PROTECTING USER CREDENTIALS USING AN INTERMEDIARY COMPONENT

US 20110296510A1
Filed: 05/27/2010
Published: 12/01/2011
Est. Priority Date: 05/27/2010
Status: Active Grant

First Claim

Patent Images

1. A method implemented by a first component, the method comprising:

receiving, from a second component, a first request to access a service or resource without credentials of a current user of the second component being revealed to the second component;

obtaining, in response to the first request, user credentials for the current user, wherein the user credentials are associated with the service or resource;

sending, to the service or resource, both a second request to access the service or resource and the user credentials;

receiving, in response to the second request, session state information from the service or resource; and

returning the session state information to the second component, wherein the session state information allows the second component and the service or resource to communicate with each other independently of the first component.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An access component sends an access request to an intermediary component, the access request being a request to access a service or resource without credentials of a current user of the intermediary component being revealed to the access component. The intermediary component obtains user credentials, for the current user, that are associated with the service or resource. The access request and the user credentials are sent to the service or resource, and in response session state information is received from the service or resource. The session state information is returned to the access component, which allows the access component and the service or resource to communicate with one another based on the session state information and independently of the first component.

121 Citations

20 Claims

1. A method implemented by a first component, the method comprising:
- receiving, from a second component, a first request to access a service or resource without credentials of a current user of the second component being revealed to the second component;
  
  obtaining, in response to the first request, user credentials for the current user, wherein the user credentials are associated with the service or resource;
  
  sending, to the service or resource, both a second request to access the service or resource and the user credentials;
  
  receiving, in response to the second request, session state information from the service or resource; and
  
  returning the session state information to the second component, wherein the session state information allows the second component and the service or resource to communicate with each other independently of the first component.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. A method as recited in claim 1, wherein the session state information allows the second component and the service or resource to communicate with one another without the user credentials being revealed to the second component.
  - 3. A method as recited in claim 1, further comprising:
    - checking whether a user authorization to send the user credentials to the service or resource is received at the first component; and
      
      sending the user credentials to the service or resource only if the user authorization to send the user credentials to the service or resource is received at the first component, otherwise returning an indication to the second component that the first request is denied.
  - 4. A method as recited in claim 1, further comprising:
    - checking a user credential store of the first component to determine whether user credentials associated with the service or resource are present in the user credential store; and
      
      sending the user credentials to the service or resource only if user credentials associated with the service or resource are present in the user credential store, otherwise returning an indication to the second component that the first request is denied.
  - 5. A method as recited in claim 4, wherein the user credential store is implemented as part of the first component.
  - 6. A method as recited in claim 1, wherein obtaining the user credentials for the current user comprises:
    - prompting the current user to input user credentials at the first component; and
      
      receiving, at the first component, a user input of the user credentials.
  - 7. A method as recited in claim 1, wherein the user credentials were previously stored, in a user credential store of the first component, as associated with the service or resource prior to receiving the first request.
  - 8. A method as recited in claim 1, further comprising:
    - saving the session state information at the first component;
      
      receiving, from the second component, a third request to access the service or resource without the credentials of the current user of the second component being revealed to the second component;
      
      retrieving the saved session state information; and
      
      returning the retrieved session state information to the second component.
  - 9. A method as recited in claim 1, further comprising:
    - saving the session state information at the first component;
      
      receiving, from a third component, a third request to access the service or resource without the credentials of the current user being revealed to the third component, wherein the third component and the second component are two different components;
      
      retrieving the saved session state information; and
      
      returning the retrieved session state information to the third component, wherein the returned session state information allows the third component and the service or resource to communicate with each other independently of the first component.
  - 10. A method as recited in claim 1, wherein the service or resource comprises a Web site.
  - 11. A method as recited in claim 1, wherein the session state information comprises a cookie.
  - 12. A method as recited in claim 1, wherein the session state information comprises a secure socket layer (SSL) session state or a transport layer security (TLS) session state.
  - 13. A method as recited in claim 1, wherein the first component, the second component, and the service or resource are each implemented by different computing devices.

14. A method implemented by a first component, the method comprising:
- receiving a first request from a user of the first component to access a service or resource without credentials of the user being revealed to the first component;
  
  sending, to a second component and in response to the first request, a second request to access the service or resource based on user credentials for the user;
  
  receiving, from the second component and in response to the second request, session state information received by the second component from the service or resource; and
  
  communicating, using the session state information, with the service or resource.
- View Dependent Claims (15, 16, 17, 18, 19)
- - 15. A method as recited in claim 14, wherein the second request includes an indication of the service or resource.
  - 16. A method as recited in claim 14, wherein the session state information allows the first component and the service or resource to communicate with one another without the user credentials being revealed to the first component.
  - 17. A method as recited in claim 16, wherein the session state information comprises a cookie.
  - 18. A method as recited in claim 14, further comprising receiving the session state information and communicating with the service or resource using the session state information only if both the user credentials associated with the service or resource are present in a user credential store of the second component and the user credentials are authenticated by the service or resource.
  - 19. A method as recited in claim 14, wherein the communicating comprises communicating with the service or resource independently of the second component.

20. One or more computer storage media having stored thereon multiple instructions that, when executed by one or more processors of a computing device, cause the one or more processors to:
- receive, from an access component, a first request to access a service, wherein the access component and the service are implemented by different computing devices, and wherein credentials of a current user of the access component are not revealed to the access component;
  
  check whether a user authorization to send user credentials to the service is received at the computing device;
  
  if the user authorization is not received then deny the first request; and
  
  if the user authorization is received then;
  
  obtain previously stored user credentials for a current user of the access component, wherein the user credentials are associated with the service;
  
  send, to the service, both a second request to access the service and the user credentials;
  
  receive, in response to the second request, session state information;
  
  return the session state information to the access component, wherein the session state information allows the access component and the service to communicate with each other independently of the computing device and without the user credentials being revealed to the access component.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Nyström, Bo Gustaf Magnus, Hatlelid, Kristjan E., Barbour, Marc R.

Granted Patent

US 8,984,597 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/7
CPC Class Codes

G06F 21/6218   to a system of files or obj...

G06F 21/6263   during internet communicati...

G06F 2221/2105   Dual mode as a secondary as...

G06F 2221/2115   Third party

G06F 2221/2141   Access rights, e.g. capabil...

H04L 2209/80   Wireless network architectu...

H04L 63/08   for authentication of entit...

H04L 63/0884   by delegation of authentica...

H04L 63/166   at the transport layer

H04L 67/142   Managing session states for...

H04L 9/3226   using a predetermined code,...

PROTECTING USER CREDENTIALS USING AN INTERMEDIARY COMPONENT

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

121 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

PROTECTING USER CREDENTIALS USING AN INTERMEDIARY COMPONENT

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

121 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links