Scalable fine-grained multi-service authorization

US 8,925,043 B2
Filed: 07/10/2012
Issued: 12/30/2014
Est. Priority Date: 07/10/2012
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

at an authorization server, storing data representing operations that can be performed on a plurality of resources of a service provider at the request of users of a user population;

generating a set of {resource,operations} tuples, wherein a resource describes an endpoint for a network service and operations is a list of operations that are authorized on the endpoint;

de-duplicating the set of {resource,operations} tuples to eliminate duplicate tuples;

partitioning the de-duplicated set of {resource,operations} tuples into one or more subsets to minimize the number of subsets needed to describe authorizations across the user population and maximize a number of hash collisions in hash results to be computed across the one or more subsets;

combining a subset of the set of {resource,operations} tuples into a string according to a predetermined rule;

computing a hash of the string according to a hash function to generate hash results; and

in response to a request from a client, generating from the request a token that includes a list of one or more hash results each associated with a prefix to indicate a service provider on which the subset of {resource,operations} tuples corresponding to the hash result may be used, wherein the generating includes selecting a subset of {resource,operations} tuples that minimizes redundancy of data in the token and minimizes token size.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A scalable cross-protocol mechanism is provided for describing, transmitting and checking large lists of authorizations for operations on network resources. At an authorization server, data is stored that represents operations that can be performed on a plurality of resources of a service provider at the request of one or more users. A set of {resource,operations} tuples is generated, wherein a resource describes an endpoint for a network service and operations is a list of operations that are authorized on an endpoint. The set of {resource,operations} tuples is partitioned into one or more subsets. A subset of the set of {resource,operations} tuples is combined into a string according to a predetermined rule. A hash is then computed, according to a hash function, to generate hash results. Hashes are passed instead of the lists themselves to minimize data transfer and latency.

21 Citations

View as Search Results

26 Claims

1. A method comprising:
- at an authorization server, storing data representing operations that can be performed on a plurality of resources of a service provider at the request of users of a user population;
  
  generating a set of {resource,operations} tuples, wherein a resource describes an endpoint for a network service and operations is a list of operations that are authorized on the endpoint;
  
  de-duplicating the set of {resource,operations} tuples to eliminate duplicate tuples;
  
  partitioning the de-duplicated set of {resource,operations} tuples into one or more subsets to minimize the number of subsets needed to describe authorizations across the user population and maximize a number of hash collisions in hash results to be computed across the one or more subsets;
  
  combining a subset of the set of {resource,operations} tuples into a string according to a predetermined rule;
  
  computing a hash of the string according to a hash function to generate hash results; and
  
  in response to a request from a client, generating from the request a token that includes a list of one or more hash results each associated with a prefix to indicate a service provider on which the subset of {resource,operations} tuples corresponding to the hash result may be used, wherein the generating includes selecting a subset of {resource,operations} tuples that minimizes redundancy of data in the token and minimizes token size.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 24)
- - 2. The method of claim 1, further comprising storing the subset in a distributed hash table of {resource,operations} tuples based on the hash results that is accessible to the service provider so that the service provider is able to retrieve the subset using the hash results.
  - 3. The method of claim 1, further comprising generating a cacheable universal resource indicator that points to the subset and is described by the hash results for the string for storage and use by the service provider and clients.
  - 4. The method of claim 3, wherein the universal resource indicator is cacheable via a network protocol.
  - 5. The method of claim 1, further comprising retrieving subset using the hash results from an entity in the system that is known to have the subset.
  - 6. The method of claim 1, further comprising generating a signature for content of the token by the authorization server.
  - 7. The method of claim 6, further comprising sending the token with the signature to the client.
  - 8. The method of claim 7, further comprising the service provider receiving the token sent by the client, and checking the validity of the token to determine whether to grant access to one or more resources and operations.
  - 9. The method of claim 7, wherein the token is usable by a plurality of service providers.
  - 10. The method of claim 9, further comprising the client determining on which one or more service providers the token may be used based on prefix fields in the token.
  - 11. The method of claim 1, further comprising receiving the token and storing the one or more hash results contained in the token.
  - 12. The method of claim 11, further comprising:
    - at the client, parsing the received token;
      
      for each hash results in the list, retrieving the corresponding subset; and
      
      searching for a resource and operation that are associated with a user interface element.
  - 13. The method of claim 1, further comprising generating a notification via a notification mechanism such as publish/subscribe mechanism when it is determined that an existing token is no longer valid.
  - 24. The method of claim 1, wherein the generating further includes generating multiple prefixes each to indicate a corresponding service provider and separating hash results according to associated prefixes such that a service provider with a same prefix is included in a same list of hash results.

14. One or more computer readable storage media encoded with software comprising computer executable instructions and when the software is executed operable to:
- store data representing operations that can be performed on a plurality of resources of a service provider at the request of users in a user population;
  
  generate a set of {resource,operations} tuples, wherein a resource describes an endpoint for a network service and operations is a list of operations that are authorized on the endpoint;
  
  de-duplicate the set of {resource,operations} tuples do eliminate duplicate tuples;
  
  partition the de-duplicated set of {resource,operations} tuples into one or more subsets to minimize the number of subsets needed to describe authorizations across the user population and maximize a number of hash collisions in hash results to be computed across the one or more subsets;
  
  combine a subset of the set of {resource,operations} tuples into a string according to a predetermined rule;
  
  compute a hash of the string according to a hash function to generate hash results; and
  
  in response to a request from a client, generate from the request a token that includes a list of one or more hash results each associated with a prefix to indicate a service provider on which the subset of {resource,operations} tuples corresponding to the hash result may be used, wherein the generation of the set of {resource,operations} tuples includes selecting a subset of {resource,operations} tuples that minimizes redundancy of data in the token and minimizes token size.
- View Dependent Claims (15, 16, 25)
- - 15. The computer readable storage media of claim 14, further comprising instructions operable to generate a notification via a publish/subscribe mechanism when it is determined that an existing token is no longer valid.
  - 16. The computer readable storage media of claim 14, further comprising instructions operable to generate a cacheable universal resource indicator that points to the subset and is described by the hash results for the string for storage and use by the service provider and clients.
  - 25. The computer readable storage media of claim 14, further comprising instructions operable to generate multiple prefixes each to indicate a corresponding service provider and to separate hash results according to associated prefixes such that a service provider with a same prefix is included in a same list of hash results.

17. An apparatus comprising:
- a network interface unit configured to enable network communications;
  
  a memory;
  
  a processor coupled to the network interface unit and the memory, wherein the processor is configured to;
  
  store in the memory data representing operations that can be performed on a plurality of resources of a service provider at the request of users in a user population;
  
  generate a set of {resource,operations} tuples, wherein a resource describes an endpoint for a network service and operations is a list of operations that are authorized on the endpoint;
  
  de-duplicate the set of {resource,operations} tuples to eliminate duplicate tuples;
  
  partition the de-duplicated set of {resource,operations} tuples into one or more subsets to minimize the number of subsets needed to describe authorizations across the user population and maximize a number of hash collisions in hash results to be computed across the one or more subsets;
  
  combine a subset of the set of {resource,operations} tuples into a string according to a predetermined rule;
  
  compute a hash of the string according to a hash function to generate hash results; and
  
  in response to a request from a client, generate from the request a token that includes a list of one or more hash results each associated with a prefix to indicate a service provider on which the subset of {resource,operations} tuples corresponding to the hash result may be used, wherein generating the set of {resource,operations} tuples includes selecting a subset of {resource,operations} tuples that minimizes redundancy of data in the token and minimizes token size.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 26)
- - 18. The apparatus of claim 17, wherein the processor is configured to store the subset in a distributed hash table of {resource,operations} tuples based on the hash results that is accessible to the service provider so that the service provider is able to retrieve the subset using the hash results.
  - 19. The apparatus of claim 17, wherein the processor is configured to generate a cacheable universal resource indicator that points to the subset and is described by the hash results for the string for storage and use by the service provider and clients.
  - 20. The apparatus of claim 17, wherein the processor is further configured to generate a signature for content of the token, and to send the token with the signature to the client.
  - 21. A system comprising the apparatus of claim 17, and the client, and wherein the client is configured to:
    - parse the received token;
      
      for each hash results in the list, retrieve the corresponding subset; and
      
      search for a resource and operation that are associated with a user interface element.
  - 22. The apparatus of claim 17, wherein the processor is configured to generate a notification via a publish/subscribe mechanism when it is determined that an existing token is no longer valid.
  - 23. The computer readable storage media of claim 17, further comprising instructions operable to store the subset in a distributed hash table of {resource,operations} tuples based on the hash results that is accessible to the service provider so that the service provider is able to retrieve the subset using the hash results.
  - 26. The apparatus of claim 17, wherein the processor is further configured to generate multiple prefixes each to indicate a corresponding service provider and to separate hash results according to associated prefixes such that a service provider with a same prefix is included in a same list of hash results.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Hildebrand, Joseph J.
Primary Examiner(s)
Okeke, Izunna

Application Number

US13/545,081
Publication Number

US 20140020064A1
Time in Patent Office

903 Days
Field of Search
US Class Current

726/4
CPC Class Codes

G06F 21/335 for accessing specific reso...

G06F 21/41 where a single sign-on prov...

Scalable fine-grained multi-service authorization

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

21 Citations

26 Claims

Specification

Solutions

Use Cases

Quick Links

Scalable fine-grained multi-service authorization

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

21 Citations

26 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links