Message authentication using message gates in a distributed computing environment
First Claim
1. A method for communicating in a distributed computing environment, comprising:
- a client accessing an authentication service to obtain an authentication credential to use a first service;
- determining client capabilities for said client, wherein said client capabilities are capabilities of said first service that said client is permitted to use, wherein said determining client capabilities comprises accessing an access policy service to obtain a capability token indicating which capabilities of said first service said client is permitted to access;
- binding said client capabilities to said authentication credential;
- said client sending a first message to said first service, wherein said first message includes said authentication credential;
- said first service using said authentication service to authenticate said authentication credential received in said first message; and
- said first service responding to said first message if said authentication credential in said first message is determined to be authentic as from said client.
Abstract
Embodiments of a system and method using message authentication with message gates are described. A message gate is the message endpoint for a client or service in a distributed computing environment. A message gate may provide a secure endpoint that sends and receives type-safe messages. Gates may perform the sending and receiving of messages between clients and services using a protocol specified in a service advertisement. In one embodiment, the messages are eXtensible Markup Language (XML) messages. For a client, a message gate represents the authority to use some or all of a service's capabilities. Each capability may be expressed in terms of a message that may be sent to the service. Creation of a message gate may involve an authentication service that may authenticate the client and/or service and that generates an authentication credential. A message gate may perform verification of messages against a message schema to ensure that the messages are allowed. Message gates may embed the authentication credential in outgoing messages so that the receiving message gate may authenticate the message. Messages may also include information to allow the receiving gate to verify that the message has not been compromised prior to receipt.
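The abstract and claim 1 describe a small protocol: an authentication service issues a credential, an access policy service issues a capability token bound to that credential, and a client-side message gate checks each outgoing message against the service's schema and the client's capabilities before embedding the credential; the service then asks the authentication service to authenticate the credential before responding. The following Python model is an added illustration written for this page, not code from the patent or from any implementation of it. Everything in it is an assumption for the sake of the example: HMAC signatures stand in for whatever credential format an embodiment would use, a dict of message types to required fields stands in for the XML schema, and the service, client and policy names are constructed sample values.

```python
"""Toy model of a message gate that binds a capability token to an authentication
credential and of a service that verifies both before responding (illustrative only)."""
import hashlib
import hmac
import json
import secrets


def _sign(key: bytes, payload: dict) -> str:
    """HMAC-SHA256 over a canonical JSON encoding (stand-in for the credential format)."""
    return hmac.new(key, json.dumps(payload, sort_keys=True).encode(), hashlib.sha256).hexdigest()


def _unsigned(obj: dict) -> dict:
    return {k: v for k, v in obj.items() if k != "sig"}


class AuthenticationService:
    """Issues credentials and later authenticates them on the service's behalf."""

    def __init__(self):
        self._key = secrets.token_bytes(32)  # constructed: never leaves this service

    def issue_credential(self, client_id: str, service_id: str) -> dict:
        cred = {"client": client_id, "service": service_id, "id": secrets.token_hex(8)}
        cred["sig"] = _sign(self._key, cred)
        return cred

    def authenticate(self, cred: dict) -> bool:
        return hmac.compare_digest(_sign(self._key, _unsigned(cred)), cred.get("sig", ""))


class AccessPolicyService:
    """Issues a capability token naming the message types a client may send.
    The token carries the credential id, which is the binding step of the claim."""

    def __init__(self, policy: dict):
        self._key = secrets.token_bytes(32)
        self._policy = policy  # client_id -> set of permitted message types

    def issue_capability_token(self, cred: dict) -> dict:
        token = {"cred_id": cred["id"], "caps": sorted(self._policy.get(cred["client"], ()))}
        token["sig"] = _sign(self._key, token)
        return token

    def verify(self, token: dict, cred: dict) -> bool:
        bound = token.get("cred_id") == cred.get("id")
        return bound and hmac.compare_digest(_sign(self._key, _unsigned(token)), token.get("sig", ""))


# Assumed schema: message type -> required field names (stand-in for the XML schema).
SCHEMA = {"read": {"path"}, "write": {"path", "data"}}


class MessageGate:
    """Client-side endpoint: rejects messages outside the schema or the client's
    capabilities, then embeds the credential and capability token in each message."""

    def __init__(self, cred: dict, cap_token: dict, schema: dict):
        self.cred, self.cap_token, self.schema = cred, cap_token, schema

    def send(self, service, msg_type: str, **fields) -> dict:
        if msg_type not in self.schema or set(fields) != self.schema[msg_type]:
            raise ValueError(f"message {msg_type!r} does not match the schema")
        if msg_type not in self.cap_token["caps"]:
            raise PermissionError(f"client lacks capability {msg_type!r}")
        return service.receive({"type": msg_type, "fields": fields,
                                "credential": self.cred, "capability": self.cap_token})


class Service:
    """Service side: re-checks everything, because the gate runs on the client."""

    def __init__(self, service_id: str, auth: AuthenticationService, policy: AccessPolicyService, schema: dict):
        self.id, self.auth, self.policy, self.schema = service_id, auth, policy, schema

    def receive(self, msg: dict) -> dict:
        cred = msg.get("credential", {})
        if cred.get("service") != self.id or not self.auth.authenticate(cred):
            return {"status": "rejected", "reason": "credential not authentic"}
        if not self.policy.verify(msg.get("capability", {}), cred):
            return {"status": "rejected", "reason": "capability token not bound to credential"}
        if msg["type"] not in msg["capability"]["caps"] or set(msg["fields"]) != self.schema.get(msg["type"]):
            return {"status": "rejected", "reason": "message not permitted for this client"}
        return {"status": "ok", "type": msg["type"], "client": cred["client"]}


def run_demo() -> dict:
    """Walk through the exchange with constructed names; returns the outcome of each case."""
    auth = AuthenticationService()
    policy = AccessPolicyService({"alice": {"read"}})  # alice may read, not write
    svc = Service("files", auth, policy, SCHEMA)
    cred = auth.issue_credential("alice", "files")
    token = policy.issue_capability_token(cred)
    gate = MessageGate(cred, token, SCHEMA)
    results = {"read": gate.send(svc, "read", path="/etc/motd")["status"]}
    try:  # the gate refuses a message outside the client's capabilities
        gate.send(svc, "write", path="/tmp/x", data="y")
        results["write"] = "sent"
    except PermissionError:
        results["write"] = "blocked-by-gate"
    # A message that skips the gate is still checked by the service itself.
    results["bypass"] = svc.receive({"type": "write", "fields": {"path": "/tmp/x", "data": "y"},
                                     "credential": cred, "capability": token})["status"]
    # A credential whose client field was altered no longer authenticates.
    tampered = {**cred, "client": "mallory"}
    results["tampered"] = svc.receive({"type": "read", "fields": {"path": "/etc/motd"},
                                       "credential": tampered, "capability": token})["status"]
    return results
```

The point the model makes is that the gate's checks are a convenience for the client, while the service's own call to the authentication service and its check that the capability token names the same credential id are what actually enforce the policy.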
Claims (63)
1. A method for communicating in a distributed computing environment, comprising:
- a client accessing an authentication service to obtain an authentication credential to use a first service;
- determining client capabilities for said client, wherein said client capabilities are capabilities of said first service that said client is permitted to use, wherein said determining client capabilities comprises accessing an access policy service to obtain a capability token indicating which capabilities of said first service said client is permitted to access;
- binding said client capabilities to said authentication credential;
- said client sending a first message to said first service, wherein said first message includes said authentication credential;
- said first service using said authentication service to authenticate said authentication credential received in said first message; and
- said first service responding to said first message if said authentication credential in said first message is determined to be authentic as from said client.

Dependent claims: 2 to 15.
16. A method for communication in a distributed computing environment, comprising:
- a client obtaining a service advertisement for a first service, wherein said service advertisement includes an address for an authentication service;
- said client sending a request message to said authentication service to obtain an authentication credential to use said first service;
- said client generating a message gate for accessing said first service, wherein said message gate embeds said authentication credential in every message from said client to said first service; and
- said client accessing said first service through said message gate.

Dependent claims: 17 to 25.
26. A client device configured to:
- access an authentication service to obtain an authentication credential to use a first service;
- determine client capabilities for said client device, wherein said client capabilities are capabilities of said first service that said client device is permitted to use; and
- bind said client capabilities to said authentication credential;
- generate a message gate for accessing said first service, wherein said message gate sends request messages from said client to said first service to access said first service, and wherein said message gate includes said authentication credential in each message to said first service;
- send a first message to said first service, wherein said first message includes said authentication credential, wherein said first service is configured to use said authentication service to authenticate said authentication credential received in said first message; and
- receive a response to said first message from said first service if said authentication credential in said first message is determined to be authentic as from said client device.

Dependent claims: 27 to 39.
40. A service device configured to:
- provide to a client an advertisement for said service device, wherein said advertisement includes a data representation language schema defining a message interface for accessing said service device;
- receive from said client a first message including an authentication credential, wherein said first message corresponds to a message defined in said data representation language schema, wherein said client accesses an authentication service to obtain said authentication credential to use said service device;
- use said authentication service to authenticate said authentication credential received in said first message;
- determine client capabilities for said client, wherein said client capabilities are capabilities of said service device that said client is permitted to use;
- bind said client capabilities to said authentication credential;
- respond to said first message if said authentication credential in said first message is determined to be authentic as from said client; and
- receive additional messages from said client to use said service device, wherein said authentication credential is included with each one of said additional messages, and wherein each one of said additional messages is defined by said data representation language schema.

Dependent claims: 41 to 43.
44. A distributed computing system, comprising:
- a client device; and
- a service device;
- wherein said client device is configured to:
  - obtain an address for an authentication service from an advertisement for said service device;
  - access said authentication service to obtain an authentication credential to use said service device, wherein to access said authentication service, the client device is further configured to send a message to said address for said authentication service requesting said authentication credential to use said advertised service device; and
  - determine client capabilities for said client device, wherein said client capabilities are capabilities of said service device that said client device is permitted to use; and
  - bind said client capabilities to said authentication credential;
  - send a first message to said service device, wherein said first message includes said authentication credential; and
- wherein said service device is configured to:
  - provide to said client device said advertisement for said service device, wherein said advertisement includes a data representation language schema defining a message interface for accessing said service device;
  - use said authentication service to authenticate said authentication credential received in said first message; and
  - respond to said first message if said authentication credential in said first message is determined to be authentic as from said client.

Dependent claims: 45 to 49.
50. A distributed computing system, comprising:
- a client device;
- a service device;
- wherein said client device is configured to:
  - obtain a service advertisement for said service device, wherein said service advertisement includes an address for an authentication service;
  - send a request message to said authentication service to obtain an authentication credential to use said service device;
  - generate a message gate for accessing said service device, wherein said message gate is configured to embed said authentication credential in every message from said client device to said service device; and
  - access said service device through said message gate.

Dependent claims: 51 to 53.
54. A computer-readable, storage medium comprising program instructions, wherein the program instructions are computer-executable to implement:
- providing to a client an advertisement for a service, wherein said advertisement includes a data representation language schema defining a message interface for accessing said service, wherein said client accesses an authentication service to obtain an authentication credential to use said service;
- determining client capabilities for said client, wherein said client capabilities are capabilities of said service that said client is permitted to use;
- binding said client capabilities to said authentication credential;
- receiving from said client a first message to said service, wherein said first message corresponds to a message defined in said data representation language schema, wherein said first message includes said authentication credential;
- using said authentication service to authenticate said authentication credential received in said first message;
- responding to said first message if said authentication credential in said first message is determined to be authentic as from said client; and
- receiving additional messages from said client to use said service, wherein said authentication credential is included with each one of said additional messages, and wherein each one of said additional messages is defined by said data representation language schema.

Dependent claims: 55 to 59.
60. A computer-readable, storage medium comprising program instructions, wherein the program instructions are computer-executable to implement:
- a client obtaining a service advertisement for a first service, wherein said service advertisement includes an address for an authentication service;
- said client sending a request message to said authentication service to obtain an authentication credential to use said first service;
- said client generating a message gate for accessing said first service, wherein said message gate embeds said authentication credential in every message from said client to said first service; and
- said client accessing said first service through said message gate.

Dependent claims: 61 to 63.