UNIFIED SYSTEM INTERFACE FOR AUTHENTICATION AND AUTHORIZATION

US 20110113484A1
Filed: 11/06/2009
Published: 05/12/2011
Est. Priority Date: 11/06/2009
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for authorizing access of a privileged application, the method comprising:

receiving, at an authorization framework via an authorization application programming interface (API), a request from a trusted application for authorizing a client application, the client application requesting a service provided by the trusted application;

authorizing, by the authorization framework in response to the request, the client application in view of one or more authorization policies associated with the client application to determine whether the client application is authorized to access the requested service;

authenticating, by the authorization framework, a user associated with the client application to determine whether the user is allowed to access the requested service; and

returning, from the authorization framework via the authorization API, a value to the trusted application indicating whether the client application can access the requested service provided by the trusted application, based on results of the authorization and authentication.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A request is received at an authorization framework via an authorization application programming interface (API) from a trusted application for authorizing a client application, where the client application requests a service provided by the trusted application. In response to the request, the client application is authorized in view of one or more authorization policies associated with the client application to determine whether the client application is authorized to access the requested service. A user associated with the client application is authenticated to determine whether the user is allowed to access the requested service. Thereafter, a value is returned from the authorization framework via the authorization API to the trusted application indicating whether the client application can access the requested service provided by the trusted application, based on results of the authorization and authentication.

Citations

21 Claims

1. A computer-implemented method for authorizing access of a privileged application, the method comprising:
- receiving, at an authorization framework via an authorization application programming interface (API), a request from a trusted application for authorizing a client application, the client application requesting a service provided by the trusted application;
  
  authorizing, by the authorization framework in response to the request, the client application in view of one or more authorization policies associated with the client application to determine whether the client application is authorized to access the requested service;
  
  authenticating, by the authorization framework, a user associated with the client application to determine whether the user is allowed to access the requested service; and
  
  returning, from the authorization framework via the authorization API, a value to the trusted application indicating whether the client application can access the requested service provided by the trusted application, based on results of the authorization and authentication.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein the authentication is performed only after the client application has been successfully authorized via the authorization and the authorization indicates that authentication is required.
  - 3. The method of claim 2, wherein the request includes a user identifier (ID) identifying the user of the client application, a process ID identifying the client application, and an action ID identifying an action to be carried out by the trusted application, wherein the authorization is performed to determine whether the client application is entitled to the service by carrying out the identified action by the trusted application, and wherein the authentication is performed to determine whether the user of the client application is entitled to the service by carrying out the identified action by the trusted application.
  - 4. The method of claim 1, wherein authenticating the user associated with the client application comprises invoking an authentication agent running within an identical user session of the user accessing the client application, wherein the authentication agent is configured to collect one or more credentials from the user that are required to access the requested service.
  - 5. The method of claim 4, wherein the authentication agent is configured to display a graphical user interface (GUI) page to allow the user to enter the one or more credentials, including a credential associated with a super user that is required to access the requested service.
  - 6. The method of claim 4, wherein the authentication agent is configured to display a graphical user interface (GUI) page to allow the user to select one of one or more predetermined authorized users and a credential associated with the selected authorized user that is required to access the requested service.
  - 7. The method of claim 1, further comprising accessing, via an extension API, a third-party authority to perform additional at least one of authorization of the client application and authentication of the user of the client application.

8. A computer readable storage medium including instructions that, when executed by a processing system, cause the processing system to perform a method comprising:
- receiving, at an authorization framework via an authorization application programming interface (API), a request from a trusted application for authorizing a client application, the client application requesting a service provided by the trusted application;
  
  authorizing, by the authorization framework in response to the request, the client application in view of one or more authorization policies associated with the client application to determine whether the client application is authorized to access the requested service;
  
  authenticating, by the authorization framework, a user associated with the client application to determine whether the user is allowed to access the requested service; and
  
  returning, from the authorization framework via the authorization API, a value to the trusted application indicating whether the client application can access the requested service provided by the trusted application, based on results of the authorization and authentication.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The computer readable storage medium of claim 8, wherein the authentication is performed only after the client application has been successfully authorized via the authorization and the authorization indicates that authentication is required.
  - 10. The computer readable storage medium of claim 9, wherein the request includes a user identifier (ID) identifying the user of the client application, a process ID identifying the client application, and an action ID identifying an action to be carried out by the trusted application, wherein the authorization is performed to determine whether the client application is entitled to the service by carrying out the identified action by the trusted application, and wherein the authentication is performed to determine whether the user of the client application is entitled to the service by carrying out the identified action by the trusted application.
  - 11. The computer readable storage medium of claim 8, wherein authenticating the user associated with the client application comprises invoking an authentication agent running within an identical user session of the user accessing the client application, wherein the authentication agent is configured to collect one or more credentials from the user that are required to access the requested service.
  - 12. The computer readable storage medium of claim 11, wherein the authentication agent is configured to display a graphical user interface (GUI) page to allow the user to enter the one or more credentials, including a credential associated with a super user that is required to access the requested service.
  - 13. The computer readable storage medium of claim 11, wherein the authentication agent is configured to display a graphical user interface (GUI) page to allow the user to select one of one or more predetermined authorized users and a credential associated with the selected authorized user that is required to access the requested service.
  - 14. The computer readable storage medium of claim 8, wherein the method further comprises accessing, via an extension API, a third-party authority to perform additional at least one of authorization of the client application and authentication of the user of the client application.

15. A system for authorizing access of a privileged application, the system comprising:
- an authorization application programming interface (API) to receive an authorization application programming interface (API), a request from a trusted application for authorizing a client application, the client application requesting a service provided by the trusted application;
  
  an authorization unit coupled to the authorization API to authorize, in response to the request, the client application in view of one or more authorization policies associated with the client application to determine whether the client application is authorized to access the requested service; and
  
  an authentication unit coupled to the authorization unit to authenticate a user associated with the client application to determine whether the user is allowed to access the requested service, wherein a value is returned via the authorization API to the trusted application indicating whether the client application can access the requested service provided by the trusted application, based on results of the authorization and authentication.
- View Dependent Claims (16, 17, 18, 19, 20, 21)
- - 16. The system of claim 15, wherein the authentication is performed only after the client application has been successfully authorized via the authorization and the authorization indicates that authentication is required.
  - 17. The system of claim 16, wherein the request includes a user identifier (ID) identifying the user of the client application, a process ID identifying the client application and an action ID identifying an action to be carried out by the trusted application, wherein the authorization is performed to determine whether the client application is entitled to the service by carrying out the identified action by the trusted application, and wherein the authentication is performed to determine whether the user of the client application is entitled to the service by carrying out the identified action by the trusted application.
  - 18. The system of claim 15, wherein authenticating the user associated with the client application comprises invoking an authentication agent running within an identical user session of the user accessing the client application, wherein the authentication agent is configured to collect one or more credentials from the user that are required to access the requested service.
  - 19. The system of claim 18, wherein the authentication agent is configured to display a graphical user interface (GUI) page to allow the user to enter the one or more credentials, including a credential associated with a super user that is required to access the requested service.
  - 20. The system of claim 18, wherein the authentication agent is configured to display a graphical user interface (GUI) page to allow the user to select one of one or more predetermined authorized users and a credential associated with the selected authorized user that is required to access the requested service.
  - 21. The system of claim 15, further comprising an extension API coupled to the authorization unit and the authentication unit to access a third-party authority to perform additional at least one of authorization of the client application and authentication of the user of the client application.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Red Hat, Inc. (International Business Machines Corporation)
Original Assignee
Red Hat, Inc. (International Business Machines Corporation)
Inventors
Zeuthen, David

Granted Patent

US 9,479,509 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/19
CPC Class Codes

G06F 21/30   Authentication, i.e. establ...

G06F 21/32   using biometric data, e.g. ...

G06F 21/44   Program or device authentic...

G06F 21/445   by mutual authentication, e...

G06F 21/62   Protecting access to data v...

G06F 21/6281   at program execution time, ...

G06F 21/629   to features or functions of...

H04L 63/08   for authentication of entit...

H04L 63/10   for controlling access to d...

H04L 63/102   Entity profiles

H04L 63/20   for managing network securi...

H04L 9/3228   One-time or temporary data,...

UNIFIED SYSTEM INTERFACE FOR AUTHENTICATION AND AUTHORIZATION

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

UNIFIED SYSTEM INTERFACE FOR AUTHENTICATION AND AUTHORIZATION

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links