SINGLE SIGN-ON (SSO) FOR MOBILE APPLICATIONS

US 20150089617A1
Filed: 04/30/2014
Published: 03/26/2015
Est. Priority Date: 09/29/2011
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method comprising:

receiving, at a server, a first client registration token from a first application executing on a first mobile device that is separate from the server;

determining, at the server, whether a first hardware identifier specified in the first client registration token matches any hardware identifier specified in any user session stored at the server;

in response to determining that the first hardware identifier specified in the first client registration token matches a hardware identifier specified in a first user session stored at the server, the server instructing the first application to allow a user of the first application to access functionality of the first application without requiring the user of the first application to re-engage in an authentication process.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A framework, which conforms to the OAuth standard, involves a generic OAuth authorization server that can be used by multiple resource servers in order to ensure that access to resources stored on those resource servers is limited to access to which the resource owner consents. Each resource server registers, with the OAuth authorization server, metadata for that resource server, indicating scopes that are recognized by the resource server. The OAuth authorization server refers to this metadata when requesting consent from a resource owner on behalf of a client application, so that the consent will be of an appropriate scope. The OAuth authorization server refers to this metadata when constructing an access token to provide to the client application for use in accessing the resources on the resource server. The OAuth authorization server uses this metadata to map issued access tokens to the scopes to which those access tokens grant access.

69 Citations

View as Search Results

18 Claims

1. A computer-implemented method comprising:
- receiving, at a server, a first client registration token from a first application executing on a first mobile device that is separate from the server;
  
  determining, at the server, whether a first hardware identifier specified in the first client registration token matches any hardware identifier specified in any user session stored at the server;
  
  in response to determining that the first hardware identifier specified in the first client registration token matches a hardware identifier specified in a first user session stored at the server, the server instructing the first application to allow a user of the first application to access functionality of the first application without requiring the user of the first application to re-engage in an authentication process.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The computer-implemented method of claim 1, further comprising:
    - receiving, at the server, a second client registration token from a second application executing on a second mobile device that is separate from the server and from the first mobile device;
      
      determining, at the server, whether a second hardware identifier specified in the second client registration token matches any hardware identifier specified in any user session stored at the server;
      
      in response to determining that the second hardware identifier specified in the second client registration token does not match any hardware identifier specified in any user session stored at the server, the server instructing the second application to engage a user of the second application to engage in an authentication process prior to allowing the user of the second application to access functionality of the second application.
  - 3. The computer-implemented method of claim 2, further comprising:
    - in response to a user of the second application successfully engaging in an authentication process, performing steps comprising;
      
      generating, at the server, a second user session that specifies the second hardware identifier;
      
      storing the second user session at the server; and
      
      instructing the second application to allow the user of the second application to access functionality of the second application;
      
      wherein the second user session differs from the first user session.
  - 4. The computer-implemented method of claim 3, further comprising:
    - receiving, at the server, a third client registration token from a third application executing on the second mobile device;
      
      determining, at the server, whether the second hardware identifier specified in the third client registration token matches any hardware identifier specified in any user session stored at the server;
      
      in response to determining that the second hardware identifier specified in the third client registration token matches a hardware identifier specified in the second user session stored at the server, the server instructing the third application to allow a user of the third application to access functionality of the third application without requiring the user of the third application to re-engage in an authentication process.
  - 5. The computer-implemented method of claim 1, further comprising:
    - receiving, at the server, a first registration request from the first application;
      
      in response to receiving the first registration request, the server performing an authentication process relative to the first application; and
      
      in response to the first application successfully passing an authentication process, generating the first client registration token at the server and sending the first client registration token to the first application;
      
      wherein the first registration request specifies a hardware identifier of the first mobile device; and
      
      wherein the first client registration token specifies the hardware identifier of the first mobile device.
  - 6. The computer-implemented method of claim 5, further comprising:
    - receiving, at the server, a second registration request from a second application that executes on a second mobile device that is separate from the first mobile device;
      
      in response to receiving the second registration request, the server performing an authentication process relative to the second application; and
      
      in response to the second application successfully passing an authentication process, generating a second client registration token at the server and sending the second client registration token to the second application;
      
      wherein the second registration request specifies a hardware identifier of the second mobile device;
      
      wherein the second client registration token specifies the hardware identifier of the second mobile device;
      
      wherein the hardware identifier of the first mobile device is a Media Access Control (MAC) address of the first mobile device; and
      
      wherein the hardware identifier of the second mobile device is a Media Access Control (MAC) address of the second mobile device.

7. A computer-readable memory comprising instructions which, when executed by one or more processors, cause the one or more processors to perform:
- receiving, at a server, a first client registration token from a first application executing on a first mobile device that is separate from the server;
  
  determining, at the server, whether a first hardware identifier specified in the first client registration token matches any hardware identifier specified in any user session stored at the server;
  
  in response to determining that the first hardware identifier specified in the first client registration token matches a hardware identifier specified in a first user session stored at the server, the server instructing the first application to allow a user of the first application to access functionality of the first application without requiring the user of the first application to re-engage in an authentication process.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The computer-readable memory of claim 7, wherein the instructions, when executed by the one or more processors, cause the one or more processors to perform:
    - receiving, at the server, a second client registration token from a second application executing on a second mobile device that is separate from the server and from the first mobile device;
      
      determining, at the server, whether a second hardware identifier specified in the second client registration token matches any hardware identifier specified in any user session stored at the server;
      
      in response to determining that the second hardware identifier specified in the second client registration token does not match any hardware identifier specified in any user session stored at the server, the server instructing the second application to engage a user of the second application to engage in an authentication process prior to allowing the user of the second application to access functionality of the second application.
  - 9. The computer-readable memory of claim 8, wherein the instructions, when executed by the one or more processors, cause the one or more processors to perform:
    - in response to a user of the second application successfully engaging in an authentication process, performing steps comprising;
      
      generating, at the server, a second user session that specifies the second hardware identifier;
      
      storing the second user session at the server; and
      
      instructing the second application to allow the user of the second application to access functionality of the second application;
      
      wherein the second user session differs from the first user session.
  - 10. The computer-readable memory of claim 9, wherein the instructions, when executed by the one or more processors, cause the one or more processors to perform:
    - receiving, at the server, a third client registration token from a third application executing on the second mobile device;
      
      determining, at the server, whether the second hardware identifier specified in the third client registration token matches any hardware identifier specified in any user session stored at the server;
      
      in response to determining that the second hardware identifier specified in the third client registration token matches a hardware identifier specified in the second user session stored at the server, the server instructing the third application to allow a user of the third application to access functionality of the third application without requiring the user of the third application to re-engage in an authentication process.
  - 11. The computer-readable memory of claim 7, wherein the instructions, when executed by the one or more processors, cause the one or more processors to perform:
    - receiving, at the server, a first registration request from the first application;
      
      in response to receiving the first registration request, the server performing an authentication process relative to the first application; and
      
      in response to the first application successfully passing an authentication process, generating the first client registration token at the server and sending the first client registration token to the first application;
      
      wherein the first registration request specifies a hardware identifier of the first mobile device; and
      
      wherein the first client registration token specifies the hardware identifier of the first mobile device.
  - 12. The computer-readable memory of claim 11, wherein the instructions, when executed by the one or more processors, cause the one or more processors to perform:
    - receiving, at the server, a second registration request from a second application that executes on a second mobile device that is separate from the first mobile device;
      
      in response to receiving the second registration request, the server performing an authentication process relative to the second application; and
      
      in response to the second application successfully passing an authentication process, generating a second client registration token at the server and sending the second client registration token to the second application;
      
      wherein the second registration request specifies a hardware identifier of the second mobile device;
      
      wherein the second client registration token specifies the hardware identifier of the second mobile device;
      
      wherein the hardware identifier of the first mobile device is a Media Access Control (MAC) address of the first mobile device; and
      
      wherein the hardware identifier of the second mobile device is a Media Access Control (MAC) address of the second mobile device.

13. A system comprising:
- a first mobile device that stores a first application; and
  
  a machine that is separate from the first mobile device and that stores an OAuth authorization server that is configured to;
  
  receive a first client registration token from the first application;
  
  determine whether a first hardware identifier specified in the first client registration token matches any hardware identifier specified in any user session stored at the server; and
  
  instruct the first application to allow a user of the first application to access functionality of the first application without requiring the user of the first application to re-engage in an authentication process in response to determining that the first hardware identifier specified in the first client registration token matches a hardware identifier specified in a first user session stored at the server.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The system of claim 13, further comprising a second mobile device that stores a second application;
    - and wherein the OAuth authorization server is configured to;
      
      receive a second client registration token from the second application;
      
      determine whether a second hardware identifier specified in the second client registration token matches any hardware identifier specified in any user session stored at the server; and
      
      instruct the second application to engage a user of the second application to engage in an authentication process prior to allowing the user of the second application to access functionality of the second application in response to determining that the second hardware identifier specified in the second client registration token does not match any hardware identifier specified in any user session stored at the server.
  - 15. The system of claim 14, wherein the OAuth authorization server is configured to:
    - generate a second user session that specifies the second hardware identifier in response to a user of the second application successfully engaging in an authentication process;
      
      store the second user session at the server in response to the user of the second application successfully engaging in an authentication process; and
      
      instruct the second application to allow the user of the second application to access functionality of the second application in response to the user of the second application successfully engaging in an authentication process;
      
      wherein the second user session differs from the first user session.
  - 16. The system of claim 15, wherein the OAuth authorization server is configured to:
    - receive a third client registration token from a third application executing on the second mobile device;
      
      determine whether the second hardware identifier specified in the third client registration token matches any hardware identifier specified in any user session stored at the server;
      
      instruct the third application to allow a user of the third application to access functionality of the third application without requiring the user of the third application to re-engage in an authentication process in response to determining that the second hardware identifier specified in the third client registration token matches a hardware identifier specified in the second user session stored at the server.
  - 17. The system of claim 13, wherein the OAuth authorization server is configured to:
    - receive a first registration request from the first application;
      
      perform an authentication process relative to the first application in response to receiving the first registration request; and
      
      generate the first client registration token in response to the first application successfully passing an authentication process; and
      
      send the first client registration token to the first application in response to the first application successfully passing an authentication process;
      
      wherein the first registration request specifies a hardware identifier of the first mobile device; and
      
      wherein the first client registration token specifies the hardware identifier of the first mobile device.
  - 18. The system of claim 17, wherein the OAuth authorization server is configured to:
    - receive a second registration request from a second application that executes on a second mobile device that is separate from the first mobile device;
      
      perform an authentication process relative to the second application in response to receiving the second registration request; and
      
      generate a second client registration token at the server in response to the second application successfully passing an authentication process; and
      
      send the second client registration token to the second application in response to the second application successfully passing an authentication process;
      
      wherein the second registration request specifies a hardware identifier of the second mobile device;
      
      wherein the second client registration token specifies the hardware identifier of the second mobile device;
      
      wherein the hardware identifier of the first mobile device is a Media Access Control (MAC) address of the first mobile device; and
      
      wherein the hardware identifier of the second mobile device is a Media Access Control (MAC) address of the second mobile device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
Oracle International Corporation (Oracle Corporation)
Inventors
Sondhi, Ajay, Hingarajiya, Ravi, Bhat, Shivaram, Wong, Wai Leung William

Granted Patent

US 9,237,145 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/8
CPC Class Codes

G06F 2221/2103   Challenge-response

H04L 63/08   for authentication of entit...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/0815   providing single-sign-on or...

H04L 63/0853   using an additional device,...

H04L 63/10   for controlling access to d...

H04L 63/102   Entity profiles

H04L 63/20   for managing network securi...

H04L 63/205   involving negotiation or de...

H04W 12/06   Authentication

SINGLE SIGN-ON (SSO) FOR MOBILE APPLICATIONS

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

69 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

SINGLE SIGN-ON (SSO) FOR MOBILE APPLICATIONS

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

69 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links