CREDENTIAL-FREE USER LOGIN TO REMOTELY EXECUTED APPLICATIONS
First Claim
1. A tangible, non-transitory, machine-readable medium storing instructions that when executed by one or more processors effectuate operations comprising:
relaying, with a server at a first domain, at least part of a plurality of application-layer messages between a client web browser executing on a client computing device and one or more destination servers at a second domain, wherein:
at least some of the destination servers host content by which a user accesses resources via the client web browser;
inbound messages, among the plurality of messages, include content by which a user interface is rendered in a web page on the client web browser;
memory of the client web browser stores an access token provided by at least one of the destination servers;
outbound messages, among the plurality of messages, include requests for content to at least some of the destination servers from the client web browser executing on the client computing device;
at least some of the outbound messages include a value that demonstrates possession of the access token to at least some of the destination servers; and
the first domain is defined by an identifier of an application-layer protocol, an identifier of a network host, and an identifier of a port of the server with which the server at the first domain communicates with the client web browser;
determining, with one or more processors, to terminate subsequent authenticated access by the client web browser to at least some of the one or more destination servers;
sending, from the server at the first domain, after the client web browser obtains the access token, instructions that cause the client web browser to delete or modify the access token stored in memory of the client web browser such that the access token ceases to be effective to demonstrate that the client web browser is authenticated to at least some of the one or more destination servers, wherein:
the client web browser implements a same origin policy that prohibits content from one domain from modifying values stored in browser memory by content from another domain; and
the access token is obtained from at least some of the one or more destination servers after authenticating the client web browser to at least some of the one or more destination servers.
1 Assignment
0 Petitions
Accused Products
Abstract
Provided is a process including: receiving, with an intermediary server, a request to access web content at a web server; submitting, from the intermediary server, a value by which possession of an access credential is demonstrated, wherein the value is withheld from the client web browser; receiving, by the intermediary web browser, instructions to store in web browser memory an access token; and sending, from the intermediary server, to the client web browser executing on the client computing device, instructions to store the access token in browser memory of the client web browser, thereby authenticating the client web browser without the client web browser having access to the value by which possession of the access credential is demonstrated.
Citations
20 Claims
1. (Independent claim; its text is reproduced above under First Claim. Claims 2 to 19 depend from claim 1.)
20. A method, comprising:
relaying, with a server at a first domain, at least part of a plurality of application-layer messages between a client web browser executing on a client computing device and one or more destination servers at a second domain, wherein:
at least some of the destination servers host content by which a user accesses resources via the client web browser;
inbound messages, among the plurality of messages, include content by which a user interface is rendered in a web page on the client web browser;
memory of the client web browser stores an access token provided by at least one of the destination servers;
outbound messages, among the plurality of messages, include requests for content to at least some of the destination servers from the client web browser executing on the client computing device;
at least some of the outbound messages include a value that demonstrates possession of the access token to at least some of the destination servers; and
the first domain is defined by an identifier of an application-layer protocol, an identifier of a network host, and an identifier of a port of the server with which the server at the first domain communicates with the client web browser;
determining, with one or more processors, to terminate subsequent authenticated access by the client web browser to at least some of the one or more destination servers;
sending, from the server at the first domain, after the client web browser obtains the access token, instructions that cause the client web browser to delete or modify the access token stored in memory of the client web browser such that the access token ceases to be effective to demonstrate that the client web browser is authenticated to at least some of the one or more destination servers, wherein:
the client web browser implements a same origin policy that prohibits content from one domain from modifying values stored in browser memory by content from another domain; and
the access token is obtained from at least some of the one or more destination servers after authenticating the client web browser to at least some of the one or more destination servers.
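The three-party flow in the abstract and in claims 1 and 20, as an added example that is not the patent's or any assignee's code: the intermediary submits the credential itself, forwards only the token-storing instruction to the browser under its own origin, and later issues the delete instruction that the destination's origin cannot issue because of the same-origin rule. The origins, user name and password are constructed sample values, and cookies stand in for the claimed "instructions to store the access token in browser memory".

```python
import secrets

PROXY = "https://relay.example:443"  # first domain: scheme, host, port (constructed)
DEST = "https://app.example:443"     # second domain (constructed)

class Browser:  # cookie jar keyed by origin; a response from origin X may only touch jar[X]
    def __init__(self): self.jar = {}
    def apply(self, origin, resp):  # honour Set-Cookie-style instructions; None means delete
        bucket = self.jar.setdefault(origin, {})
        for name, value in resp.get("set_cookie", []):
            if value is None: bucket.pop(name, None)
            else: bucket[name] = value
    def cookies_for(self, origin): return dict(self.jar.get(origin, {}))

class Destination:  # second-domain server: checks the credential, issues an access token
    def __init__(self, users): self.users, self.tokens = users, set()
    def login(self, user, password):
        if self.users.get(user) != password: return {"status": 401, "set_cookie": []}
        tok = secrets.token_hex(16)
        self.tokens.add(tok)
        return {"status": 200, "set_cookie": [("session", tok)]}
    def fetch(self, path, cookies):
        ok = cookies.get("session") in self.tokens
        return {"status": 200 if ok else 401, "body": f"content of {path}" if ok else ""}

class Intermediary:  # first-domain relay: submits the credential itself, forwards only the token
    def __init__(self, dest, vault): self.dest, self.vault = dest, vault  # vault: user -> (name, pw)
    def login(self, user):
        resp = self.dest.login(*self.vault[user])  # the credential never leaves this server
        return {"status": resp["status"], "set_cookie": resp["set_cookie"]}
    def relay(self, path, cookies): return self.dest.fetch(path, cookies)  # request carries the token
    def revoke(self): return {"status": 200, "set_cookie": [("session", None)]}  # delete instruction

def run_scenario():
    dest = Destination({"alice": "correct-horse"})                    # constructed sample user
    proxy = Intermediary(dest, {"alice": ("alice", "correct-horse")})
    b = Browser()
    b.apply(PROXY, proxy.login("alice"))                  # token stored under the first domain
    before = proxy.relay("/inbox", b.cookies_for(PROXY))["status"]
    b.apply(DEST, {"set_cookie": [("session", None)]})    # other origin: no effect (same-origin)
    blocked = proxy.relay("/inbox", b.cookies_for(PROXY))["status"]
    b.apply(PROXY, proxy.revoke())                        # first domain deletes the token
    after = proxy.relay("/inbox", b.cookies_for(PROXY))["status"]
    return before, blocked, after, "correct-horse" in repr(b.jar)

if __name__ == "__main__":
    print(run_scenario())
```

The returned tuple shows access working after the relayed login, still working after the destination origin's delete attempt, and failing after the intermediary's own delete instruction, with the password never present in browser memory.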
Specification