Providing application programs with access to secured resources

US 8,533,796 B1
Filed: 04/26/2011
Issued: 09/10/2013
Est. Priority Date: 03/16/2011
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for providing access to secured resources, the method comprising:

storing, by a token providing system at a computer, primary authentication token information that an authentication system of a service provider generated in response to receiving authentication credentials for a user account, wherein the primary authentication token information can be used to obtain multiple temporary authentication token information that can be used to access secured resources that the service provider stores in association with the user account, and wherein the token providing system does not have access to the authentication credentials;

receiving, by the token providing system and from a first application program of multiple application programs, a first request to obtain first temporary authentication token information for use in accessing a first portion of the secured resources, wherein the first application program does not have access to the authentication credentials and the first request does not include the primary authentication token information, wherein the first request includes a first requested scope that is for use in identifying the first portion of the secured resources;

transmitting, by the token providing system and to the authentication system, a second request to obtain the first temporary authentication token information, wherein the second request includes the primary authentication token information that was stored by the token providing system;

receiving, by the token providing system and from the authentication system, the first temporary authentication token information;

providing, by the token providing system and to the first application program, the first temporary authentication token information for use by the first application program in accessing the first portion of the secured resources;

receiving, by the token providing system and from a second application program of the application programs, a third request to obtain second temporary authentication token information for use in accessing a second portion of the secured resources, wherein the third request includes a second requested scope that is for use in identifying the second portion of the secured resources and does not include the primary authentication token information;

transmitting, by the token providing system and to the authentication system, a fourth request to obtain the second temporary authentication token information, the fourth request including the primary authentication token information and the second requested scope;

receiving, by the token providing system and from the authentication system, the second temporary authentication token information; and

providing, by the token providing system and to the second application program, the second temporary authentication token information for use by the second application program in accessing the second portion of the secured resources, wherein the first portion of the secured resources is different than the second portion of the secured resources.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In general, the subject matter described in this specification can be embodied in methods, systems, and program products for providing access to secured resources. A token providing system stores a primary authentication token that is used to obtain temporary authentication tokens. The token providing system provides, to application programs that are unable to access the primary authentication token, the temporary authentication tokens. The token providing system receives, from a first application program of the application programs, a first request to obtain a first temporary authentication token. The first request does not include the primary authentication token. The token providing system transmits a second request to obtain the first temporary authentication token. The second request includes the primary authentication token. The token providing system receives the first temporary authentication token. The token providing system provides the first temporary authentication token for use by the first application program.

164 Citations

18 Claims

1. A computer-implemented method for providing access to secured resources, the method comprising:
- storing, by a token providing system at a computer, primary authentication token information that an authentication system of a service provider generated in response to receiving authentication credentials for a user account, wherein the primary authentication token information can be used to obtain multiple temporary authentication token information that can be used to access secured resources that the service provider stores in association with the user account, and wherein the token providing system does not have access to the authentication credentials;
  
  receiving, by the token providing system and from a first application program of multiple application programs, a first request to obtain first temporary authentication token information for use in accessing a first portion of the secured resources, wherein the first application program does not have access to the authentication credentials and the first request does not include the primary authentication token information, wherein the first request includes a first requested scope that is for use in identifying the first portion of the secured resources;
  
  transmitting, by the token providing system and to the authentication system, a second request to obtain the first temporary authentication token information, wherein the second request includes the primary authentication token information that was stored by the token providing system;
  
  receiving, by the token providing system and from the authentication system, the first temporary authentication token information;
  
  providing, by the token providing system and to the first application program, the first temporary authentication token information for use by the first application program in accessing the first portion of the secured resources;
  
  receiving, by the token providing system and from a second application program of the application programs, a third request to obtain second temporary authentication token information for use in accessing a second portion of the secured resources, wherein the third request includes a second requested scope that is for use in identifying the second portion of the secured resources and does not include the primary authentication token information;
  
  transmitting, by the token providing system and to the authentication system, a fourth request to obtain the second temporary authentication token information, the fourth request including the primary authentication token information and the second requested scope;
  
  receiving, by the token providing system and from the authentication system, the second temporary authentication token information; and
  
  providing, by the token providing system and to the second application program, the second temporary authentication token information for use by the second application program in accessing the second portion of the secured resources, wherein the first portion of the secured resources is different than the second portion of the secured resources.

2. A computer-implemented method for providing access to secured resources, the method comprising:
- storing, by a token providing system at a computer system, primary authentication token information that is used to obtain temporary authentication token information from an authentication system of a service provider, wherein the token providing system provides, to application programs that are unable to access the primary authentication token information, the temporary authentication token information for use in accessing portions of secured resources of the service provider;
  
  receiving, by the token providing system and from a first application program of the application programs, a first request to obtain first temporary authentication token information for use in accessing a first portion of the secured resources, wherein the first request does not include the primary authentication token information, wherein the first request includes a first requested scope that is for use in identifying the first portion of the secured resources;
  
  transmitting, by the token providing system and to the authentication system at the service provider, a second request to obtain the first temporary authentication token information, wherein the second request includes the primary authentication token information;
  
  receiving, by the token providing system and from the authentication system, the first temporary authentication token information;
  
  providing, by the token providing system and to the first application program, the first temporary authentication token information for use by the first application program in accessing the first portion of the secured resources;
  
  receiving, by the token providing system and from a second application program of the application programs, a third request to obtain second temporary authentication token information for use in accessing a second portion of the secured resources, wherein the third request includes a second requested scope that is for use in identifying the second portion of the secured resources and does not include the primary authentication token information;
  
  transmitting, by the token providing system and to the authentication system, a fourth request to obtain the second temporary authentication token information, the fourth request including the primary authentication token information and the second requested scope;
  
  receiving, by the token providing system and from the authentication system, the second temporary authentication token information; and
  
  providing, by the token providing system and to the second application program, the second temporary authentication token information for use by the second application program in accessing the second portion of the secured resources, wherein the first portion of the secured resources is different than the second portion of the secured resources.
- View Dependent Claims (3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 3. The method of claim 2, wherein the authentication system generated the primary authentication token information in response a user providing authentication credentials for a user account, wherein the primary authentication token information can be used to obtain secured resources of the service provider that are associated with the user account.
  - 4. The method of claim 3, wherein the primary authentication token information cannot be used to access secured resources of the service provider that cannot be accessed using the authentication credentials.
  - 5. The method of claim 3, wherein the authentication credentials include a username and a shared secret that are associated with the user account.
  - 6. The method of claim 2, wherein the token providing system does not have access to authentication credentials that are associated with the primary authentication token information.
  - 7. The method of claim 6, wherein:
    - the first application program does not have access to the authentication credentials, the authentication credentials are for a user account at the service provider, and the first temporary authentication token information is for use in accessing a portion of resources that are associated with the user account at the service provider.
  - 8. The method of claim 2, wherein the second request includes the first requested scope.
  - 9. The method of claim 8, wherein the first temporary authentication token information provides the first application program access, based on the first requested scope, to the first portion of the secured resources in distinction to other portions of the secured resources.
  - 10. The method of claim 2, wherein the first temporary authentication token information can be used, for accessing the first portion of the secured resources, for a limited time duration.
  - 11. The method of claim 10, wherein the limited time duration is shorter than a time duration during which the authentication system provides temporary authentication token information to the token providing system in response to the token providing system providing, to the authentication system, requests that include the primary authentication token information.
  - 12. The method of claim 2, wherein the primary authentication token information cannot be used to retrieve secured resources from the service provider without obtaining one or more temporary authentication token information using the primary authentication token information.

13. A computer system for providing access to secured resources, the system comprising:
- one or more processors; and
  
  one or more computer-readable devices that store;
  
  application programs that are hosted by a computer system for third-party users that are provided an ability to administer the application programs upon providing valid user credentials;
  
  primary token information, at the computer system, that an authentication system of a service provider generated in response to the service provider receiving user credentials that are associated with a user account, the service provider storing resources in association with the user account; and
  
  a temporary token program, at the computer system, to;
  
  (i) receive, from a first application program of the application programs, a first request to obtain first temporary authentication token information for use in accessing a first portion of the stored resources, wherein the first request does not include the primary token information, wherein the first request includes a first requested scope that is used in identifying the first portion of the stored resources,(ii) transmit, to the authentication system, a second request to obtain the first temporary authentication token information, the second request including the primary token information,(iii) receive, from the authentication system, the first temporary authentication token information,(iv) provide, to the first application program, the first temporary authentication token information for use by the first application program in accessing the first portion of the stored resources,(v) receive, from a second application program of the application programs, a third request to obtain second temporary authentication token information for use in accessing a second portion of the stored resources, wherein the third request includes a second requested scope that is used in identifying the second portion of the stored resources,(vi) transmit, to the authentication system, a fourth request to obtain the second temporary authentication token information, the fourth request including the primary token information and the second requested scope,(vii) receive, from the authentication system, the second temporary authentication token information, and(viii) provide, to the second application program, the second temporary authentication token information for use by the second application program in accessing the second portion of the stored resources.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The computer system of claim 13, wherein a first subset of the application programs is stored by a first virtual machine that the computer system hosts for a first third-party user of the third-party users;
    - and wherein a second subset of the application programs is stored by a second virtual machine that the computer system hosts for a second third-party user of the third-party users.
  - 15. The computer system of claim 13, further comprising a scope authorizer, at the computer system, to determine whether the first requested scope and the second requested scope are valid for permissions provided to the first application program and second application program, respectively.
  - 16. The computer system of claim 13, wherein the computer system does not store the user credentials.
  - 17. The computer system of claim 13, wherein none of the application programs store the user credentials and none of the application programs store the primary token information.
  - 18. The computer system of claim 13, further comprising the authentication system.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Google LLC (Alphabet Inc.)
Original Assignee
Google Inc. (Alphabet Inc.)
Inventors
Shenoy, Vittaldas Sachin, Risbood, Pankaj, Sahasranaman, Vivek, Kern, Christoph, Anderson, Evan K.
Primary Examiner(s)
Shaw, Yin-Chen
Assistant Examiner(s)
MOHAMMADI, FAHIMEH M

Application Number

US13/094,385
Time in Patent Office

868 Days
Field of Search

726 1- 26, 713156-158, 713172-174, 380/229, 705 65- 69
US Class Current

726/6
CPC Class Codes

G06F 21/31   User authentication

G06F 21/335   for accessing specific reso...

G06F 21/6218   to a system of files or obj...

H04L 63/08   for authentication of entit...

H04L 63/0815   providing single-sign-on or...

H04L 63/0846   using time-dependent-passwo...

H04L 9/3226   using a predetermined code,...

Providing application programs with access to secured resources

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

164 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Providing application programs with access to secured resources

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

164 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links