REQUEST-SPECIFIC AUTHENTICATION FOR ACCESSING WEB SERVICE RESOURCES

US 20170134368A1
Filed: 01/23/2017
Published: 05/11/2017
Est. Priority Date: 04/20/2007
Status: Active Grant

First Claim

Patent Images

1. A computing system for controlling access to a protected Web service resource, the computing system comprising:

a communication device for communicating across a communication network;

a processor communicatively connected to the communication device; and

memory storing program instructions, which when executed by the processor cause the computing system to perform a method of controlling access to the protected Web service resource, the method comprising;

(i) receiving a first request from a client to access the protected Web service resource from the communication network;

(ii) determining that the client has been authenticated according to a first factor;

(iii) granting the first request to access the protected Web service resource based on authentication according to the first factor;

(iv) receiving a second request from the client to access the protected Web service resource from the communication network;

(v) denying the second request to access the protected Web service resource based on the authentication according to the first factor being insufficient to grant the second request;

(vi) determining that the client has been authenticated according to a second factor, and(vii) granting the second request to access the protected Web service resource based on authentication according to the second factor.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Requests for access to Web service resources are evaluated based on the type of request that is received. Requests are not granted unless sufficient proof of authentication is provided to grant that request. An authentication service evaluates one or more factors to determine whether or not to authenticate the client. After being authenticated by the authentication service, proof of authentication is provided to the Web service, which grants access to the Web service resource.

14 Citations

20 Claims

1. A computing system for controlling access to a protected Web service resource, the computing system comprising:
- a communication device for communicating across a communication network;
  
  a processor communicatively connected to the communication device; and
  
  memory storing program instructions, which when executed by the processor cause the computing system to perform a method of controlling access to the protected Web service resource, the method comprising;
  
  (i) receiving a first request from a client to access the protected Web service resource from the communication network;
  
  (ii) determining that the client has been authenticated according to a first factor;
  
  (iii) granting the first request to access the protected Web service resource based on authentication according to the first factor;
  
  (iv) receiving a second request from the client to access the protected Web service resource from the communication network;
  
  (v) denying the second request to access the protected Web service resource based on the authentication according to the first factor being insufficient to grant the second request;
  
  (vi) determining that the client has been authenticated according to a second factor, and(vii) granting the second request to access the protected Web service resource based on authentication according to the second factor.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The computing system of claim 1, wherein the first factor is selected from the group comprising:
    - a password, an answer to a security question, a biometric identifier, an object, and client specific information.
  - 3. The computing system of claim 1, wherein the second factor is different from the first factor.
  - 4. The computing system of claim 1, wherein the method further comprises receiving a first authentication token from the client after the client has been authenticated by an authentication service according to the first factor and using the first authentication token to determine that the client has been authenticated according to the first factor.
  - 5. The computing system of claim 4, wherein determining that the client has been authenticated comprises:
    - decrypting the first authentication token with a public key of the authentication service; and
      
      determining that a claim made by the authentication service in the first authentication token satisfies a condition for access.
  - 6. The computing system of claim 1, wherein denying the second request comprises sending a message to the client directing the client to an authentication service to be authenticated according to a second factor.
  - 7. The computing system of claim 6, wherein determining that the client has been authenticated according to a second factor comprises receiving an authentication token from the client after being authenticated by the authentication service according to the second factor.
  - 8. The computing system of claim 6, wherein granting the second request to access the protected Web service resource is based on an evaluation of an authentication token.

9. A method of authenticating a client for access to a Web service resource, the method comprising:
- (i) receiving a request from the client to be authenticated;
  
  (ii) sending a challenge message to the client;
  
  (iii) receiving a confirmation response to the challenge message from the client;
  
  (iv) determining that the confirmation response meets a predetermined criterion;
  
  (v) determining that the request to be authenticated requires further authentication;
  
  (iv) repeating (ii) through (iv) with a second challenge message, a second confirmation response, and a second predetermined criterion; and
  
  (v) sending an authentication message to the client.
- View Dependent Claims (10, 11, 12, 13)
- - 10. The method of claim 9, wherein determining that the request to be authenticated requires further authentication comprises reading data from the request and comparing the data from the request with an authentication level associated with the challenge message.
  - 11. The method of claim 9, wherein sending the authentication message to the client comprises sending an authentication token to the client.
  - 12. The method of claim 11, wherein the authentication token includes a claim from an authentication service relating to a factor that was used to authenticate the client.
  - 13. The method of claim 9, further comprising repeating (ii) through (iv) with a third challenge message, a third confirmation response, and a third predetermined criterion, prior to sending the authentication message to the client.

14. A computer readable storage medium containing computer executable instructions which when executed by a computer perform a method of controlling access to a protected resource, the method comprising:
- receiving a request from a client identifying the protected resource of a Web service,sending a response to the client requesting authentication from an authentication service;
  
  receiving an authentication from the client after being authenticated from the authentication service;
  
  determining whether the authentication is sufficient to grant the request;
  
  granting the request if the authentication is sufficient; and
  
  denying the request if the authentication is not sufficient to grant the request.
- View Dependent Claims (15, 16, 17, 18, 19, 20)
- - 15. The computer readable storage medium of claim 14, wherein the authentication is an authentication token.
  - 16. The computer readable storage medium of claim 15, wherein the authentication token is encrypted using public key cryptography.
  - 17. The computer readable storage medium of claim 14, the method further comprising granting access to the protected resource of the Web service after granting the request if the authentication is sufficient.
  - 18. The computer readable storage medium of claim 14, wherein denying the request comprises communicating the denial to the client with a message, the message including information about the authentication service configured to authenticate the client.
  - 19. The computer readable storage medium of claim 14, the method further comprising:
    - receiving a second request from the client identifying the protected resource of the Web service, the second request including the authentication;
      
      determining whether the authentication is sufficient to grant the second request;
      
      granting the second request if the authentication is sufficient to grant the second request; and
      
      denying the second request if the authentication is not sufficient to grant the second request.
  - 20. The computer readable storage medium of claim 14, wherein denying the request comprises sending a fault message according to a Simple Object Access Protocol, and wherein receiving an authentication comprises receiving a Web Services Trust Request Security Token Response Message according to a Web Services Trust specification.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Inventors
McMurtry, Craig V., Weinert, Alexander T., Meleshuk, Vadim, Gabarra, Mark E.

Granted Patent

US 9,832,185 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/32   using biometric data, e.g. ...

G06F 21/335   for accessing specific reso...

G06F 21/40   by quorum, i.e. whereby two...

G06F 21/602   Providing cryptographic fac...

H04L 63/06   for supporting key manageme...

H04L 63/08   for authentication of entit...

H04L 63/083   using passwords cryptograph...

H04L 63/0861   using biometrical features,...

H04L 63/0869   for achieving mutual authen...

H04L 63/10   for controlling access to d...

REQUEST-SPECIFIC AUTHENTICATION FOR ACCESSING WEB SERVICE RESOURCES

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

14 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

REQUEST-SPECIFIC AUTHENTICATION FOR ACCESSING WEB SERVICE RESOURCES

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

14 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others