REMOTELY DEAUTHENTICATING A USER FROM A WEB-BASED APPLICATION USING A CENTRALIZED LOGIN SERVER

US 20170366547A1
Filed: 08/11/2017
Published: 12/21/2017
Est. Priority Date: 06/02/2015
Status: Active Grant

First Claim

Patent Images

1. A tangible, non-transitory, machine-readable medium storing instructions that when executed by one or more processors effectuate operations comprising:

relaying, with a server at a first domain, at least part of a plurality application-layer messages between a client web browser executing on a client computing device and one or more destination servers at a second domain, wherein;

at least some of the destination servers host content by which a user accesses resources via the client web browser;

inbound messages, among the plurality of messages, include content by which a user interface is rendered in a web page on the client web browser;

memory of the client web browser stores an access token provided by at least one of the destination servers;

outbound messages, among the plurality of messages, include requests for content to at least some of the destination servers from the client web browser executing on the client computing device;

at least some of the outbound messages include a value that demonstrates possession of the access token to at least some of the destination servers; and

the first domain is defined by an identifier of an application-layer protocol, an identifier of a network host, and an identifier of a port of the server with which the server at the first domain communicates with the client web browser;

determining, with one or more processors, to terminate subsequent authenticated access by the client web browser to at least some of the one or more destination servers;

sending, from the server at the first domain, after the client web browser obtains the access token, instructions that cause the client web browser to delete or modify the access token stored in memory of the client web browser such that the access token ceases to be effective to demonstrate that the client web browser is authenticated to at least some of the one or more destination servers, wherein;

the client web browser implements a same origin policy that prohibits content from one domain from modifying values stored in browser memory by content from another domain; and

the access token is obtained from at least some of the one or more destination servers after authenticating the client web browser to at least some of the one or more destination servers.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Provided is a process including: relaying, with a server at a first domain, at least part of a plurality application-layer messages between a client web browser and one or more destination servers; determining to terminate subsequent authenticated access by the client web browser; and sending, from the server at the first domain, instructions that cause the client web browser to delete or modify an access token stored in memory of the client web browser.

41 Citations

View as Search Results

20 Claims

1. A tangible, non-transitory, machine-readable medium storing instructions that when executed by one or more processors effectuate operations comprising:
- relaying, with a server at a first domain, at least part of a plurality application-layer messages between a client web browser executing on a client computing device and one or more destination servers at a second domain, wherein;
  
  at least some of the destination servers host content by which a user accesses resources via the client web browser;
  
  inbound messages, among the plurality of messages, include content by which a user interface is rendered in a web page on the client web browser;
  
  memory of the client web browser stores an access token provided by at least one of the destination servers;
  
  outbound messages, among the plurality of messages, include requests for content to at least some of the destination servers from the client web browser executing on the client computing device;
  
  at least some of the outbound messages include a value that demonstrates possession of the access token to at least some of the destination servers; and
  
  the first domain is defined by an identifier of an application-layer protocol, an identifier of a network host, and an identifier of a port of the server with which the server at the first domain communicates with the client web browser;
  
  determining, with one or more processors, to terminate subsequent authenticated access by the client web browser to at least some of the one or more destination servers;
  
  sending, from the server at the first domain, after the client web browser obtains the access token, instructions that cause the client web browser to delete or modify the access token stored in memory of the client web browser such that the access token ceases to be effective to demonstrate that the client web browser is authenticated to at least some of the one or more destination servers, wherein;
  
  the client web browser implements a same origin policy that prohibits content from one domain from modifying values stored in browser memory by content from another domain; and
  
  the access token is obtained from at least some of the one or more destination servers after authenticating the client web browser to at least some of the one or more destination servers.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19)
- - 2. The medium of claim 1, wherein:
    - the access token is deleted before the access token expires;
      
      the value that demonstrates possession of the access token is the access token; and
      
      the one or more destination servers include servers hosting a software-as-a-service application.
  - 3. The medium of claim 1 wherein the operations comprise:
    - after determining to terminate subsequent authenticated access by the client web browser, sending instructions to the client computing device that cause the client computing device to close an instance of the client web browser or a tab of an instance of the client web browser.
  - 4. The medium of claim 1, wherein relaying at least part of a plurality application-layer messages comprises:
    - receiving a given one of the inbound messages from a given one of the one or more destination servers, the given one of the inbound messages having a transport-protocol header that identifies the second domain in an origin host field;
      
      forming a version of the given inbound message in which the first domain is identified in the origin host field instead of the second domain; and
      
      sending the version of the given inbound message in which the first domain is identified in the origin host field to the client web browser.
  - 5. The medium of claim 4, wherein:
    - the first domain is designated in the given one of the inbound messages by a first uniform resource identifier; and
      
      the second domain is designated in the version of the given inbound message in which the first domain is identified in the origin host field by a second uniform resource identifier, the second uniform resource identifier being a different uniform resource identifier from the first uniform resource identifier.
  - 6. The medium of claim 1, wherein relaying the messages comprises:
    - sending at least some of the one or more destination servers a value that demonstrates possession of an authentication credential without making the value that demonstrates possession of an authentication credential available to the client web browser;
      
      receiving, from at least some of the one or more destination servers, the authentication token after sending the value that demonstrates possession of an authentication credential; and
      
      sending, from the first domain, to the client web browser instructions to store the access token in a cookie in the client web browser memory.
  - 7. The medium of claim 1, wherein:
    - the client computing device is configured to use a private domain name service to obtain an Internet Protocol address of the one or more destination servers;
      
      the operations comprise changing a mapping of the domain name service for the second domain to match an Internet Protocol address of the server at the first domain.
  - 8. The medium of claim 1, wherein the operations comprise:
    - steps for circumventing the same origin policy to de-authenticate a web browser.
  - 9. The medium of claim 1, wherein the operations comprise:
    - after determining to terminate subsequent authenticated access by the client web browser, sending from the first domain to the client web browser instructions that, when executed, cause the client web browser to obfuscate rendered content by deleting or modifying content of a document object model or virtual document object model previously rendered by the client computing device.
  - 10. The medium of claim 1, wherein the operations comprise:
    - maintaining a continuously open connection from the client web browser to the server at the first domain; and
      
      after determining to terminate subsequent authenticated access by the client web browser, sending, via the open connection, instructions to the client computing device that cause the client web browser to delete all cookies for a designated domain.
  - 11. The medium of claim 10, wherein the operations comprise:
    - mirroring state of the client web browser with a headless web browser executed by the server at the first domain.
  - 12. The medium of claim 1, wherein:
    - relaying all application-layer messages between the client web browser executing on the client computing device and all destination servers accessed by the client web browser on the Internet.
  - 13. The medium of claim 1, wherein the operations comprise:
    - sending, from the server at the first domain, to at least one of the destination servers, a message that causes the at least one of the destination servers to terminate an authenticated session with the client web browser.
  - 14. The medium of claim 1, wherein:
    - relaying messages comprise augmenting content from the one or more destination servers to add scripting instructions to monitor, at the client web browser, for the instructions that cause the client web browser to delete or modify the access token stored in memory of the client web browser.
  - 15. The medium of claim 14, wherein:
    - monitoring comprises creating a websocket connection with the server at the first domain.
  - 16. The medium of claim 1, wherein the instructions that cause the client web browser to delete or modify the access token stored in memory of the client web browser cause the client web browser to delete the access token.
  - 17. The medium of claim 1, wherein the operations comprise:
    - segmenting the access credential into a plurality of segments; and
      
      storing the plurality of segments in different tamper-evident, immutable directed acyclic graphs having edges defined by cryptographic hash pointers with cryptographic hash values based on at least some of the segments.
  - 18. The medium of claim 1, wherein:
    - the operations comprise;
      
      logging data documenting access requests by the client web browser into a tamper-evident, immutable directed acyclic graph having edges defined by cryptographic hash pointers with cryptographic hash values based the data documenting access requests.
  - 19. The medium of claim 1, wherein the operations comprise:
    - providing an identity management system.

20. A method, comprising:
- relaying, with a server at a first domain, at least part of a plurality application-layer messages between a client web browser executing on a client computing device and one or more destination servers at a second domain, wherein;
  
  at least some of the destination servers host content by which a user accesses resources via the client web browser;
  
  inbound messages, among the plurality of messages, include content by which a user interface is rendered in a web page on the client web browser;
  
  memory of the client web browser stores an access token provided by at least one of the destination servers;
  
  outbound messages, among the plurality of messages, include requests for content to at least some of the destination servers from the client web browser executing on the client computing device;
  
  at least some of the outbound messages include a value that demonstrates possession of the access token to at least some of the destination servers; and
  
  the first domain is defined by an identifier of an application-layer protocol, an identifier of a network host, and an identifier of a port of the server with which the server at the first domain communicates with the client web browser;
  
  determining, with one or more processors, to terminate subsequent authenticated access by the client web browser to at least some of the one or more destination servers;
  
  sending, from the server at the first domain, after the client web browser obtains the access token, instructions that cause the client web browser to delete or modify the access token stored in memory of the client web browser such that the access token ceases to be effective to demonstrate that the client web browser is authenticated to at least some of the one or more destination servers, wherein;
  
  the client web browser implements a same origin policy that prohibits content from one domain from modifying values stored in browser memory by content from another domain; and
  
  the access token is obtained from at least some of the one or more destination servers after authenticating the client web browser to at least some of the one or more destination servers.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Altr Solutions, Inc.
Original Assignee
Altr Solutions, Inc.
Inventors
Goldfarb, Scott Nathaniel, Beecham, James Douglas

Granted Patent

US 10,038,695 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 3/0481   based on specific propertie...

H04L 2463/082   applying multi-factor authe...

H04L 63/08   for authentication of entit...

H04L 63/083   using passwords cryptograph...

H04L 63/10   for controlling access to d...

H04L 63/102   Entity profiles

H04L 63/20   for managing network securi...

H04L 67/02   based on web technology, e....

H04L 67/143   Termination or inactivation...

REMOTELY DEAUTHENTICATING A USER FROM A WEB-BASED APPLICATION USING A CENTRALIZED LOGIN SERVER

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

41 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

REMOTELY DEAUTHENTICATING A USER FROM A WEB-BASED APPLICATION USING A CENTRALIZED LOGIN SERVER

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

41 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links