AUTHORIZATION TOKEN CACHE SYSTEM AND METHOD

US 20150350186A1
Filed: 05/30/2014
Published: 12/03/2015
Est. Priority Date: 05/30/2014
Status: Active Grant

First Claim

Patent Images

1. A system, comprising:

at least one processor to;

send an initialization message from an application to a token client, the initialization message comprising credentials information and token metadata;

cache the credentials information and the token metadata in a token cache and return a session identifier that maps to a cache key to retrieve the token metadata and the credentials information, wherein the token metadata comprises at least one service property used for obtaining an access token from a token service;

send a first access token request based on the credentials information and the token metadata;

receive a first access token response and retrieve a first access token from the access token response using the token metadata;

cache the first access token in the token cache by associating the first access token with the cache key;

send a resource request for protected resources;

receive a resource response from a resource server, the resource response having a representation of the protected resources; and

send, based on the resource response, the representation of the protected resources.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system includes one or more processors to request access tokens from a token service computer, cache the access tokens and related information in a token cache, transmit the access tokens with a resource request to a resource server, and receive requested resources in response to the resource request. The resource server transmits representations of requested resources to computing devices having valid tokens. The access tokens and related information including credentials information and token metadata are stored in the token cache.

150 Citations

23 Claims

1. A system, comprising:
- at least one processor to;
  
  send an initialization message from an application to a token client, the initialization message comprising credentials information and token metadata;
  
  cache the credentials information and the token metadata in a token cache and return a session identifier that maps to a cache key to retrieve the token metadata and the credentials information, wherein the token metadata comprises at least one service property used for obtaining an access token from a token service;
  
  send a first access token request based on the credentials information and the token metadata;
  
  receive a first access token response and retrieve a first access token from the access token response using the token metadata;
  
  cache the first access token in the token cache by associating the first access token with the cache key;
  
  send a resource request for protected resources;
  
  receive a resource response from a resource server, the resource response having a representation of the protected resources; and
  
  send, based on the resource response, the representation of the protected resources.

2. A method, comprising:
- sending, by at least one processor, an initialization message from an application to a token client, the initialization message comprising credentials information and token metadata;
  
  caching, by the at least one processor, the credentials information and the token metadata in a token cache and returning a session identifier that maps to a cache key to retrieve the token metadata and the credentials information, wherein the token metadata comprises at least one service property used for obtaining an access token from a token service;
  
  sending, by the at least one processor, a first access token request based on the credentials information and the token metadata;
  
  receiving, by the at least one processor, a first access token response and retrieving a first access token from the access token response using the token metadata;
  
  caching, by the at least one processor, the first access token in the token cache by associating the first access token with the cache key;
  
  sending, by the at least one processor, a resource request for protected resources;
  
  receiving, by the at least one processor, a resource response from a resource server, the resource response having a representation of the protected resources; and
  
  sending, based on the resource response, by the at least one processor, the representation of the protected resources.
- View Dependent Claims (3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 3. The method of claim 2, further comprising:
    - receiving by the token client a second access token from the resource server in response to the resource request for protected resources;
      
      retrieving the second access token using the token metadata; and
      
      caching the second access token in the token cache by associating the second access token with the cache key.
  - 4. The method of claim 2, further comprising:
    - sending the first access token request to a token service computer;
      
      receiving the first access token response from the token service computer;
      
      receiving by the token client the resource response from the resource server, the resource response indicating that the resource request is one of an unauthorized request and a bad request;
      
      sending a second access token request to the token service computer based on the credentials information and the token metadata;
      
      receiving a second access token response from the token service computer and retrieving a second access token from the access token response using the token metadata; and
      
      caching the second access token in the token cache by associating the second access token with the cache key.
  - 5. The method of claim 2, further comprising:
    - retrieving the first access token from a particular XPath expression within an extensible markup language (XML) document of the first access token response, wherein the XPath expression is associated with the at least one service property.
  - 6. The method of claim 2, further comprising:
    - retrieving the first access token from a particular JSONPath expression within a Javascript Object Notation (JSON) document of the first access token response, wherein the JSONPath expression is associated with the at least one service property.
  - 7. The method of claim 2, further comprising:
    - binding the first access token to a particular position in a body of the resource request using a particular XPath expression in an XML document, wherein the XPath expression is associated with the at least one service property.
  - 8. The method of claim 2, further comprising:
    - binding the first access token to a particular position in a body of the resource request using a particular JSONPath expression in a JSON document, wherein the JSONPath expression is associated with the at least one service property.
  - 9. The method of claim 2, further comprising:
    - executing a cryptographic hash function on the credentials information comprising a first username and a first password to obtain a first hash-based message authentication code;
      
      receiving input comprising a second username and a second password and executing the cryptographic hash function on the second username and the second password to obtain a second hash-based message authentication code;
      
      comparing the first hash-based message authentication code with the second hash-based message authentication code and determining that the credentials information is valid; and
      
      sending the resource request for protected resources having the first access token to the resource server.
  - 10. The method of claim 2, wherein the token metadata is associated with a particular token service of a plurality of token services and includes at least one service property used for obtaining an access token from the particular token service.
  - 11. The method of claim 2, wherein the token cache comprises a hash table stored in transitory memory and the application comprises a representational state transfer (REST)ful application.
  - 12. The method of claim 2, wherein the first access token comprises one of an Oauth access token, a Nimbula access token, and a WebCenter Authorization access token that grants the application access to the protected resources.

13. A non-transitory computer-readable medium including instructions stored thereon that, when executed by at least one processor, cause the at least one processor to perform operations comprising:
- sending an initialization message from an application to a token client, the initialization message comprising credentials information and token metadata;
  
  caching the credentials information and the token metadata in a token cache and returning a session identifier that maps to a cache key to retrieve the token metadata and the credentials information, wherein the token metadata comprises at least one service property used for obtaining an access token from a token service;
  
  sending a first access token request based on the credentials information and the token metadata;
  
  receiving a first access token response and retrieving a first access token from the access token response using the token metadata;
  
  caching the first access token in the token cache by associating the first access token with the cache key;
  
  sending a resource request for protected resources;
  
  receiving a resource response from a resource server, the resource response having a representation of the protected resources; and
  
  sending, based on the resource response, the representation of the protected resources.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21, 22, 23)
- - 14. The non-transitory computer-readable medium of claim 13, the operations further comprising:
    - receiving by the token client a second access token from the resource server in response to the resource request for protected resources;
      
      retrieving the second access token using the token metadata; and
      
      caching the second access token in the token cache by associating the second access token with the cache key.
  - 15. The non-transitory computer-readable medium of claim 13, the operations further comprising:
    - sending the first access token request to a token service computer;
      
      receiving the first access token response from the token service computer;
      
      receiving by the token client the resource response from the resource server, the resource response indicating that the resource request is one of an unauthorized request and a bad request;
      
      sending a second access token request to the token service computer based on the credentials information and the token metadata;
      
      receiving a second access token response from the token service computer and retrieving a second access token from the access token response using the token metadata; and
      
      caching the second access token in the token cache by associating the second access token with the cache key.
  - 16. The non-transitory computer-readable medium of claim 13, the operations further comprising:
    - retrieving the first access token from a particular XPath expression within an Extensible Markup Language (XML) document of the first access token response, wherein the XPath expression is associated with the at least one service property.
  - 17. The non-transitory computer-readable medium of claim 13, the operations further comprising:
    - retrieving the first access token from a particular JSONPath expression within a Javascript Object Notation (JSON) document of the first access token response, wherein the JSONPath expression is associated with the at least one service property.
  - 18. The non-transitory computer-readable medium of claim 13, the operations further comprising:
    - binding the first access token to a particular position in a body of the resource request using a particular XPath expression in an XML document, wherein the XPath expression is associated with the at least one service property.
  - 19. The non-transitory computer-readable medium of claim 13, the operations further comprising:
    - binding the first access token to a particular position in a body of the resource request using a particular JSONPath expression in a JSON document, wherein the JSONPath expression is associated with the at least one service property.
  - 20. The non-transitory computer-readable medium of claim 13, the operations further comprising:
    - executing a cryptographic hash function on the credentials information comprising a first username and a first password to obtain a first hash-based message authentication code;
      
      receiving input comprising a second username and a second password and executing the cryptographic hash function on the second username and the second password to obtain a second hash-based message authentication code;
      
      comparing the first hash-based message authentication code with the second hash-based message authentication code and determining that the credentials information is valid; and
      
      sending the resource request for protected resources having the first access token to the resource server.
  - 21. The non-transitory computer-readable medium of claim 13, wherein the token metadata is associated with a particular token service of a plurality of token services and includes at least one service property used for obtaining an access token from the particular token service
  - 22. The non-transitory computer-readable medium of claim 13, wherein the token cache comprises a hash table stored in transitory memory and the application comprises a representational state transfer (REST)ful application.
  - 23. The non-transitory computer-readable medium of claim 13, wherein the first access token comprises one of an Oauth access token, a Nimbula access token, and a WebCenter Authorization access token that grants the application access to the protected resources.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
Oracle International Corporation (Oracle Corporation)
Inventors
Chan, Daniel, Kunisetty, Sunil

Granted Patent

US 9,306,939 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/0815   providing single-sign-on or...

H04L 63/083   using passwords cryptograph...

H04L 63/10   for controlling access to d...

H04L 67/568   Storing data temporarily at...

H04L 9/3242   involving keyed hash functi...

AUTHORIZATION TOKEN CACHE SYSTEM AND METHOD

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

150 Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

AUTHORIZATION TOKEN CACHE SYSTEM AND METHOD

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

150 Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links