteria to access the one or more electronic resources using the credential;
determine, proximate to an end of the lifetime, that the client possesses a valid refresh token associated with the credential;
perform a second determination, with respect to the modified configuration information, that the user is still authorized to have the at least one task performed under the credential; and
extend the lifetime of the credential for the performing of the at least one task.
Dependent claims: 15, 16, 17, 18, 19, 20
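The abstract and independent claims 1, 5 and 14 all describe the same procedure: issue a short-lived credential with a refresh token, grant access for the lifetime, and near expiry verify possession of the refresh token, re-run the authorization decision against the configuration as it stands now, and extend the lifetime without going back to the identity broker, bounded by a maximum lifetime. The following is an added illustration written for this page, not code from the patent or its assignee. It assumes a simple customer-to-resources policy map as the "configuration information", a service-side SHA-256 digest of the refresh token compared in constant time as the "proof of possession", and a fixed renewal window (the `RENEWAL_WINDOW` constant is an assumption); timestamps are passed explicitly so the flow is deterministic.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Assumed value: seconds before expiry in which renewal may be attempted
# ("determined future time period" in claim 1).
RENEWAL_WINDOW = 60.0


@dataclass
class Credential:
    """Credential with a specified lifetime, a hard maximum, and a bound refresh token.
    The service keeps only a digest of the refresh token; the client holds the token."""
    customer: str
    lifetime: float
    expires_at: float
    max_expires_at: float
    refresh_token_hash: bytes


class IdentityBroker:
    """Contacted once: issues the credential together with its refresh token."""

    def issue(self, customer: str, lifetime: float, max_lifetime: float,
              now: float) -> tuple[Credential, bytes]:
        token = secrets.token_bytes(32)
        cred = Credential(
            customer=customer,
            lifetime=lifetime,
            expires_at=now + lifetime,
            max_expires_at=now + max_lifetime,
            refresh_token_hash=hashlib.sha256(token).digest(),
        )
        return cred, token


class ResourceService:
    """Grants access for the credential's lifetime and renews it locally."""

    def __init__(self, policy: dict[str, set[str]]):
        # "configuration information": customer -> resources the customer may use
        self.policy = policy

    def modify_configuration(self, customer: str, resources: set[str]) -> None:
        """Change the access criteria mid-lifetime (the 'modified configuration information')."""
        self.policy[customer] = set(resources)

    def is_authorized(self, cred: Credential, resource: str, now: float) -> bool:
        """Authorization decision against the *current* configuration; used for both
        the first determination and the second one at renewal time."""
        return now < cred.expires_at and resource in self.policy.get(cred.customer, set())

    def expiring_soon(self, cred: Credential, now: float) -> bool:
        """True when the lifetime ends within RENEWAL_WINDOW but has not ended yet."""
        return cred.expires_at - RENEWAL_WINDOW <= now < cred.expires_at

    def renew(self, cred: Credential, resource: str, presented_token: bytes,
              now: float) -> str:
        """Attempt renewal; returns a short reason string so callers can log the outcome."""
        if not self.expiring_soon(cred, now):
            return "not_in_renewal_window"
        # Proof of possession: constant-time comparison of the presented token's digest
        # against the stored digest, so a timing side channel does not leak the token.
        presented_hash = hashlib.sha256(presented_token).digest()
        if not hmac.compare_digest(presented_hash, cred.refresh_token_hash):
            return "bad_refresh_token"
        # Second determination: re-evaluate against the configuration as it is now,
        # so a customer whose access was removed mid-lifetime is not renewed.
        if not self.is_authorized(cred, resource, now):
            return "no_longer_authorized"
        # Extend by one more lifetime, never past the maximum lifetime.
        new_expiry = min(cred.expires_at + cred.lifetime, cred.max_expires_at)
        if new_expiry <= cred.expires_at:
            return "max_lifetime_reached"
        cred.expires_at = new_expiry
        return "renewed"
```

The outcome strings are the points a defender would want in logs: a `bad_refresh_token` burst from one client is a sign of a stolen or guessed credential being replayed, and `no_longer_authorized` shows the mid-lifetime configuration change was actually enforced at renewal rather than only at next issuance.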