PLUGGABLE TOKEN PROVIDER MODEL TO IMPLEMENT AUTHENTICATION ACROSS MULTIPLE WEB SERVICES

US 20110231921A1
Filed: 03/18/2010
Published: 09/22/2011
Est. Priority Date: 03/18/2010
Status: Active Grant

First Claim

Patent Images

1. A method to be executed at least in part in a computing device for message level authentication across multiple web services through a pluggable token provider model, the method comprising:

receiving a web service request from a local web service component at a client application;

locating metadata associated with the requested web service, wherein the metadata includes information associated with execution and authentication of the requested web service;

if a credential is associated with the requested web service, retrieving the credential;

retrieving a token associated with the retrieved credential;

authenticating the requested web service based on the retrieved token; and

if the authentication is successful, performing the requested web service.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A pluggable token provider model for message level authentication across multiple web services is provided. Web service and token provider implementations within a client application are separated from an actual component that operates the business logic to formulate and understand a web request. The web service components may request web services to be executed and supply the body for the web service message while a common framework maintains the web services metadata, which includes definitions associated with respective tokens. The framework may further maintain token provider implementations that actually fetch authentication tokens and perform the web requests.

50 Citations

View as Search Results

20 Claims

1. A method to be executed at least in part in a computing device for message level authentication across multiple web services through a pluggable token provider model, the method comprising:
- receiving a web service request from a local web service component at a client application;
  
  locating metadata associated with the requested web service, wherein the metadata includes information associated with execution and authentication of the requested web service;
  
  if a credential is associated with the requested web service, retrieving the credential;
  
  retrieving a token associated with the retrieved credential;
  
  authenticating the requested web service based on the retrieved token; and
  
  if the authentication is successful, performing the requested web service.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein web service and token provider components within the client application are separated from a component operating business logic to formulate and understand the requested web service.
  - 3. The method of claim 2, wherein the token provider components represent token issuers interacting with the client application and are identified by one of a Universal Resource Identifier (URI) and a name.
  - 4. The method of claim 3, wherein a metadata model component maintaining metadata references the token provider components employing one of web service metadata and web service security (WSS) policy information retrieved from the web service components.
  - 5. The method of claim 4, wherein the metadata model component further maintains a mapping of metadata information with an identifier of a web service providing the metadata.
  - 6. The method of claim 4, wherein the metadata model component parses the metadata and maintains a plurality of binding entries.
  - 7. The method of claim 6, wherein the plurality of binding entries includes at least one from a set of:
    - a resource identifier against which the web service request is to be made, operation and action information to be included in a web service message, an authentication type supported by the resource, security policy information corresponding to the resource, and a token provider identification based on a token issuer identifier in the security policy.
  - 8. The method of claim 7, wherein a web service manager component is configured to:
    - retrieve the metadata from the metadata model component,cycle through the plurality of bindings,select one of the bindings based on the requested web service and associated authentication type, andconstruct an actual web service request.
  - 9. The method of claim 8, wherein a credential manager component is configured to identify credential services associated with the requested web service based on a user identifier provided by the web service manager component.
  - 10. The method of claim 6, wherein the metadata model component persists the parsed metadata such that the metadata is retrieved and parsed once.

11. A unified communication system employing message level authentication across multiple web services through a pluggable token provider model, the system comprising:
- a server configured to;
  
  manage communications between internal and external resources of the unified communication system and a plurality of client applications;
  
  a client device executing a client application, the client application including;
  
  at least one web service component;
  
  at least one token provider component representing token issuers interacting with the client application;
  
  a metadata model component for retrieving metadata from a web service, wherein the metadata includes information associated with execution and authentication of a requested web service; and
  
  a web service manager component configured to;
  
  retrieve the metadata from the metadata model component,cycle through a plurality of bindings parsed from the metadata by the metadata model component,select one of the bindings based on the requested web service and associated authentication type, andconstruct an actual web service request.
- View Dependent Claims (12, 13, 14, 15, 16)
- - 12. The system of claim 11, wherein the client application further includes a credential manager component for identifying credential services based on a user identifier, the credential manager component being capable of handling multiple types of credentials through one of:
    - associating a single user identity with multiple web services and associating multiple user identities with a single web service.
  - 13. The system of claim 12, wherein the multiple web services and the single web service are associated with one of:
    - a resource internal to the unified communication system and a resource external to the unified communication system.
  - 14. The system of claim 12, wherein the credential manager component is configured to save received credentials in volatile memory such that the saved credentials are purged in response to one of the client application shutting down and another user logging in.
  - 15. The system of claim 12, wherein the credential manager is further configured to maintain a success record for each web service, the success record including one of:
    - an “
      
      unknown”
      
      state for previously unused credentials, a “
      
      success”
      
      state for successful usage of a web service against a particular credential, and a “
      
      failure”
      
      state for logon failure of a web service against the particular credential.
  - 16. The system of claim 11, wherein the client application includes a pluggable token provider component for each web service, the token provider components and web services being one of:
    - statically bound and dynamically bound.

17. A computer-readable storage medium with instructions stored thereon for employing message level authentication across multiple web services through a pluggable token provider model, the instructions comprising:
- receiving a payload of a web service call to be made from a web service component of a client application;
  
  extracting a base identifier of the call;
  
  calling into a metadata model component requesting web service metadata;
  
  upon retrieval of the metadata, cycling thorough available bindings in the metadata;
  
  selecting an appropriate binding based on a requested operation and an authentication type depending on a credential associated with the requested web service; and
  
  fetching a token associated with the credential such that an actual web service request is constructed.
- View Dependent Claims (18, 19, 20)
- - 18. The computer-readable medium of claim 17, further comprising:
    - processing the metadata for retrieving tokens on a per web service basis; and
      
      parsing the metadata to generate bindings that include at least one from a set of;
      
      a resource identifier against which the web service request is to be made, operation and action information to be included in a web service message, an authentication type supported by the resource, security policy information corresponding to the resource, and a token provider identification based on a token issuer identifier in the security policy.
  - 19. The computer-readable medium of claim 18, wherein the metadata is processed at a metadata model component per resource identifier such that an associated token provider is identified from security policy information associated with the requested web service.
  - 20. The computer-readable medium of claim 17, wherein the calls between components of the client application are made employing Simple Object Access Protocol (SOAP).

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Liang, Rui, Narayanan, Ranjith, Srinivasan, Srivatsa

Granted Patent

US 8,572,710 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/9
CPC Class Codes

G06F 21/335   for accessing specific reso...

G06F 21/604   Tools and structures for ma...

G06F 21/6218   to a system of files or obj...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/105   Multiple levels of security

H04L 63/168   above the transport layer

H04L 63/205   involving negotiation or de...

H04L 9/3213   using tickets or tokens, e....

PLUGGABLE TOKEN PROVIDER MODEL TO IMPLEMENT AUTHENTICATION ACROSS MULTIPLE WEB SERVICES

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

50 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

PLUGGABLE TOKEN PROVIDER MODEL TO IMPLEMENT AUTHENTICATION ACROSS MULTIPLE WEB SERVICES

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

50 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links