Controlling Access by Web Applications to Resources on Servers

US 20150200948A1
Filed: 04/23/2012
Published: 07/16/2015
Est. Priority Date: 04/23/2012
Status: Active Grant

First Claim

Patent Images

1. A system that facilitates granting a third-party application access to a user resource located on a network system, the system comprising:

a user-based access control list (ACL) checking utility configured to determine whether a first user has permission to access the user resource;

a token-grant server checking utility configured to determine whether a token grant server has authenticated the third-party application with the network system;

a resource-based ACL checking utility configured to determine whether the third-party application has permission to access the user resource on behalf of the first user, based at least in part on metadata associated with the user resource, wherein the metadata includes information indicating whether a second user has used the third-party application to access the user resource, wherein the first user is not the second user; and

an authentication-fulfillment utility configured to fulfill the third-party application access request upon receiving affirmative determinations in all of the determinations made by the system, the fulfillment including enabling an authentication of the third-party application and granting the third-party application permission to access the user resource.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques are shown for providing third-party applications access to user resources based on user actions and processes that provide the third-party applications with the correct security tokens. The scope of access granted in various implementations of the disclosure is all documents which the user has already opened with the third-party application.

156 Citations

24 Claims

1. A system that facilitates granting a third-party application access to a user resource located on a network system, the system comprising:
- a user-based access control list (ACL) checking utility configured to determine whether a first user has permission to access the user resource;
  
  a token-grant server checking utility configured to determine whether a token grant server has authenticated the third-party application with the network system;
  
  a resource-based ACL checking utility configured to determine whether the third-party application has permission to access the user resource on behalf of the first user, based at least in part on metadata associated with the user resource, wherein the metadata includes information indicating whether a second user has used the third-party application to access the user resource, wherein the first user is not the second user; and
  
  an authentication-fulfillment utility configured to fulfill the third-party application access request upon receiving affirmative determinations in all of the determinations made by the system, the fulfillment including enabling an authentication of the third-party application and granting the third-party application permission to access the user resource.
- View Dependent Claims (2, 3, 5, 6, 7, 8, 9, 10, 11)
- - 2. The system according to claim 1, further including:
    - an installation registry confirmation utility configured to determine whether the third-party application has been installed by the first user.
  - 3. The system according to claim 1, further including:
    - an application programming interface (API) configured to receive an application ID from the third-party application and an access token granted to the third-party application by the token-grant server.
  - 5. The system according to claim 1, wherein:
    - the resource-based ACL checking utility is further configured to write metadata to the user resource, the metadata containing an identification (ID) for the third-party application used by the first user to access the user resource and a user ID.
  - 6. The system according to claim 5, wherein:
    - the resource-based ACL checking utility is further configured to write to a file record data specifying that the third-party application has been used to access the user resource.
  - 7. The system according to claim 5, wherein:
    - the resource-based ACL checking utility is further configured to limit the number of different third-party applications that the first user can use simultaneously to access a particular user resource.
  - 8. The system according to claim 7, wherein:
    - the resource-based ACL checking utility is configured to remove the first of a series of third-party applications that the first user is using to simultaneously access a particular user resource when the series reaches a limit and the first user attempts to access the particular user resource using an additional third-party application.
  - 9. The system according to claim 1, wherein:
    - the token-grant server checking utility is configured to determine whether the token-grant server has sent an authorization code to a third-party application along with a document ID when the first user installs the third-party application for use with a resource identified by the document ID.
  - 10. The system according to claim 9, wherein:
    - the token-grant server checking utility is configured to determine whether the token-grant server has received the authorization code back from the third-party application along with a client secret that identifies the third-party application as the intended recipient of the authorization code.
  - 11. The system according to claim 10, wherein:
    - the token-grant server checking utility is further configured to determine whether the token-grant server has sent the authorization access token to the third-party application after receiving the authorization code and client secret from the third-party application.

4. (canceled)

12. A computer implemented method that facilitates granting a third-party application access to one or more user resources located on a web-based storage system, the method comprising:
- determining whether a first user is on a user-based access control list (ACL) granting the first user access to the one or more user resources;
  
  determining whether an authorization access token has been granted by a token-grant server granting the third-party application limited access to the one or more resources;
  
  determining whether the third-party application is on a resource-specific ACL, indicating that a second user has used the third-party application to access the one or more resources, wherein the first user is not the second user;
  
  determining whether the third-party application has been installed by the first user; and
  
  in response to an affirmative determination for each of the determinings, fulfilling the third-party application access request, the fulfilling including enabling an authentication of the third-party application and granting the third-party application permission to access the one or more user resources.
- View Dependent Claims (13, 15, 16, 17, 18, 19, 20, 21)
- - 13. The method according to claim 12, further including:
    - calling an application programming interface (API) configured to receive an application ID from the third-party application and an authorization access token granted to the third-party application by the token-grant server.
  - 15. The method according to claim 12, further including:
    - writing metadata to the one or more user resources, the metadata containing an ID for the third-party application used by the first user to access the one or more user resources and a first user ID corresponding to the first user.
  - 16. The method according to claim 15, further including:
    - writing data to a file record on the web-based storage system specifying that the third-party application has been used to access the one or more user resources.
  - 17. The method according to claim 15, further including:
    - limiting the number of different third-party applications that the first user can use simultaneously to access a particular user resource to a known number.
  - 18. The method according to claim 17, further including:
    - ending access to the resource for the first of a series of third-party applications that the first user is using to simultaneously access a particular user resource when the series reaches a limit equal to the known number and the first user attempts to access the particular user resource using an additional third-party application.
  - 19. The method according to claim 12, further including:
    - sending an authorization code from the token-grant server to a third-party application when the first user installs the third-party application.
  - 20. The method according to claim 19, further including:
    - receiving the authorization code at the token-grant server from the third-party application along with a client secret that identifies the third-party application as the intended recipient of the authorization code.
  - 21. The method according to claim 20, further including:
    - sending the authorization access token from the token-grant server to the third-party application after receiving the authorization code and client secret at the token-grant server from the third-party application.

14. (canceled)

22. A tangible, machine-readable, non-transitory storage medium having stored thereon program instructions that facilitate granting a third-party application access to one or more user resources located on a web-based storage system, the instructions when executed by a machine cause the machine to perform operations comprising:
- determining whether a first user is on a user-based access control list (ACL) granting the first user access to the one or more user resources;
  
  determining whether an authorization access token has been granted by a token-grant server granting the third-party application limited access to the one or more resources;
  
  determining whether the third-party application is on a resource-specific ACL, indicating that a second user has used the third-party application to access the one or more resources, wherein the first user is not the second user;
  
  determining whether the third-party application has been installed by the first user; and
  
  in response to an affirmative determination for each of the determinings, fulfilling the third-party application access request, the fulfilling including enabling an authentication of the third-party application and granting the third-party application permission to access the one or more user resources.
- View Dependent Claims (23, 24)
- - 23. The non-transitory storage medium according to claim 22, the operations further comprising:
    - writing metadata to the one or more user resources, the metadata containing an ID for the third-party application used by the first user to access the one or more user resources and a first user ID corresponding to the first user.
  - 24. The non-transitory storage medium according to claim 22, the operations further comprising:
    - sending an authorization code from the token-grant server to a third-party application when the first user installs the third-party application;
      
      receiving the authorization code at the token-grant server from the third-party application along with a client secret that identifies the third-party application as the intended recipient of the authorization code; and
      
      sending the authorization access token to the third-party application after receiving the authorization code and client secret from the third-party application.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Google LLC (Alphabet Inc.)
Original Assignee
Google Inc. (Alphabet Inc.)
Inventors
Cairns, Brian Lewis, Schoeffler, Eric Benson, Procopio, Michael Jeffrey, Besen, Adam Wayne, Wyrick, Robert Eugene, Richter, John Day, Eaton, Brian Edgar

Granted Patent

US 9,148,429 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/335   for accessing specific reso...

G06F 21/44   Program or device authentic...

G06F 21/6218   to a system of files or obj...

G06F 2221/2141   Access rights, e.g. capabil...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/10   for controlling access to d...

H04L 63/101   Access control lists [ACL]

H04L 9/3213   using tickets or tokens, e....

Controlling Access by Web Applications to Resources on Servers

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

156 Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Controlling Access by Web Applications to Resources on Servers

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

156 Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links