Authorization and access control service for distributed network resources

US 7,685,206 B1
Filed: 02/12/2004
Issued: 03/23/2010
Est. Priority Date: 02/12/2004
Status: Active Grant

First Claim

Patent Images

1. A method of providing from a centralized location access control to a resource for one or more users, said method comprising:

receiving at the centralized location an authorization request from a first entity to issue authorization data for the one or more users based on roles associated with the users as part of an organization model, wherein said authorization data is required by a second entity for allowing the first entity to conditionally access a resource controlled by the second entity;

responsive to the received authorization request, creating a conditional scope expression identifying the resource by a resource name and by at least one property name-property value pair associated with the resource to conditionally define access to the resource, said property name-property value pair determining a list of conditions for access to the resource controlled by the second entity;

encrypting the created conditional scope expression;

responsive to the received authorization request, issuing the authorization data from the centralized location to the first entity, wherein the first entity provides the issued authorization data to the second entity to conditionally access the resource controlled by the second entity, said authorization data including the conditional scope expression identifying the resource said authorization data further including validation information;

receiving at the centralized location a validation request from the second entity to validate the issued authorization data provided to the second entity by the first entity;

responsive to the received validation request, validating the issued authorization data based on the validation information included the authorization data; and

responsive to validating the issued authorization data, sending from the centralized location a response to the second entity indicating a determined validation status, said second entity granting to the first entity access to the resource according to the conditions determined by the property name-property value pair when the determined validation status indicates that the authorization data is valid.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Providing access to a resource via authorization data that conditionally defines the access by an expression that identifies the resource by name and by at least one property of the resource. An authorization service issues the authorization data (e.g., as a token) and evaluating authorization data received from a client. The authorization service evaluates the expression in the authorization data to identify the resource and determine the rights associated with the user for the resource. The authorization service implements role-based access control to control access to resources in a distributed, multi-site network.

179 Citations

25 Claims

1. A method of providing from a centralized location access control to a resource for one or more users, said method comprising:
- receiving at the centralized location an authorization request from a first entity to issue authorization data for the one or more users based on roles associated with the users as part of an organization model, wherein said authorization data is required by a second entity for allowing the first entity to conditionally access a resource controlled by the second entity;
  
  responsive to the received authorization request, creating a conditional scope expression identifying the resource by a resource name and by at least one property name-property value pair associated with the resource to conditionally define access to the resource, said property name-property value pair determining a list of conditions for access to the resource controlled by the second entity;
  
  encrypting the created conditional scope expression;
  
  responsive to the received authorization request, issuing the authorization data from the centralized location to the first entity, wherein the first entity provides the issued authorization data to the second entity to conditionally access the resource controlled by the second entity, said authorization data including the conditional scope expression identifying the resource said authorization data further including validation information;
  
  receiving at the centralized location a validation request from the second entity to validate the issued authorization data provided to the second entity by the first entity;
  
  responsive to the received validation request, validating the issued authorization data based on the validation information included the authorization data; and
  
  responsive to validating the issued authorization data, sending from the centralized location a response to the second entity indicating a determined validation status, said second entity granting to the first entity access to the resource according to the conditions determined by the property name-property value pair when the determined validation status indicates that the authorization data is valid.
- View Dependent Claims (2, 3, 4, 20, 21, 22, 23, 24, 25)
- - 2. The method of claim 1, wherein receiving the requests and issuing the authorization data occur over a secure sockets layer.
  - 3. The method of claim 1, wherein receiving the requests and issuing the authorization data occur over a network such as the Internet.
  - 4. The method of claim 1, wherein one or more computer-readable storage media having stored thereon computer-executable instructions for performing the method of claim 1.
  - 20. The method of claim 1, wherein the first entity is an application program.
  - 21. The method of claim 1, wherein the first entity is a computing device.
  - 22. The method of claim 1, further comprising generating a signature based on the conditional scope expression identifying the resource, and wherein the validation information includes said generated signature.
  - 23. The method of claim 1 wherein the validation information includes an expiration date.
  - 24. The method of claim 1, wherein the validation information further includes a site identifier identifying the first entity.
  - 25. The method of claim 1 wherein said validation request includes the issued authorization data and wherein said validating includes:
    - retrieving the validation information from the received authorization data;
      
      evaluating the retrieved validation information; and
      
      sending a response to the second entity indicating the validation status of the received authorization data responsive to said evaluating the retrieved validation information.

5. A method for validating at a centralized location authorization data to provide conditional access to a resource for one or more users, said method comprising:
- receiving at the centralized location an authorization request from a client to issue authorization data for the one or more users based on roles associated with the users, wherein said authorization data is required by an affiliate server for allowing the client to conditionally access a resource controlled by said affiliate server;
  
  responsive to the received authorization request, generating at the centralized location an authorization token having a header field, a source field, and a claim field, said header field representing validation information, said source field representing the identity of the user, said claim field specifying the resource conditionally, said claim field including a conditional scope expression identifying the resource by a resource name and by at least one property name-property value pair associated with the resource to conditionally define access to the resource, said property name-property value pair determining a list of conditions for access to the resource controlled by the affiliate server;
  
  sending the authorization token from the centralized location to the client, wherein the client provides the authorization token to the affiliate server to conditionally access the resource controlled by the affiliate server;
  
  receiving at the centralized location over a secure sockets layer a validation request from the affiliate server to validate the authorization token provided by the client, said receiving the validation request comprises receiving a data packet according to the Simple Object Access Protocol (SOAP), and further comprising extracting the authorization token from the received data packet;
  
  responsive to the extracted authorization token, retrieving validation information from the header field of the received authorization token;
  
  responsive to the retrieved validation information, evaluating the retrieved validation information to determine a validation status of the received authorization token; and
  
  responsive to the determined validation status, sending from the centralized location a response to the affiliate server indicating the determined validation status, said affiliate server granting to the client access to the resource according to the conditions determined by the property name-property value pair when the determined validation status indicates that the authorization token is valid.
- View Dependent Claims (6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 6. The method of claim 5, further comprising evaluating the conditional scope expression to identify the resource.
  - 7. The method of claim 6, wherein evaluating the conditional scope expression comprises extracting a target scope from the received authorization token, said extracted target scope identifying the resource.
  - 8. The method of claim 5, wherein receiving the validation request including the authorization token occurs over a network such as the Internet.
  - 9. The method of claim 5, further comprising decrypting the received authorization token.
  - 10. The method of claim 5, wherein retrieving the validation information comprises retrieving a signature from the header of the received authorization token.
  - 11. The method of claim 10, wherein evaluating the retrieved validation information comprises determining that the retrieved signature is invalid, and wherein sending the response comprises sending a response indicating the invalidity of the received authorization token.
  - 12. The method of claim 5, wherein retrieving the validation information comprises retrieving an expiration date from the header of the received authorization token, and wherein evaluating the retrieved validation information comprises comparing the retrieved expiration date to a current time stamp to determine if the received authorization token has expired.
  - 13. The method of claim 12, wherein the received authorization token has been determined to be expired, and further comprising sending a response indicating the invalidity of the received authorization token.
  - 14. The method of claim 5, wherein one or more computer-readable storage media having stored thereon computer-executable instructions for performing the method recited in claim 5.

15. One or more computer-readable media having stored thereon computer-executable components to control access to a resource by one or more users from a centralized location, said components comprising:
- an interface component adapted to receive at the centralized location an authorization request from a first entity to issue authorization data for the one or more users based on roles associated with the users, wherein said authorization data is required by a second entity for allowing the client to conditionally access a resource controlled by said second entity;
  
  an authorization component adapted to issue at the centralized location the requested authorization data for the users based on the roles associated with the users to the first entity, said authorization data including an encrypted conditional scope expression created in response to the received authorization request, said conditional scope expression identifying a resource by a resource name and by at least one property name-property value pair associated with the resource, said property name-property value pair determining a list of conditions for access to the resource controlled by the second entity, and said authorization data including the validation information, wherein said interface component is further adapted to receive a validation request from the second entity, said validation request including the authorization data issued to the first entity;
  
  a parser component adapted to retrieve validation information from the received authorization data; and
  
  a validation component adapted to evaluate the retrieved validation information, wherein the interface component is further adapted to send a response from the centralized location to the second entity indicating a validation status of the received authorization data responsive to said evaluating the retrieved validation information, said second entity granting to the first entity access to the resource according to the conditions determined by the property name-property value pair when the determined validation status indicates that the authorization data is valid.
- View Dependent Claims (16)
- - 16. The computer-readable media of claim 15, further comprising a scope component to evaluate the conditional scope expression to identify the resource.

17. An authorization system in a centralized location comprising:
- a memory area accessible from the centralized location for storing authorization data for use in providing a first entity conditional access to a resource that is controlled by a second entity, said authorization data including an encrypted conditional scope expression created in response to the received authorization request, said conditional scope expression identifying the resource by a resource name and by at least one property associated with the resource, wherein the associated property includes at least one property name-property value pair, said property name-property value pair determining a list of conditions for access to the resource controlled by the second entity, and said authorization data including validation information; and
  
  a processor configured to execute computer-executable instructions for receiving a validation request from the second entity and issuing from the centralized location to the first entity, responsive to an authorization request from the first entity, the authorization data for a user based on a role associated with the user and for validating, in response to the validation request from the second entity, the authorization data issued to the first entity to provide access to the resource, said validation request including the authorization data issued to the first entity, said second entity granting to the first entity access to the resource according to the conditions determined by the property name-property value pair when the determined validation status indicates that the authorization data is valid.
- View Dependent Claims (18, 19)
- - 18. The system of claim 17, wherein the processor is further configured to execute computer-executable instructions for evaluating the conditional scope expression to identify the resource.
  - 19. The system of claim 17, wherein the authorization data comprises a token.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Bailey, David Walter, Mathew, Ashvin Joseph, Radu, Costel, Oliver, Walter, Kelman, Barry I.
Primary Examiner(s)
Trujillo; James
Assistant Examiner(s)
Black; Linh

Application Number

US10/777,493
Time in Patent Office

2,231 Days
Field of Search

707/2, 707/9, 707783-787
US Class Current

707/785
CPC Class Codes

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/0815   providing single-sign-on or...

H04L 63/102   Entity profiles

H04L 63/105   Multiple levels of security

Authorization and access control service for distributed network resources

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

179 Citations

25 Claims

Specification

Use Cases

Quick Links

Others

Authorization and access control service for distributed network resources

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

179 Citations

25 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others