Access control using impersonization

US 10,673,906 B2
Filed: 02/20/2018
Issued: 06/02/2020
Est. Priority Date: 12/04/2013
Status: Active Grant

First Claim

Patent Images

1. A system, comprising:

memory to store instructions that, as a result of being executed by one or more processors of the system, cause the system to at least;

obtain a request from a user for a web-based service;

obtain an authentication token comprising a signing key as a result of authenticating the request; and

determine, based on at least in part on information from the request, at least one other web-based service from a plurality of other web-based services and provide the authentication token on behalf of the user, from the web-based service, to the least one other web-based service to enable the at least one other web-based service to perform at least one operation in response to the request, wherein the at least one other web-based service decrypts the authentication token to obtain the signing key.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A first service submits a request to a second service on behalf of a customer of a service provider. The request may have been triggered by a request of the customer to the first service. To process the request, the second service evaluates one or more policies to determine whether fulfillment of the request is allowed by policy associated with the customer. The one or more policies may state one or more conditions on one or more services that played a role in submission of the request. If determined that the policy allows fulfillment of the request, the second service fulfills the request.

Citations

20 Claims

1. A system, comprising:
- memory to store instructions that, as a result of being executed by one or more processors of the system, cause the system to at least;
  
  obtain a request from a user for a web-based service;
  
  obtain an authentication token comprising a signing key as a result of authenticating the request; and
  
  determine, based on at least in part on information from the request, at least one other web-based service from a plurality of other web-based services and provide the authentication token on behalf of the user, from the web-based service, to the least one other web-based service to enable the at least one other web-based service to perform at least one operation in response to the request, wherein the at least one other web-based service decrypts the authentication token to obtain the signing key.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The system of claim 1, wherein the authentication token is encrypted using a cryptographic key so as to be decryptable by the at least one other web-based service.
  - 3. The system of claim 1, wherein the at least one other web-based service is identified based at least in part on the request.
  - 4. The system of claim 1, wherein authenticating the request is performed by an authentication service that evaluates an electronic signature associated with the request.
  - 5. The system of claim 4, wherein the authentication service, in response to the electronic signature being valid, provides the web-based service with the signing key and the authentication token.
  - 6. The system of claim 5, wherein the at least one other web-based service uses the signing key and the authentication token to generate another request to the authentication service to verify the request before performing the at least one operation.
  - 7. The system of claim 2, wherein the at least one other web-based service uses a copy of the cryptographic key to decrypt the authentication token to obtain the signing key.

8. A computer-implemented method, comprising:
- obtaining a request from a user for a web-based service;
  
  obtaining an authentication token comprising a signing key as a result of authenticating the request; and
  
  providing the authentication token, from the web-based service, to at least one other web-based service, that is identified based on information from the request, to enable the at least one other web-based service to perform at least one operation in response to the request wherein the at least one other web-based service decrypts the authentication token to obtain the signing key.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The computer-implemented method of claim 8, further comprising:
    - using a cryptographic key held secret between the web-based service and an authentication service to encrypt the authentication token; and
      
      storing the cryptographic key in a data storage device.
  - 10. The computer-implemented method of claim 8, further comprising:
    - using information associated with the request to identify the at least one other web-based service from a plurality of other web-based services.
  - 11. The computer-implemented method of claim 8, wherein the web-based service is provided with the authentication token and the signing key by an authentication service, wherein the signing key is provided in response to evaluating an electronic signature associated with the request.
  - 12. The computer-implemented method of claim 11, wherein the other web-based service sends another request to the authentication service using the authentication token and the signing key.
  - 13. The computer-implemented method of claim 11, wherein the at least one other web-based service uses a copy of the cryptographic key to decrypt the authentication token to obtain signing key.
  - 14. The computer-implemented method of claim 8, wherein the user is a customer of a computing resource service provider and the web-based service and the at least one other web-based service are services associated with the computing resource service provider.

15. A non-transitory computer-readable storage medium comprising stored thereon executable instructions that, as a result of being executed by one or more processors of a computer system, cause the computer system to at least:
- obtain a request from a user for a web-based service;
  
  obtain an authentication token comprising a signing key as a result of authenticating the request; and
  
  provide the authentication token by sending the authentication token from the web-based service to at least one other web-based service to enable the at least one other web-based service to perform at least one operation in response to the request, wherein the at least one other web-based service is identified by information included in the request, wherein the at least one other web-based service decrypts the authentication token to obtain the signing key.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The non-transitory computer-readable storage medium of claim 15, wherein the signing key and the authentication token are obtained from an authentication service.
  - 17. The non-transitory computer-readable storage medium of claim 15, wherein the instructions, as a result of being executed by one or more processors, further cause the system to at least:
    - send a second request, from the web-based service, to the at least one other web-based service, the second request including the authentication token.
  - 18. The non-transitory computer-readable storage medium of claim 15, wherein the at least one other web-based service is identified from a plurality of other web-based services based at least in part on information associated with the authentication token.
  - 19. The non-transitory computer-readable storage medium of claim 17, wherein the authentication token enables the at least other web-based service to determine whether to perform at least one operation in response to the second request without communicating with an authentication service.
  - 20. The non-transitory computer-readable storage medium of claim 19, wherein the authentication token enables the at least one other web-based service to determine whether to perform the at least one operation by using a copy of a cryptographic key to decrypt the authentication token to obtain the signing key.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Roth, Gregory Branchek, Wren, Matthew James, Pratt, Brian Irl
Primary Examiner(s)
Shayanfar, Ali

Application Number

US15/900,465
Publication Number

US 20180183837A1
Time in Patent Office

833 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/335   for accessing specific reso...

G06F 21/60   Protecting data

G06F 21/602   Providing cryptographic fac...

H04L 2463/062   applying encryption of the ...

H04L 63/126   the source of the received ...

H04L 63/18   using different networks or...

H04L 63/20   for managing network securi...

H04L 63/205   involving negotiation or de...

H04L 9/3247   involving digital signatures

Access control using impersonization

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Access control using impersonization

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links