Refresh token for credential renewal

US 10,567,381 B1
Filed: 12/17/2015
Issued: 02/18/2020
Est. Priority Date: 12/17/2015
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method, comprising:

receiving a request for access to one or more resources in a multi-tenant computing environment, the request sent from a client device associated with a customer of the multi-tenant environment;

receiving a security credential associated with the request, the security credential including information associated with the customer and having a specified lifetime;

performing a first determination that the customer is authorized to access the one or more resources;

granting access to the one or more resources for the specified lifetime of the security credential;

modifying configuration information of the one or more resources corresponding to generate first modified configuration information, the first modified configuration information corresponding to a change in criteria to access the one or more resources using the security credential;

determining that the specified lifetime of the security credential will end within a determined future time period;

receiving, from the client device and before the end of the specified lifetime of the security credential, indication of proof of possession of a refresh token for the security credential;

performing a second determination that the customer is authorized to access the one or more resources using the refresh token according to the first modified configuration information;

causing the security credential to be renewed for an additional specified lifetime; and

granting access to the one or more resources for the additional specified lifetime of the security credential.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Security credentials issued by an entity, such as an identity broker, can have a limited lifetime. Access to resources or content under those credentials then can only be obtained for a limited period of time, limiting the ability of an unauthorized entity obtaining the credentials to utilize those credentials for access. Along with the credentials, a refresh token can be issued to a requesting client that can enable the limited lifetime of the credentials to be renewed up to a maximum lifetime of the credentials and/or the token. A service providing access can determine that the client has a valid copy of the refresh token when the credentials are about to expire, and if so can cause the lifetime of the credentials to be extended another credential lifetime. This renewal can be done transparent to a user and without again contacting the identity broker.

69 Citations

View as Search Results

20 Claims

1. A computer-implemented method, comprising:
- receiving a request for access to one or more resources in a multi-tenant computing environment, the request sent from a client device associated with a customer of the multi-tenant environment;
  
  receiving a security credential associated with the request, the security credential including information associated with the customer and having a specified lifetime;
  
  performing a first determination that the customer is authorized to access the one or more resources;
  
  granting access to the one or more resources for the specified lifetime of the security credential;
  
  modifying configuration information of the one or more resources corresponding to generate first modified configuration information, the first modified configuration information corresponding to a change in criteria to access the one or more resources using the security credential;
  
  determining that the specified lifetime of the security credential will end within a determined future time period;
  
  receiving, from the client device and before the end of the specified lifetime of the security credential, indication of proof of possession of a refresh token for the security credential;
  
  performing a second determination that the customer is authorized to access the one or more resources using the refresh token according to the first modified configuration information;
  
  causing the security credential to be renewed for an additional specified lifetime; and
  
  granting access to the one or more resources for the additional specified lifetime of the security credential.
- View Dependent Claims (2, 3, 4)
- - 2. The computer-implemented method of claim 1, further comprising:
    - determining a type of change to the configuration information by the modifying; and
      
      causing the security credential to be renewed in response to the type of change being a first type of change corresponding to a set of permissible changes.
  - 3. The computer-implemented method of claim 1, further comprising:
    - determining a type of change to the configuration information by the modifying; and
      
      causing the security credential to not be renewed in response to the type of change being a second type of change, the second type of change not including a permissible change.
  - 4. The computer-implemented method of claim 1, further comprising:
    - further modifying the configuration information to generate second modified configuration information;
      
      determining that the specified lifetime of the security credential will end within a second future time period;
      
      receiving, from the client device, a second indication of proof of possession of the refresh token for the security credential;
      
      determining, per a third determination, that the customer is no longer authorized to access the one or more resources using the refresh token according to the second modified configuration information; and
      
      causing access to the one or more resources to be revoked at an end of the additional specified lifetime of the security credential.

5. A computer-implemented method, comprising:
- receiving, from a client, a request to perform at least one task using one or more electronic resources, the request associated with a credential for a user associated with the request;
  
  performing a first determination that the user is authorized to have the at least one task performed using the one or more electronic resources;
  
  performing the at least one task for up to a lifetime of the credential;
  
  modifying, during the lifetime of the credential, configuration information of the one or more electronic resources to generate modified configuration information, the first modified configuration information corresponding to a change in criteria to access the one or more electronic resources using the credential;
  
  determining, proximate to an end of the lifetime, that the client possesses a valid refresh token associated with the credential;
  
  performing a second determination, with respect to the modified configuration information, that the user is still authorized to have the at least one task performed under the credential; and
  
  extending the lifetime of the credential for the performing of the at least one task.
- View Dependent Claims (6, 7, 8, 9, 10, 11, 12, 13)
- - 6. The computer-implemented method of claim 5, wherein extending the lifetime of the credential further comprises:
    - determining a lifetime period of the credential;
      
      determining a maximum lifetime of the credential; and
      
      extending the lifetime by an additional lifetime period up to a maximum lifetime of the credential.
  - 7. The computer-implemented method of claim 5, further comprising:
    - verifying possession of the valid refresh token, the refresh token including at least one of identifying information for the customer, customer account information, or customer policy information.
  - 8. The computer-implemented method of claim 5, wherein the valid refresh token enables the credential to have the lifetime extended without contacting an identity broker having issued the credential.
  - 9. The computer-implemented method of claim 5, wherein the refresh token was issued with the credential, the refresh token being provided for storage on the client.
  - 10. The computer-implemented method of claim 5, wherein the valid refresh token is invalidated at an end of a maximum lifetime of the valid refresh token or upon a change to one or more authorization conditions under which the refresh token was issued.
  - 11. The computer-implemented method of claim 5, wherein performing the second determination includes determining that a difference between initial configuration information at a time of issuance of the credential and the modified configuration information falls within a set of permissible changes.
  - 12. The computer-implemented method of claim 8, wherein the credential enables the one or more resources to assume a role associated with the credential, the role enabling the one or more resources to perform the at least one task.
  - 13. The computer-implemented method of claim 5, further comprising:
    - initiating a session for performing the at least one task in response to performing the first determination that the user is authorized; and
      
      continuing the session for the performing in response to performing the second determination that the user is still authorized.

14. A system, comprising:
- at least one processor; and
  
  memory including instructions that, when executed by the at least one processor, cause the system to;
  
  receive, from a client, a request to perform at least one task using one or more electronic resources, the request associated with a credential for a user associated with the request;
  
  perform a first determination that the user is authorized to have the at least one task performed using the one or more electronic resources;
  
  perform the at least one task for up to a lifetime of the credential;
  
  modify, during the lifetime of the credential, configuration information of the one or more electronic resources to generate modified configuration information, the first modified configuration information corresponding to a change in criteria to access the one or more electronic resources using the credential;
  
  determine, proximate to an end of the lifetime, that the client possesses a valid refresh token associated with the credential;
  
  perform a second determination, with respect to the modified configuration information, that the user is still authorized to have the at least one task performed under the credential; and
  
  extend the lifetime of the credential for the performing of the at least one task.
- View Dependent Claims (15, 16, 17, 18, 19, 20)
- - 15. The system of claim 14, wherein the instructions when executed further cause the system to:
    - determine a lifetime period of the credential;
      
      determine a maximum lifetime of the credential; and
      
      extend the lifetime by an additional lifetime period up to a maximum lifetime of the credential.
  - 16. The system of claim 14, wherein the instructions when executed further cause the system to:
    - verify possession of the valid refresh token, the refresh token including at least one of identifying information for the customer, customer account information, or customer policy information.
  - 17. The system of claim 14, wherein the valid refresh token enables the credential to have the lifetime extended without contacting an identity broker having issued the credential.
  - 18. The system of claim 14, wherein the valid refresh token is invalidated at an end of a maximum lifetime of the valid refresh token or in response to a change to one or more authorization conditions under which the refresh token was issued, wherein the maximum lifetime of the valid refresh token is specifiable by the client.
  - 19. The system of claim 14, wherein the credential enables the one or more resources to assume a role associated with the credential, the role enabling the one or more resources to perform the at least one task.
  - 20. The system of claim 14, wherein performing the second determination includes determining that a difference between initial configuration information of the one or more resources at a time of issuance of the credential and the modified configuration information falls within a set of permissible changes.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Baer, Graeme David, Frenkel, Dmitry, Barbour, Marc R.
Primary Examiner(s)
Naghdali, Khalil

Application Number

US14/972,676
Time in Patent Office

1,524 Days
Field of Search

None
US Class Current
CPC Class Codes

H04L 63/068   using time-dependent keys, ...

H04L 63/10   for controlling access to d...

H04L 63/104   Grouping of entities

Refresh token for credential renewal

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

69 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Refresh token for credential renewal

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

69 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links