SINGLE SIGN-ON (SSO) FOR MOBILE APPLICATIONS

US 20160080361A1
Filed: 11/24/2015
Published: 03/17/2016
Est. Priority Date: 09/20/2013
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

based on determining that a user is authenticated to access a first application of a plurality of applications stored on a mobile device;

storing, at an authorization computing system that is separate from the authorization computing system, a hardware identifier of the mobile device in association with session information of a session for the user;

receiving, from the mobile device, a request by the user to access a second application of the plurality of applications, wherein the request includes a client token, the client token indicating the hardware identifier of the mobile device;

determining that the hardware identifier indicated by the client token is stored at the authorization computing system for the session; and

based on determining that the hardware identifier is stored at the authorization computing system for the session, enabling the user to access the plurality of applications at the mobile device without determining authentication of the user to access any of the plurality of applications.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A framework, which conforms to the OAuth standard, involves a generic OAuth authorization server that can be used by multiple resource servers in order to ensure that access to resources stored on those resource servers is limited to access to which the resource owner consents. Each resource server registers, with the OAuth authorization server, metadata for that resource server, indicating scopes that are recognized by the resource server. The OAuth authorization server refers to this metadata when requesting consent from a resource owner on behalf of a client application, so that the consent will be of an appropriate scope. The OAuth authorization server refers to this metadata when constructing an access token to provide to the client application for use in accessing the resources on the resource server. The OAuth authorization server uses this metadata to map issued access tokens to the scopes to which those access tokens grant access.

72 Citations

View as Search Results

20 Claims

1. A method comprising:
- based on determining that a user is authenticated to access a first application of a plurality of applications stored on a mobile device;
  
  storing, at an authorization computing system that is separate from the authorization computing system, a hardware identifier of the mobile device in association with session information of a session for the user;
  
  receiving, from the mobile device, a request by the user to access a second application of the plurality of applications, wherein the request includes a client token, the client token indicating the hardware identifier of the mobile device;
  
  determining that the hardware identifier indicated by the client token is stored at the authorization computing system for the session; and
  
  based on determining that the hardware identifier is stored at the authorization computing system for the session, enabling the user to access the plurality of applications at the mobile device without determining authentication of the user to access any of the plurality of applications.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, further comprising:
    - receiving, by the authorization computing system, a request to launch the first application; and
      
      determining, based on credential information provided by the user, whether the user is authenticated to access the first application.
  - 3. The method of claim 2, further comprising:
    - determining that the request to launch the first application is a first request to launch the first application; and
      
      registering the first application based on determining that the request is a first request to launch the first application, wherein registering the first application includes authenticating the user to access the first application.
  - 4. The method of claim 1, wherein each of the plurality of applications has been registered by the authorization computing system and is part of a trusted group of applications.
  - 5. The method of claim 1, wherein the user is enabled with access to the plurality of applications at the mobile device without determining authentication of the user based on determining that the plurality of applications are in a trusted group of applications.
  - 6. The method of claim 1, further comprising:
    - generating a first client token for the first application, the first client token including the hardware identifier and identification information of the first application; and
      
      sending, to the mobile device, the first client token based on determining that the user is authenticated to access the first application.
  - 7. The method of claim 6, further comprising:
    - generating a second client token for the second application based on determining that the user is authenticated to access the first application, wherein the second client token includes the hardware identifier and identification information of the second application;
      
      sending, to the mobile device, the second client token, wherein the client token in the request corresponds to the second client token for the second application.
  - 8. The method of claim 1, wherein the user is enabled with access to the plurality of applications at the mobile device based on determining that the session for the user is active.
  - 9. The method of claim 1, further comprising:
    - selecting a service profile based on an identity domain for the user, wherein the service profile indicates a trusted group of applications including the plurality of applications.

10. An authorization system comprising:
- one or more processors; and
  
  a memory coupled with and readable by the one or more processors, wherein the memory stores instructions that, when executed by the one or more processors, causes the one or more processors to;
  
  based on determining that a user is authenticated to access a first application of a plurality of applications stored on a mobile device;
  
  store a hardware identifier of the mobile device in association with session information of a session for the user;
  
  receive, from the mobile device, a request by the user to access a second application of the plurality of applications, wherein the request includes a client token, the client token indicating the hardware identifier of the mobile device;
  
  determine that the hardware identifier indicated by the client token is stored at the authorization system for the session; and
  
  based on determining that the hardware identifier is stored at the authorization system for the session, enable the user to access the plurality of applications at the mobile device without determining authentication of the user to access any of the plurality of applications.
- View Dependent Claims (11, 12, 13, 14, 15)
- - 11. The authorization system of claim 10, wherein the instructions, when executed by the one or more processors, further causes the one or more processors to:
    - generate a first client token for the first application, the first client token including the hardware identifier and identification information of the first application; and
      
      send, to the mobile device, the first client token based on determining that the user is authenticated to access the first application.
  - 12. The authorization system of claim 11, wherein the instructions, when executed by the one or more processors, further causes the one or more processors to:
    - generate a second client token for the second application based on determining that the user is authenticated to access the first application, wherein the second client token includes the hardware identifier and identification information of the second application;
      
      send, to the mobile device, the second client token, wherein the client token in the request corresponds to the second client token for the second application.
  - 13. The authorization system of claim 10, wherein the instructions, when executed by the one or more processors, further causes the one or more processors to:
    - select a service profile based on an identity domain for the user, wherein the service profile indicates a trusted group of applications including the plurality of applications.
  - 14. The authorization system of claim 10, wherein the user is enabled with access to the plurality of applications at the mobile device based on determining that the session for the user is active.
  - 15. The authorization system of claim 10, wherein the user is enabled with access to the plurality of applications at the mobile device without determining authentication of the user based on determining that the plurality of applications are in a trusted group of applications

16. A method comprising:
- sending, from a mobile device, to an authorization computing system that is separate from the mobile device, credential information for authentication of a user to access a first application of a plurality of applications stored on the mobile device, wherein the user is enabled with access to the plurality of applications at the mobile device upon successful authentication of the user by the authorization computing system;
  
  receiving, at the mobile device, from an authorization computing system, one or more client tokens for the plurality of applications stored on the mobile device, wherein each of the one or more client tokens includes a hardware identifier of the mobile device;
  
  sending, from the mobile device, to the authorization computing system, a request to access a second application of the plurality of applications, wherein the request includes the client token including the hardware identifier; and
  
  enabling, at the mobile device, access to the second application by the user, wherein access to the second application is enabled based on notification from the authorization computing system that access to the second application at the mobile device is permitted by authentication of the user to access the first application at the mobile device.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The method of claim 16, further comprising:
    - receiving, from the authorization computing system, the notification indicating that the user is permitted to access the second application without authentication.
  - 18. The method of claim 16, further comprising:
    - sending a request to launch the first application, wherein the request is a first request to launch any of the plurality of applications; and
      
      in response to the request to launch the first application, receiving a request for the credential information to authenticate the user to access the first application;
      
      wherein the credential information is sent to the authorization computing system in response to the request for the credential information; and
      
      wherein the request to access the second application is a second request to launch any of the plurality of applications.
  - 19. The method of claim 16, wherein the one or more client tokens includes a first client token the first application, wherein the client token in the request is a second client token for the second application, and wherein the one or more client tokens includes the second client token for the second application.
  - 20. The method of claim 16, wherein the one or more client tokens are received based on determining that the user is authenticated to access the first application.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
Oracle International Corporation (Oracle Corporation)
Inventors
Wong, Wai Leung William, Sondhi, Ajay, Hingarajiya, Ravi, Bhat, Shivaram

Granted Patent

US 9,407,628 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 63/08   for authentication of entit...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/0815   providing single-sign-on or...

H04L 63/0853   using an additional device,...

H04L 63/10   for controlling access to d...

H04L 63/102   Entity profiles

H04L 63/20   for managing network securi...

H04L 63/205   involving negotiation or de...

H04W 12/068   using credential vaults, e....

SINGLE SIGN-ON (SSO) FOR MOBILE APPLICATIONS

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

72 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

SINGLE SIGN-ON (SSO) FOR MOBILE APPLICATIONS

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

72 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links