REGULATING ACCESS TO PROTECTED DATA RESOURCES USING UPGRADED ACCESS TOKENS

US 20120144501A1
Filed: 04/18/2011
Published: 06/07/2012
Est. Priority Date: 12/03/2010
Status: Abandoned Application

First Claim

Patent Images

1. A computer-implemented method of regulating access to protected data resources, the method comprising:

sending a first access token from a client module, the first access token having first data access attributes associated therewith; and

in response to sending the first access token, receiving a second access token at the client module, the second access token having second data access attributes associated therewith, the first data access attributes and the second data access attributes being different.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Various techniques and procedures related to client authorization and the management of protected data resources are presented here. One approach employs a computer-implemented method of regulating access to protected data resources. In accordance with this approach, a client sends a first access token to a server, the first access token having first data access attributes associated therewith. In response to receiving the first access token, the server sends a second access token to the client module, the second access token having second data access attributes associated therewith. The second data access attributes represent expanded or additional data access capabilities granted to the client. The client may then access protected data resources using the second data access token.

131 Citations

20 Claims

1. A computer-implemented method of regulating access to protected data resources, the method comprising:
- sending a first access token from a client module, the first access token having first data access attributes associated therewith; and
  
  in response to sending the first access token, receiving a second access token at the client module, the second access token having second data access attributes associated therewith, the first data access attributes and the second data access attributes being different.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, further comprising generating a protected data request with the client module, the protected data request including the second access token.
  - 3. The method of claim 1, wherein:
    - the first data access attributes define a first scope of data access granted to the client module;
      
      the second data access attributes define a second scope of data access granted to the client module; and
      
      the second scope of data access exceeds the first scope of data access.
  - 4. The method of claim 1, wherein:
    - the first data access attributes define a first duration of data access granted to the client module;
      
      the second data access attributes define a second duration of data access granted to the client module; and
      
      the second duration of data access is longer than the first duration of data access.
  - 5. The method of claim 1, wherein:
    - the first data access attributes define first data access capabilities granted to the client module;
      
      the second data access attributes define second data access capabilities granted to the client module; and
      
      the second data access capabilities represent expanded data access capabilities, relative to the first data access capabilities.
  - 6. The method of claim 1, wherein the sending step also sends an assertion on behalf of the client module, the assertion facilitating authentication of the client module.
  - 7. The method of claim 1, wherein the sending step also sends credentials of the client module, the credentials facilitating authentication of the client module.
  - 8. The method of claim 1, further comprising the step of generating a POST request that includes the first access token, wherein:
    - the sending step sends the POST request; and
      
      the receiving step also receives a redirect uniform resource locator that redirects the client module to access protected data resources.
  - 9. The method of claim 1, further comprising the step of generating a GET request that includes the first access token, wherein:
    - the sending step sends the GET request;
      
      receiving the second access token comprises receiving a redirect uniform resource locator that includes the second access token; and
      
      the redirect uniform resource locator redirects the client module to access protected data resources.

10. A computer-implemented method of regulating access to protected data resources, the method comprising:
- receiving a first access token at a server module, the first access token being associated with first data access attributes granted to a client module; and
  
  in response to receiving the first access token, sending a second access token from the server module to the client module, the second access token being associated with second data access attributes granted to the client module, the first data access attributes and the second data access attributes being different.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17)
- - 11. The method of claim 10, wherein:
    - the first data access attributes define a first scope of data access granted to the client module;
      
      the second data access attributes define a second scope of data access granted to the client module; and
      
      the second scope of data access exceeds the first scope of data access.
  - 12. The method of claim 10, wherein:
    - the first data access attributes define a first duration of data access granted to the client module;
      
      the second data access attributes define a second duration of data access granted to the client module; and
      
      the second duration of data access is longer than the first duration of data access.
  - 13. The method of claim 10, wherein:
    - the first data access attributes define first data access capabilities granted to the client module;
      
      the second data access attributes define second data access capabilities granted to the client module; and
      
      the second data access capabilities represent expanded data access capabilities, relative to the first data access capabilities.
  - 14. The method of claim 10, wherein:
    - the receiving step also receives an assertion on behalf of the client module; and
      
      the method further comprises processing the assertion to authenticate the client module.
  - 15. The method of claim 10, wherein:
    - the receiving step also receives credentials of the client module; and
      
      the method further comprises processing the credentials to authenticate the client module.
  - 16. The method of claim 10, wherein:
    - receiving the first access token comprises receiving a POST request that includes the first access token; and
      
      the sending step also sends a redirect uniform resource locator that redirects the client module to access protected data resources.
  - 17. The method of claim 10, wherein:
    - receiving the first access token comprises receiving a GET request that includes the first access token;
      
      sending the second access token comprises sending a redirect uniform resource locator that includes the second access token; and
      
      the redirect uniform resource locator redirects the client module to access protected data resources.

18. A server system comprising a processor and a memory, wherein the memory comprises computer-executable instructions that, when executed by the processor, cause the server system to:
- receive a request on behalf of a client module, the request including credentials of the client module and a first access token associated with first data access capabilities of the client module, the first data access capabilities defining a restricted scope of data access for the client module;
  
  authenticating the client module, using the credentials of the client module; and
  
  in response to the authenticating, granting second data access capabilities to the client module, the second data access capabilities defining an expanded scope of data access for the client module, relative to the first data access capabilities.
- View Dependent Claims (19, 20)
- - 19. The server system of claim 18, wherein the computer-executable instructions cause the server system to send a second access token to the client module, the second access token being associated with the second data access capabilities granted to the client module.
  - 20. The server system of claim 19, wherein the computer-executable instructions cause the server system to send the second access token in conjunction with a redirect uniform resource locator that redirects the client module to access protected data resources.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Salesforce.com, Inc.
Original Assignee
Salesforce.com, Inc.
Inventors
Vangpat, Alan, Mortimore, William Charles Jr.

Application Number

US13/088,908
Publication Number

US 20120144501A1
Time in Patent Office

Days
Field of Search
US Class Current

726/28
CPC Class Codes

H04L 63/0807 using tickets, e.g. Kerbero...

H04L 63/108 when the policy decisions a...

REGULATING ACCESS TO PROTECTED DATA RESOURCES USING UPGRADED ACCESS TOKENS

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

131 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

REGULATING ACCESS TO PROTECTED DATA RESOURCES USING UPGRADED ACCESS TOKENS

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

131 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links