APPROACHES FOR SECURING MIDDLEWARE DATA ACCESS

US 20200137111A1
Filed: 10/25/2018
Published: 04/30/2020
Est. Priority Date: 10/25/2018
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method, comprising:

determining, by a computing system, an access request provided by an entity that seeks to interact with one or more backend systems through a middleware system, the access request including a genuine access token;

authenticating, by the computing system, the entity based on the genuine access token; and

providing, by the computing system, the access request to the middleware system, wherein the access request is modified to replace the genuine access token with an invalid access token.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods are provided for determining an access request provided by an entity that seeks to interact with one or more backend systems through a middleware system, the access request including a genuine access token. The entity can be authenticated based on the genuine access token. When a client request is made to the middleware system with a genuine access token, the request can be made through a smart ingress and egress proxy which intercepts the request and replaces the genuine access token with an invalid access token. The middleware system can subsequently make authorized requests to downstream systems on behalf of the middleware system'"'"'s client by treating the smart proxy as an egress proxy for those subsequent requests, and the smart proxy replaces the invalid access token with a genuine one.

0 Citations

20 Claims

1. A computer-implemented method, comprising:
- determining, by a computing system, an access request provided by an entity that seeks to interact with one or more backend systems through a middleware system, the access request including a genuine access token;
  
  authenticating, by the computing system, the entity based on the genuine access token; and
  
  providing, by the computing system, the access request to the middleware system, wherein the access request is modified to replace the genuine access token with an invalid access token.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The computer-implemented method of claim 1, further comprising:
    - determining, by the computing system, that the middleware system has made an access request to the one or more backend systems using the invalid access token in response to the access request provided by the entity; and
      
      intercepting, by the computing system, the access request to the one or more backend systems, wherein the intercepted access request is modified to replace the invalid access token with the genuine access token.
  - 3. The computer-implemented method of claim 2, wherein the genuine access token is not made accessible to the middleware system.
  - 4. The computer-implemented method of claim 1, wherein the entity is a user, a software application, or a computing device.
  - 5. The computer-implemented method of claim 1, wherein the invalid access token has no rights to access data from the one or more backend systems.
  - 6. The computer-implemented method of claim 1, further comprising:
    - receiving, by the computing system, a request from the one or more backend systems to replace the invalid access token with the genuine access token; and
      
      providing, by the computing system, the genuine access token to the one or more backend systems, wherein the genuine access token is used to authenticate an access request made by the middleware system to the one or more backend systems.
  - 7. The computer-implemented method of claim 6, further comprising:
    - determining, by the computing system, that the one or more backend systems from which the request was received are included in a whitelist of entities that are permitted to receive genuine access tokens.

8. A system, comprising:
- one or more processors; and
  
  a memory storing instructions that, when executed by the one or more processors, cause the system to perform;
  
  determining an access request provided by an entity that seeks to interact with one or more backend systems through a middleware system, the access request including a genuine access token;
  
  authenticating the entity based on the genuine access token; and
  
  providing the access request to the middleware system, wherein the access request is modified to replace the genuine access token with an invalid access token.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The system of claim 8, wherein the instructions further cause the system to perform:
    - determining that the middleware system has made an access request to the one or more backend systems using the invalid access token in response to the access request provided by the entity; and
      
      intercepting the access request to the one or more backend systems, wherein the intercepted access request is modified to replace the invalid access token with the genuine access token.
  - 10. The system of claim 9, wherein the genuine access token is not made accessible to the middleware system.
  - 11. The system of claim 8, wherein the entity is a user, a software application, or a computing device.
  - 12. The system of claim 8, wherein the invalid access token has no rights to access data from the one or more backend systems.
  - 13. The system of claim 8, wherein the instructions further cause the system to perform:
    - receiving a request from the one or more backend systems to replace the invalid access token with the genuine access token; and
      
      providing the genuine access token to the one or more backend systems, wherein the genuine access token is used to authenticate an access request made by the middleware system to the one or more backend systems.
  - 14. The system of claim 13, wherein the instructions further cause the system to perform:
    - determining that the one or more backend systems from which the request was received are included in a whitelist of entities that are permitted to receive genuine access tokens.

15. A non-transitory computer readable medium comprising instructions that, when executed, cause one or more processors to perform:
- determining an access request provided by an entity that seeks to interact with one or more backend systems through a middleware system, the access request including a genuine access token;
  
  authenticating the entity based on the genuine access token; and
  
  providing the access request to the middleware system, wherein the access request is modified to replace the genuine access token with an invalid access token.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The non-transitory computer readable medium of claim 15, wherein the instructions further cause the processors to perform:
    - determining that the middleware system has made an access request to the one or more backend systems using the invalid access token in response to the access request provided by the entity; and
      
      intercepting the access request to the one or more backend systems, wherein the intercepted access request is modified to replace the invalid access token with the genuine access token.
  - 17. The non-transitory computer readable medium of claim 16, wherein the genuine access token is not made accessible to the middleware system.
  - 18. The non-transitory computer readable medium of claim 15, wherein the entity is a user, a software application, or a computing device.
  - 19. The non-transitory computer readable medium of claim 15, wherein the invalid access token has no rights to access data from the one or more backend systems.
  - 20. The non-transitory computer readable medium of claim 15, wherein the instructions further cause the system to perform:
    - receiving a request from the one or more backend systems to replace the invalid access token with the genuine access token; and
      
      providing the genuine access token to the one or more backend systems, wherein the genuine access token is used to authenticate an access request made by the middleware system to the one or more backend systems.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Palantir Technologies Incorporated
Original Assignee
Palantir Technologies Incorporated
Inventors
Ding, James

Granted Patent

US 11,025,672 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/0281   Proxies

H04L 63/062   for key distribution, e.g. ...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/0884   by delegation of authentica...

H04L 63/10   for controlling access to d...

H04L 63/1466   Active attacks involving in...

H04L 63/1491   using deception as counterm...

APPROACHES FOR SECURING MIDDLEWARE DATA ACCESS

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

0 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

APPROACHES FOR SECURING MIDDLEWARE DATA ACCESS

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

0 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others