Use of metadata for computing resource access
First Claim
1. A computer-implemented method for controlling access to one or more computing resources, comprising:
- receiving, by a computer system of one or more computer systems, the computer system having one or more computing devices, a request for a session credential subsequent to successful completion of an authentication process by a user, the session credential including information enabling the user to delegate access to a specified delegatee, the information having data identifying the specified delegatee;
generating, with the one or more computer systems, a session credential that encodes information identifying a type of the authentication process successfully completed by the user and one or more policies applicable to the specified delegatee;
transmitting the session credential to the specified delegatee, the session credential being opaque to the specified delegatee and provided from the user to the specified delegatee;
receiving the generated session credential in connection with a request from the specified delegatee to access the one or more computing resources, the one or more computing resources being distinct from the one or more computer systems generating the session credential;
determining the type of authentication process successfully completed by the user, whether the user is authorized to delegate access to the specified delegatee and whether the specified delegatee is authorized to access the one or more computing resources based at least in part on the information encoded by the session credential; and
determining, based at least in part on the information identifying the type of authentication process and the one or more policies applicable to the specified delegatee encoded by the session credential, whether to fulfill the request; and
when determined to fulfill the request, providing to the specified delegatee the requested access to the one or more computing resources.
1 Assignment
0 Petitions
Accused Products
Abstract
Systems and methods for controlling access to one or more computing resources relate to generating session credentials that can be used to access the one or more computing resources. Access to the computing resources may be governed by a set of policies and requests for access made using the session credentials may be fulfilled depending on whether they are allowed by the set of policies. The session credentials themselves may include metadata that may be used in determining whether to fulfill requests to access the one or more computing resources. The metadata may include permissions for a user of the session credential, claims related to one or more users, and other information.
-
Citations
34 Claims
-
1. A computer-implemented method for controlling access to one or more computing resources, comprising:
-
receiving, by a computer system of one or more computer systems, the computer system having one or more computing devices, a request for a session credential subsequent to successful completion of an authentication process by a user, the session credential including information enabling the user to delegate access to a specified delegatee, the information having data identifying the specified delegatee; generating, with the one or more computer systems, a session credential that encodes information identifying a type of the authentication process successfully completed by the user and one or more policies applicable to the specified delegatee; transmitting the session credential to the specified delegatee, the session credential being opaque to the specified delegatee and provided from the user to the specified delegatee; receiving the generated session credential in connection with a request from the specified delegatee to access the one or more computing resources, the one or more computing resources being distinct from the one or more computer systems generating the session credential; determining the type of authentication process successfully completed by the user, whether the user is authorized to delegate access to the specified delegatee and whether the specified delegatee is authorized to access the one or more computing resources based at least in part on the information encoded by the session credential; and determining, based at least in part on the information identifying the type of authentication process and the one or more policies applicable to the specified delegatee encoded by the session credential, whether to fulfill the request; and when determined to fulfill the request, providing to the specified delegatee the requested access to the one or more computing resources. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
-
-
15. A computer-implemented method for controlling access to one or more computing resources, comprising:
-
receiving, by one or more computer devices, a session credential generated by one or more computer systems from a specified delegatee in connection with a request from the specified delegatee to access the one or more computing resources, the session credential being opaque to the specified delegatee and provided by the one or more computer systems to a user, the one or more computing resources being distinct from the one or more computer systems, the session credential encoding one or more claims identifying at least one type of at least one authenticating action the user has completed and one or more policies applicable to the specified delegatee, the session credential including information enabling the user to delegate access to the specified delegatee, the information having data identifying the specified delegatee; determining, with the one or more computer devices, the at least one type of authenticating action the user has completed, whether the user is authorized to delegate access to the specified delegatee and whether the specified delegatee is authorized to access the one or more computing resources based at least in part on the one or more encoded claims; determining, based at least in part on the one or more claims encoded by the session credential and one or more policies, whether to fulfill the request to access the one or more computing resources, the one or more policies encoded in the session credential; and when determined to fulfill the request, providing the requested access. - View Dependent Claims (16, 17, 18, 19, 20, 21)
-
-
22. A computer-implemented method for controlling access to one or more computing resources, comprising:
-
receiving, by one or more computing devices, a request to initiate a session; in response to the request, generating, by the one or more computing devices, a session credential that encodes information that attests to one or more authenticating actions completed by a user that are required by a set of one or more policies for accessing the one or more computing resources and one or more types of the one or more authenticating actions completed by the user, the one or more policies applicable to a specified delegatee, the session credential including information enabling the user to delegate access to the specified delegatee, the information having data identifying the specified delegatee; and transmitting the generated session credential as opaque to the specified delegatee and provided by the one or more computing devices from the user to enable the specified delegatee to access the one or more computing resources, the one or more computing resources being distinct from the one or more computer systems, by determining the one or more types of the one or more authenticating actions completed by the user based at least in part on the information encoded by the generated session credential and verifying, using the generated session credential, that the one or more authenticating actions have been completed by the user, and whether the user is authorized to delegate access to the specified delegatee and whether the specified delegatee is authorized to access the one or more computing resources. - View Dependent Claims (23, 24, 25, 26, 27)
-
-
28. A computer system for managing credentials, comprising:
-
one or more processors; and memory, including executable instructions that, when executed by the one or more processors, cause the one or more processors to collectively at least; receive a session credential generated by the computer system from a specified delegatee in connection with a request from the specified delegatee to access one or more computing resources, the one or more computing resources being distinct from the computer system for managing credentials, the session credential encoding one or more claims identifying a user and one or more verifying actions the user has taken, one or more types of the one or more verifying actions taken by the user and one or more policies, the session credential being opaque to the specified delegatee and provided by the computer system to the user, the one or more verifying actions by which authentication of the user was completed; determine the one or more types of the one or more verifying actions taken by the user and the one or more policies based at least in part on the one or more claims encoded by the session credential; determine, based at least in part on the one or more claims encoded by the session credential, the one or more types of the one or more verifying actions taken by the user and one or more policies, whether to fulfill the request for the specified delegatee to access the one or more computing resources based on the session credential; and when determined to fulfill the request, provide the requested access to the specified delegatee. - View Dependent Claims (29, 30)
-
-
31. One or more non-transitory computer-readable storage media having collectively stored thereon instructions executable by one or more processors of a computer system that, when executed by the one or more processors, cause the computer system to at least:
-
receive a request to initiate a session; in response to the request, generate a session credential that encodes information that attests to one or more actions taken by a user and one or more types of the one or more actions taken by the user that are required by a set of one or more policies applicable to a specified delegatee for accessing one or more computing resources, the one or more computing resources being distinct from the computer system, the information having data identifying the user; transmit the generated session credential to the specified delegatee to enable the user to verify one or more facts so that the specified delegatee may access the one or more computing resources by determining the one or more types of the one or more actions taken by the user and the one or more policies based at least in part on the information encoded by the generated session credential and verifying, using the generated session credential, that the one or more actions have been completed by the user, and whether the user is authorized to delegate access to the specified delegatee and whether the specified delegatee is authorized to access the one or more computing resources, the generated session credential being opaque to the specified delegatee and provided by the computer system to the user, the one or more actions by which authentication of the user is completed. - View Dependent Claims (32, 33, 34)
-
Specification