METHOD AND APPARATUS FOR SECURELY INVOKING A REST API

US 20090235349A1
Filed: 03/12/2008
Published: 09/17/2009
Est. Priority Date: 03/12/2008
Status: Active Grant

First Claim

Patent Images

1. A method for enabling a user to securely invoke a REST (Representational State Transfer) API (Application Programmer Interface) at an application server, the method comprising:

establishing a first secure communication channel with an application server;

sending a first request to the application server to invoke the REST API, wherein the first request is sent using the first secure communication channel;

receiving a security token from an authentication system in response to authenticating the user with the authentication system;

receiving a nonce and a timestamp from the application server;

determining a security token digest using the security token, the nonce, and the timestamp;

sending a second request to the application server to invoke the REST API, wherein the second request includes the security token digest, and wherein the second request is sent using the first secure communication channel;

receiving data from the application server which is associated with the request to invoke the REST API; and

storing the data.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An embodiment of the present invention provides a system that enables a user to securely invoke a REST (Representational State Transfer) API (Application Programming Interface) at an application server. A client can establish a secure communication channel with an application server, and can send a request to the application server to invoke the REST API. The client can then receive a security token from an authentication system in response to authenticating the user with the authentication system. Next, the client can receive a nonce and a timestamp from the application server. The client can then determine a security token digest using the security token, the nonce, and the timestamp. Next, the client can resend the request to the application server to invoke the REST API with the security token digest. The application server can invoke the REST API if the security token digest is valid.

302 Citations

20 Claims

1. A method for enabling a user to securely invoke a REST (Representational State Transfer) API (Application Programmer Interface) at an application server, the method comprising:
- establishing a first secure communication channel with an application server;
  
  sending a first request to the application server to invoke the REST API, wherein the first request is sent using the first secure communication channel;
  
  receiving a security token from an authentication system in response to authenticating the user with the authentication system;
  
  receiving a nonce and a timestamp from the application server;
  
  determining a security token digest using the security token, the nonce, and the timestamp;
  
  sending a second request to the application server to invoke the REST API, wherein the second request includes the security token digest, and wherein the second request is sent using the first secure communication channel;
  
  receiving data from the application server which is associated with the request to invoke the REST API; and
  
  storing the data.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1, wherein the secure communication channel is an HTTPS (Hypertext Transfer Protocol over Secure Socket Layer) session, and wherein the REST API is specified using a URL (Uniform Resource Locator).
  - 3. The method of claim 1, wherein the security token is one of:
    - a SAML (Security Assertion Markup Language) token;
      
      a UniAuth token;
      
      an asymmetric key;
      
      ora Kerberos ticket.
  - 4. The method of claim 1, wherein determining the security token digest includes applying a cryptographic hash function to the security token, the nonce, and the timestamp.
  - 5. The method of claim 1, wherein prior to receiving the security token from the authentication system, the method comprises:
    - receiving a redirection message from the application server, wherein the redirection message causes the client to establish a second secure communication channel with the authentication system; and
      
      using the second secure communication channel to authenticate the user with the authentication system.

6. A computer-readable storage medium storing instructions that when executed by a computer cause the computer to perform a method for enabling a user to securely invoke a REST (Representational State Transfer) API (Application Programmer Interface) at an application server, the method comprising:
- establishing a first secure communication channel with an application server;
  
  sending a first request to the application server to invoke the REST API, wherein the first request is sent using the first secure communication channel;
  
  receiving a security token from an authentication system in response to authenticating the user with the authentication system;
  
  receiving a nonce and a timestamp from the application server;
  
  determining a security token digest using the security token, the nonce, and the timestamp;
  
  sending a second request to the application server to invoke the REST API, wherein the second request includes the security token digest, and wherein the second request is sent using the first secure communication channel;
  
  receiving data from the application server which is associated with the request to invoke the REST API; and
  
  storing the data.
- View Dependent Claims (7, 8, 9, 10)
- - 7. The computer-readable storage medium of claim 6, wherein the secure communication channel is an HTTPS (Hypertext Transfer Protocol over Secure Socket Layer) session, and wherein the REST API is specified using a URL (Uniform Resource Locator).
  - 8. The computer-readable storage medium of claim 6, wherein the security token is one of:
    - a SAML (Security Assertion Markup Language) token;
      
      a UniAuth token;
      
      an asymmetric key;
      
      ora Kerberos ticket.
  - 9. The computer-readable storage medium of claim 6, wherein determining the security token digest includes applying a cryptographic hash function to the security token, the nonce, and the timestamp.
  - 10. The computer-readable storage medium of claim 6, wherein prior to receiving the security token from the authentication system, the method comprises:
    - receiving a redirection message from the application server, wherein the redirection message causes the client to establish a second secure communication channel with the authentication system; and
      
      using the second secure communication channel to authenticate the user with the authentication system.

11. A method for enabling a user to securely invoke a REST (Representational State Transfer) API (Application Programming Interface) at an application server, the method comprising:
- establishing a first secure communication channel with a client;
  
  receiving a first request from the client to invoke the REST API, wherein the first request is received using the first secure communication channel;
  
  sending a nonce and a timestamp to the client;
  
  receiving a security token digest from the client;
  
  validating the security token digest;
  
  generating output data by invoking the REST API in response to determining that the security token digest is valid; and
  
  sending the output data to the client.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The method of claim 11, wherein the secure communication channel is an HTTPS (Hypertext Transfer Protocol over Secure Socket Layer) session, and wherein the REST API is specified using a URL (Uniform Resource Locator).
  - 13. The method of claim 11, wherein the security token is one of:
    - a SAML (Security Assertion Markup Language) token;
      
      a UniAuth token;
      
      an asymmetric key;
      
      ora Kerberos ticket.
  - 14. The method of claim 11, wherein validating the security token digest includes applying a cryptographic hash function to the security token, the nonce, and the timestamp.
  - 15. The method of claim 11, wherein the method further comprises:
    - sending a redirection message to the client, wherein the redirection message causes the client to;
      
      establish a second secure communication channel with the authentication system; and
      
      use the second secure communication channel to authenticate the user with the authentication system.

16. A computer-readable storage medium storing instructions that when executed by a computer cause the computer to perform a method for enabling a user to securely invoke a REST (Representational State Transfer) API (Application Programming Interface) at an application server, the method comprising:
- establishing a first secure communication channel with a client;
  
  receiving a first request from the client to invoke the REST API, wherein the first request is received using the first secure communication channel;
  
  sending a nonce and a timestamp to the client;
  
  receiving a security token digest from the client;
  
  validating the security token digest;
  
  generating output data by invoking the REST API in response to determining that the security token digest is valid; and
  
  sending the output data to the client.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The computer-readable storage medium of claim 16, wherein the secure communication channel is an HTTPS (Hypertext Transfer Protocol over Secure Socket Layer) session, and wherein the REST API is specified using a URL (Uniform Resource Locator).
  - 18. The computer-readable storage medium of claim 16, wherein the security token is one of:
    - a SAML (Security Assertion Markup Language) token;
      
      a UniAuth token;
      
      an asymmetric key;
      
      ora Kerberos ticket.
  - 19. The computer-readable storage medium of claim 16, wherein validating the security token digest includes applying a cryptographic hash function to the security token, the nonce, and the timestamp.
  - 20. The computer-readable storage medium of claim 16, wherein the method further comprises:
    - sending a redirection message to the client, wherein the redirection message causes the client to;
      
      establish a second secure communication channel with the authentication system; and
      
      use the second secure communication channel to authenticate the user with the authentication system.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intuit, Inc.
Original Assignee
Intuit, Inc.
Inventors
Lai, Ray Y., Chan, Ka Fu

Granted Patent

US 8,621,598 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/14
CPC Class Codes

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/168   above the transport layer

H04L 9/3213   using tickets or tokens, e....

H04L 9/3236   using cryptographic hash fu...

H04L 9/3271   using challenge-response

H04L 9/3297   involving time stamps, e.g....

METHOD AND APPARATUS FOR SECURELY INVOKING A REST API

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

302 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

METHOD AND APPARATUS FOR SECURELY INVOKING A REST API

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

302 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links