ACCESS CONTROL USING IMPERSONIZATION

US 20180183837A1
Filed: 02/20/2018
Published: 06/28/2018
Est. Priority Date: 12/04/2013
Status: Active Grant

First Claim

Patent Images

1. A system, comprising:

memory to store instructions that, if executed by one or more processors of the system, cause the system to at least;

receive a request from a user for a web-based service;

receive an authentication token as a result of authenticating the request; and

provide the authentication token to at least one other web-based service to enable the at least one other web-based service to perform at least one operation in response to the request.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A first service submits a request to a second service on behalf of a customer of a service provider. The request may have been triggered by a request of the customer to the first service. To process the request, the second service evaluates one or more policies to determine whether fulfillment of the request is allowed by policy associated with the customer. The one or more policies may state one or more conditions on one or more services that played a role in submission of the request. If determined that the policy allows fulfillment of the request, the second service fulfills the request.

24 Citations

20 Claims

1. A system, comprising:
- memory to store instructions that, if executed by one or more processors of the system, cause the system to at least;
  
  receive a request from a user for a web-based service;
  
  receive an authentication token as a result of authenticating the request; and
  
  provide the authentication token to at least one other web-based service to enable the at least one other web-based service to perform at least one operation in response to the request.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The system of claim 1, wherein the authentication token is encrypted using a cryptographic key so as to be decryptable by the at least one other web-based service.
  - 3. The system of claim 1, wherein the at least one other web-based service is identified based at least in part on the request.
  - 4. The system of claim 1, wherein authenticating the request is performed by an authentication service that evaluates an electronic signature associated with the request.
  - 5. The system of claim 4, wherein the authentication service, in response to the electronic signature being valid, provides the web-based service with a signing key and the authentication token.
  - 6. The system of claim 5, wherein the at least one other web-based service uses the signing key and the authentication token to generate another request to the authentication service to verify the request before performing the at least one operation.
  - 7. The system of claim 6, wherein the at least one other web-based service uses a copy of the cryptographic key to decrypt the authentication token to obtain a signing key.

8. A computer-implemented method, comprising:
- receiving a request from a user for a web-based service;
  
  receiving an authentication token as a result of authenticating the request; and
  
  providing the authentication token to at least one other web-based service to enable the at least one other web-based service to perform at least one operation in response to the request.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The computer-implemented method of claim 8, further comprising:
    - using a cryptographic key held secret between the web-based service and an authentication service to encrypt the authentication token; and
      
      storing the cryptographic key in a data storage device.
  - 10. The computer-implemented method of claim 8, further comprising:
    - identifying, based at least in part on information associated with the request, the at least one other web-based service from a plurality of other web-based services.
  - 11. The computer-implemented method of claim 8, wherein the web-based service is provided with the authentication token and a signing key by an authentication service, wherein the signing key is provided in response to evaluating an electronic signature associated with the request.
  - 12. The computer-implemented method of claim 11, wherein the other web-based service sends another request to the authentication service using the authentication token and the signing key.
  - 13. The computer-implemented method of claim 11, wherein the at least one other web-based service uses a copy of the cryptographic key to decrypt the authentication token to obtain a signing key.
  - 14. The computer-implemented method of claim 8, wherein the user is a customer of a computing resource service provider and the web-based service and the at least one other web-based service are services associated with the computing resource service provider.

15. A non-transitory computer-readable storage medium having stored thereon executable instructions that, if executed by one or more processors of a computer system, cause the computer system to at least:
- receive a request from a user for a web-based service;
  
  receive an authentication token as a result of authenticating the request; and
  
  provide the authentication token to at least one other web-based service to enable the at least one other web-based service to perform at least one operation in response to the request.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The non-transitory computer-readable storage medium of claim 15, wherein a signing key is received with the authentication token.
  - 17. The non-transitory computer-readable storage medium of claim 15, wherein the instructions, if executed by one or more processors, further cause the system to at least:
    - send a second request, from the web-based service, to the at least one other web-based service, the second request including the authentication token.
  - 18. The non-transitory computer-readable storage medium of claim 17, wherein the at least one other web-based service is identified from a plurality of other web-based services based at least in part on information associated with the authentication token.
  - 19. The non-transitory computer-readable storage medium of claim 17, wherein the authentication token enables the at least other web-based service to determine whether to perform at least one operation in response to the second request without having to communicate with an authentication service.
  - 20. The non-transitory computer-readable storage medium of claim 19, wherein the authentication token enables the at least one other web-based service to determine whether to perform the at least one operation by decrypting the authentication token to obtain a signing key.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Roth, Gregory Branchek, Wren, Matthew James, Pratt, Brian Irl

Granted Patent

US 10,673,906 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/335   for accessing specific reso...

G06F 21/60   Protecting data

G06F 21/602   Providing cryptographic fac...

H04L 2463/062   applying encryption of the ...

H04L 63/126   the source of the received ...

H04L 63/18   using different networks or...

H04L 63/20   for managing network securi...

H04L 63/205   involving negotiation or de...

H04L 9/3247   involving digital signatures

ACCESS CONTROL USING IMPERSONIZATION

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

24 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

ACCESS CONTROL USING IMPERSONIZATION

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

24 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links