Coordinating access authorization across multiple systems at different mutual trust levels

US 10,708,053 B2
Filed: 07/14/2017
Issued: 07/07/2020
Est. Priority Date: 05/19/2017
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving, from a beneficiary application via a network, an initiation message requesting the beneficiary application be authorized to access data hosted at a resource server connected to the network;

verifying that a valid session for a user exists between the beneficiary application and an agent executing at a user device;

instructing the agent to obtain an authorization code on behalf of the beneficiary application from an authorization server associated with the resource server;

receiving the authorization code from the agent;

obtaining an access token and a refresh token from the authorization server based on the authorization code;

generating a partner authorization (PA) token associated with the access token and the refresh token; and

transmitting the PA token to the beneficiary application to allow the beneficiary application to retrieve the access token when the user is logged in to the beneficiary application.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments presented herein provide a partner authentication (PA) system that coordinates a network-based authorization process for an application. The PA system exchanges a series of messages with the application seeking an access token for a protected resource, an authorization server associated with the resource, and an agent executing on a device accessed by a user who wants the application to access the resource. The PA system and the agent communicate with the authorization server on behalf of the application throughout the authorization process. The PA system receives an access token and a refresh token from the server on behalf of the application and sends a partner authorization (PA) token to the application. When the application seeks access to the resource that is available to authorized parties via the resource server, the application sends the PA token to the PA system and receives the access token in return.

9 Citations

View as Search Results

20 Claims

1. A method comprising:
- receiving, from a beneficiary application via a network, an initiation message requesting the beneficiary application be authorized to access data hosted at a resource server connected to the network;
  
  verifying that a valid session for a user exists between the beneficiary application and an agent executing at a user device;
  
  instructing the agent to obtain an authorization code on behalf of the beneficiary application from an authorization server associated with the resource server;
  
  receiving the authorization code from the agent;
  
  obtaining an access token and a refresh token from the authorization server based on the authorization code;
  
  generating a partner authorization (PA) token associated with the access token and the refresh token; and
  
  transmitting the PA token to the beneficiary application to allow the beneficiary application to retrieve the access token when the user is logged in to the beneficiary application.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, further comprising:
    - receiving the PA token from the beneficiary application in a request for the access token; and
      
      sending the access token to the beneficiary application.
  - 3. The method of claim 1, further comprising:
    - receiving the PA token from the beneficiary application in a request for the access token;
      
      verifying, via a communication from the agent, that the user is logged in to the beneficiary application;
      
      determining the access token has expired;
      
      sending the refresh token to the authorization server to request an updated access token;
      
      receiving the updated access token and an updated refresh token from the authorization server; and
      
      sending the access token to the beneficiary application.
  - 4. The method of claim 1, wherein verifying that the valid session exists between the beneficiary application and the agent comprises:
    - generating a request token and a state identifier based on the initiation message;
      
      sending, to the beneficiary application in a verification-request message via the network, the request token and the state identifier;
      
      receiving, from the agent via the network, a verification-confirmation message, wherein the verification-confirmation message includes a first copy of the request token and a first copy of the state identifier;
      
      verifying the first copy of the state identifier received in the verification-confirmation message matches the state identifier sent in the verification-request message; and
      
      verifying the first copy of the request token received in the verification-confirmation message matches the request token sent in the verification-request message to confirm the agent is in communication with the beneficiary application.
  - 5. The method of claim 4, wherein instructing the agent to obtain the authorization code comprises:
    - sending, to the agent via the network in response to the verification-confirmation message, a redirect-to-issuer message, wherein the redirect-to-issuer message includes the state identifier and specifies a uniform resource identifier (URI) of an authorization server associated with the resource server;
      
      receiving, from the agent at a client device via the network, a code-transferal message that includes a second copy of the state identifier and an authorization code associated with the resource server; and
      
      verifying the second copy of the state identifier received in the code-transferal message matches the state identifier sent in the verification-request message.
  - 6. The method of claim 5, wherein obtaining an access token from the authorization server based on the authorization code comprises:
    - sending, to the authorization server via the network, a token-request message requesting an access token and a refresh token, wherein the token-request message includes the authorization code and the state identifier;
      
      receiving, from the authorization server via the network, a token-grant message that includes the access token and the refresh token; and
      
      verifying a third copy of the state identifier received in the token-grant message matches the state identifier sent in the verification-request message.
  - 7. The method of claim 6, further comprising:
    - generating a response token for the agent based on the token-grant messagesending, to the agent via the network, an redirect-to-beneficiary message, wherein the redirect-to-beneficiary message specifies a uniform resource identifier (URI) of a beneficiary server on which the beneficiary application executes and includes the response token;
      
      receiving, via the network from the beneficiary application at the beneficiary server, a response-confirmation message, wherein the response-confirmation message includes a first copy of the response token;
      
      verifying the first copy of the response token received in the response-confirmation message matches the response token sent in the redirect-to-beneficiary message to confirm the beneficiary application is in communication with the agent; and
      
      sending, via the network to the beneficiary application in response to the response-confirmation message, a PA-grant message, wherein the PA-grant message includes the PA token.

8. A system comprising:
- one or more processors; and
  
  memory storing one or more applications that, when executed on the one or more processors, perform an operation comprising;
  
  receiving, from a beneficiary application via a network, an initiation message requesting the beneficiary application be authorized to access data hosted at a resource server connected to the network;
  
  verifying that a valid session for a user exists between the beneficiary application and an agent executing at a user device;
  
  instructing the agent to obtain an authorization code on behalf of the beneficiary application from an authorization server associated with the resource server;
  
  receiving the authorization code from the agent;
  
  obtaining an access token and a refresh token from the authorization server based on the authorization code;
  
  generating a partner authorization (PA) token associated with the access token and the refresh token; and
  
  transmitting the PA token to the beneficiary application to allow the beneficiary application to retrieve the access token when the user is logged in to the beneficiary application.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The system of claim 8, wherein the operation further comprises:
    - receiving the PA token from the beneficiary application in a request for the access token; and
      
      sending the access token to the beneficiary application.
  - 10. The system of claim 8, wherein the operation further comprises:
    - receiving the PA token from the beneficiary application in a request for the access token;
      
      verifying, via a communication from the agent, that the user is logged in to the beneficiary application;
      
      determining the access token has expired;
      
      sending the refresh token to the authorization server to request an updated access token;
      
      receiving the updated access token and an updated refresh token from the authorization server; and
      
      sending the access token to the beneficiary application.
  - 11. The system of claim 8, wherein verifying that the valid session exists between the beneficiary application and the agent comprises:
    - generating a request token and a state identifier based on the initiation message;
      
      sending, to the beneficiary application in a verification-request message via the network, the request token and the state identifier;
      
      receiving, from the agent via the network, a verification-confirmation message, wherein the verification-confirmation message includes a first copy of the request token and a first copy of the state identifier;
      
      verifying the first copy of the state identifier received in the verification-confirmation message matches the state identifier sent in the verification-request message; and
      
      verifying the first copy of the request token received in the verification-confirmation message matches the request token sent in the verification-request message to confirm the agent is in communication with the beneficiary application.
  - 12. The system of claim 11, wherein instructing the agent to obtain the authorization code comprises:
    - sending, to the agent via the network in response to the verification-confirmation message, a redirect-to-issuer message, wherein the redirect-to-issuer message includes the state identifier and specifies a uniform resource identifier (URI) of an authorization server associated with the resource server;
      
      receiving, from the agent at a client device via the network, a code-transferal message that includes a second copy of the state identifier and an authorization code associated with the resource server; and
      
      verifying the second copy of the state identifier received in the code-transferal message matches the state identifier sent in the verification-request message.
  - 13. The system of claim 12, wherein obtaining an access token from the authorization server based on the authorization code comprises:
    - sending, to the authorization server via the network, a token-request message requesting an access token and a refresh token, wherein the token-request message includes the authorization code and the state identifier;
      
      receiving, from the authorization server via the network, a token-grant message that includes the access token and the refresh token; and
      
      verifying a third copy of the state identifier received in the token-grant message matches the state identifier sent in the verification-request message.
  - 14. The system of claim 13, wherein the operation further comprises:
    - generating a response token for the agent based on the token-grant messagesending, to the agent via the network, an redirect-to-beneficiary message, wherein the redirect-to-beneficiary message specifies a uniform resource identifier (URI) of a beneficiary server on which the beneficiary application executes and includes the response token;
      
      receiving, via the network from the beneficiary application at the beneficiary server, a response-confirmation message, wherein the response-confirmation message includes a first copy of the response token;
      
      verifying the first copy of the response token received in the response-confirmation message matches the response token sent in the redirect-to-beneficiary message to confirm the beneficiary application is in communication with the agent; and
      
      sending, via the network to the beneficiary application in response to the response-confirmation message, a PA-grant message, wherein the PA-grant message includes the PA token.

15. A non-transitory computer-readable storage medium containing instructions that, when executed by one or more processors, perform an operation comprising:
- receiving, at a partner authorization (PA) system from an application hosted at a beneficiary server via a network, a first message indicating a user wants to authorize the application to access data hosted at a resource server;
  
  generating a request token and a state identifier based on the first message;
  
  sending, to the application in a second message via the network, the request token and the state identifier;
  
  receiving, at the PA system from an agent executing at a client device via the network, a third message, wherein the third message includes a first copy of the request token and a first copy of the state identifier;
  
  verifying the first copy of the state identifier received in the third message matches the state identifier sent in the second message;
  
  verifying the first copy of the request token received in the third message matches the request token sent in the second message to confirm the agent is in communication with the application;
  
  sending, to the agent via the network in response to the third message, a fourth message, wherein the fourth message includes the state identifier and specifies a uniform resource identifier (URI) of an authorization server associated with the resource server;
  
  receiving, from the agent at the client device via the network, a fifth message that includes a second copy of the state identifier and an authorization code associated with the resource server; and
  
  verifying the second copy of the state identifier received in the fifth message matches the state identifier sent in the second message.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The non-transitory computer-readable storage medium of claim 15, wherein the operation further comprises:
    - sending, to the authorization server via the network, a sixth message requesting an access token and a refresh token, wherein the sixth message includes the authorization code and the state identifier.
  - 17. The non-transitory computer-readable storage medium of claim 16, wherein the operation further comprises:
    - receiving, from the authorization server via the network, a seventh message that includes the access token and the refresh token; and
      
      verifying a third copy of the state identifier received in the seventh message matches the state identifier sent in the second message.
  - 18. The non-transitory computer-readable storage medium of claim 17, wherein the operation further comprises:
    - generating a partner authorization (PA) token for the application and a response token for the agent based on the seventh message;
      
      sending, to the agent via the network, an eighth message, wherein the eighth message specifies a uniform resource identifier (URI) of the beneficiary server and includes the response token;
      
      receiving, via the network from the application at the beneficiary server, a ninth message, wherein the ninth message includes a first copy of the response token;
      
      verifying the first copy of the response token received in the ninth message matches the response token sent in the eighth message to confirm the application is in communication with the agent; and
      
      sending, via the network to the application in response to the ninth message, a tenth message, wherein the tenth message includes the PA token.
  - 19. The non-transitory computer-readable storage medium of claim 17, further comprising:
    - determining that the access token has expired;
      
      sending the refresh token to the authorization server to request an updated access token;
      
      receiving the updated access token and an updated refresh token from the authorization server; and
      
      sending the access token to the application.
  - 20. The non-transitory computer-readable storage medium of claim 15, wherein the fourth message comprises a redirect-to-issuer message.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intuit, Inc.
Original Assignee
Intuit, Inc.
Inventors
Jain, Parul, Foiles, Douglas L., Janardhana, Nagaraj
Primary Examiner(s)
Murphy, J. Brant

Application Number

US15/650,470
Publication Number

US 20180337784A1
Time in Patent Office

1,089 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/30   Authentication, i.e. establ...

G06F 21/31   User authentication

G06F 21/335   for accessing specific reso...

G06F 21/445   by mutual authentication, e...

H04L 63/08   for authentication of entit...

H04L 63/105   Multiple levels of security

H04L 9/0891   Revocation or update of sec...

H04L 9/32   including means for verifyi...

H04L 9/3213   using tickets or tokens, e....

H04W 12/084   using delegated authorisati...

Coordinating access authorization across multiple systems at different mutual trust levels

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

9 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Coordinating access authorization across multiple systems at different mutual trust levels

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

9 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links