Secure user authentication
Abstract
A method for authenticating a user before granting access to a network resource. In response to a first request from a client to access the resource, access data for an authentication service and return access data for the resource are acquired. The client is then directed to request authentication, the direction including the access data for the authentication service and the return access data for the resource. The client requests access to the authentication service using the access data and the return access data. If the authentication service successfully verifies the source of the request, it then directs the client to again request access to the resource using the return access data.
46 Claims
1. In a computer network, a user authentication method comprising:
- receiving a request from a client to access a resource;
- acquiring access data for an authentication service and return access data for the resource; and
- directing the client to request authentication, the direction including the access data for the authentication service and the return access data for the resource.
(Dependent claims: 2, 3, 4, 5, 6)
7. In a computer network, a method comprising:
- receiving a request from a client to access an authentication service, the request including return access data for a resource;
- authenticating a source of the request; and
- if authenticated, directing the client to the resource using the return access data.
(Dependent claims: 8, 9, 10, 11, 12, 13, 14, 15)
16. In a computer network, a user authentication method comprising:
- in response to receiving a first request from a client to access a resource:
  - generating session data;
  - acquiring access data for an authentication service;
  - modifying the access data for the authentication service to include the session data and return access data for the resource; and
  - directing the client to the authentication service using the modified access data for the authentication service;
- in response to the client being directed to the authentication service using the modified access data for the authentication service:
  - acquiring profile data for the resource;
  - digitally signing the acquired profile data;
  - modifying the access data for the resource to include the signed profile data and the session data received with the request; and
  - directing the client to the resource using the modified access data for the resource; and
- in response to the client being directed to the resource using the modified access data for the resource:
  - verifying a signature used to sign the profile data and the session data received with the second request to ensure that the second request was caused by the authentication service to which the client was directed following and as a result of the first request to access the resource;
  - verifying the profile data to ensure the user has permission to access the resource; and
  - granting access only after the signature, the session data, and the profile data are each verified.
(Dependent claims: 19, 20, 21)
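The abstract and claim 16 describe a redirect-based exchange between a resource server and an authentication service: the resource server issues session data and a return address, the authentication service signs the user's profile data together with that session data, and the resource server grants access only after the signature, the session data and the profile data have all been checked. The following is an added example that simulates both sides of that exchange in Python; it is not code from the patent. It assumes HMAC-SHA256 over a key shared by the two servers as the "digital signature" (the claims do not name an algorithm), assumes the query parameter names `session`, `return`, `profile` and `sig`, and uses constructed user accounts and a constructed access-control list.

```python
"""Simulated redirect-based user authentication, modelled on the claims above.
Added example, not the patent's own code. The signature is HMAC-SHA256 under a
key shared by the resource server and the authentication service (assumption)."""
import hashlib
import hmac
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

SHARED_KEY = b"constructed-demo-key"  # assumption: shared secret for the signature


def sign(payload: dict) -> str:
    """Sign a canonical JSON encoding so both servers agree on the bytes."""
    msg = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(SHARED_KEY, msg, hashlib.sha256).hexdigest()


class ResourceServer:
    def __init__(self, resource_url: str, auth_url: str, acl: dict):
        self.resource_url = resource_url
        self.auth_url = auth_url
        self.acl = acl        # resource name -> set of permitted roles (constructed)
        self.sessions = {}    # session data -> resource requested; single use

    def first_request(self, resource: str) -> str:
        """Generate session data, add it and the return access data to the
        authentication service's access data, and direct the client there."""
        session = secrets.token_urlsafe(16)
        self.sessions[session] = resource
        return_url = f"{self.resource_url}?{urlencode({'resource': resource})}"
        return f"{self.auth_url}?{urlencode({'session': session, 'return': return_url})}"

    def second_request(self, url: str) -> bool:
        """Verify the signature, the session data and the profile data, in that
        order, and grant access only when all three check out."""
        q = parse_qs(urlsplit(url).query)
        try:
            resource, session = q["resource"][0], q["session"][0]
            profile, sig = json.loads(q["profile"][0]), q["sig"][0]
        except (KeyError, ValueError):
            return False
        # Signature covers profile AND session data, binding them together.
        if not hmac.compare_digest(sign({"profile": profile, "session": session}), sig):
            return False      # not produced by the authentication service, or altered
        # Session data must be one we issued for this resource; pop() makes it single use.
        if self.sessions.pop(session, None) != resource:
            return False      # unknown, replayed, or issued for a different resource
        # Authenticated is not authorised: check the profile against the ACL.
        if not set(profile.get("roles", [])) & self.acl.get(resource, set()):
            return False
        return True


class AuthService:
    def __init__(self, users: dict):
        self.users = users    # username -> (password, profile data); constructed

    def handle(self, url: str, username: str, password: str):
        """Authenticate the source of the request; if it succeeds, sign the
        profile data with the session data and direct the client back."""
        q = parse_qs(urlsplit(url).query)
        session, return_url = q["session"][0], q["return"][0]
        record = self.users.get(username)
        if record is None or not hmac.compare_digest(record[0].encode(), password.encode()):
            return None       # authentication failed: no redirect is issued
        profile = record[1]
        params = {"session": session,
                  "profile": json.dumps(profile, sort_keys=True),
                  "sig": sign({"profile": profile, "session": session})}
        return return_url + ("&" if "?" in return_url else "?") + urlencode(params)


def run_demo() -> dict:
    """Exercise the happy path and the failure modes the claims guard against."""
    rs = ResourceServer("https://resource.example/doc", "https://auth.example/login",
                        {"report": {"analyst"}})
    auth = AuthService({"alice": ("correct horse", {"user": "alice", "roles": ["analyst"]}),
                        "bob": ("battery staple", {"user": "bob", "roles": ["guest"]})})
    out = {}
    back = auth.handle(rs.first_request("report"), "alice", "correct horse")
    out["alice_granted"] = rs.second_request(back)
    out["replay_rejected"] = not rs.second_request(back)      # session data already consumed
    back = auth.handle(rs.first_request("report"), "bob", "battery staple")
    q = {k: v[0] for k, v in parse_qs(urlsplit(back).query).items()}
    q["profile"] = json.dumps({"user": "bob", "roles": ["analyst"]}, sort_keys=True)
    forged = urlsplit(back)._replace(query=urlencode(q)).geturl()
    out["tampered_rejected"] = not rs.second_request(forged)  # signature no longer matches
    out["bob_denied"] = not rs.second_request(back)           # authenticated, not permitted
    out["bad_password"] = auth.handle(rs.first_request("report"), "alice", "wrong") is None
    return out


if __name__ == "__main__":
    print(run_demo())
```

The order of checks in `second_request` matters: the signature is verified first so that unsigned or altered input never reaches the session store, the session data is consumed on first use so a captured redirect cannot be presented twice, and the permission check runs last on profile data whose integrity has already been established.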
17. Computer readable media having instructions for:
- receiving a request from a client to access a resource;
- acquiring access data for an authentication service and return access data for the resource; and
- directing the client to request authentication, the direction to include the access data for the authentication service and the return access data for the resource.
(Dependent claims: 18, 22)
23. A computer readable media having instructions for:
- receiving a request from a client to access an authentication service, the request including return access data for a resource;
- authenticating a source of the request; and
- if authenticated, directing the client to the resource using the return access data.
(Dependent claims: 24, 25, 26, 27, 28, 29, 30)
31. A computer readable media having instructions for:
- in response to receiving a first request from a client to access a resource:
  - generating session data;
  - acquiring access data for an authentication service;
  - modifying the access data for the authentication service to include the session data and return access data for the resource; and
  - directing the client to the authentication service using the modified access data for the authentication service;
- in response to the client being directed to the authentication service using the modified access data for the authentication service:
  - acquiring profile data for the resource;
  - digitally signing the acquired profile data;
  - modifying the access data for the resource to include the signed profile data and the session data received with the request; and
  - directing the client to the resource using the modified access data for the resource; and
- in response to the client being directed to the resource using the modified access data for the resource:
  - verifying a signature used to sign the profile data and the session data received with the second request to ensure that the second request was caused by the authentication service to which the client was directed following and as a result of the first request to access the resource;
  - verifying the profile data to ensure the user has permission to access the resource; and
  - granting access only after the signature, the session data, and the profile data are each verified.
32. In a computer network, a user authentication system comprising:
- a resource server operable to receive a request from a client to access a resource; and
- an access module operable to acquire access data for an authentication service, to modify the access data for the authentication service to include return access data for the resource, and to direct the client to the authentication service using the modified access data for the authentication service.
(Dependent claims: 33, 34, 35, 36)
37. In a computer network, a system comprising:
- an authentication server operable to receive a request from a client to access an authentication service, the request including return access data for a resource; and
- an authentication module operable to authenticate a source of the request, and, if authenticated, to direct the client to the resource using the return access data.
(Dependent claims: 38, 39, 40, 41, 42, 43)
44. In a computer network, a user authentication system comprising:
- a resource server operable to receive first and second requests from a client to access a resource, the second requests including signed profile data and session data;
- a session data generator operable to generate session data for the resource in response to a received request to access the resource;
- an access module operable to acquire access data for an authentication service, to modify the access data for the authentication service to include the generated session data and return access data for the resource, and to direct the client to the authentication service using the modified access data for the authentication service;
- a source verifier operable to verify a signature used to sign profile data and session data both included with a second request in order to ensure that the second request resulted from the client being directed to access the resource by an authentication service to which the client was directed following a first request;
- a credential verifier operable to verify the profile data to ensure the user has permission to access the resource; and
- a gatekeeper operable to grant access to the resource only after the signature, the session data, and the profile data are each verified.
45. In a computer network, a user authentication system comprising:
- a resource server operable to receive first and second requests from a client to access a resource, the second requests including signed profile data and session data;
- a session data generator operable to generate session data for the resource in response to a received request to access the resource;
- an access module operable to acquire access data for an authentication service, to modify the access data for the authentication service to include the generated session data and return access data for the resource, and to direct the client to the authentication service using the modified access data for the authentication service;
- an authentication server operable to receive an access request from a client, the request including session data and access data for a resource;
- an authentication module operable to acquire profile data for the resource, to digitally sign the acquired profile data, to modify the access data for the resource to include the signed profile data and the session data received with the request, and to direct the client to the resource using the modified access data;
- a source verifier operable to verify a signature used to sign profile data and session data both included with a second request in order to ensure that the second request resulted from the client being directed to access the resource by an authentication service to which the client was directed following a first request;
- a credential verifier operable to verify the profile data to ensure the user has permission to access the resource; and
- a gatekeeper operable to grant access to the resource only after the signature, the session data, and the profile data are each verified.
46. In a computer network, a user authentication system comprising:
- a means for receiving first and second requests from a client to access a resource, second requests including signed profile data and session data;
- a means for generating session data for the resource in response to a received request to access the resource;
- a means for acquiring access data for an authentication service;
- a means for modifying the access data for the authentication service to include the generated session data and return access data for the resource;
- a means for directing the client to the authentication service using the modified access data for the authentication service;
- a means for receiving an authentication access request from a client, the authentication access request including session data and access data for a resource;
- a means for acquiring profile data for the resource;
- a means for digitally signing the acquired profile data;
- a means for modifying the access data for the resource to include the signed profile data and the session data received with the authentication access request;
- a means for directing the client to the resource using the modified access data for the resource;
- a means for verifying a signature used to sign profile data and session data both included with a second request in order to ensure that the second request resulted from the client being directed to access the resource by an authentication service to which the client was directed following a first request;
- a means for verifying profile data to ensure the user has permission to access the resource; and
- a means for granting access to the resource only after the signature, the session data, and the profile data are each verified.