Securing partner-enabled web service

US 9,071,616 B2
Filed: 11/18/2010
Issued: 06/30/2015
Est. Priority Date: 11/18/2010
Status: Active Grant

First Claim

Patent Images

1. A method for securing a partner-enabled web service, comprising:

receiving a request, wherein the request comprises a canary value, to access the partner-enabled web service, wherein the request is received from a browser client for a partner application;

determining that a user is authorized to access the partner application;

the partner application generating a token that associates the user with the partner application;

generating a signature for the token, the signature to enable the partner-enabled web service to independently regenerate the signature, the token comprising an identifier for the partner application enabling the partner-enabled web service to detect which partner application generates the token; and

sending the token with the signature to the browser client.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The claimed subject matter provides a method for securing a partner-enabled web service. The method includes receiving a request to access the partner-enabled web service. The request is received from a browser client for a partner application. The browser client is associated with a user. Additionally, the method includes determining that the user is authorized to access the partner application. The method further includes generating a token that associates the user with the partner application. Also, the method includes sending the token to the browser client.

53 Citations

View as Search Results

20 Claims

1. A method for securing a partner-enabled web service, comprising:
- receiving a request, wherein the request comprises a canary value, to access the partner-enabled web service, wherein the request is received from a browser client for a partner application;
  
  determining that a user is authorized to access the partner application;
  
  the partner application generating a token that associates the user with the partner application;
  
  generating a signature for the token, the signature to enable the partner-enabled web service to independently regenerate the signature, the token comprising an identifier for the partner application enabling the partner-enabled web service to detect which partner application generates the token; and
  
  sending the token with the signature to the browser client.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method recited in claim 1, wherein the token further comprises:
    - a shared secret of the partner application and the partner-enabled web service;
      
      a user id; and
      
      an issue time that the token is generated.
  - 3. The method recited in claim 1, comprising encoding the token using a one-way hashing algorithm.
  - 4. The method recited in claim 1, comprising:
    - storing the token in a memory associated with the browser client;
      
      generating a representational state transfer (REST) request comprising a header comprising the token; and
      
      sending the REST request to the partner-enabled web service.
  - 5. The method recited in claim 4, comprising determining an expiration time of the token based on the issue time.
  - 6. The method recited in claim 5, comprising:
    - determining that a current time is after the expiration time; and
      
      rejecting the REST request.
  - 7. The method recited in claim 5, comprising:
    - determining that a current time is before the expiration time;
      
      generating a second token based on the user, the application id, and the issue time;
      
      comparing the second token to the token; and
      
      processing the request based on the comparison.
  - 8. The method recited in claim 7, wherein generating the second token comprises:
    - retrieving a user id for the user from the session;
      
      retrieving the identifier of the partner application from the REST request;
      
      retrieving the time from the REST request; and
      
      encoding the second token using the one-way hashing algorithm, wherein the second token comprises;
      
      a shared secret of the partner application and the partner-enabled web service;
      
      the user id;
      
      the identifier of the partner application; and
      
      an issue time that the token is generated.

9. A system for securing a partner-enabled web service, comprising:
- a processing unit; and
  
  a system memory, wherein the system memory comprises code configured to direct the processing unit to;
  
  receive a request, wherein the request comprises a canary value to access the partner-enabled web service, wherein the request is received from a browser client for a partner application, wherein the browser client is associated with a user;
  
  determine that the user is authorized to access the partner application;
  
  generate a token, using the partner application, the token associating the user with the partner application, and the token comprising an identifier for the partner application enabling the partner-enabled web service to identify the partner application as generating the token;
  
  generate a signature for the token, the signature to enable the partner-enabled web service to independently regenerate the signature; and
  
  send the token with the signature to the browser client.
- View Dependent Claims (10, 11, 12, 13, 14, 15)
- - 10. The system recited in claim 9, wherein the token comprises:
    - a shared secret of the partner application and the partner-enabled web service;
      
      a user id for the user; and
      
      an issue time that the token is generated.
  - 11. The system recited in claim 9, comprising code configured to direct the processing unit to encode the token using a one-way hashing algorithm.
  - 12. The system recited in claim 9, comprising code configured to direct the processing unit to:
    - store the token in a memory associated with the browser client;
      
      generate a representational state transfer (REST) request comprising a header comprising the token; and
      
      send the REST request to the partner-enabled web service.
  - 13. The system recited in claim 12, comprising code configured to direct the processing unit to determine a pre-determined expiration time of the token.
  - 14. The system recited in claim 13, comprising code configured to direct the processing unit to:
    - determine that a current time is before the expiration time;
      
      generate a second token based on the user, the application id, and the issue time;
      
      compare the second token to the token; and
      
      process the request based on the comparison.
  - 15. The system recited in claim 14, wherein the code configured to direct the processing unit to generate the second token comprises code configured to direct the processing unit to:
    - retrieve a user id for the user from the session;
      
      retrieve the identifier of the partner application from the REST request;
      
      retrieve the time from the REST request; and
      
      encode the second token using the one-way hashing algorithm, wherein the second token comprises;
      
      the user id;
      
      the identifier of the partner application;
      
      a shared secret of the partner application and the partner-enabled web service; and
      
      an issue time that the token is generated.

16. One or more computer-readable storage memory, comprising code configured to direct a processing unit to:
- receive a request to access a partner-enabled web service, wherein the request comprises a canary value and the request is received from a browser client for a partner application, wherein the browser client is associated with a user;
  
  determine that the user is authorized to access the partner application;
  
  generate a token that associates the user with the partner application, wherein the token comprises;
  
  a shared secret of the partner application and the partner-enabled web service;
  
  a user id of the user;
  
  an identifier of the partner application enabling the partner-enabled web service to identify the partner application as generating the token; and
  
  an issue time that the token is generated;
  
  generate a signature for the token, the signature to enable the partner-enabled web service to independently regenerate the signature;
  
  send the token with the signature to the browser client; and
  
  encode the token using a one-way hashing algorithm.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The one or more computer-readable storage media recited in claim 16, comprising code configured to direct the processing unit to:
    - store the token in a memory associated with the browser client;
      
      generate a representational state transfer (REST) request comprising a header comprising the token; and
      
      send the REST request to the partner-enabled web service.
  - 18. The one or more computer-readable storage media recited in claim 17, comprising code configured to direct the processing unit to:
    - determine that a current time is before an expiration time;
      
      generate a second token based on the user, the application id, and the issue time;
      
      compare the second token to the token; and
      
      process the request based on the comparison.
  - 19. The one or more computer-readable storage media recited in claim 18, wherein the code configured to direct the processing unit to generate the second token comprises code configured to direct the processing unit to:
    - retrieve the user id for the user from the session;
      
      retrieve the identifier of the partner application from the REST request;
      
      retrieve the time from the REST request; and
      
      encode the second token using the one-way hashing algorithm, wherein the second token comprises;
      
      the user id;
      
      the identifier of the partner application;
      
      the shared secret of the partner application and the partner-enabled web service; and
      
      an issue time that the token is generated.
  - 20. The one or more computer-readable storage media recited in claim 19, wherein the session is represented by a cookie.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Inventors
Lau, Eric Wai Ho, Jiang, Zhaowei Charlie, Jones, Ronald H. Jr., Isaacson, Derrick, Lemke, Ralph E., Wu, Peter
Primary Examiner(s)
Gelagay, Shewaye
Assistant Examiner(s)
Johnson, Carlton

Application Number

US12/948,770
Publication Number

US 20120131326A1
Time in Patent Office

1,685 Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/335   for accessing specific reso...

G06F 21/34   involving the use of extern...

H04L 63/06   for supporting key manageme...

H04L 63/102   Entity profiles

H04L 63/104   Grouping of entities

H04L 67/02   based on web technology, e....

H04L 67/568   Storing data temporarily at...

Securing partner-enabled web service

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

53 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Securing partner-enabled web service

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

53 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links