CREDENTIAL GATHERING WITH DEFERRED INSTANTIATION
Abstract
Credentials may be gathered to support an access request. In one example, a template describes the credentials to be gathered. A set of credential providers may be consulted, in a particular sequence, to provide the credentials. Credentials may contain variables, and each credential provider may impose its own constraints on the values to be assigned to the variables. Instantiation of the variables may be deferred to a downstream credential provider, thereby allowing each credential provider to specify its constraints on the variables before specific values for the variables are chosen. In one example, an instantiation fact (or “inst fact”) is used to represent the deferred instantiation. A provider may use an inst fact to make its credentials conditional on the instantiation of the variables that the credential contains, where some downstream provider may attempt to instantiate the variables to specific values.
20 Claims
1. One or more computer-readable storage media that store executable instructions that, when executed by a computer, cause the computer to perform acts to facilitate obtaining access to a resource, the acts comprising:
identifying a first set of assertions that a first provider will make, said first set of assertions including at least a first assertion, said first assertion comprising a variable, said first assertion, when made to a guard of the resource, supporting access to the resource;
generating a second assertion that asserts a first fact asserted in said first assertion and that imposes, as a condition on asserting said first fact, that a second provider, or said second provider's delegate, instantiate said variable;
generating a third assertion that delegates, to said second provider, a right to instantiate said variable;
creating a first template that comprises said second assertion and said third assertion; and
sending said first template to said second provider.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9
10. A system to obtain credentials to gain access to a resource, the system comprising:
a first credential provider that receives a template that describes a set of assertions that, when presented to a guard of the resource, cause the guard to grant access to the resource,
said first credential provider identifying a first assertion that said first credential provider is willing to provide that satisfies a second assertion contained in said set of assertions, said first assertion comprising a variable,
said first credential provider creating a third assertion that comprises said first assertion with instantiation of said variable as a conditional fact,
said first credential provider further creating a fourth assertion that delegates to a second credential provider a right to instantiate said variable,
said first credential provider being communicatively connected to said second credential provider through a network,
said first credential provider sending, to said second credential provider, a template comprising said third assertion and said fourth assertion.
Dependent claims: 11, 12, 13, 14, 15
16. A method of allowing access to a resource, the method comprising using a processor to perform acts comprising:
receiving, from a first credential provider at a second credential provider, a template that comprises a first set of assertions to be made to support access to the resource, said first set of assertions comprising a first assertion that asserts instantiation of a variable and a second assertion in which said first credential provider delegates to said second credential provider a right to instantiate said variable, said template further comprising a first constraint on said variable;
finding a ground substitution that assigns a value to said variable that satisfies said first constraint;
providing a third assertion that asserts an instantiation fact to instantiate said variable at said value;
issuing a credential that comprises said third assertion; and
providing said credential to a guard of said resource.
Dependent claims: 17, 18, 19, 20
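The three independent claims above describe one pipeline: the first provider wraps its assertion in an instantiation condition and delegates the right to instantiate (claim 1), the second provider adds its own constraint, finds a ground substitution and asserts the inst fact (claim 16), and the guard checks the assembled credential (claims 10 and 16). The following Python model is an added example, not code from the patent or its assignee. The provider names, the `inst` and `can_instantiate` predicates, the `access` fact, the constraint representation (a Python predicate per variable) and the sample candidate values are all constructed for illustration; it models direct delegation only (no chain of delegates) and omits the signatures a real credential system would put on each assertion.

```python
"""Toy model of credential gathering with deferred variable instantiation.
Added example; all names and sample data below are constructed assumptions."""
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class Var:
    """A variable inside an assertion (e.g. the user who gets access)."""
    name: str


@dataclass(frozen=True)
class Fact:
    pred: str
    args: tuple


@dataclass(frozen=True)
class Assertion:
    """'issuer says fact if conditions'; empty conditions means unconditional."""
    issuer: str
    fact: Fact
    conditions: tuple = ()


@dataclass
class Template:
    assertions: list
    constraints: list  # list of (Var, predicate); each provider may add its own


def ground(fact: Fact, sub: dict) -> Fact:
    """Apply a substitution {Var: value} to the arguments of a fact."""
    return Fact(fact.pred, tuple(sub.get(a, a) if isinstance(a, Var) else a
                                 for a in fact.args))


def first_provider_template(first: Assertion, delegate: str,
                            constraint: Callable[[str], bool]) -> Template:
    """Claim 1: re-assert the upstream fact conditioned on an inst fact for its
    variable, delegate the right to instantiate, and package both as a template."""
    var = next(a for a in first.fact.args if isinstance(a, Var))
    second = Assertion(first.issuer, first.fact, conditions=(Fact("inst", (var,)),))
    third = Assertion(first.issuer, Fact("can_instantiate", (delegate, var)))
    return Template([second, third], [(var, constraint)])


def second_provider_credential(tmpl: Template, me: str, candidates: list,
                               own_constraint: Callable[[str], bool]) -> Optional[list]:
    """Claim 16: add this provider's constraint, find a ground substitution that
    satisfies every constraint on the delegated variables, assert the inst fact."""
    delegated = [a.fact.args[1] for a in tmpl.assertions
                 if a.fact.pred == "can_instantiate" and a.fact.args[0] == me]
    constraints = tmpl.constraints + [(v, own_constraint) for v in delegated]
    sub = {}
    for var in delegated:
        checks = [c for v, c in constraints if v == var]
        chosen = next((val for val in candidates if all(c(val) for c in checks)), None)
        if chosen is None:
            return None  # no value satisfies every upstream and local constraint
        sub[var] = chosen
    inst = [Assertion(me, Fact("inst", (var, val))) for var, val in sub.items()]
    return tmpl.assertions + inst


def guard_allows(credential: list, requester: str, resource: str, trusted: str) -> bool:
    """Grant only if a trusted 'access' assertion becomes ground through inst
    facts issued by a party the trusted issuer delegated that variable to."""
    insts = {a.fact.args[0]: (a.issuer, a.fact.args[1]) for a in credential
             if a.fact.pred == "inst" and len(a.fact.args) == 2}
    delegations = {(a.fact.args[0], a.fact.args[1]) for a in credential
                   if a.issuer == trusted and a.fact.pred == "can_instantiate"}
    for a in credential:
        if a.issuer != trusted or a.fact.pred != "access":
            continue
        sub = {}
        for cond in a.conditions:
            var = cond.args[0]
            if cond.pred != "inst" or var not in insts:
                break
            who, value = insts[var]
            if (who, var) not in delegations:
                break  # instantiated by a party without the delegated right
            sub[var] = value
        else:
            if ground(a.fact, sub) == Fact("access", (requester, resource)):
                return True
    return False


STAFF = {"alice@corp.example", "carol@corp.example"}  # constructed sample directory


def run_demo() -> Optional[list]:
    """Full exchange: Provider1 -> Provider2 -> credential ready for the guard."""
    user = Var("user")
    first = Assertion("Provider1", Fact("access", (user, "payroll-db")))
    tmpl = first_provider_template(first, "Provider2",
                                   lambda v: v.endswith("@corp.example"))
    return second_provider_credential(
        tmpl, "Provider2",
        ["mallory@evil.example", "eve@corp.example", "alice@corp.example"],
        lambda v: v in STAFF)


if __name__ == "__main__":
    cred = run_demo()
    print(guard_allows(cred, "alice@corp.example", "payroll-db", "Provider1"))
```

The point the model makes visible is that neither provider alone can pick the value: Provider1 rules out `mallory@evil.example` by domain without knowing who is on staff, Provider2 rules out `eve@corp.example` by directory membership, and only the value that satisfies both is instantiated. The guard, for its part, accepts an inst fact only from the party Provider1 named in its delegation, so an inst fact injected by a third party leaves the access assertion unground and the request denied.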
Specification