SYNCHRONIZING AUTHENTICATION SESSIONS BETWEEN APPLICATIONS

US 20150341334A1
Filed: 08/04/2015
Published: 11/26/2015
Est. Priority Date: 09/11/2013
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

receiving, via at least one of one or more computing devices, a first authentication token from a first application that is authenticated with a service provider;

requesting, via at least one of the one or more computing devices, a second authentication token from a token exchange service using the first authentication token;

configuring, via at least one of the one or more computing devices, a second application to use the second authentication token in order to access a resource of the service provider; and

wherein the first and second applications are executed in the one or more computing devices, one of the first or second applications comprises a native application, and another one of the first or second applications comprises a browser-based application.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Disclosed are various embodiments for synchronizing authentication sessions between applications. In one embodiment, a first authentication token is received from a first application in response to determining that the first application is authenticated with a service provider. A second authentication token is requested from a token exchange service associated with the service provider. The second authentication token is requested using the first authentication token. The second application is configured to use the second authentication token in order to access a resource of the service provider.

45 Citations

View as Search Results

20 Claims

1. A method, comprising:
- receiving, via at least one of one or more computing devices, a first authentication token from a first application that is authenticated with a service provider;
  
  requesting, via at least one of the one or more computing devices, a second authentication token from a token exchange service using the first authentication token;
  
  configuring, via at least one of the one or more computing devices, a second application to use the second authentication token in order to access a resource of the service provider; and
  
  wherein the first and second applications are executed in the one or more computing devices, one of the first or second applications comprises a native application, and another one of the first or second applications comprises a browser-based application.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein configuring the second application to use the second authentication token further comprises storing, via at least one of the one or more computing devices, a cookie including the second authentication token in a cookie jar of the second application.
  - 3. The method of claim 1, further comprising determining, via at least one of the one or more computing devices, that the second application permits a synchronized authentication session with the first application.
  - 4. The method of claim 1, further comprising:
    - receiving, via at least one of the one or more computing devices, a request to access a first service of the service provider from the first application; and
      
      receiving, via at least one of the one or more computing devices, a request to access a second service of the service provider from the second application.
  - 5. The method of claim 1, wherein the first authentication token has an indefinite maximum lifetime, and the second authentication token has a predetermined maximum lifetime.
  - 6. The method of claim 1, wherein the second application is embedded within the first application.
  - 7. The method of claim 1, further comprising initiating, via at least one of the one or more computing devices, a log out from the service provider in response to a user request, wherein the log out is configured to invalidate the first authentication token and the second authentication token.
  - 8. The method of claim 1, further comprising:
    - detecting, via at least one of the one or more computing devices, an access of a log out uniform resource locator (URL) by the second application; and
      
      initiating, via at least one of the one or more computing devices, a log out from the service provider in response to a user request.
  - 9. The method of claim 1, wherein the token exchange service is operated by a first organization that is different from a second organization that operates the service provider, and the first organization is trusted by the second organization.

10. A system, comprising:
- at least one computing device; and
  
  a token exchange service executed in the at least one computing device, wherein when executed the token exchange service is configured to at least;
  
  receive a first authentication token from a client computing device, the first authentication token corresponding to a registration of an application of the client computing device for a user account;
  
  validate the first authentication token;
  
  generate a second authentication token corresponding to a browser-based session for the user account; and
  
  send the second authentication token to the client computing device.
- View Dependent Claims (11, 12, 13)
- - 11. The system of claim 10, wherein the first authentication token is configured with an indefinite maximum lifetime, and the second authentication token is configured with a predetermined maximum lifetime.
  - 12. The system of claim 10, wherein the first authentication token is configured with a first level of permissions, and the second authentication token is configured with a second level of permissions that is less than the first level of permissions.
  - 13. The system of claim 10, wherein the first authentication token is received from a native application executed by the client computing device, and a browser embedded within the application is configured to employ the second authentication token.

14. A method, comprising:
- receiving, by a token exchange service executed via at least one of one or more computing devices, a first authentication token from a client computing device, the first authentication token corresponding to a registration of an application of the client computing device for a user account;
  
  validating, by the token exchange service, the first authentication token;
  
  generating, by the token exchange service, a second authentication token corresponding to a browser-based session for the user account; and
  
  sending, by the token exchange service, the second authentication token to the client computing device.
- View Dependent Claims (15, 16, 17, 18, 19, 20)
- - 15. The method of claim 14, wherein generating the second authentication token further comprises generating, by the token exchange service, the second authentication token in a format specified by the client computing device.
  - 16. The method of claim 14, further comprising determining, via at least one of the one or more computing devices, that the first authentication token has not expired and has not been revoked.
  - 17. The method of claim 14, further comprising:
    - decrypting, by the token exchange service, at least a portion of the first authentication token; and
      
      determining, by the token exchange service, that the portion of the first authentication token corresponds to a correct identifier associated with the user account.
  - 18. The method of claim 14, wherein the first authentication token is configured with an indefinite maximum lifetime, and the second authentication token is configured with a predetermined maximum lifetime.
  - 19. The method of claim 14, wherein the token exchange service is operated by a first organization that is different from a second organization that operates a service provider that provides the user account, and the first organization is trusted by the second organization.
  - 20. The method of claim 14, wherein the first authentication token is configured with a first level of permissions, and the second authentication token is configured with a second level of permissions that is less than the first level of permissions.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Bhimanaik, Bharath Kumar

Granted Patent

US 9,979,712 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/335   for accessing specific reso...

G06F 21/41   where a single sign-on prov...

H04L 63/08   for authentication of entit...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/0815   providing single-sign-on or...

H04L 63/102   Entity profiles

SYNCHRONIZING AUTHENTICATION SESSIONS BETWEEN APPLICATIONS

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

45 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

SYNCHRONIZING AUTHENTICATION SESSIONS BETWEEN APPLICATIONS

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

45 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links