Flexible authentication and authorization mechanism

US 8,763,089 B2
Filed: 01/12/2010
Issued: 06/24/2014
Est. Priority Date: 01/12/2010
Status: Active Grant

First Claim

Patent Images

1. In a computer system configured to authenticate services on a push notification framework (PNF), a method comprising:

receiving, by a PNF server, a request from one or more servers implementing a service to connect with the PNF to authenticate the service;

providing, by the PNF server, to the service an authenticated mode on the PNF, the authenticated mode requiring registration of the service with the PNF;

providing, by the PNF server, to the service an unauthenticated mode on the PNF, the unauthenticated mode allowing unregistered use of the PNF;

receiving, by the PNF server, identifying information provided by the service, wherein the identifying information comprises a certificate for the service;

selecting, by the PNF server, between the authenticated mode and the unauthenticated mode for the service based on the identifying information provided by the service; and

based at least in part on the selected mode, providing, by the PNF server, subscription information to the service that permits the service to send push notifications to one or more client devices over a network,wherein;

an authenticated service communicates with the PNF server via a secure data transmission protocol and its authorization is controlled by the PNF server, andan unauthenticated service communicates with the PNF server via an un-secured data transmission protocol and is regulated by the PNF server by throttling notification flow from the service.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques and tools for flexible authentication and authorization of services on a push framework. For example, a push notification framework allows services (social networking web services, etc.) to use either an authenticated access mode or an unauthenticated access mode, in order to push information to client devices (e.g., mobile devices). In the authenticated mode, the push framework requires registration of the service with the push framework before allowing the service to push notifications to client devices. Different authenticated modes are provided for third-party and first-party services. In the unauthenticated mode, registration is not required, but notifications are throttled, thereby limiting risk of abuse by unauthenticated services. This allows flexibility for services that use the push framework.

48 Citations

View as Search Results

19 Claims

1. In a computer system configured to authenticate services on a push notification framework (PNF), a method comprising:
- receiving, by a PNF server, a request from one or more servers implementing a service to connect with the PNF to authenticate the service;
  
  providing, by the PNF server, to the service an authenticated mode on the PNF, the authenticated mode requiring registration of the service with the PNF;
  
  providing, by the PNF server, to the service an unauthenticated mode on the PNF, the unauthenticated mode allowing unregistered use of the PNF;
  
  receiving, by the PNF server, identifying information provided by the service, wherein the identifying information comprises a certificate for the service;
  
  selecting, by the PNF server, between the authenticated mode and the unauthenticated mode for the service based on the identifying information provided by the service; and
  
  based at least in part on the selected mode, providing, by the PNF server, subscription information to the service that permits the service to send push notifications to one or more client devices over a network,wherein;
  
  an authenticated service communicates with the PNF server via a secure data transmission protocol and its authorization is controlled by the PNF server, andan unauthenticated service communicates with the PNF server via an un-secured data transmission protocol and is regulated by the PNF server by throttling notification flow from the service.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1 wherein the certificate for the service comprises a subject name, the method further comprising:
    - registering a service name for the service; and
      
      validating the service name with the certificate'"'"'s subject name as part of authentication that confirms registration with the push notification framework.
  - 3. The method of claim 1 wherein the identifying information provided by the service further comprises a service name, the method further comprising:
    - looking up the service name to determine whether the service is registered with the push notification framework.
  - 4. The method of claim 1 wherein the selecting comprises selecting the authenticated mode, and wherein the subscription information comprises an HTTPs endpoint.
  - 5. The method of claim 1 wherein the selecting comprises selecting the unauthenticated mode, and wherein the subscription information comprises a front-end HTTP endpoint.
  - 6. The method of claim 1 further comprising selecting between an authenticated third-party service sub-mode and an authenticated internal service sub-mode, wherein the subscription information depends at least in part on the selected sub-mode.
  - 7. The method of claim 6, wherein the subscription information is a front-end HTTPs endpoint if authenticated third-party service sub-mode is selected, or a back-end HTTP endpoint if authenticated internal service sub-mode is selected.

8. In a computer system configured to authenticate services on a push notification framework (PNF), a method comprising:
- receiving, by a PNF server, subscription request information from a client device, the subscription request information identifying a service operable to send push notifications over a network to the client device, the service being implemented on one or more servers;
  
  based at least in part on the subscription request information, selecting, by the PNF server, between an unauthenticated communication mode and one or more authenticated communication modes for the service on the PNF, the authenticated mode requiring registration of the service with the PNF and the unauthenticated mode allowing unregistered use of the PNF; and
  
  providing, by the PNF server, a subscription token to the client device, the subscription token comprising endpoint information corresponding to the selected communication mode;
  
  wherein the endpoint information facilitates sending of push notifications from the service to the client device via the PNF;
  
  wherein the one or more authenticated communication modes for the service are authenticated on the PNF based on identifying information provided by the service, the identifying information comprising a certificate for the service;
  
  wherein an authenticated service communicates with the PNF server via a secure data transmission protocol and its authorization is controlled by the PNF server, andwherein an unauthenticated service communicates with the PNF server via an un-secured data transmission protocol and is regulated by the PNF server by throttling notification flow from the service.
- View Dependent Claims (9, 10, 11, 12, 13, 14, 15)
- - 9. The method of claim 8 wherein the selected communication mode is the unauthenticated mode, the method further comprising:
    - monitoring volume of push notifications sent by the service;
      
      determining whether the volume of push notifications sent by the service exceeds a threshold; and
      
      if the threshold is exceeded, preventing subsequent push notifications from being sent to the client device.
  - 10. The method of claim 9 wherein the threshold is associated with a time period.
  - 11. The method of claim 9 wherein the preventing of subsequent notifications from being sent comprises invalidating the subscription token.
  - 12. The method of claim 9 wherein the endpoint information comprises an IP address for a front-end HTTP endpoint.
  - 13. The method of claim 8 wherein the service is a third-party authenticated service, wherein the selected communication mode is a third-party authenticated communication mode, and wherein the endpoint information comprises an IP address for a front-end HTTPS endpoint.
  - 14. The method of claim 8 wherein the service is a first-party authenticated service, wherein the selected communication mode is a first-party authenticated communication mode, and wherein the endpoint information comprises an IP address for a private HTTP endpoint that is not accessible by third-party services.
  - 15. The method of claim 8 wherein the providing the subscription token to the client device comprises sending the subscription token to a push notification client stack on the client device.

16. In a computer system configured to authenticate services on a push notification framework (PNF), a method comprising:
- receiving, by a PNF server, a request from a service operable to send push notifications to one or more mobile client devices via the PNF server to connect with the PNF server to authenticate the service, the service being implemented on one or more servers;
  
  receiving, by the PNF server, a push notification message from the service;
  
  determining, by the PNF server, whether the service is an authenticated service or an unauthenticated service based on identifying information provided by the service, wherein the identifying information comprises a certificate for the service;
  
  for an authenticated service, determining, by the PNF server, whether the service is a first-party service or a third-party service;
  
  selecting, by the PNF server, between an unauthenticated communication mode, an authenticated third-party communication mode, and an authenticated first-party communication mode based on the determining, the authenticated modes requiring registration of the service with the PNF and the unauthenticated mode allowing unregistered use of the PNF; and
  
  based at least in part on the selected communication mode, determining, by the PNF server, whether to throttle push notifications from the service,wherein;
  
  an authenticated service communicates with the PNF server via a secure data transmission protocol and its authorization is controlled by the PNF server, andan unauthenticated service communicates with the PNF server via an un-secured data transmission protocol and is regulated by the PNF server by throttling notification flow from the service.
- View Dependent Claims (17, 18, 19)
- - 17. The method of claim 16 wherein the push notification message comprises an HTTP POST request containing a push notification.
  - 18. The method of claim 16 wherein the push notification message comprises a subscription token, the method further comprising:
    - as part of an authorization process, validating that a service name in the token is associated with a subscription that the subscription token points to.
  - 19. The method of claim 18 wherein the subscription token comprises an IP address indicating an endpoint at the push notification framework server to which the push notification message can be sent.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Qureshi, Rashid, Muthurajan, Anand, Raastroem, Jorge, Gbadegesin, Abolade, Veeramachaneni, Jithendra
Primary Examiner(s)
LESNIEWSKI, VICTOR D

Application Number

US12/686,304
Publication Number

US 20110173681A1
Time in Patent Office

1,624 Days
Field of Search

726/4, 709/206, 709/235, 709/236
US Class Current

726/4
CPC Class Codes

H04L 63/0823   using certificates cryptogr...

H04W 12/062   Pre-authentication

H04W 12/069   using certificates or pre-s...

H04W 4/06   Selective distribution of b...

H04W 4/10   Push-to-Talk [PTT] or Push-...

Flexible authentication and authorization mechanism

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

48 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Flexible authentication and authorization mechanism

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

48 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links