Request-specific authentication for accessing web service resources

US 8,656,472 B2
Filed: 02/01/2008
Issued: 02/18/2014
Est. Priority Date: 04/20/2007
Status: Active Grant

First Claim

Patent Images

1. A computing system for controlling access to a protected Web service resource, the computing system comprising:

a communication device for communicating across a communication network having a type;

a processor communicatively connected to the communication device; and

memory storing program instructions, which when executed by the processor cause the computing system to;

receiving a first request from a client to access the protected Web service resource from the communication network, the first request being associated with a first authentication level, a type and one or more properties of the Web service resource, and further including credentials of the client;

evaluating the first request upon receiving the first request, and determining whether authentication is required to access the protected Web service resource by evaluating the type of the communication network, the type and the one or more properties of the protected Web service resource associated with the first request, and the credentials of the client associated with the first request;

responding with a fault generated by the processor indicating that at least one authentication process must be completed in order for the first request to be processed when it is determined by the processor that authentication is required;

receiving a first authentication token from the client after the client has been authenticated by an authentication service according to a first factor and using the first authentication token to determine that the client has been authenticated according to the first factor;

granting the first request to access the protected Web service resource after determining that the client requires authentication and has been authenticated according to the first factor, and that authentication according to the first factor is sufficient for the first authentication level;

receiving a second request from the client to access the protected Web service resource from the communication network, the second request being associated with a second authentication level higher than the first authentication level;

denying the second request to access the protected Web service resource, based on the first authentication token according to the first factor being insufficient for the second authentication level;

responding with a second fault generated by the processor indicating that at least one additional authentication process must be completed in order for the second request to be processed when it is determined by the processor that authentication is required;

receiving a second authentication token from the client after the client has been authenticated by the authentication service according to a second factor and using the second authentication token to determine that the client has been authenticated according to the second factor; and

granting the second request to access the protected Web service resource after determining that the client has been authenticated according to the second factor, and that authentication according to the second factor is sufficient for the second authentication level.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Requests for access to Web service resources are evaluated based on the type of request that is received. Requests are not granted unless sufficient proof of authentication is provided to grant that request. An authentication service evaluates one or more factors to determine whether or not to authenticate the client. After being authenticated by the authentication service, proof of authentication is provided to the Web service, which grants access to the Web service resource.

Citations

11 Claims

1. A computing system for controlling access to a protected Web service resource, the computing system comprising:
- a communication device for communicating across a communication network having a type;
  
  a processor communicatively connected to the communication device; and
  
  memory storing program instructions, which when executed by the processor cause the computing system to;
  
  receiving a first request from a client to access the protected Web service resource from the communication network, the first request being associated with a first authentication level, a type and one or more properties of the Web service resource, and further including credentials of the client;
  
  evaluating the first request upon receiving the first request, and determining whether authentication is required to access the protected Web service resource by evaluating the type of the communication network, the type and the one or more properties of the protected Web service resource associated with the first request, and the credentials of the client associated with the first request;
  
  responding with a fault generated by the processor indicating that at least one authentication process must be completed in order for the first request to be processed when it is determined by the processor that authentication is required;
  
  receiving a first authentication token from the client after the client has been authenticated by an authentication service according to a first factor and using the first authentication token to determine that the client has been authenticated according to the first factor;
  
  granting the first request to access the protected Web service resource after determining that the client requires authentication and has been authenticated according to the first factor, and that authentication according to the first factor is sufficient for the first authentication level;
  
  receiving a second request from the client to access the protected Web service resource from the communication network, the second request being associated with a second authentication level higher than the first authentication level;
  
  denying the second request to access the protected Web service resource, based on the first authentication token according to the first factor being insufficient for the second authentication level;
  
  responding with a second fault generated by the processor indicating that at least one additional authentication process must be completed in order for the second request to be processed when it is determined by the processor that authentication is required;
  
  receiving a second authentication token from the client after the client has been authenticated by the authentication service according to a second factor and using the second authentication token to determine that the client has been authenticated according to the second factor; and
  
  granting the second request to access the protected Web service resource after determining that the client has been authenticated according to the second factor, and that authentication according to the second factor is sufficient for the second authentication level.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The computing system of claim 1, wherein the first factor is selected from the group comprising:
    - a password, an answer to a security question, a biometric identifier, an object, and client specific information.
  - 3. The computing system of claim 1, wherein the second factor is different from the first factor.
  - 4. The computing system of claim 1, wherein the method further comprises receiving a first authentication token from the client after the client has been authenticated by an authentication service according to the first factor and using the first authentication token to determine that the client has been authenticated according to the first factor.
  - 5. The computing system of claim 4, wherein determining that the client has been authenticated comprises:
    - decrypting the first authentication token with a public key of the authentication service; and
      
      determining that a claim made by the authentication service in the first authentication token satisfies a condition for access.
  - 6. The computing system of claim 1, wherein granting the second request to access the protected Web service resource is based on an evaluation of the second authentication token.

7. A physical computer readable storage device containing computer executable instructions which when executed by a computer perform a method of controlling access to a protected resource, the protected resource having a type and one or more properties, the method comprising:
- receiving a first request to access the protected resource from a communication network with a computing device from a client identifying the protected resource of a Web service, the first request being associated with a first authentication level, a type and one or more properties of the protected resource, and further including credentials of the client, wherein the communication network has a type;
  
  evaluating the first request upon receiving the first request, and determining whether authentication is required to access the protected resource by evaluating the type of the communication network, the type and one or more properties of the protected resource associated with the request, and the credentials of the client associated with the first request;
  
  responding with a fault generated by the Web service indicating that the first authentication level must be satisfied in order for the request to be processed, the first authentication level being associated with at least one authentication process that must be completed in order for the first authentication level to be satisfied;
  
  receiving a first authentication token from the client after being authenticated from the authentication service according to a first factor;
  
  using the first authentication token to determine whether the client has been authenticated according to the first factor;
  
  determining whether the authentication meets the first authentication level so as to be sufficient to grant the request;
  
  granting the first request to access the protected resource when the authentication is sufficient to grant the request;
  
  denying the first request when the authentication is insufficient to grant the request;
  
  receiving a second request from the client to access the protected resource, the second request identifying the protected resource of the Web service and being associated with a second authentication level and including the first authentication token at the first authentication level;
  
  determining whether the first authentication token at the first authentication level is sufficient to grant the second request;
  
  granting the second request when the second authentication level is lower than or equal to the first authentication level so as to be sufficient to grant the second request;
  
  denying the second request when the second authentication level is higher than the first authentication level so as to be insufficient to grant the second request and responding with a second fault generated by the Web service indicating that at least one additional authentication process must be completed in order for the second request to be granted; and
  
  when the second request is denied, receiving a second authentication token from the client after the client has been authenticated by the authentication service according to a second factor and using the second authentication token to determine that the client has been authenticated according to the second factor.
- View Dependent Claims (8, 9, 10, 11)
- - 8. The physical computer readable storage device of claim 7, wherein the authentication token is encrypted using public key cryptography.
  - 9. The physical computer readable storage device of claim 7, the method further comprising granting access to the protected resource of the Web service after granting the request if the authentication is sufficient.
  - 10. The physical computer readable storage device of claim 7, wherein denying the request comprises communicating the denial to the client with a message, the message including information about the authentication service configured to authenticate the client.
  - 11. The physical computer readable storage device of claim 7, wherein denying the request comprises sending a fault message according to a Simple Object Access Protocol, and wherein receiving an authentication comprises receiving a Web Services Trust Request Security Token Response Message according to a Web Services Trust specification.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
McMurtry, Craig V., Weinert, Alexander T., Meleshuk, Vadim, Gabarra, Mark E.
Primary Examiner(s)
Shaw, Peter
Assistant Examiner(s)
Shayanfar, Ali

Application Number

US12/024,901
Publication Number

US 20080263652A1
Time in Patent Office

2,209 Days
Field of Search

726/9, 713/185, 713/186
US Class Current

726/9
CPC Class Codes

G06F 21/32   using biometric data, e.g. ...

G06F 21/335   for accessing specific reso...

G06F 21/40   by quorum, i.e. whereby two...

G06F 21/602   Providing cryptographic fac...

H04L 63/06   for supporting key manageme...

H04L 63/08   for authentication of entit...

H04L 63/083   using passwords cryptograph...

H04L 63/0861   using biometrical features,...

H04L 63/0869   for achieving mutual authen...

H04L 63/10   for controlling access to d...

Request-specific authentication for accessing web service resources

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

11 Claims

Specification

Solutions

Use Cases

Quick Links

Request-specific authentication for accessing web service resources

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

11 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links