User impersonation/delegation in a token-based authentication system
First Claim
1. A method, operable within a trusted service, of enabling access to an application executing in a computing entity, comprising:
establishing a trust relationship with an identity provider;
requesting a token from the identity provider;
receiving the token from the identity provider, the token having been generated by the identity provider without requiring a user credential;
on behalf of a user, using the token and a user credential to establish the trusted service as an authenticated user to the application; and
upon establishing the trusted service as an authenticated user, accessing the application.
Abstract
A “trusted service” establishes a trust relationship with an identity provider and interacts with the identity provider over a trusted connection. The trusted service acquires a token from the identity provider for a given user (or set of users) without having to present the user's credentials. The trusted service then uses this token (e.g., directly, by invoking an API, by acquiring another token, or the like) to access and obtain a cloud service on a user's behalf even in the user's absence. This approach enables background services to perform operations within a hosted session (e.g., via OAuth-based APIs) without presenting user credentials or even having the user present.
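The three-party flow the abstract describes, as an added illustration that is not the patent's own implementation: the identity provider issues the trusted service a token that names the users it may act for (no user credential is involved), the service pairs that token with a user identifier, and the application accepts the service as that user only after checking signature, audience, expiry and delegation scope. It assumes an HMAC-signed token over a key shared between the identity provider and the trusted service, and models the "user credential" of the claims as a user identifier supplied by the service rather than a password; all names and values are constructed.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed sample key standing in for the trust relationship the identity
# provider established with the trusted service (assumption, not the patent's format).
IDP_KEY = b"constructed-idp-shared-key"


def _sign(payload: dict) -> str:
    """Encode claims and append an HMAC-SHA256 tag keyed with the IdP/service key."""
    body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()
    mac = hmac.new(IDP_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{mac}"


def _verify(token: str) -> dict:
    """Check the tag in constant time before trusting any claim in the token."""
    body, mac = token.split(".")
    expected = hmac.new(IDP_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        raise ValueError("bad signature")
    return json.loads(base64.urlsafe_b64decode(body))


def idp_issue_service_token(service_id, audience, users, ttl=300, now=None):
    """IdP side: the token names the service and the users it may act for; no user credential is presented."""
    now = time.time() if now is None else now
    return _sign({"iss": "idp", "sub": service_id, "aud": audience,
                  "act_for": sorted(users), "exp": now + ttl})


def service_impersonate(service_token, user_id):
    """Trusted service side: pair the IdP token with the user it is acting for (the user need not be present)."""
    return {"token": service_token, "user": user_id}


def app_authenticate(assertion, audience, now=None):
    """Application side: accept the service as the named user only if every check passes.
    Returns (effective_user, acting_service) so audit logs record who really acted."""
    now = time.time() if now is None else now
    claims = _verify(assertion["token"])
    if claims["aud"] != audience:
        raise PermissionError("token not issued for this application")
    if claims["exp"] <= now:
        raise PermissionError("token expired")
    if assertion["user"] not in claims["act_for"]:
        raise PermissionError("user outside the delegated set")
    return assertion["user"], claims["sub"]
```

Returning the acting service alongside the effective user is the detection hook: an impersonated session should never be logged as if the user had signed in personally.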
181 Citations
25 Claims
1. A method, operable within a trusted service, of enabling access to an application executing in a computing entity, comprising:
establishing a trust relationship with an identity provider; requesting a token from the identity provider; receiving the token from the identity provider, the token having been generated by the identity provider without requiring a user credential; on behalf of a user, using the token and a user credential to establish the trusted service as an authenticated user to the application; and upon establishing the trusted service as an authenticated user, accessing the application.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9

10. Apparatus, comprising:
a processor; computer memory holding computer program instructions that when executed by the processor perform a method of enabling access to an application executing in a computing entity, the method comprising; establishing a trust relationship with an identity provider; requesting a token from the identity provider; receiving the token from the identity provider, the token having been generated by the identity provider without requiring a user credential; on behalf of a user, using the token and a user credential to obtain an authenticated user identity by which the user can be impersonated to the application; and upon receiving the authenticated user identity, accessing the application.
Dependent claims: 11, 12, 13, 14, 15

16. A computer program product in a computer readable medium for use in a data processing system, the computer program product holding computer program instructions which, when executed by the data processing system, perform a method of enabling access to an application executing in a computing entity, the method comprising:
establishing a trust relationship with an identity provider; requesting a token from the identity provider; receiving the token from the identity provider, the token having been generated by the identity provider without requiring a user credential; on behalf of a user, using the token and a user credential to obtain an authenticated user identity by which the user can be impersonated to the application; and upon receiving the authenticated user identity, accessing the application.
Dependent claims: 17, 18, 19

20. The computer program product as described in 17 wherein the token is a specific token for an authorized user.

22. An identity provider apparatus, comprising:
a processor; computer memory holding computer program instructions executed by the processor to perform a method, comprising; establishing a trust relationship with a trusted service over a trusted connection; receiving from the trusted service a request for a token; generating the token without requiring a user credential; and returning the token to the trusted service to enable the trusted service to impersonate a user by using the token and a user credential to obtain an authenticated user identity.
Dependent claims: 23, 24, 25
Specification