Method and apparatus to authenticate and authorize user access to a system

US 20050144452A1
Filed: 06/25/2004
Published: 06/30/2005
Est. Priority Date: 06/26/2003
Status: Active Grant

First Claim

Patent Images

1. A method to authenticate and authorize a user, the method comprising:

receiving a request for authentication and authorization of the user from a secondary computer system on behalf of the user, the user seeking permission to access a primary computer system via the secondary computer system, via a computer network, wherein the request includes user information corresponding to the user;

verifying the user information for authenticity, wherein the verifying of the user information includes determining whether the user satisfies authentication and authorization criteria, defined by the primary computer system;

if it is determined that the user satisfies the authentication and authorization criteria, generating a token associated with the user by utilizing an authenticator residing at the primary computer system to authenticate and authorize the user; and

transmitting a portion of the token from the primary computer system to the secondary computer system on behalf of the user to permit the user to access the primary computer system via the secondary computer system, via the computer network.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method, apparatus, and system are provided for authenticating and authorizing user access to a system. According to one embodiment, a request for authentication and authorization of a user is received from a secondary site on behalf of the user who is seeking to access a primary site via the secondary site via a computer network. The request includes information relating to the user. The user information is then verified for authenticity, including determining whether the user satisfies the criteria for obtaining authentication and authorization as defined by the primary site. If the criteria are satisfied, a token, associated with the user, is generated at the primary site. A portion of the token is transmitted from the primary site to the secondary site on behalf of the user to permit the user to access the primary site via the secondary site, via the computer network.

Citations

56 Claims

1. A method to authenticate and authorize a user, the method comprising:
- receiving a request for authentication and authorization of the user from a secondary computer system on behalf of the user, the user seeking permission to access a primary computer system via the secondary computer system, via a computer network, wherein the request includes user information corresponding to the user;
  
  verifying the user information for authenticity, wherein the verifying of the user information includes determining whether the user satisfies authentication and authorization criteria, defined by the primary computer system;
  
  if it is determined that the user satisfies the authentication and authorization criteria, generating a token associated with the user by utilizing an authenticator residing at the primary computer system to authenticate and authorize the user; and
  
  transmitting a portion of the token from the primary computer system to the secondary computer system on behalf of the user to permit the user to access the primary computer system via the secondary computer system, via the computer network.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1, further comprising storing another portion of the token at the primary computer system to match with the portion of the token at the secondary computer system to allow the user multiple future accesses to the primary computer system via the secondary computer system.
  - 3. The method of claim 1, if the user is determined that the user is not registered with the primary computer system, redirecting the user to a community computer system of the primary computer system prior to generating of the token to allow the user to register with the primary computer system.
  - 4. The method of claim 3, wherein the registering with the primary computer system comprises one or more of the following:
    - generating an identification for the user, generating a password for the user, and the user consenting to a consent agreement.
  - 5. The method of claim 1, wherein the authenticating of the user comprises verifying credentials of the user at the primary computer system using a federated mechanism having credentials authority system, the federated mechanism residing at a transaction platform of a server of the primary computer system.
  - 6. The method of claim 1, wherein the authorization of the user comprises providing permission to the user to access the primary computer system via the secondary computer system, via the computer network.
  - 7. The method of claim 1, wherein the token comprises selective information of the user information.
  - 8. The method of claim 1, wherein the token is transmitted from the primary computer system to the secondary computer system to allow the user a single access to the primary computer system via the secondary computer system.
  - 9. The method of claim 1, further comprising authorizing the secondary computer system to access the primary computer system and to perform a plurality of tasks at the primary computer system on behalf of the user.
  - 10. The method of claim 9, wherein the plurality of tasks are determined by the user by electing preferences provided on a preferences computer system at the primary computer system.
  - 11. The method of claim 10, wherein the plurality of tasks comprises one or more of the following:
    - registering items for auction for the user, placing the items for the auction on behalf of the user, and bidding on auctioning items for the user.
  - 12. The method of claim 1, further comprising if it is determined that the user does not satisfy the authentication and authorization criteria, transmit an error message from the primary computer system to the secondary computer system, the error message indicating authentication and authorization failure.

13. A method for authenticating and authorizing a user, the method comprising:
- generating a first token associated with the user to permit the user to access a primary computer system via a first secondary computer system, wherein the first token includes cryptographic user information authenticating and authorizing the user to access the primary computer system via the first secondary computer system, via a computer network;
  
  dividing the first token into two or more segments; and
  
  transmitting a first segment of the first token from the primary computer system to the first secondary computer system for the user to perform future access to the primary computer system via the first secondary computer system; and
  
  storing a second segment of the first token at the primary computer system to match the second segment of the first token with the first segment of the first token received from the first secondary computer system for each of the future accesses attempted by the user.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20)
- - 14. The method of claim 13, further comprising:
    - generating a second token associated with the user to permit the user to access the primary computer system via a second secondary computer system, wherein the second token includes cryptographic user information authenticating and authorizing the user to access the primary computer system via the second secondary computer system, via the computer network;
      
      dividing the second token into two or more segments; and
      
      transmitting a first segment of the second token from the primary computer system to the second secondary computer system for the user to perform futures access to the primary computer system via the second secondary computer system; and
      
      storing a second segment of the second token at the primary computer system to match the second segment of the second token with the first segment of the second token received from the second secondary computer system for each of the future accesses attempted by the user.
  - 15. The method of claim 13, wherein the first and second secondary computer systems are partners with the primary computer system and are coupled with each other via the computer network, wherein the computer network includes one or more of the following:
    - a local area network (LAN), a wide area network (WAN), a metro area network (MAN), an intranet, and the Internet.
  - 16. The method of claim 13, further comprising cryptographing the cryptographic user information using includes one or more of the following cryptographic techniques:
    - Rivest-Shamir-Adelman (RSA) security and El Gamal Algorithm.
  - 17. The method of claim 15, wherein the first and second tokens are generated by an authenticator at the primary computer system.
  - 18. The method of claim 17, wherein the authenticator comprises a federated mechanism-based credential authority system residing at a transaction platform at the primary computer system.
  - 19. The method of claim 13, further comprising if the primary computer system fails to generate the first token, generating a first error message indicating the failure to authenticate and authorize the user to access the primary computer system via the first secondary computer system, and transmitting the first error message from the primary computer system to the first secondary computer system, via the computer network.
  - 20. The method of claim 13, further comprising if the primary computer system fails to generate the second token, generating a second error message indicating the failure to authenticate and authorize the user to access the primary computer system via the second secondary computer system, and transmitting the second error message from the primary computer system to the second secondary computer system, via the computer network.

21. An apparatus, comprising:
- a client computer to receive a request from a user seeking to access a server computer via the client computer, and to transmit the request to the server computer via a computer network, wherein the request includes user information relating to the user; and
  
  the server computer coupled with the client computer over the computer network, the server computer to receive the request from the client computer, verify the user information, wherein the verifying of the user information includes determining whether the user satisfies authentication and authorization criteria, defined by the server computer, if it is determined that the user satisfies the authentication and authorization criteria, generate a token associated with the user by utilizing an authenticator of the server computer to authenticate and authorize the user, and transmit a portion of the token from the server computer to the client computer on behalf of the user to permit the user to access the server computer via the client computer, via the computer network.
- View Dependent Claims (22, 23, 24, 25, 26, 27, 28)
- - 22. The apparatus of claim 21, further comprising the server computer to store another portion of the token to match with the portion of the token at the client computer to allow the user multiple future accesses to the server computer via the client computer.
  - 23. The apparatus of claim 21, wherein the authenticating of the user comprises verifying credentials of the user at the server computer using a federated mechanism having credentials authority system, the federated mechanism residing at a transaction platform of a server of the server computer.
  - 24. The apparatus of claim 21, wherein the token comprises selective information of the user information.
  - 25. The apparatus of claim 21, wherein the token is transmitted from the server computer to the client computer to allow the user a single access to the server computer via the client computer.
  - 26. The apparatus of claim 21, wherein the client and the server computer each suppport one or more of the following:
    - a Website, an application, and a tool.
  - 27. The apparatus of claim 21, wherein the server computer is further to transmit an error message to the client computer, if it is determined that the user does not satisfy the authentication and authorization criteria, the error message indicating authentication and authorization failure.
  - 28. The apparatus of claim 21, wherein the computer network includes one or more of the following:
    - a local area network (LAN), a wide area network (WAN), a metro area network (MAN), an intranet, and the Internet.

29. A system, comprising:
- a first storage medium;
  
  a first client computer system coupled with the first storage medium, the first client computer system to receive a first request from a user seeking authentication and authorization to access a server computer system via the first client computer system, and to transmit the first request to the server computer system via a computer network, wherein the first request includes user information relating to the user; and
  
  the server computer system coupled with the first client computer system over the computer network, the server computer system to receive the first request from the first client computer system, verify the user information, wherein the verifying of the user information includes determining whether the user satisfies authentication and authorization criteria, defined by the server computer system, if it is determined that the user satisfies the authentication and authorization criteria, generate a first token associated with the user by utilizing an authenticator of the server computer system to authenticate and authorize the user, and transmit a portion of the first token from the server computer system to the first client computer system on behalf of the user to permit the user to access the server computer system via the first client computer system, via the computer network.
- View Dependent Claims (30, 31, 32, 33, 34, 35, 36, 37)
- - 30. The system of claim 29, further comprising:
    - a second storage medium; and
      
      a second client computer system coupled with the second storage medium, the second client computer system to receive a second request from the user seeking authentication and authorization to access the server computer system via the second client computer system, and to transmit the second request to the server computer system via the computer network, wherein the second request includes user information relating to the user
  - 31. The system of claim 29, wherein the server computer system coupled with the second client computer system over the computer network, the server computer system to:
    - receive the second request from the second client computer system, verify the user information, wherein the verifying of the user information includes determining whether the user satisfies authentication and authorization criteria, defined by the server computer system, if it is determined that the user satisfies the authentication and authorization criteria, generate a second token associated with the user by utilizing an authenticator of the server computer system to authenticate and authorize the user, and transmit a portion of the second token from the server computer system to the first client computer system on behalf of the user to permit the user to access the server computer system via the second client computer system, via the computer network.
  - 32. The system of claim 29, wherein the first and second client computer systems comprise one or more of the following:
    - MSN computer system, AOL computer system, PayPal computer system, eWatch computer system, and Amazon.com computer system.
  - 33. The system of claim 29, wherein the server computer system comprises eBay computer system.
  - 34. The system of claim 29, wherein the first computer and the second computer each comprises one or more processors including at least one of the following:
    - one or more microprocessors, one or more microcontrollers, one or more field programmable gate arrays (FPGA), one or more application specific integrated circuits (ASIC), one or more central processing units (CPU), and one or more programmable logic devices (PLD).
  - 35. The system of claim 29, wherein the server computer system comprises a transaction platform having:
    - a federated mechanism to authorize and authenticate the user to access the server computer system via the first client computer system and the second client computer system, and facilitate the generating of the first and second tokens associated with the user; and
      
      a credential authority system to secure the first token and the second token by utilizing one or more of the following cryptographic techniques;
      
      RSA security and El Gamal Algorithm.
  - 36. The system of claim 29, wherein the server computer system is further to transmit an error message to the first and second client computer systems, if it is determined that the user does not satisfy the authentication and authorization criteria, the error message indicating authentication and authorization failure.
  - 37. The system of claim 29, wherein the computer network includes one or more of the following:
    - a local area network (LAN), a wide area network (WAN), a metro area network (MAN), an intranet, and the Internet.

38. A machine-readable medium having stored thereon data representing sets of instructions which, when executed by a machine, cause the machine to:
- receive a request for authentication and authorization of a user from a secondary computer system on behalf of the user seeking permission to access a primary computer system via the secondary computer system, via a computer network, wherein the request includes user information corresponding to the user;
  
  verify the user information for authenticity, wherein the verifying of the user information includes determining whether the user satisfies authentication and authorization criteria, defined by the primary computer system;
  
  if it is determined that the user satisfies the authentication and authorization criteria, generate a token associated with the user by utilizing an authenticator of the primary computer system to authenticate and authorize the user;
  
  transmit a portion of the token from the primary computer system to the secondary computer system on behalf of the user to permit the user to access the primary computer system via the secondary computer system, via the computer network.
- View Dependent Claims (39, 40, 41, 42)
- - 39. The machine-readable medium of claim 38, wherein the sets of instructions which, when executed by the machine, further cause the machine to store another portion of the token at the primary computer system to match with the portion of the token at the secondary computer system to allow the user multiple future accesses to the primary computer system via the secondary computer system.
  - 40. The machine-readable medium of claim 38, wherein the sets of instructions which, when executed by the machine, further cause the machine to if the user is determined that the user is not registered with the primary computer system, redirect the user to a community computer system of the primary computer system prior to generating of the token to allow the user to register with the primary computer system.
  - 41. The machine-readable medium of claim 40, wherein the registering with the primary computer system comprises one or more of the following:
    - generating an identification for the user, generating a password for the user, and the user consenting to a consent agreement.
  - 42. The machine-readable medium of claim 38, wherein the authenticating of the user comprises verifying credentials of the user at the primary computer system using a federated mechanism having credentials authority system, the federated mechanism residing at a transaction platform of a server of the primary computer system.

43. A machine-readable medium having stored thereon data representing sets of instructions which, when executed by a machine, cause the machine to:
- generate a first token associated with the user to permit the user to access a primary computer system via a first secondary computer system, wherein the first token includes cryptographic user information authenticating and authorizing the user to access the primary computer system via the first secondary computer system, via a computer network;
  
  divide the first token into two or more segments; and
  
  transmit a first segment of the first token from the primary computer system to the first secondary computer system for the user to perform futures access to the primary computer system via the first secondary computer system; and
  
  store a second segment of the first token at the primary computer system to match the second segment of the first token with the first segment of the first token received from the first secondary computer system for each of the future accesses attempted by the user.
- View Dependent Claims (44, 45, 46, 47, 48)
- - 44. The machine-readable medium of claim 43, wherein the sets of instructions which, when executed by the machine, further cause the machine to generate a second token associated with the user to permit the user to access the primary computer system via a second secondary computer system, wherein the second token includes cryptographic user information authenticating and authorizing the user to access the primary computer system via the second secondary computer system, via the computer network;
    - divide the second token into two or more segments; and
      
      transmit a first segment of the second token from the primary computer system to the second secondary computer system for the user to perform futures access to the primary computer system via the second secondary computer system; and
      
      store a second segment of the second token at the primary computer system to match the second segment of the second token with the first segment of the second token received from the second secondary computer system for each of the future accesses attempted by the user.
  - 45. The machine-readable medium of claim 44, wherein the first and second secondary computer systems are partners with the primary computer system and are coupled with each other via the computer network, wherein the computer network includes one or more of the following:
    - a local area network (LAN), a wide area network (WAN), a metro area network (MAN), an intranet, and the Internet.
  - 46. The machine-readable medium of claim 43, wherein the sets of instructions which, when executed by the machine, further cause the machine to cryptograph the cryptographic user information using includes one or more of the following cryptographic techniques:
    - Rivest-Shamir-Adelman (RSA) security and El Gamal Algorithm.
  - 47. The machine-readable medium of claim 43, wherein the first and second tokens are generated by an authenticator at a transaction platform residing at the primary computer system.
  - 48. The machine-readable medium of claim 47, wherein the authenticator comprises a federated mechanism-based credential authority system residing at the transaction platform at the primary computer system.

49. An apparatus, comprising:
- means for receiving a request from a user, the user seeking to access a server computer via a client computer, and means for transmitting the request to the server computer via a computer network, wherein the request includes user information relating to the user; and
  
  means for receiving the request from the client computer, means for verifying the user information, wherein the verifying of the user information includes determining whether the user satisfies authentication and authorization criteria, defined by the server computer, if it is determined that the user satisfies the authentication and authorization criteria, means for generating a token associated with the user by utilizing an authenticator of the server computer to authenticate and authorize the user, and means for transmitting a portion of the token from the server computer to the client computer on behalf of the user to permit the user to access the server computer via the client computer, via the computer network.
- View Dependent Claims (50, 51, 52, 53, 54, 55, 56)
- - 50. The apparatus of claim 49, further comprising means for storing another portion of the token to match with the portion of the token at the client computer to allow the user multiple future accesses to the server computer via the client computer.
  - 51. The apparatus of claim 49, further comprising means for verifying credentials of the user at the server computer using a federated mechanism having credentials authority system, the federated mechanism residing at a transaction platform of a server of the server computer.
  - 52. The apparatus of claim 49, wherein the token comprises selective information of the user information.
  - 53. The apparatus of claim 49, wherein means for transmitting the token from the server computer to the client computer to allow the user a single access to the server computer via the client computer.
  - 54. The apparatus of claim 49, wherein the client and the server computer each support one or more of the following:
    - a Website, an application, and a tool.
  - 55. The apparatus of claim 49, further comprising means for transmitting an error message to the client computer, if it is determined that the user does not satisfy the authentication and authorization criteria, the error message indicating authentication and authorization failure.
  - 56. The apparatus of claim 49, wherein the computer network includes one or more of the following:
    - a local area network (LAN), a wide area network (WAN), a metro area network (MAN), an intranet, and the Internet.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
PayPal, Inc. (PayPal Holdings, Inc.)
Original Assignee
eBay Inc.
Inventors
Seth, Shashi, Lynch, Liam S.

Granted Patent

US 7,769,998 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/170
CPC Class Codes

G06F 21/33   using certificates

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/0823   using certificates cryptogr...

Method and apparatus to authenticate and authorize user access to a system

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

56 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus to authenticate and authorize user access to a system

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

56 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links