Methods and apparatus for delegated authentication token retrieval

US 8,856,887 B2
Filed: 07/09/2012
Issued: 10/07/2014
Est. Priority Date: 07/09/2012
Status: Active Grant

First Claim

Patent Images

1. A non-transitory processor-readable medium storing code representing instructions to be executed by a processor, the code comprising code to cause the processor to:

send, at a first time, from an authorization client on a device to a client authorization module, an indication of a plurality of applications installed on the device, subsequent to intercepting a request to launch at least one application from the plurality of applications such that the application is prevented from receiving the indication;

receive, at a second time after the first time, at the authorization client and in response to the indication, a plurality of application tokens from the client authorization module, each application token from the plurality of application tokens being uniquely associated with an application from the plurality of applications; and

provide, using the authorization client, each application from the plurality of applications its associated application token from the plurality of application tokens such that each application from the plurality of applications is authenticated to an application server associated with that application from the plurality of applications when its associated application token is received at the application server.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In some embodiments, a non-transitory processor-readable medium includes code to cause a processor to send, from an authorization client on a device to a client authorization module, an indication of multiple applications installed on the device, and receive, at the authorization client and in response to the indication, multiple application tokens from the client authorization module. Each individual application token from the multiple application tokens received by the authorization client is uniquely associated with an application from the multiple applications installed on the device. The authorization client provides each application its associated application token such that each application from the multiple applications can use that application token in order to be authenticated to an application server associated with the application.

59 Citations

View as Search Results

20 Claims

1. A non-transitory processor-readable medium storing code representing instructions to be executed by a processor, the code comprising code to cause the processor to:
- send, at a first time, from an authorization client on a device to a client authorization module, an indication of a plurality of applications installed on the device, subsequent to intercepting a request to launch at least one application from the plurality of applications such that the application is prevented from receiving the indication;
  
  receive, at a second time after the first time, at the authorization client and in response to the indication, a plurality of application tokens from the client authorization module, each application token from the plurality of application tokens being uniquely associated with an application from the plurality of applications; and
  
  provide, using the authorization client, each application from the plurality of applications its associated application token from the plurality of application tokens such that each application from the plurality of applications is authenticated to an application server associated with that application from the plurality of applications when its associated application token is received at the application server.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The non-transitory processor-readable medium of claim 1, wherein the code to cause the processor to send includes code to cause the processor to:
    - send, from the authorization client to the client authorization module, an identifier associated with an access level of a user associated with the device, the plurality of applications being associated with the access level.
  - 3. The non-transitory processor-readable medium of claim 1, further comprising code to cause the processor to:
    - determine, prior to sending the indication, an identifier associated with each application from the plurality of applications installed on the device.
  - 4. The non-transitory processor-readable medium of claim 1, wherein the authorization client is a native application installed on the device.
  - 5. The non-transitory processor-readable medium of claim 1, wherein a first application from the plurality of applications is an enterprise application, a second application from the plurality of applications is a Software as a Service (SaaS) application.
  - 6. The non-transitory processor-readable medium of claim 1, wherein the plurality of applications is a first plurality of applications installed on the device, the indication being an indication of the first plurality of applications and a second plurality of applications installed on the device, the code further comprising code to cause the processor to:
    - receive an indication that a user associated with the device is unauthorized to use each application from the second plurality of applications.

7. An apparatus, comprising:
- an authorization client installed on a device associated with a user, the authorization client configured to send, at a first time, to a client authorization module, an application token request associated with a plurality of applications installed on the device, subsequent to intercepting a request to launch an application from the plurality of applications such that the application is prevented from receiving the indication, the authorization client configured to receive, at a second time after the first time, in response to the application token request, (1) a set of application tokens associated with a first set of applications from the plurality of applications, and (2) an indication that the user associated with the device is unauthorized to use each application from a second set of applications from the plurality of applications and mutually exclusive of the first set of applications, each application token from the set of application tokens being uniquely associated with an application from the first set of applications,the authorization client configured to provide each application from the first set of applications with its associated application token from the set of application tokens such that each application from the first set of applications is authenticated to an application server associated with that application when its associated application token is received at the application server.
- View Dependent Claims (8, 9, 10, 11)
- - 8. The apparatus of claim 7, wherein the authorization client is configured to send an identifier associated with the user to the client authorization module, the authorization client configured to receive, in response to the identifier, a user authorization token, the authorization client configured to provide the user authorization token to the client authorization module with the client token request.
  - 9. The apparatus of claim 7, wherein the application server is at least one of a Software as a Service (SaaS) host or an enterprise host.
  - 10. The apparatus of claim 7, wherein the authorization client is configured to retrieve, prior to sending the application token request, a plurality of identifiers, each identifier from the plurality of identifiers being uniquely associated with an application from the plurality of applications installed on the device, the application token request being based at least in part on the plurality of identifiers.
  - 11. The apparatus of claim 7, wherein each token from the set of application tokens is an OAuth access token.

12. An apparatus, comprising:
- a client authorization module configured to receive, at a first time, from an authorization client at a client device, subsequent to the authorization client intercepting a request to launch at least one application from a plurality of applications installed on the client device such that the at least one application is prevented from receiving the indication, an application token request associated with the plurality of applications, the client authorization module configured to send, at a second time after the first time, in response to the application token request, a plurality of tokens to the authorization client such that the authorization client provides each application from the plurality of applications with a uniquely associated token from the plurality of tokens,the client authorization module configured to receive an authentication request from an application module associated with an application from the plurality of applications, the authentication request including a token from the plurality of tokens and uniquely associated with that application, the client authorization module configured to send an authentication signal to the application module in response to the client authorization module verifying the token as a valid token for the application.
- View Dependent Claims (13, 14, 15)
- - 13. The apparatus of claim 12, wherein the client authorization module is configured to receive an identifier associated with a user of the client device, the client authorization module configured to send, in response to the identifier, a user authorization token associated with an access right of the user.
  - 14. The apparatus of claim 12, wherein the client authorization module and the application module are included in an enterprise server.
  - 15. The apparatus of claim 12, wherein the client authorization module is hosted at a first host device, the application module is hosted at a second host device different from the first host device.

16. A non-transitory processor-readable medium storing code representing instructions to be executed by a processor, the code comprising code to cause the processor to:
- intercept, at an authorization client on a device and at a first time, an indication that a user associated with the device has requested to launch an application installed on the device such that the application is prevented from receiving the indication;
  
  send at a second time after the first time, from the authorization client to a client authorization module and in response to the indication, a request for an application token for the application;
  
  receive, at the authorization client and in response to the request, the application token from the client authorization module;
  
  associate, using the authorization client, the application token with the application at the device; and
  
  send, using the authorization client and after associating the application token with the application, the indication to the application such that the application launches with the application token and in response to the indication.
- View Dependent Claims (17, 18, 19)
- - 17. The non-transitory processor-readable medium of claim 16, wherein the code to cause the processor to send the request includes code to cause the processor to:
    - send, from the authorization client to the client authorization module, an identifier associated with an access level of the user, the application being approved for the access level.
  - 18. The non-transitory processor-readable medium of claim 16, wherein the authorization client is a native application installed on the device.
  - 19. The non-transitory processor-readable medium of claim 16, wherein the code to cause the processor to associate includes code to cause the processor to associate the application token with the application such that the application is authenticated to at least one of a Software as a Service (SaaS) host associated with the application or an enterprise host associated with the application based on the application token after launching the application.

20. The non-transitory processor-readable medium of 16, wherein the indication is a first indication, the code to cause the processor to associate includes code to cause the processor to associate at a third time, the code further comprising code to cause the processor to:
- intercept, at the authorization client and at a fourth time after the third time, a second indication that the user associated with the device has requested to launch the application;
  
  determine that the application token is associated with the application at the device; and
  
  send the second indication to the application such that the application launches with the application token in response to the second indication.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Ping Identity Corporation
Original Assignee
Ping Identity Corporation
Inventors
Field-Eliot, Bryan, Narahari, Sateesh, Madsen, Paul
Primary Examiner(s)
Rashid, Harunur

Application Number

US13/544,565
Publication Number

US 20140013396A1
Time in Patent Office

820 Days
Field of Search

713/172, 713/182, 726/4, 726/6
US Class Current

726/4
CPC Class Codes

G06F 21/335   for accessing specific reso...

G06F 21/41   where a single sign-on prov...

G06F 21/44   Program or device authentic...

H04L 63/08   for authentication of entit...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/0884   by delegation of authentica...

H04L 63/102   Entity profiles

H04L 9/3213   using tickets or tokens, e....

Methods and apparatus for delegated authentication token retrieval

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

59 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Methods and apparatus for delegated authentication token retrieval

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

59 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links