Delegated authentication for web services

US 8,402,508 B2
Filed: 04/02/2008
Issued: 03/19/2013
Est. Priority Date: 04/02/2008
Status: Active Grant

First Claim

Patent Images

1. A method for attempting to establish permission to enable delegated authentication for web services, the method comprising:

receiving an access request in a host application executing on a first computing system from a delegate application executing on a second computing system to access protected data stored on the first computing system, the protected data comprising a plurality of units of data;

determining whether the delegate application has been pre-approved to access the protected data;

automatically granting access to the protected data to the delegate application when the delegate application has been pre-approved;

when the delegate application has not been pre-approved to access the protected data;

a) receiving a request that references an offer from the delegate application to access the protected data;

b) referencing an offer database for a definition of the offer comprising a plurality of parameters, the plurality of parameters including at least one of;

a scope and a duration of the access;

c) presenting the offer referenced by the delegate application to an owner of the protected data via a user interface executing on a third computing system;

c) receiving a response from the owner of the protected data to the requested offer from the delegate application, the response comprising a user-selection of units of the protected data for which access is granted;

d) providing access to the protected data to the delegate application based on the response to the owner; and

e) sending a delegation token to the delegate application, the delegation token defining an access to the protected data for the delegate application based on the response of the owner of the protected data,wherein c) presenting the offer referenced by the delegate application to the owner comprises presenting potential hazards or risks to the owner from granting access to the delegate application.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments of the claimed subject matter provide a method and an apparatus for enabling delegated authentication for web services. Delegated authentication is provided without divulging the information the user requires to complete an authorization procedure of another web service or otherwise subjecting the user to unnecessary risk. Furthermore, delegated authentication is granted for a limited duration and access is subject to further limitations to prevent unnecessary intrusion to the user, the user'"'"'s data, and the host web service.

One embodiment of the claimed subject matter is implemented as a method for enabling delegated authentication to allow a third party service access to protected data on a host service. A user attempting to utilize functionality of a third party website that requests access to the user'"'"'s data stored on a separate host website is enabled as a delegate with authorization to access the data stored on the host website.

26 Citations

View as Search Results

28 Claims

1. A method for attempting to establish permission to enable delegated authentication for web services, the method comprising:
- receiving an access request in a host application executing on a first computing system from a delegate application executing on a second computing system to access protected data stored on the first computing system, the protected data comprising a plurality of units of data;
  
  determining whether the delegate application has been pre-approved to access the protected data;
  
  automatically granting access to the protected data to the delegate application when the delegate application has been pre-approved;
  
  when the delegate application has not been pre-approved to access the protected data;
  
  a) receiving a request that references an offer from the delegate application to access the protected data;
  
  b) referencing an offer database for a definition of the offer comprising a plurality of parameters, the plurality of parameters including at least one of;
  
  a scope and a duration of the access;
  
  c) presenting the offer referenced by the delegate application to an owner of the protected data via a user interface executing on a third computing system;
  
  c) receiving a response from the owner of the protected data to the requested offer from the delegate application, the response comprising a user-selection of units of the protected data for which access is granted;
  
  d) providing access to the protected data to the delegate application based on the response to the owner; and
  
  e) sending a delegation token to the delegate application, the delegation token defining an access to the protected data for the delegate application based on the response of the owner of the protected data,wherein c) presenting the offer referenced by the delegate application to the owner comprises presenting potential hazards or risks to the owner from granting access to the delegate application.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method according to claim 1, wherein receiving a response from the owner of the protected data further comprises recording the response from the owner of the protected data to the offer from the delegate application.
  - 3. The method according to claim 2, wherein the response from the owner of the protected data is recorded in a database.
  - 4. The method according to claim 1, wherein the delegation token further comprises:
    - a form of encryption;
      
      a scope of consent;
      
      a signature;
      
      a duration; and
      
      an association with one or more offers.
  - 5. The method according to claim 4, wherein existing permissions are stored within a database.
  - 6. The method according to claim 1, wherein determining whether the delegate application has been pre-approved to access the protected data comprises checking stored permissions for corresponding existing permissions.
  - 7. The method according to claim 1, wherein the delegation token sent to the delegate application indicates the owner of the protected data'"'"'s consent or lack thereof.
  - 8. The method according to claim 1, wherein presenting the offer from the delegate application to the owner of the protected data further comprises presenting the definition of the offer, wherein the definition is provided by the offer from the delegate application or is retrieved from an offer database.
  - 9. The method according to claim 1, wherein the response from the owner of the protected data comprises an automatic pre-approval.
  - 10. The method according to claim 9, wherein the owner of the protected data comprises a user of a plurality of users comprising an associated user group collectively managed by an administrator, and wherein the automatic pre-approval comprises an implicit consent established by the administrator for users of the associated user group.
  - 11. The method according to claim 1, wherein presenting the offer referenced by the delegate application to the owner of the protected data via a user interface executing on the third computing system comprises presenting, in the user interface, a plurality of files comprised in the protected data identified by the scope of the offer.
  - 12. The method according to claim 1, wherein presenting the offer referenced by the delegate application to the owner of the protected data via a user interface executing on the third computing system comprises presenting a user interface operable to allow the owner of the protected data to granularly consent to specific units of data comprising the protected data by selecting units of the protected data from the offer to grant access to.
  - 13. The method according to claim 1, wherein providing access to the protected data to the delegate application based on the response to the owner comprises providing access to the protected data that does not include the selected units of the protected data.

14. A method for enabling delegated authentication to allow access to a protected data, the method comprising:
- establishing permission from an owner of the protected data for a delegate service to access the protected data via an exchange of a delegation token by receiving, in a first computing system in which the protected data is stored, an access request and a pre-defined offer sent from a delegate service executing on a second computing system and seeking access to the protected data;
  
  presenting the offer to the owner via a user interface on a third computing system;
  
  receiving a response of the owner, the response comprising a user-selection of units of the protected data for which access is granted;
  
  sending a delegation token based on the response of the owner to the delegate service that provides a plurality of parameters defining the access allowed to the delegate service, the offer being sent from the delegate service by referencing an offer database to obtain a definition of the offer comprising at least one of;
  
  a scope and a duration of the access;
  
  validating the delegation token of the delegate service to access the protected data; and
  
  providing access to the protected data when the request of the delegate service to access the protected data is valid,wherein presenting the offer comprises presenting potential hazards or risks to the owner from granting access to the delegate application.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21)
- - 15. The method according to claim 14, wherein establishing permission from the owner of the protected data for the delegate service to access the protected data further comprises an attempt made by the owner of the protected data to utilize functionality of a delegate service that requires access to protected data in a storage service, the attempt occurring during a period of time prior to the time permission is established.
  - 16. The method according to claim 14, wherein, establishing permission for the delegate service to access protected data further comprises checking stored permissions for an existing permission corresponding to the received offer.
  - 17. The method according to claim 14, wherein validating the delegation token of the delegate service to access the protected data further comprises denying access if the delegation token is invalid.
  - 18. The method of claim 14, wherein validating the delegation token further comprises:
    - decrypting the token;
      
      verifying a token signature corresponding to the token;
      
      verifying an expiration time corresponding to the token; and
      
      verifying the offer corresponding to the token.
  - 19. The method of claim 14, wherein validating the delegation token further comprises obtaining another delegation token if an allowed duration corresponding to the current delegation token has expired.
  - 20. The method according to claim 14, wherein the establishing permission from the owner of the protected data comprises receiving an automatic pre-approval.
  - 21. The method according to claim 20, wherein the owner of the protected data comprises a user of a plurality of users comprising an associated user group collectively managed by an administrator, and wherein the automatic pre-approval comprises an implicit consent established by the administrator for users of the associated user group.

22. A system for enabling delegated authentication for web services, the system comprising:
- a computer system having a processor coupled to a memory, the memory having computer readable code, which when executed by the processor causes the computer system to implement a storage application for facilitating delegated authentication to allow access to protected data,wherein, the storage application receives a request and an offer obtained by referencing an offer database to obtain a definition of the offer comprising at least one of a scope and a duration of the offer from a delegate application to access the protected data, presents the offer from the delegate application to an owner of the protected data, receives a response from the owner of the protected data to the offer from the delegate application, and sends a delegation token to the delegate application that provides a plurality of parameters defining any access allowed to the delegate service,wherein, when presenting the offer from the delegate application to the owner of the protected data, potential hazards or risks to the owner from granting access to the delegation application are also presentedfurther wherein the response comprises a user-selection of units of the protected data for which access is granted.
- View Dependent Claims (23, 24, 25, 26, 27, 28)
- - 23. The system according to claim 22, wherein the access request and the offer are sent from a remote computing device.
  - 24. The system according to claim 23, wherein the remote computing device is a computer system.
  - 25. The system according to claim 23, wherein the remote computing device is a hand-held computing device.
  - 26. The system according to claim 23, wherein the access request and offer is sent via the Internet.
  - 27. The system according to claim 22, wherein the response from the owner of the protected data comprises an automatic pre-approval.
  - 28. The method according to claim 27, wherein the owner of the protected data comprises a user of a plurality of users comprising an associated user group collectively managed by an administrator, and wherein the automatic pre-approval comprises an implicit consent established by the administrator for users of the associated user group.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Rouskov, Yordan, Guo, Michael, Chen, Rui, Young, Kyle
Primary Examiner(s)
ABYANEH, ALI S

Application Number

US12/060,869
Publication Number

US 20090254978A1
Time in Patent Office

1,812 Days
Field of Search

726/4, 726/2, 709/229, 713/159
US Class Current

726/2
CPC Class Codes

G06F 21/335   for accessing specific reso...

H04L 2209/60   Digital content management,...

H04L 63/102   Entity profiles

H04L 9/321   involving a third party or ...

H04L 9/3234   involving additional secure...

H04L 9/3247   involving digital signatures

Delegated authentication for web services

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

26 Citations

28 Claims

Specification

Solutions

Use Cases

Quick Links

Delegated authentication for web services

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

26 Citations

28 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links