Extended OAuth architecture support in a scalable environment

US 10,567,392 B2
Filed: 12/15/2017
Issued: 02/18/2020
Est. Priority Date: 06/30/2017
Status: Active Grant

First Claim

Patent Images

1. A method of sharing one or more valid tokens across multiple instances of an application in a dynamically scalable environment, the method comprising the steps of:

if a computer, which includes an authorization server, issues a corresponding new refresh token for each request for a refresh of each access token, the computer (i) receiving a token request from a client interacting with instances of an application, the client being another computer, the token request including a field indicating a number of tokens required, and the number of tokens being an integer greater than one, (ii) in response to the step of receiving the token request, generating and sharing access and refresh token pairs so that a total number of the access and refresh token pairs equals the number of tokens required included in the token request, and (iii) sending the access and refresh token pairs to the client so that in response to token requests from the instances of the application, the instances of the application obtain respective access and refresh token pairs;

orif the computer does not issue the corresponding new refresh token for each request for the refresh of each access token, the computer (iv) receiving from the client a request for a refresh token, (v) in response to the step of receiving the request for the refresh token, validating an existing access token which is bound to the refresh token, and (vi) in response to the step of validating, if the existing access token is expired, generating and sending to the client a new access token, or in response to the step of validating, if the existing access token is not expired, sending to the client the existing access token;

the computer determining the existing access token is expired;

based on the computer not issuing the corresponding new refresh token for each request for the refresh of each access token, and based on the existing access token being expired, the computer invalidating the existing access token; and

based on the new access token being sent to the client and the existing access token being invalidated, sharing a valid access token with each of the instances of the application, the valid access token being the new access token.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An approach is provided for sharing valid token(s) across application instances. If refresh token rotation is used, (i) a token request is received which includes a number of tokens required, (ii) access and refresh token pairs are generated and shared so that a total number of the pairs equals the number of tokens, and (iii) the access and refresh token pairs are sent to a client so that in response to token requests, the application instances obtain respective access and refresh token pairs. If refresh token rotation is not used, (iv) a request for a refresh token is received, (v) an existing access token is validated, where the access token is bound to the refresh token, and (vi) if the existing access token is expired, a new access token is generated and sent to the client; otherwise, the existing access token is sent to the client.

4 Citations

8 Claims

1. A method of sharing one or more valid tokens across multiple instances of an application in a dynamically scalable environment, the method comprising the steps of:
- if a computer, which includes an authorization server, issues a corresponding new refresh token for each request for a refresh of each access token, the computer (i) receiving a token request from a client interacting with instances of an application, the client being another computer, the token request including a field indicating a number of tokens required, and the number of tokens being an integer greater than one, (ii) in response to the step of receiving the token request, generating and sharing access and refresh token pairs so that a total number of the access and refresh token pairs equals the number of tokens required included in the token request, and (iii) sending the access and refresh token pairs to the client so that in response to token requests from the instances of the application, the instances of the application obtain respective access and refresh token pairs;
  
  orif the computer does not issue the corresponding new refresh token for each request for the refresh of each access token, the computer (iv) receiving from the client a request for a refresh token, (v) in response to the step of receiving the request for the refresh token, validating an existing access token which is bound to the refresh token, and (vi) in response to the step of validating, if the existing access token is expired, generating and sending to the client a new access token, or in response to the step of validating, if the existing access token is not expired, sending to the client the existing access token;
  
  the computer determining the existing access token is expired;
  
  based on the computer not issuing the corresponding new refresh token for each request for the refresh of each access token, and based on the existing access token being expired, the computer invalidating the existing access token; and
  
  based on the new access token being sent to the client and the existing access token being invalidated, sharing a valid access token with each of the instances of the application, the valid access token being the new access token.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, further comprising the step of the computer extending an Oath 2.0 authorization framework that enables the instances of the application to have access to a service, wherein the step of extending is a result of the steps of (i) receiving the token request from the client, (ii) generating and sharing the access and refresh token pairs, (iii) sending the access and refresh token pairs, (iv) receiving the request for a refresh token, (v) validating the existing access token and (vi) generating and sending the new access token if the existing access token is expired, or sending the existing access token if the existing access token is not expired.
  - 3. The method of claim 1, further comprising the step of accessing resources of a resource server using the new access token which is shared with each of the instances of the application.
  - 4. The method of claim 1, further comprising the step of based on the computer issuing the corresponding new refresh token for each request for the refresh of each access token, the computer receiving an authorization code in the token request, wherein the step of generating and sharing the access and refresh token pairs is based in part on the authorization code being received.
  - 5. The method of claim 1, further comprising the step of based on the computer issuing the corresponding new refresh token for each request for the refresh of each access token, the computer receiving password credentials of a resource owner in the token request, wherein the step of generating and sharing the access and refresh token pairs is based in part on the password credentials of the resource owner being received.
  - 6. The method of claim 1, further comprising the steps of:
    - based on the computer issuing the corresponding new refresh token for each request for the refresh of each access token, and based on a dynamically increasing need for one or more new access and refresh token pairs in addition to the generated access and refresh token pairs, the computer receiving a request for the one or more new access and refresh token pairs in addition to the generated access and refresh token pairs, the request for the one or more new access and refresh token pairs including a value of clone token to indicate token cloning is utilized to generate the one or more new access and refresh token pairs and further including the number of tokens required;
      
      based on the request including the value of clone token and the number of tokens, the computer generating the one or more new access and refresh token pairs using token cloning so that a total number of the one or more new access and refresh token pairs is equal to the number of tokens; and
      
      the computer sending the one or more new access and refresh token pairs to the client.
  - 7. The method of claim 6, further comprising the steps of:
    - the computer receiving a request to revoke one or more tokens, the request to revoke including a first field indicating whether to revoke token(s) included in the one or more new access and refresh token pairs, a second field indicating a type of the token(s) being revoked, and a third field identifying a token;
      
      if a first value in the first field indicates that the token(s) included in the one or more new access and refresh token pairs are to be revoked, the computer determining whether a second value in the second field indicates the type of the token(s) is a refresh token type, or if the first value in the first field indicates that the token(s) included in the one or more new access and refresh token pairs are not to be revoked, the computer revoking the token identified by a third value in the third field, without revoking any other token; and
      
      if the first value in the first field indicates that the token(s) are to be revoked and the second value in the second field indicates the type of the token(s) is a refresh token type, the computer revoking the refresh token(s) included in the one or more new access and refresh token pairs, or if the first value in the first field indicates that the token(s) are to be revoked and the second value in the second field does not indicate that the type of the token(s) is a refresh token type, the computer sending an error code to the client.
  - 8. The method of claim 1, further comprising the step of:
    - providing at least one support service for at least one of creating, integrating, hosting, maintaining, and deploying computer readable program code in the computer, the program code being executed by a processor of the computer to implement the steps of (i) receiving the token request, (ii) generating and sharing the access and refresh token pairs, (iii) sending the access and refresh token pairs to the client, (iv) receiving from the client the request for the refresh token, (v) validating the existing access token, (vi) if the existing access token is expired, generating and sending to the client the new access token, or if the existing access token is not expired, sending to the client the existing access token to the instance of the application, (vii) determining the existing access token is expired, (viii) invalidating the existing access token; and
      
      (ix) sharing the valid access token with each of the instances of the application.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
D, Manjunatha, Dayananda, Sowmya H.
Primary Examiner(s)
Shehni, Ghazal B

Application Number

US15/843,005
Publication Number

US 20190007421A1
Time in Patent Office

795 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/31   User authentication

G06F 21/33   using certificates

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/108   when the policy decisions a...

H04W 12/084   using delegated authorisati...

Extended OAuth architecture support in a scalable environment

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

4 Citations

8 Claims

Specification

Use Cases

Quick Links

Others

Extended OAuth architecture support in a scalable environment

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

4 Citations

8 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others