Methods, Apparatuses, and Computer Program Products for Providing a Single Service Sign-On

US 20090271847A1
Filed: 04/25/2008
Published: 10/29/2009
Est. Priority Date: 04/25/2008
Status: Abandoned Application

First Claim

Patent Images

1. A method comprising:

receiving a request for an access token from a remote entity, wherein the request includes an indication of a requested service;

determining a request type, wherein the request type may be a user identification and password combination, a request token exchange, or an access token exchange;

extracting one or more parameters included in the request based upon the determined request type;

performing one or more security checks based at least in part upon the one or more extracted parameters;

creating an access token based at least in part upon results of the one or more security checks; and

providing the access token to the remote entity.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An apparatus may include a processor configured to receive a request for an access token from a remote entity, wherein the request includes an indication of a requested service. The processor may be further configured to determine a request type, wherein the request type may be a user identification and password combination, a request token exchange, or an access token exchange. The processor may be additionally configured to extract one or more parameters included in the request based upon the determined request type and to perform one or more security checks based at least in part upon the one or more extracted parameters. The processor may be further configured to create an access token based at least in part upon the results of the one or more security checks and to provide the access token to the remote entity.

166 Citations

25 Claims

1. A method comprising:
- receiving a request for an access token from a remote entity, wherein the request includes an indication of a requested service;
  
  determining a request type, wherein the request type may be a user identification and password combination, a request token exchange, or an access token exchange;
  
  extracting one or more parameters included in the request based upon the determined request type;
  
  performing one or more security checks based at least in part upon the one or more extracted parameters;
  
  creating an access token based at least in part upon results of the one or more security checks; and
  
  providing the access token to the remote entity.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. A method according to claim 1, wherein extracting one or more parameters included in the request based upon the determined request type comprises:
    - extracting a user identification, hash of a password, and a signature comprising a client key and client secret if the determined request type is a user identification and password combination;
      
      extracting a request token and a signature comprising a client key and a client secret if the determined request type is a request token exchange;
      
      orextracting a previously issued access token and a signature comprising a client secret and a token secret if the determined request type is an access token exchange.
  - 3. A method according to claim 2, wherein performing one or more security checks based at least in part upon the one or more extracted parameters comprises:
    - verifying that the user identification and hash of the password are known and correspond to each other;
      
      verifying the signature; and
      
      verifying an association between client identification, user identification, and the requested service if the determined request type is a user identification and password combination;
      
      verifying the signature and verifying an association between the request token, client key, and client secret if the determined request type is a request token exchange;
      
      orverifying the signature and verifying an association between the previously issued access token, token secret, and client secret if the determined request type is an access token exchange.
  - 4. A method according to claim 1, wherein performing one or more security checks based at least in part upon the one or more extracted parameters further comprises verifying that the remote entity has authorization to access the requested service.
  - 5. A method according to claim 1, wherein creating an access token based at least in part upon results of the one or more security checks comprises creating an access token associated with a user and the requested service and creating a token secret associated with the access token.
  - 6. A method according to claim 1, wherein creating an access token based at least in part upon results of the one or more security checks comprises creating an access token having defined access permissions, wherein the defined access permissions include one or more of one or more associated services which the access token may be used to access, one or more associated users, a use period for which the access token is valid, and a number of uses for which the access token is valid.
  - 7. A method according to claim 1, wherein the remote entity is one of a client device or a service provider.
  - 8. A method according to claim 1, further comprising:
    - receiving a token information request message from a service provider, wherein the token information message comprises an access token, and wherein the token information message is signed with a service key and a service secret;
      
      verifying an association between the access token, the service key, and the service secret;
      
      determining a user identification, token secret, and client secret that are associated with the access token; and
      
      sending a message comprising the determined user identification, client key, and token secret to the service.

9. A computer program product comprising at least one computer-readable storage medium having computer-readable program code portions stored therein, the computer-readable program code portions comprising:
- a first program code portion for receiving a request for an access token from a remote entity, wherein the request includes an indication of a requested service;
  
  a second program code portion for determining a request type, wherein the request type may be a user identification and password combination, a request token exchange, or an access token exchange;
  
  a third program code portion for extracting one or more parameters included in the request based upon the determined request type;
  
  a fourth program code portion for performing one or more security checks based at least in part upon the one or more extracted parameters;
  
  a fifth program code portion for creating an access token based at least in part upon results of the one or more security checks; and
  
  a sixth program code portion for providing the access token to the remote entity.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. A computer program product according to claim 9, wherein the third program code portion includes instructions for:
    - extracting a user identification, hash of a password, and a signature comprising a client key and client secret if the determined request type is a user identification and password combination;
      
      extracting a request token and a signature comprising a client key and a client secret if the determined request type is a request token exchange;
      
      orextracting a previously issued access token and a signature comprising a client secret and a token secret if the determined request type is an access token exchange.
  - 11. A computer program product according to claim 10, wherein the fourth program code portion includes instructions for:
    - verifying that the user identification and hash of the password are known and correspond to each other;
      
      verifying the signature; and
      
      verifying an association between client identification, user identification, and the requested service if the determined request type is a user identification and password combination;
      
      verifying the signature and verifying an association between the request token, client key, and client secret if the determined request type is a request token exchange;
      
      orverifying the signature and verifying an association between the previously issued access token, token secret, and client secret if the determined request type is an access token exchange.
  - 12. A computer program product according to claim 9, wherein the fourth program code portion includes instructions for verifying that the remote entity has authorization to access the requested service.
  - 13. A computer program product according to claim 9, wherein the fifth program code portion includes instructions for creating an access token associated with a user and the requested service and creating a token secret associated with the access token.
  - 14. A computer program product according to claim 9, wherein the fifth program code portion includes instructions for creating an access token having defined access permissions, wherein the defined access permissions include one or more of one or more associated services which the access token may be used to access, one or more associated users, a use period for which the access token is valid, and a number of uses for which the access token is valid.
  - 15. A computer program product according to claim 9, wherein the remote entity is one of a client device or a service provider.
  - 16. A computer program product according to claim 9, further comprising:
    - a seventh program code portion for receiving a token information request message from a service provider, wherein the token information message comprises an access token, and wherein the token information message is signed with a service key and a service secret;
      
      an eighth program code portion for verifying an association between the access token, the service key, and the service secret;
      
      a ninth program code portion for determining a user identification, token secret, and client secret that are associated with the access token; and
      
      a tenth program code portion for sending a message comprising the determined user identification, client key, and token secret to the service.

17. An apparatus comprising a processor configured to:
- receive a request for an access token from a remote entity, wherein the request includes an indication of a requested service;
  
  determine a request type, wherein the request type may be a user identification and password combination, a request token exchange, or an access token exchange;
  
  extract one or more parameters included in the request based upon the determined request type;
  
  perform one or more security checks based at least in part upon the one or more extracted parameters;
  
  create an access token based at least in part upon results of the one or more security checks; and
  
  provide the access token to the remote entity.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24)
- - 18. An apparatus according to claim 17, wherein the processor is further configured to extract one or more parameters included in the request based upon the determined request type by:
    - extracting a user identification, hash of a password, and a signature comprising a client key and client secret if the determined request type is a user identification and password combination;
      
      extracting a request token and a signature comprising a client key and a client secret if the determined request type is a request token exchange;
      
      orextracting a previously issued access token and a signature comprising a client secret and a token secret if the determined request type is an access token exchange.
  - 19. An apparatus according to claim 18, wherein the processor is further configured to perform one or more security checks based at least in part upon the one or more extracted parameters by:
    - verifying that the user identification and hash of the password are known and correspond to each other;
      
      verifying the signature; and
      
      verifying an association between client identification, user identification, and the requested service if the determined request type is a user identification and password combination;
      
      verifying the signature and verifying an association between the request token, client key, and client secret if the determined request type is a request token exchange;
      
      orverifying the signature and verifying an association between the previously issued access token, token secret, and client secret if the determined request type is an access token exchange.
  - 20. An apparatus according to claim 17, wherein the processor is further configured to perform one or more security checks based at least in part upon the one or more extracted parameters by verifying that the remote entity has authorization to access the requested service.
  - 21. An apparatus according to claim 17, wherein the processor is further configured to create an access token associated with a user and the requested service and to create a token secret associated with the access token.
  - 22. An apparatus according to claim 17, wherein the processor is further configured to create an access token having defined access permissions, wherein the defined access permissions include one or more of one or more associated services which the access token may be used to access, one or more associated users, a use period for which the access token is valid, and a number of uses for which the access token is valid.
  - 23. An apparatus according to claim 17, wherein the remote entity is one of a client device or a service provider.
  - 24. An apparatus according to claim 23 wherein the processor is further configured to:
    - receive a token information request message from a service provider, wherein the token information message comprises an access token, and wherein the token information message is signed with a service key and a service secret;
      
      verify an association between the access token, the service key, and the service secret;
      
      determine a user identification, token secret, and client secret that are associated with the access token; and
      
      send a message comprising the determined user identification, client key, and token secret to the service.

25. An apparatus comprising:
- means for receiving a request for an access token from a remote entity, wherein the request includes an indication of a requested service;
  
  means for determining a request type, wherein the request type may be a user identification and password combination, a request token exchange, or an access token exchange;
  
  means for extracting one or more parameters included in the request based upon the determined request type;
  
  means for performing one or more security checks based at least in part upon the one or more extracted parameters;
  
  means for creating an access token based at least in part upon results of the one or more security checks; and
  
  means for providing the access token to the remote entity.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Nokia Technologies Oy (Nokia Corporation)
Original Assignee
Nokia Corporation
Inventors
Karjala, Jari, Maki, Jussi, Vepsalainen, Ari

Application Number

US12/109,644
Publication Number

US 20090271847A1
Time in Patent Office

Days
Field of Search
US Class Current

726/6
CPC Class Codes

G06F 21/335   for accessing specific reso...

G06F 21/41   where a single sign-on prov...

H04L 2209/80   Wireless network architectu...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/0815   providing single-sign-on or...

H04L 9/3213   using tickets or tokens, e....

H04L 9/3226   using a predetermined code,...

H04L 9/3247   involving digital signatures

Methods, Apparatuses, and Computer Program Products for Providing a Single Service Sign-On

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

166 Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

Methods, Apparatuses, and Computer Program Products for Providing a Single Service Sign-On

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

166 Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links