Authentication and authorization protocol for secure web-based access to a protected resource
Abstract
When a user makes a request to access a protected resource identified by a URL, client-side code in a web browser is used to generate an authentication token, which is then sent to the server along with an identity cookie that was set by that server. The authentication token is then used by the server to authenticate that the request is properly tied to a given identity contained in the identity cookie. If the authentication token can be validated at the server, an access control decision is then executed to determine whether to invoke the request for the protected resource. If the authentication token cannot be validated, an access denied message is returned to the requesting client.
35 Claims
1. A method for determining whether to allow access to a protected resource from a server, comprising the steps of:
at a client, responsive to a request to retrieve the protected resource, generating a one-time only use piece of data which can be used to authenticate that the request is bound to a given identity contained in a cookie previously set by an authentication server; forwarding the piece of data to the server in the request; at the server, determining whether the piece of data is valid; and if the piece of data is valid, executing an access control decision to determine whether to invoke the request.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10

11. A method of accessing a protected resource at a server, comprising the steps of:
at the server, receiving a request for a URL together with an identity cookie and a one-time only use authentication token associated with the request; determining whether the authentication token is valid; if the authentication token is not valid, returning to a requesting client an access denied message; and if the authentication token is valid, executing an access decision function to determine whether to allow access to the protected resource.
Dependent claims: 12, 13, 14, 15, 16, 17

18. A computer program product in a computer-useable medium executable by a processor in a client computer, comprising:
code, responsive to a request to a server for retrieval of a protected resource, which generates an unforgeable piece of data which can be used at the server to authenticate that the request is bound to a given identity contained in a cookie previously set by an authentication server; and code for inserting the piece of data into the request to the server.
Dependent claims: 19, 20, 21, 22

23. A computer program product for use in a computer-useable medium executable by a processor in a server, comprising:
code responsive to receipt of a request for a URL for a protected resource together with a one-time only use authentication token associated with the request for determining whether the authentication token is valid; code for returning to a requesting client an access denied message if the authentication token is not valid; and code for controlling execution of an access decision function if the authentication token is valid.
Dependent claims: 24, 25, 26, 27

28. A method for issuing an access request from a client browser to a server hosting a protected resource, wherein an identity cookie has been set on the client browser by an authentication server, comprising:
using a symmetric key to derive a message authentication code (MAC) on a URL of the protected resource and a timestamp; inserting the MAC together with the timestamp, the nonce set by the server, the server's identity, and a user's identity into a header of the request; and forwarding the request to the server together with the identity cookie to enable the server to determine whether a requestor is authorized to access the protected resource.
Dependent claims: 29, 30, 31, 32, 33, 34, 35
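The exchange described in the abstract and in claims 1, 11 and 28, written out as an added example; this is illustration code, not the patent's or any implementer's. It assumes header names of the form X-Auth-*, an opaque identity cookie that the server maps to a user and a per-session symmetric key, a 60-second freshness window for the timestamp, and a server-side store of the nonces the server has set. It also goes slightly beyond the claim's literal wording by feeding the nonce into the MAC input alongside the URL and timestamp, so that a captured token cannot be re-presented with a different nonce; the replay, tampered-URL, stale-timestamp and valid-but-unauthorized cases are each walked through in demo().

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample state (not from the patent). The authentication server is
# assumed to have set an opaque identity cookie and to share a per-session
# symmetric key with both the client and the resource server.
SESSIONS = {
    "cookie-alice-9f3c": {"user": "alice", "key": b"\x01" * 32},
    "cookie-bob-77a1": {"user": "bob", "key": b"\x02" * 32},
}
SERVER_ID = "rs.example.test"           # the server's identity carried in the header
ACL = {"/protected/report": {"alice"}}  # input to the access decision function
MAX_SKEW = 60                           # seconds a request timestamp may be off


class NonceStore:
    """Nonces the server has set but not yet seen back; each is usable once."""

    def __init__(self):
        self._issued = set()

    def issue(self):
        nonce = secrets.token_hex(16)
        self._issued.add(nonce)
        return nonce

    def consume(self, nonce):
        # True only the first time a server-issued nonce is presented.
        if nonce in self._issued:
            self._issued.remove(nonce)
            return True
        return False


def _mac(key, url, timestamp, nonce):
    # MAC over URL and timestamp as in claim 28; the nonce is added to the
    # input here (an assumption of this example) to bind the token to it.
    msg = f"{url}|{timestamp}|{nonce}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def client_build_headers(url, user, key, nonce, now=None):
    """Client side: the one-time token and its companions as request headers."""
    timestamp = int(time.time()) if now is None else now
    return {
        "X-Auth-MAC": _mac(key, url, timestamp, nonce),
        "X-Auth-Timestamp": str(timestamp),
        "X-Auth-Nonce": nonce,
        "X-Auth-Server": SERVER_ID,
        "X-Auth-User": user,
    }


def server_handle(url, cookie, headers, nonces, now=None):
    """Server side: "access denied" for an invalid token, else the access
    decision result "allowed" or "forbidden"."""
    now = int(time.time()) if now is None else now
    session = SESSIONS.get(cookie)
    if session is None:
        return "access denied"
    # Identities in the header must agree with the cookie and with this server.
    if headers.get("X-Auth-User") != session["user"]:
        return "access denied"
    if headers.get("X-Auth-Server") != SERVER_ID:
        return "access denied"
    try:
        timestamp = int(headers.get("X-Auth-Timestamp", ""))
    except ValueError:
        return "access denied"
    if abs(now - timestamp) > MAX_SKEW:
        return "access denied"
    nonce = headers.get("X-Auth-Nonce", "")
    expected = _mac(session["key"], url, timestamp, nonce)
    # Constant-time compare, checked before the nonce is spent so that a bad
    # MAC cannot burn a legitimately issued nonce.
    if not hmac.compare_digest(expected, headers.get("X-Auth-MAC", "")):
        return "access denied"
    if not nonces.consume(nonce):
        return "access denied"
    # Token valid: the access decision function rules on user and URL.
    return "allowed" if session["user"] in ACL.get(url, set()) else "forbidden"


def demo():
    """Walk the exchange through the cases the claims distinguish."""
    nonces = NonceStore()
    url, cookie, now = "/protected/report", "cookie-alice-9f3c", 1_700_000_000
    key = SESSIONS[cookie]["key"]
    results = []
    h = client_build_headers(url, "alice", key, nonces.issue(), now)
    results.append(server_handle(url, cookie, h, nonces, now))       # fresh token
    results.append(server_handle(url, cookie, h, nonces, now))       # replayed token
    h = client_build_headers(url, "alice", key, nonces.issue(), now)
    results.append(server_handle("/protected/other", cookie, h, nonces, now))  # other URL
    h = client_build_headers(url, "alice", key, nonces.issue(), now - 600)
    results.append(server_handle(url, cookie, h, nonces, now))       # stale timestamp
    bob = "cookie-bob-77a1"
    h = client_build_headers(url, "bob", SESSIONS[bob]["key"], nonces.issue(), now)
    results.append(server_handle(url, bob, h, nonces, now))          # valid, not in ACL
    return results


if __name__ == "__main__":
    print(demo())
```

The ordering inside server_handle is the part worth copying: identity agreement and freshness are cheap rejections, the MAC is verified in constant time before the nonce is consumed, and only a fully validated token reaches the access decision function, so "access denied" (invalid token) and "forbidden" (valid token, no entitlement) stay distinguishable in logs.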
Specification