Unified authentication for web method platforms

US 7,992,198 B2
Filed: 09/14/2007
Issued: 08/02/2011
Est. Priority Date: 04/13/2007
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented system configured to authenticate one or more clients on a web method platform, the computer-implemented system comprising:

a processor;

a platform component configured to allow authenticated access to one or more web methods by a plurality of clients;

a unified session authentication component configured to bootstrap an authenticated session unique to a type of client and utilize a subsequent mechanism to facilitate accessing the web methods, wherein the subsequent mechanism is common to the plurality of clients;

a trust-tier determination component configured to assign a trust-tier level to one or more of the plurality of clients and control access to the web methods based, at least, in part, on the trust-tier level, wherein the trust-tier level is assigned based, at least, in part, on a type of device using one or more of the plurality of the clients, wherein at least one of the plurality of clients is an application server in a farm of application servers and one or more of the application servers comprise a keyset manager synchronized between the farm of application servers to ensure validity of shared secrets and private keys; and

a computer-readable storage medium storing instructions that, when executed by the processor, cause the processor to implement at least one of the platform component, the unified session authentication component or the trust-tier determination component.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An authentication mechanism is provided for a web method platform that allows homogeneous access for different types of clients according to a bootstrapping procedure utilized to establish the session. Different clients can be assigned different levels of trust based in part on the bootstrapping procedure and/or information provided during the procedure. The bootstrapping procedure can produce a token that is used by the clients in subsequent requests to provide previous authentication or state information to the platform. The token can comprise a shared secret used to ensure integrity of communications in some cases, and the token can be opaque to the client. Tokens can expire and require a client to re-bootstrap to provide higher levels of authentication protection, and tokens can be shared among a plurality of application servers to facilitate effective handling of requests in a farmed environment.

Citations

17 Claims

1. A computer-implemented system configured to authenticate one or more clients on a web method platform, the computer-implemented system comprising:
- a processor;
  
  a platform component configured to allow authenticated access to one or more web methods by a plurality of clients;
  
  a unified session authentication component configured to bootstrap an authenticated session unique to a type of client and utilize a subsequent mechanism to facilitate accessing the web methods, wherein the subsequent mechanism is common to the plurality of clients;
  
  a trust-tier determination component configured to assign a trust-tier level to one or more of the plurality of clients and control access to the web methods based, at least, in part, on the trust-tier level, wherein the trust-tier level is assigned based, at least, in part, on a type of device using one or more of the plurality of the clients, wherein at least one of the plurality of clients is an application server in a farm of application servers and one or more of the application servers comprise a keyset manager synchronized between the farm of application servers to ensure validity of shared secrets and private keys; and
  
  a computer-readable storage medium storing instructions that, when executed by the processor, cause the processor to implement at least one of the platform component, the unified session authentication component or the trust-tier determination component.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The computer-implemented system of claim 1, wherein the trust-tier level is further assigned based, at least, in part on information gathered during bootstrapping of the authenticated session.
  - 3. The computer-implemented system of claim 1, further comprising a token creation component configured to generate a token during bootstrapping of the authenticated session, wherein the token comprises information about the client and is transmitted with subsequent requests to access the web methods.
  - 4. The computer-implemented system of claim 3, wherein the token is opaque to the client.
  - 5. The computer-implemented system of claim 3, wherein the token comprises a shared secret configured to be applied by the unified session authentication component to a subsequent request and compared to an application of the shared secret by the client that is transmitted with the subsequent request to ensure integrity of the subsequent request.
  - 6. The computer-implemented system of claim 1, wherein at the application server facilitates accessing one or more of the web methods based on a request related to a user, and wherein credentials related to the user are specified during bootstrapping of the authenticated session.
  - 7. The computer-implemented system of claim 6, wherein the private keys are configured to protect the bootstrapping of the authenticated session and subsequent requests for the web methods.

8. A computer-implemented method to provide one or more application servers authenticated access to platform data, the computer-implemented method comprising:
- executing on a processor, instructions that, when executed, perform a method comprising;
  
  receiving credentials related to a user of an application server and a message authentication code key related to the application server;
  
  generating a token for subsequent requests, wherein the token includes the message authentication code key;
  
  sending the token to the application server as part of a bootstrapping procedure; and
  
  assigning a trust-tier level to the application server, wherein the trust-tier level is assigned based, at least, in part, on the application server and a device accessing the application server, and wherein the application server functions in a farm of application servers and one or more of the application servers comprise a keyset manager synchronized between the farm of application servers to ensure validity of shared secrets and private keys.
- View Dependent Claims (9, 10, 11, 12, 13, 14, 15)
- - 9. The computer-implemented method of claim 8, further comprising receiving a request to establish a session, wherein the request includes the token, and wherein the request is signed by the application server using a private key.
  - 10. The computer-implemented method of claim 9, further comprising:
    - decrypting the request using a public key associated with the application server; and
      
      sending an authentication status to the application server.
  - 11. The computer-implemented method of claim 10, further comprising receiving a request from the application server for access to one or more exposed web methods, wherein the request includes the token.
  - 12. The computer-implemented method of claim 11, further comprising:
    - retrieving the message authentication code key from the token;
      
      applying the message authentication code key to the request; and
      
      comparing a result to a message authentication code transmitted with the request to ensure integrity of the request.
  - 13. The computer-implemented method of claim 8, further comprising regulating access to requests from the application server based, at least, in part, on an assigned trust-tier level.
  - 14. The computer-implemented method of claim 8, wherein the trust-tier level is further assigned based, at least, in part on a specified user of the application server.
  - 15. The computer-implemented method of claim 8, wherein the credentials are received from a partner authentication server.

16. A computer-readable storage medium, where the medium is not a signal, storing computer-executable instructions that, when executed by a computing device, cause the computing device to perform operations comprising:
- bootstrapping an authenticated session request with one or more disparate clients to provide subsequent access to one or more exposed web methods; and
  
  assigning a trust-tier level to the one or more disparate clients based, at least, in part on the bootstrapping and a device by which the one or more disparate clients access the one or more exposed web methods, wherein access to the one or more web methods is controlled based, at least, in part on the trust-tier level, wherein at least one of the disparate clients is an application server in a farm of application servers and one or more of the application servers comprise a keyset manager synchronized between the farm of application servers to ensure validity of shared secrets and private keys.
- View Dependent Claims (17)
- - 17. The computer-readable storage medium of claim 16, the operations further comprising providing a homogeneous mechanism to the one or more disparate clients to request access to the one or more web methods following the bootstrapping of the authenticated session.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Guarraci, Brian J., Varadan, Vijay, White, Christopher C., Ferguson, Niels Thomas, Apacible, Johnson T., Jones, Jeffrey Dick, Nolan, Sean Patrick
Primary Examiner(s)
Flynn; Nathan
Assistant Examiner(s)
KOSOWSKI, CAROLYN M

Application Number

US11/855,364
Publication Number

US 20080256616A1
Time in Patent Office

1,418 Days
Field of Search

726 4- 9, 713175-176, 713/182, 713/185, 713/179, 713/181
US Class Current

726/9
CPC Class Codes

H04L 2209/42   Anonymization, e.g. involvi...

H04L 63/08   for authentication of entit...

H04L 9/3234   involving additional secure...

H04L 9/3242   involving keyed hash functi...

Unified authentication for web method platforms

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Unified authentication for web method platforms

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links