METHOD FOR MANAGING ACCESS TO PROTECTED RESOURCES AND DELEGATING AUTHORITY IN A COMPUTER NETWORK

US 20120317624A1
Filed: 02/24/2010
Published: 12/13/2012
Est. Priority Date: 02/24/2010
Status: Active Grant

First Claim

Patent Images

1. Method carried out at least by a consumer, a service provider and a controller, whereina service provider is at least one of a software application and a web site that is configured to provide access to protected resources;

anda consumer is at least one of a software application and a web site that is configured to access a service provider on behalf of a user;

the method includingtransmitting, by the consumer to the service provider, a first message representing a request for authorization to access by the consumer on behalf of a first user, here referred to as delegatee, the protected resources of a second user, here referred to as delegator, from the service provider;

transmitting, by the service provider to the controller, a second message representing the request for authorization to access by the consumer on behalf of the delegatee the protected resources of the delegator from the service provider, the second message including a request token, whereina request token is a value used by a service provider to register a requested authorization to access protected resources;

determining, by the controller, whether the requested authorization represented by the second message meets policy settings governing the access to protected resources of the delegator; and

,if it is determined that the requested authorization meets the policy settings,granting, by the service provider, the authorization registered by the request token, andtransmitting, by at least one of the controller and the service provider, to the consumer, a third message including the request token.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In a method, a consumer (100), being a software application or web site accessing a service provider (200) on behalf of a user, transmits (s10) to a service provider (200), being a software application or web site providing access to protected resources, a request for authorization to access by the consumer (100) on behalf of a delegatee (410) the protected resources of a delegator (420). The service provider (200) transmits (s20) to a controller (300) the request for authorization. A request token is also transmitted, which is a value used by the service provider (200) to register a requested authorization. The controller (300) determines (s30) whether the requested authorization meets policy settings governing the access to the delegator'"'"'s protected resources. If so, the service provider (200) grants the authorization registered by the request token, and a third message including the request token is transmitted (s50) to the consumer (100).

58 Citations

View as Search Results

15 Claims

1. Method carried out at least by a consumer, a service provider and a controller, whereina service provider is at least one of a software application and a web site that is configured to provide access to protected resources;
- anda consumer is at least one of a software application and a web site that is configured to access a service provider on behalf of a user;
  
  the method includingtransmitting, by the consumer to the service provider, a first message representing a request for authorization to access by the consumer on behalf of a first user, here referred to as delegatee, the protected resources of a second user, here referred to as delegator, from the service provider;
  
  transmitting, by the service provider to the controller, a second message representing the request for authorization to access by the consumer on behalf of the delegatee the protected resources of the delegator from the service provider, the second message including a request token, whereina request token is a value used by a service provider to register a requested authorization to access protected resources;
  
  determining, by the controller, whether the requested authorization represented by the second message meets policy settings governing the access to protected resources of the delegator; and
  
  ,if it is determined that the requested authorization meets the policy settings,granting, by the service provider, the authorization registered by the request token, andtransmitting, by at least one of the controller and the service provider, to the consumer, a third message including the request token.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. Method of claim 1, further including,before the step of transmitting by the consumer to the service provider, the first message,transmitting, by at least one of a software application and a physical device controlled by the delegatee, to the consumer, a request for a service involving access by the consumer on behalf of the delegatee to the protected resources of the delegator from the service provider.
  - 3. Method of claim 1, whereinthe step of transmitting, by the consumer to the service provider, the first messageincludestransmitting the first message by the consumer to the service provider through at least one of a software application and a physical device controlled by the delegates.
  - 4. Method according to claim 1, further including,between the steps ofdetermining, by the controller, whether the requested authorization represented by the second message meets policy settings governing the access to protected resources of the delegator, andgranting, by the service provider, the authorization registered by the request token,and, if it is determined that the requested authorization meets the policy settings,transmitting, from the controller to the service provider, a message indicating that the requested authorization represented by the second message can be accepted.
  - 5. Method according to claim 1, further including,between the steps ofgranting, by the service provider, the authorization registered by the request token, andtransmitting, by at least one of the controller and the service provider, to the consumer, the third message including the request token;
6. Method according to claim 1, wherein the step of transmitting, to the consumer, the third message including the request token is performed from the controller.
7. Method according to claim 1, wherein the controller includesa delegation assistant being executed on behalf of the delegatee, anda delegation assistant being executed on behalf of the delegatorwherein a delegation assistant is at least one of a software application and a physical device.
8. Method according to claim 1, whereindetermining, by the controller, whether the requested authorization represented by the second message meets policy settings governing the access to protected resources of the delegatorincludesextracting from the second message at least one ofinformation about the consumer from which the requested authorization originates;
- information about the delegatee on behalf of which the consumer requests authorization to access the protected resources of the delegator;
  
  information about the protected resources on which one or more operations are requested to be authorized by means of the request token; and
  
  information about the one or more operations which are requested to be authorized by means of the request token; and
  
  determining whether the extracted information meets the policy settings.

9. Delegation assistant includinga receiver configured for receiving, from another delegation assistant, a message, here referred to as request message, representing a request for authorization to access by a consumer on behalf of a first user, here referred to as delegatee, the protected resources of a second user, here referred to as delegator, from the service provider, the request message including a request token, whereina service provider is at least one of a software application and a web site that is configured to provide access to protected resources;
- a consumer is at least one of a software application and a web site that is configured to access a service provider on behalf of a user; and
  
  a request token is a value used by a service provider to register a requested authorization to access protected resources;
  
  a determiner configured for determining whether the requested authorization represented by the request message meets policy settings governing the access to protected resources of the delegator; and
  
  ,a transmitter configured for, if it is determined that the requested authorization meets the policy settings, transmitting, to the service provider, a response message indicating that the requested authorization represented by the request message can be granted.
- View Dependent Claims (10, 11, 12, 13, 14, 15)
- - 10. Delegation assistant of claim 9, wherein the determiner includesan extracter configured for extracting from the request message at least one ofinformation about the consumer from which the requested authorization originates;
    - information about the delegatee on behalf of which the consumer requests authorization to access the protected resources of the delegator;
      
      information about the protected resources on which one or more operations are requested to be authorized by means of the request token; and
      
      information about the one or more operations which are requested to be authorized by means of the request token; and
      
      a sub-determiner configured for determining whether the extracted information meets the policy settings.
  - 11. Delegation assistant of claim 9, configured to be executed in parallel to a browser.
  - 12. Delegation assistant of claim 11, configured to be executed in parallel to a browser as an add-on to the browser.
  - 13. Delegation assistant of claim 9, configured to be executed on a server.
  - 14. Delegation assistant according to claim 9, wherein the transmitter further configured for transmitting, to the other delegation assistant or to yet another delegation assistant, a message, here referred to as second request message, representing a request for authorization to access by the consumer or another consumer on behalf of the second user the protected resources of the first user or of a third user, here referred to as second delegator, from the service provider or from another servicer provider, wherein the request message includes another request token.
  - 15. Computer program including instructions configured, when executed on a server or on a computer, to cause the server or the computer respectively to operate as a delegation assistant as defined in claim 9.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Telefonaktiebolaget LM Ericsson
Original Assignee
Telefonaktiebolaget LM Ericsson
Inventors
Monjas Llorente, Miguel Angel, Yelmo García, Juan Carlos, Del Álamo Ramir, José María

Granted Patent

US 8,819,784 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/4
CPC Class Codes

H04L 63/105 Multiple levels of security

METHOD FOR MANAGING ACCESS TO PROTECTED RESOURCES AND DELEGATING AUTHORITY IN A COMPUTER NETWORK

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

58 Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

METHOD FOR MANAGING ACCESS TO PROTECTED RESOURCES AND DELEGATING AUTHORITY IN A COMPUTER NETWORK

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

58 Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links