Methods and apparatus for selecting an authentication mode at time of issuance of an access token

US 8,613,055 B1
Filed: 02/22/2013
Issued: 12/17/2013
Est. Priority Date: 02/22/2013
Status: Active Grant

First Claim

Patent Images

1. An apparatus, comprising:

an authorization module implemented in at least one of a memory or a processing device, the authorization module configured to receive, from an application, a request for an access token associated with the application, the request including a scope identifier from a plurality of scope identifiers associated with the application,the authorization module configured to select, based on the scope identifier, a first authentication mode from a plurality of predefined authentication modes when the scope identifier is associated with a first level of access to a resource module, the authorization module configured to select the first authentication mode and a second authentication mode from the plurality of predefined authentication modes when the scope identifier is associated with a second level of access to the resource module, the authorization module configured to receive at least one credential assigned to at least one of the first authentication mode or the second authentication mode, the authorization module configured to send the access token to the application in response to authenticating a user of the application based on the at least one credential.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In some embodiments, an apparatus includes an authorization module implemented in at least one of a memory or a processing device. The authorization module can receive from an application a request for an access token associated with the application that includes a scope identifier associated with a level of access to a resource module. The authorization module can select based on the scope identifier at least one authentication mode from a set of predefined authentication modes. The authorization module can also receive at least one credential assigned to at least one authentication mode. Additionally, the authorization module can send the access token to the application in response to authenticating a user of the application based on the at least one credential.

68 Citations

View as Search Results

20 Claims

1. An apparatus, comprising:
- an authorization module implemented in at least one of a memory or a processing device, the authorization module configured to receive, from an application, a request for an access token associated with the application, the request including a scope identifier from a plurality of scope identifiers associated with the application,the authorization module configured to select, based on the scope identifier, a first authentication mode from a plurality of predefined authentication modes when the scope identifier is associated with a first level of access to a resource module, the authorization module configured to select the first authentication mode and a second authentication mode from the plurality of predefined authentication modes when the scope identifier is associated with a second level of access to the resource module, the authorization module configured to receive at least one credential assigned to at least one of the first authentication mode or the second authentication mode, the authorization module configured to send the access token to the application in response to authenticating a user of the application based on the at least one credential.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The apparatus of claim 1, wherein the access token is an Open Authorization (OAuth) access token.
  - 3. The apparatus of claim 1, wherein the at least one credential includes at least one of a user name, a password, an answer to a knowledge-based question, a short message service (SMS) code, a telephonic communication, an internet protocol (IP) address, or a time of day.
  - 4. The apparatus of claim 1, wherein the authorization module is configured to send the access token to the application such that the application provides the access token to the resource module.
  - 5. The apparatus of claim 1, wherein the application is a native mobile application on a mobile device.
  - 6. The apparatus of claim 1, wherein the authorization module is implemented at a device different than a device implementing the resource module.
  - 7. The apparatus of claim 1, wherein the authorization module is configured to select the first authentication mode by selecting an entry associated with the first authentication mode from an authorization mode database based on the scope identifier and an identifier associated with the resource module when the scope identifier is associated with the first level of access.
  - 8. The apparatus of claim 1, wherein each scope identifier from the plurality of scope identifiers is associated with a different predetermined authentication mode from the plurality of predefined authentication modes.

9. An apparatus, comprising:
- an application implemented in at least one of a memory or a processing device, the application configured to send, to an authorization module, a request (1) for an access token associated with the application and (2) including a scope identifier from a plurality of scope identifiers associated with the application, such that the authorization module selects, based on the scope identifier, (1) a first authentication mode from a plurality of predefined authentication modes when the scope identifier is associated with a first level of access to a resource module or (2) the first authentication mode and a second authentication mode from the plurality of predefined authentication modes when the scope identifier is associated with a second level of access to the resource module;
  
  the application configured to receive, from the authorization module, the access token in response to the authorization module authenticating a user of the application using at least one of the first authentication mode or the second authentication mode, the application is configured to send the access token to the resource module such that the resource module verifies the access token.
- View Dependent Claims (10, 11, 12, 13)
- - 10. The apparatus of claim 9, wherein the access token is an Open Authorization (OAuth) access token.
  - 11. The apparatus of claim 9, wherein the application is a native mobile application on a mobile device.
  - 12. The apparatus of claim 9, wherein the application is configured to receive data associated with the application in response to the resource module verifying the access token.
  - 13. The apparatus of claim 9, wherein the first authentication mode is associated with at least one of a user name, a password, an answer to a knowledge-based question, a short message service (SMS) code, a telephonic communication, an internet protocol (IP) address, or a time of day.

14. A non-transitory processor-readable medium storing code representing instructions to be executed by a processor, the code comprising code to cause the processor to:
- receive, from an application, a request for an access token, the request including a scope identifier from a plurality of scope identifiers associated with the application;
  
  select, based on the scope identifier, (1) a first authentication mode from a plurality of predefined authentication modes when the scope identifier is associated with a first level of access to a resource module or (2) the first authentication mode and a second authentication mode from the plurality of predefined authentication modes when the scope identifier is associated with a second level of access to the resource module;
  
  authenticate a user of the application (1) using at least one of the first authentication mode or the second authentication mode and (2) based on at least one credential associated with the user; and
  
  send the access token to the application in response to authenticating the user.
- View Dependent Claims (15, 16, 17, 18, 19, 20)
- - 15. The non-transitory processor-readable medium of claim 14, further comprising code to cause the processor to:
    - provide, to a user device, a request for the at least one credential; and
      
      receive, from the user device, the at least one credential.
  - 16. The non-transitory processor-readable medium of claim 14, wherein the access token is an Open Authorization (OAuth) access token.
  - 17. The non-transitory processor-readable medium of claim 14, wherein the application is a native mobile application on a mobile device.
  - 18. The non-transitory processor-readable medium of claim 14, wherein the at least one credential includes at least one of a user name, a password, an answer to a knowledge-based question, a short message service (SMS) code, a telephonic communication, an internet protocol (IP) address, or a time of day.
  - 19. The non-transitory processor-readable medium of claim 14, wherein the code to cause the processor to send includes code to cause the processor to send the access token to the application such that the application provides the access token to the resource module.
  - 20. The non-transitory processor-readable medium of claim 14, wherein the code to cause the processor to select includes code to cause the processor to select the first authentication mode by selecting an entry associated with the first authentication mode from an authorization mode database based on the scope identifier and an identifier associated with the resource module when the scope identifier is associated with the first level of access.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Ping Identity Corporation
Original Assignee
Ping Identity Corporation
Inventors
Campbell, Brian, Tomilson, Scott
Primary Examiner(s)
Yalew, Fikremariam A
Assistant Examiner(s)
DOLLY, KENDALL LYNN

Application Number

US13/774,653
Time in Patent Office

298 Days
Field of Search

None
US Class Current

726/4
CPC Class Codes

G06F 21/00   Security arrangements for p...

G06F 21/335   for accessing specific reso...

G06F 2221/2113   Multi-level security, e.g. ...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/105   Multiple levels of security

H04L 63/205   involving negotiation or de...

Methods and apparatus for selecting an authentication mode at time of issuance of an access token

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

68 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Methods and apparatus for selecting an authentication mode at time of issuance of an access token

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

68 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links