COORDINATING ACCESS AUTHORIZATION ACROSS MULTIPLE SYSTEMS AT DIFFERENT MUTUAL TRUST LEVELS
First Claim
1. A method comprising:
receiving, from a beneficiary application via a network, an initiation message requesting the beneficiary application be authorized to access data hosted at a resource server connected to the network;
verifying that a valid session for a user exists between the application and an agent executing at a user device;
instructing the agent to obtain an authorization code on behalf of the application from an authorization server associated with the resource server;
receiving the authorization code from the agent;
obtaining an access token and a refresh token from the authorization server based on the authorization code;
generating a partner authorization (PA) token associated with the access token and the refresh token; and
transmitting the PA token to the beneficiary application to allow the beneficiary application to retrieve the access token when the user is logged in to the application.
Abstract
Embodiments presented herein provide a partner authentication (PA) system that coordinates a network-based authorization process for an application. The PA system exchanges a series of messages with the application seeking an access token for a protected resource, an authorization server associated with the resource, and an agent executing on a device accessed by a user who wants the application to access the resource. The PA system and the agent communicate with the authorization server on behalf of the application throughout the authorization process. At the completion of the authorization process, the PA system receives an access token and a refresh token from the server on behalf of the application and sends a partner authorization (PA) token to the application. When the application seeks access to the resource that is available to authorized parties via the resource server, the application sends the PA token to the PA system and receives the access token in return.
Claims (20 total)
1. A method comprising: (independent claim, reproduced in full under First Claim above; dependent claims 2 to 7)

8. A system comprising:
one or more processors; and
memory storing one or more applications that, when executed on the one or more processors, perform an operation comprising:
receiving, from a beneficiary application via a network, an initiation message requesting the beneficiary application be authorized to access data hosted at a resource server connected to the network;
verifying that a valid session for a user exists between the application and an agent executing at a user device;
instructing the agent to obtain an authorization code on behalf of the application from an authorization server associated with the resource server;
receiving the authorization code from the agent;
obtaining an access token and a refresh token from the authorization server based on the authorization code;
generating a partner authorization (PA) token associated with the access token and the refresh token; and
transmitting the PA token to the beneficiary application to allow the beneficiary application to retrieve the access token when the user is logged in to the application.
(dependent claims 9 to 14)

15. A non-transitory computer-readable storage medium containing instructions that, when executed by one or more processors, perform an operation comprising:
receiving, at a partner authorization (PA) system from an application hosted at a beneficiary server via a network, a first message indicating a user wants to authorize the application to access data hosted at a resource server;
generating a request token and a state identifier based on the first message;
sending, to the application in a second message via the network, the request token and the state identifier;
receiving, at the PA system from an agent executing at a client device via the network, a third message, wherein the third message includes a first copy of the request token and a first copy of the state identifier;
verifying the first copy of the state identifier received in the third message matches the state identifier sent in the second message; and
verifying the first copy of the request token received in the third message matches the request token sent in the second message to confirm the agent is in communication with the application.
(dependent claims 16 to 20)
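As an added illustration, not code from the patent or from any implementation of it, the following Python sketch models the broker role the independent claims describe: the PA system keeps the provider's access and refresh tokens server-side, pairs a request token with a state identifier so that the agent's callback can be tied to the application's initiation (claim 15), and releases the access token to the application only against its PA token while the user session is reported valid (claim 1). The authorization server's token endpoint, the token formats and the session signal are constructed stand-ins.

```python
import hmac
import secrets

# Constructed stand-in for the authorization server's token endpoint (assumption:
# a real deployment would call the resource provider's OAuth token endpoint).
ISSUED_CODES = set()   # authorization codes the server has handed to the agent


def auth_server_token_endpoint(code):
    """Exchange a single-use authorization code for an access and a refresh token."""
    if code not in ISSUED_CODES:
        raise PermissionError("unknown or already-used authorization code")
    ISSUED_CODES.discard(code)
    return {"access_token": "at-" + secrets.token_hex(8),
            "refresh_token": "rt-" + secrets.token_hex(8)}


class PartnerAuthorizationSystem:
    """Broker: holds provider tokens, hands the application only an opaque PA token."""

    def __init__(self):
        self.pending = {}  # state identifier -> (app id, request token)
        self.vault = {}    # PA token -> {app_id, access_token, refresh_token}

    def initiate(self, app_id):
        # Claim 15: a request token and a state identifier are generated for this
        # initiation message and returned to the application, which relays them.
        state, request_token = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
        self.pending[state] = (app_id, request_token)
        return {"request_token": request_token, "state": state}

    def agent_callback(self, state, request_token, auth_code):
        # Claim 15: the agent's copies must match what was sent to the application;
        # a match shows the agent is in communication with that application.
        entry = self.pending.pop(state, None)
        if entry is None or not hmac.compare_digest(entry[1], request_token):
            raise PermissionError("state or request token mismatch")
        # Claim 1: redeem the code, keep the provider tokens here, mint a PA token.
        tokens = auth_server_token_endpoint(auth_code)
        pa_token = secrets.token_urlsafe(24)
        self.vault[pa_token] = {"app_id": entry[0], **tokens}
        return pa_token

    def redeem(self, pa_token, app_id, session_valid):
        # Claim 1: the application gets the access token only while the user is
        # logged in (session_valid is what the agent reports) and only for its own PA token.
        record = self.vault.get(pa_token)
        if record is None or record["app_id"] != app_id or not session_valid:
            raise PermissionError("unknown PA token, wrong application, or no session")
        return record["access_token"]
```

The refresh token never leaves the vault, which is the point of the indirection: the beneficiary application holds only a PA token that is useless without both the PA system and a live user session.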
Specification