Method and apparatus for converting authentication-tokens to facilitate interactions between applications

US 8,799,639 B2
Filed: 07/25/2006
Issued: 08/05/2014
Est. Priority Date: 07/25/2006
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for converting authentication-tokens, comprising:

receiving, at a computer, a command-execution request from a first application, wherein the command-execution request specifies a command to be executed by a second application and includes a first authentication-token that is created by the first application based on a user authenticating to the first application;

verifying the first authentication-token at the computer;

translating the first authentication-token to a form associated with the second application to produce a second authentication-token, wherein the second authentication-token is in a form different than the first authentication-token;

modifying the command-execution request by replacing the first authentication-token with the second authentication-token to create a modified command-execution request; and

sending the modified command-execution request to the second application,wherein the command-execution request includes a target Uniform Resource Locator (URL) which specifies a location of the second application, a second authentication-token type which specifies a form of the second authentication-token, a user identifier for a user who is associated with the first authentication-token, and payload data for the second application.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

One embodiment of the present invention provides a system that converts authentication-tokens to facilitate interactions between applications. During operation, the system receives a command-execution request from a first application, wherein the command-execution request specifies a command to execute on a second application. Subsequently, the system verifies a first authentication-token included with the command-execution request. Next, the system translates the first authentication-token into a form associated with the second application to produce a second authentication-token. The system then modifies the command-execution request by replacing the first authentication-token with the second-authentication-token to create a modified command-execution request. Then, the system sends the modified command-execution request to the second application.

17 Citations

View as Search Results

26 Claims

1. A computer-implemented method for converting authentication-tokens, comprising:
- receiving, at a computer, a command-execution request from a first application, wherein the command-execution request specifies a command to be executed by a second application and includes a first authentication-token that is created by the first application based on a user authenticating to the first application;
  
  verifying the first authentication-token at the computer;
  
  translating the first authentication-token to a form associated with the second application to produce a second authentication-token, wherein the second authentication-token is in a form different than the first authentication-token;
  
  modifying the command-execution request by replacing the first authentication-token with the second authentication-token to create a modified command-execution request; and
  
  sending the modified command-execution request to the second application,wherein the command-execution request includes a target Uniform Resource Locator (URL) which specifies a location of the second application, a second authentication-token type which specifies a form of the second authentication-token, a user identifier for a user who is associated with the first authentication-token, and payload data for the second application.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein the first application is located on the same computer system as the second application.
  - 3. The method of claim 1, wherein the command-execution request comprises a first authentication-token type which specifies a form of the first authentication-token.
  - 4. The method of claim 1, wherein verifying the first authentication-token further comprises:
    - identifying a first authentication-token type for the first authentication-token;
      
      using decryption rules associated with the first authentication-token type to decrypt the first authentication-token to produce a decrypted first authentication-token; and
      
      verifying the validity of the decrypted first authentication-token.
  - 5. The method of claim 4, wherein verifying the validity of the decrypted first authentication-token can involve:
    - verifying that the decrypted first authentication-token has not expired; and
      
      verifying that the decrypted first authentication-token is associated with a user identifier.
  - 6. The method of claim 1, wherein translating the first authentication-token further comprises:
    - identifying the second authentication-token type;
      
      identifying a second user identifier which is mapped from the user identifier; and
      
      creating the second authentication-token associated with the second user identifier, wherein the second authentication-token is of the form specified by the second-authentication-token type.
  - 7. The method of claim 6, wherein creating the second authentication-token can involve:
    - requesting the second authentication-token from a third-party authentication-token provider; and
      
      receiving the second authentication-token from the third-party authentication-token provider.
  - 8. The method of claim 6, wherein the second user identifier comprises the user identifier.
  - 9. The method of claim 1, wherein the first authentication-token and the second authentication-token include one or more of:
    - a cookie;
      
      a digital certificate;
      
      a user-name/password pair;
      
      a cryptographic key; and
      
      a biometric identifier.
  - 10. The method of claim 1, wherein modifying the command-execution request further comprises:
    - modifying a format of the command to a format associated with the second application; and
      
      including the modified command with the modified command-execution request.

11. A non-transitory computer-readable storage medium storing instructions that when executed by a computer cause the computer to perform a method for converting authentication-tokens, the method comprising:
- receiving, at a bridge, a command-execution request from a first application, wherein the command-execution request specifies a command to be executed by a second application and includes a first authentication-token that is created by the first application based on a user authenticating to the first application;
  
  verifying the first authentication-token at the bridge;
  
  translating the first authentication-token to a form associated with the second application to produce a second authentication-token, wherein the second authentication-token is in a form different than the first authentication-token;
  
  modifying the command-execution request by replacing the first authentication-token with the second authentication-token to create a modified command-execution request; and
  
  sending the modified command-execution request to the second application,wherein the command-execution request includes a target Uniform Resource Locator (URL) which specifies a location of the second application, a second authentication-token type which specifies a form of the second authentication-token, a user identifier for a user who is associated with the first authentication-token, and payload data for the second application.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The computer-readable storage medium of claim 11, wherein the first application is located on the same computer system as the second application.
  - 13. The computer-readable storage medium of claim 11, wherein the command-execution request comprises a first authentication-token type which specifies a form of the first authentication-token.
  - 14. The computer-readable storage medium of claim 11, wherein verifying the first authentication-token further comprises:
    - identifying a first authentication-token type for the first authentication-token;
      
      using decryption rules associated with the first authentication-token type to decrypt the first authentication-token to produce authentication-token; and
      
      verifying the validity of the decrypted first authentication-token.
  - 15. The computer-readable storage medium of claim 14, wherein verifying the validity of the decrypted first authentication-token can involve:
    - verifying that the decrypted first authentication-token has not expired; and
      
      verifying that the decrypted first authentication-token is associated with a user identifier.
  - 16. The computer-readable storage medium of claim 11, wherein translating the first authentication-token further comprises:
    - identifying the second authentication-token type;
      
      identifying a second user identifier which is mapped from and the user identifier; and
      
      creating the second authentication-token associated with the second user identifier, wherein the second authentication-token is of the form specified by the second-authentication-token type.
  - 17. The computer-readable storage medium of claim 16, wherein creating the second authentication-token can involve:
    - requesting the second authentication-token from a third-party authentication-token provider; and
      
      receiving the second authentication-token from the third-party authentication-token provider.
  - 18. The computer-readable storage medium of claim 16, wherein the second user identifier comprises the user identifier.
  - 19. The computer-readable storage medium of claim 11, wherein the first authentication-token and the second authentication-token include one or more of:
    - a cookie;
      
      a digital certificate;
      
      a user-name/password pair;
      
      a cryptographic key; and
      
      a biometric identifier.
  - 20. The computer-readable storage medium of claim 11, wherein modifying the command-execution request further comprises:
    - modifying a format of the command to a format associated with the second application; and
      
      including the modified command with the modified command-execution request.

21. An apparatus that converts authentication-tokens, comprising:
- a receiving mechanism configured to receive, at a bridge, a command-execution request from a first application, wherein the command-execution request specifies a command to be executed by a second application and includes a first authentication-token that is created by the first application based on a user authenticating to the first application;
  
  a verification mechanism configured to verify the first authentication token at the bridge;
  
  a translation mechanism configured to translate the first authentication-token to a form associated with the second application to produce a second authentication-token, wherein the second authentication-token is in a form different than the first authentication-token;
  
  a modification mechanism configured to modify the command-execution request by replacing the first authentication-token with the second authentication-token to create a modified command-execution request; and
  
  a sending mechanism configured to send the modified command-execution request to the second application,wherein the command-execution request includes a target Uniform Resource Locator (URL) which specifies a location of the second application, a second authentication-token type which specifies a form of the second authentication-token, a user identifier for a user who is associated with the first authentication-token, and payload data for the second application.
- View Dependent Claims (22, 23, 24, 25, 26)
- - 22. The apparatus of claim 21, wherein the verification mechanism further comprises:
    - an identification mechanism configured to identify a first authentication-token type for the first authentication-token;
      
      a decryption mechanism configured to use decryption rules associated with the first authentication-token type to decrypt the first authentication-token to produce a decrypted first authentication-token; and
      
      a second verification mechanism configured to verify the validity of the decrypted first authentication-token.
  - 23. The apparatus of claim 21, wherein the translation mechanism further comprises:
    - an identification mechanism configured to identify the second authentication-token type;
      
      a second identification mechanism configured to identify a second user identifier which is mapped from and the user identifier; and
      
      a creation mechanism configured to create the second authentication-token associated with the second user identifier, wherein the second authentication-token is of the form specified by the second-authentication-token type.
  - 24. The apparatus of claim 22, wherein the second verification mechanism is further configured to:
    - verify that the decrypted first authentication-token has not expired; and
      
      toverify that the decrypted first authentication-token is associated with a user identifier.
  - 25. The apparatus of claim 23, wherein the creation mechanism further comprises:
    - a requesting mechanism configured to request the second authentication-token from a third-party authentication-token provider; and
      
      a receiving mechanism configured to receive the second authentication-token from the third-party authentication-token provider.
  - 26. The apparatus of claim 21, wherein the modification mechanism is further configured to:
    - modify a format of the command to a format associated with the second application; and
      
      toinclude the modified command with the modified command-execution request.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intuit, Inc.
Original Assignee
Intuit, Inc.
Inventors
Balazs, Alex G., Pan, Zane Z. Y.
Primary Examiner(s)
Pwu, Jeffrey
Assistant Examiner(s)
Woldemariam, Nega

Application Number

US11/493,693
Publication Number

US 20080046715A1
Time in Patent Office

2,933 Days
Field of Search

713/150, 713/152, 713/182, 711/100, 711/104, 711/112, 711/145, 711/150, 709/211, 709/212, 709/216, 709/217, 709/219, 726/2, 726/27, 726/34, 380/229, 380/232, 380/247, 380/258
US Class Current

713/152
CPC Class Codes

G06F 21/33   using certificates

G06F 21/41   where a single sign-on prov...

H04L 63/0815   providing single-sign-on or...

Method and apparatus for converting authentication-tokens to facilitate interactions between applications

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

17 Citations

26 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for converting authentication-tokens to facilitate interactions between applications

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

17 Citations

26 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links