System and method for secure identity service
First Claim
1. A method for managing user identities on a network comprising:
receiving, by an identity service executing on a processor in a server on the network, a request to register an identity for a first user, the request including a token containing a notification service account identifier for a mobile device of the first user that uniquely identifies the mobile device of the first user to a push notification service, the push notification service executing on a processor in a server on the network to transmit data to mobile devices identified by tokens, the request further including one or more authenticated identification (ID) codes uniquely identifying the first user;
storing, by the identity service, an entry for the first user within a registration database, the entry associating the token with the authenticated ID codes of the first user;
receiving, by the identity service, a query from a second user to communicate with the first user, the query including at least one of the authenticated ID codes of the first user, the query further including at least one authenticated ID code of the second user and a token containing a notification service account identifier for a mobile device of the second user that uniquely identifies the mobile device of the second user to the push notification service on the network;
generating, by the identity service, a first query signature over one or more of the authenticated ID codes and tokens of the first and second users, and a timestamp, the query signature usable by application-specific network services to authenticate communication between the first and second users on the network; and
transmitting, by the identity service, the first query signature and the first user's token to the mobile device of the second user, the mobile device of the second user subsequently sending a message to the push notification service for delivery to the first user upon verification by a first application-specific network service using the first query signature sent to the first application-specific network service by the push notification service.
1 Assignment
0 Petitions
Abstract
A system and method for securely processing identity information. For example, in one embodiment of the invention, a first user is registered on an identity service with one or more identification (ID) codes and a token. In response to a query from a second user to connect with the first user, a query signature is generated using the one or more ID codes and token of the first and second users, and a timestamp. The query signature is usable by network services to authenticate communication between the first and second users on the network over a specified period of time. In another embodiment, user ID codes and tokens are cached on mobile devices and/or a system cache to improve performance. The validity of the cached data is determined by calculating a fingerprint which, in one embodiment, is a hash of the ID code, token and a timestamp.
31 Claims
1. A method for managing user identities on a network comprising:
receiving, by an identity service executing on a processor in a server on the network, a request to register an identity for a first user, the request including a token containing a notification service account identifier for a mobile device of the first user that uniquely identifies the mobile device of the first user to a push notification service, the push notification service executing on a processor in a server on the network to transmit data to mobile devices identified by tokens, the request further including one or more authenticated identification (ID) codes uniquely identifying the first user;
storing, by the identity service, an entry for the first user within a registration database, the entry associating the token with the authenticated ID codes of the first user;
receiving, by the identity service, a query from a second user to communicate with the first user, the query including at least one of the authenticated ID codes of the first user, the query further including at least one authenticated ID code of the second user and a token containing a notification service account identifier for a mobile device of the second user that uniquely identifies the mobile device of the second user to the push notification service on the network;
generating, by the identity service, a first query signature over one or more of the authenticated ID codes and tokens of the first and second users, and a timestamp, the query signature usable by application-specific network services to authenticate communication between the first and second users on the network; and
transmitting, by the identity service, the first query signature and the first user's token to the mobile device of the second user, the mobile device of the second user subsequently sending a message to the push notification service for delivery to the first user upon verification by a first application-specific network service using the first query signature sent to the first application-specific network service by the push notification service.
View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
11. A method comprising:
receiving, by an identity service executing on a processor in a server on a network, a first query from a mobile device of a first user to communicate with a mobile device of a second user;
responsively providing, by the identity service, the mobile device of the first user with one or more authenticated identities of the second user, a token for a mobile device of the second user, and a fingerprint generated with one or more authenticated identities of the first user, the token, and a timestamp, the token containing a notification service account identifier for the mobile device of the second user that uniquely identifies each mobile device of the second user to a push notification service, the push notification service executing on a processor in a server on the network to transmit data to mobile devices identified by tokens, the mobile device of the first user subsequently sending a message to the push notification service for delivery to the second user upon verification by a first application-specific network service using authentication identifiers and tokens for the first and second users sent to the first application-specific network service by the push notification service; and
subsequently checking, by the identity service, the fingerprint on the mobile device of the first user to determine if the fingerprint is still valid in response to a second query generated from the first user to communicate with the second user, wherein if the fingerprint is still valid then re-using the one or more authenticated identities of the second user and the token of the second user provided in response to the first query.
View Dependent Claims (12, 13, 14, 15, 16)
17. A non-transitory machine-readable medium having program code stored thereon which, when executed by one or more machines, causes the machines to perform the operations of:
receiving, by an identity service executing on a processor in a server on a network, a request from a mobile device of a second user at a first application-specific network service to establish a communication channel with a mobile device of a first user;
generating, by the identity service, a second query signature at the first application-specific network service using authenticated ID codes and tokens of the first and second users, and a current timestamp, the tokens containing a notification service account identifier for each of the mobile devices of the first and second users that uniquely identifies each of the mobile devices to a push notification service, the push notification service executing on a processor in the network to transmit data to mobile devices identified by tokens; and
if a first query signature and the second query signature match, then allowing communication between the mobile devices of the first user and the second user using the first application-specific network service, the first query signature sent from the push notification service to the first application-specific network service to verify a message sent from the mobile device of the second user to the push notification service for delivery to the first user.
View Dependent Claims (18, 19, 20, 21, 22, 23, 24, 25)
26. A non-transitory machine-readable medium having program code stored thereon which, when executed by one or more machines, causes the machines to perform the operations of:
receiving, by an identity service executing on a processor in a server on a network, a first query from a mobile device of a first user to communicate with a mobile device of a second user;
responsively providing, by the identity service, the mobile device of the first user with one or more authenticated identities of the second user, a token containing a notification service account identifier for a mobile device of the second user, the token uniquely identifying the mobile device of the second user to a push notification service, the push notification service executing on a processor in a server on the network to transmit data to mobile devices identified by tokens, and a fingerprint generated with one or more authenticated identities of the first user, the token, and a timestamp, the mobile device of the first user subsequently sending a message to the push notification service for delivery to the second user upon verification by a first application-specific network service using authentication identifiers and tokens for the first and second users sent to the first application-specific network service by the push notification service; and
subsequently checking, by the identity service, the fingerprint on the mobile device of the first user to determine if the fingerprint is still valid in response to a second query generated from the first user to communicate with the second user, wherein if the fingerprint is still valid then re-using the one or more authenticated identities of the second user and the token of the second user provided in response to the first query.
View Dependent Claims (27, 28, 29, 30, 31)
Specification