Automated authentication of software applications using a limited-use token

US 8,132,242 B1
Filed: 02/13/2006
Issued: 03/06/2012
Est. Priority Date: 02/13/2006
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

intercepting a first request for a resource stored on a server, wherein the first request originates from a first software application executing on a client device, wherein the first software application comprises a web browser, wherein the web browser is authenticated with an intermediate device by actual authentication credentials associated with a user;

issuing a temporary token from the intermediate device to the client device when the requested resource will result in the first software application launching a second software application external to the web browser on the client device, wherein the intermediate device is located between the client device and the server, and wherein the temporary token is valid for a limited time and for a limited number of uses and is based in part on the actual authentication credentials;

receiving a second request from the second software application to access the resource, wherein the second request includes the temporary token, and wherein the second request identifies a type of the second software application;

in response to determining, by the intermediate device, that the temporary token is valid based in part on the actual authentication credentials associated with the user, forwarding the second request to the server;

intercepting, by the intermediate device, a response from the server based in part on the second request;

injecting the actual authentication credentials into the response as an application-specific cookie, wherein the application-specific cookie is specific to the second software application and based in part on the type of the second software application; and

forwarding the response including the application-specific cookie to the client device to replace the temporary token.

View all claims

12 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In general, the invention is directed to techniques of automated authentication of network-enabled software applications launched by a web browser. For example, an intermediate device, such as a Virtual Private Network (VPN) gateway, intercepts communications between a client device and a server. The gateway device automatically issues a temporary token to the client device when the web browser requests a resource that will result in the launch of an additional software application external to the web browser. This temporary token is only valid for a limited time and a limited number of uses. Subsequently, the gateway device uses the temporary token to authenticate the second software application, thereby avoiding passing user credentials from the web browser to the second application on the client device via an insecure persistent cookie.

270 Citations

18 Claims

1. A method comprising:
- intercepting a first request for a resource stored on a server, wherein the first request originates from a first software application executing on a client device, wherein the first software application comprises a web browser, wherein the web browser is authenticated with an intermediate device by actual authentication credentials associated with a user;
  
  issuing a temporary token from the intermediate device to the client device when the requested resource will result in the first software application launching a second software application external to the web browser on the client device, wherein the intermediate device is located between the client device and the server, and wherein the temporary token is valid for a limited time and for a limited number of uses and is based in part on the actual authentication credentials;
  
  receiving a second request from the second software application to access the resource, wherein the second request includes the temporary token, and wherein the second request identifies a type of the second software application;
  
  in response to determining, by the intermediate device, that the temporary token is valid based in part on the actual authentication credentials associated with the user, forwarding the second request to the server;
  
  intercepting, by the intermediate device, a response from the server based in part on the second request;
  
  injecting the actual authentication credentials into the response as an application-specific cookie, wherein the application-specific cookie is specific to the second software application and based in part on the type of the second software application; and
  
  forwarding the response including the application-specific cookie to the client device to replace the temporary token.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1,wherein intercepting comprises intercepting the first request with the intermediate device located between the client device and the server, andwherein issuing comprises:
    - determining at the intermediate device that the first request will result in the first software application launching the second software application on the client device; and
      
      issuing the temporary token from the intermediate device to the client device.
  - 3. The method of claim 1, wherein authenticating comprises updating a database on the intermediate device by decrementing a number of uses remaining for the temporary token when the second software application is authenticated.
  - 4. The method of claim 1, further comprising:
    - intercepting with the intermediate device a response from the server;
      
      injecting the temporary token into the response; and
      
      forwarding the response having the temporary token from the intermediate device to the client device.
  - 5. The method of claim 1, wherein intercepting the first request comprises intercepting the first request at the client device.
  - 6. The method of claim 5, wherein authenticating comprises:
    - after intercepting the first request at the client device, determining at the client device that the first request will result in the first software application launching a second software application on the client device;
      
      opening a new channel of communication between the client device and the intermediate device; and
      
      sending a request for the temporary token from the client device to the intermediate device via the new channel.
  - 7. The method of claim 1, wherein authenticating the temporary token with the intermediate device comprises:
    - obtaining from a database an expiration time and a number of remaining uses for the temporary token,determining that the temporary token is valid when a current time is not later than the expiration time and the number of remaining uses is greater than zero.
  - 8. The method of claim 1, further comprising generating the first request for the resource in response to a user clicking on a link displayed by the web browser.
  - 9. The method of claim 1, further comprising creating the temporary token in accordance with one or more policy rules stored in a policy database.
  - 10. The method of claim 9, wherein creating the temporary token comprises:
    - applying regular expressions within the policy rules to identify one of the policy rules having regular expressions that match patterns of strings within the first request; and
      
      determining the limited time and the limited number of uses for which the temporary token is valid based on the identified policy rule.
  - 11. The method of claim 1, wherein issuing a temporary token comprises issuing a persistent cookie associated with the limited time and the limited number of uses, wherein the persistent cookie does not contain any user credentials.

12. A network device comprising a control unit having one or more processors:
- a network interface to intercept a first request for a resource, wherein the first request originates from a first software application executing on a client device, wherein the first software application comprises a web browser, and wherein the web browser is authenticated by the network device using actual authentication credentials associated with a user;
  
  a token creation module operable by the control unit to create a temporary token when the resource is associated with a second software application that will result in the first software application launching the second software application external to the web browser, wherein the temporary token is valid for a limited time and a limited number of uses and is based in part on the actual authentication credentials;
  
  wherein the network interface receives a second request from the second software application to access the resource, wherein the second request includes the temporary token, and wherein the second request identifies a type of the second software application;
  
  a secure socket layer (SSL) virtual private network (VPN) manager operable by the control unit to, in response to determining that the temporary token is valid based in part on the actual authentication credentials associated with the user, forward the second request to a server;
  
  wherein the SSL VPN manager intercepts a response from the server based in part on the second request and injects the actual authentication credentials into the response as an application-specific cookie, wherein the application-specific cookie is specific to the second software application and based in part on the type of the second software application; and
  
  wherein the network interface forwards the response including the application-specific cookie to the client device to replace the temporary token.
- View Dependent Claims (13, 14, 15)
- - 13. The network device of claim 12, further comprisinga database storing data defining an expiration time and a number of remaining uses for the temporary token;
    - anda token verification module to verify that the temporary token to access the database is valid when a current time is not later than the expiration time and when the number of remaining uses is greater than zero.
  - 14. The network device of claim 12, further comprisinga policy database defining a set of rules, wherein each of the rules specifies regular expressions for matching patterns within the intercepted request, and wherein each of the rules specifies a corresponding valid time and number of uses,wherein the token creation module creates the temporary token in accordance with policy rules stored in a policy database.
  - 15. The network device of claim 12, wherein the temporary token is a persistent cookie that does not contain any user credentials.

16. A system comprising:
- a client device on which a first software application and a second software application execute, the first software application issuing a first request for a resource, wherein the first software application comprises a web browser;
  
  a resource server for providing the client device with access to the resource; and
  
  an intermediate device located between the client device and the resource server, wherein the intermediate device intercepts the first request and issues a temporary token to the client device when the requested resource is associated with the second software application that will result in the first software application launching the second software application external to the web browser, and wherein the web browser is authenticated with the intermediate device by actual authentication credentials associated with a user, wherein the temporary token is valid for a limited time and for a limited number of uses and is based in part on the actual authentication credentials, receives a second request from the second software application to access the resource, wherein the second request includes the temporary token, wherein the second request identifies a type of the second software application, in response to determining that the temporary token is valid based in part on the actual authentication credentials associated with the user, forwards the second request to the resource server, intercepts a response from the resource server based in part on the second request and injecting the actual authentication credentials into the response as an application-specific cookie, wherein the application-specific cookie is specific to the second software application and based in part on the type of the second software application, and forwards the response including the application-specific cookie to the client device to replace the temporary token.
- View Dependent Claims (17)
- - 17. The system of claim 16, wherein the intermediate device issues the temporary token as a persistent cookie that does not contain any user credentials.

18. A non-transitory computer-readable medium comprising instructions for causing a programmable processor of an intermediate network device to:
- Intercept, with an intermediate network device located between a client device and a server, a first request from a first software application executing on the client device, wherein the first software application comprises a web browser, wherein the web browser is authenticated by the intermediate network device using actual authentication credentials associated with a user;
  
  issue a temporary token to the client device when the first request identifies a resource associated with a second software application that will result in the first software application launching a second software application external to the web browser, wherein the temporary token is valid for a limited time and for a limited number of uses and is based in part on the actual authentication credentials;
  
  receives a second request from the second software application to access the resource, wherein the second request includes the temporary token, wherein the second request identifies a type of the second software application;
  
  in response to determining that the temporary token is valid based in part on the actual authentication credentials associated with the user, forwarding the second request to the server;
  
  intercept a response from the server based in part on the second request and injecting the actual authentication credentials into the response as an application-specific cookie, wherein the application-specific cookie is specific to the second software application and based in part on the type of the second software application; and
  
  forward the response including the application-specific cookie to the client device to replace the temporary token.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Pulse Secure, LLC (Ivanti Software, Inc.)
Original Assignee
Juniper Networks Incorporated
Inventors
Wu, Yuhua
Primary Examiner(s)
Pyzocha, Michael
Assistant Examiner(s)
VU, PHY ANH TRAN

Application Number

US11/352,621
Time in Patent Office

2,213 Days
Field of Search

713/155, 713/168, 713/182, 713/172, 726 8- 10
US Class Current

726/8
CPC Class Codes

H04L 63/0272   Virtual private networks

H04L 63/0884   by delegation of authentica...

H04L 63/108   when the policy decisions a...

H04L 63/166   at the transport layer

Automated authentication of software applications using a limited-use token

First Claim

12 Assignments

0 Petitions

Accused Products

Abstract

270 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Automated authentication of software applications using a limited-use token

First Claim

12 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

270 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links