Authorization messaging with integral delegation data

US 9,130,926 B2
Filed: 12/27/2012
Issued: 09/08/2015
Est. Priority Date: 12/27/2012
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for authorizing access by a client application to a resource of a user maintained on a first server computing system, the client application being implemented on a second server computing system, the method comprising:

receiving a delegation message from the first server computer system to initiate authorization of the access by the client application;

issuing, in response to the delegation message, an authorization message to the first server computer system, the authorization message comprising an authorization data package for redemption by the client application, the authorization data package comprising first through fourth integral delegation data specifying the user, the client application, the resource, and a timestamp, respectively;

receiving a redemption message from the second server computing system comprising the authorization data package;

conducting, with a processor, an analysis of the authorization data package; and

sending an access token to the second server computing system based on the analysis.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer-implemented method for authorizing access by a client application to a resource of a user maintained on a first server computing system, the client application being implemented on a second server computing system, includes receiving a delegation message from the first server computer system to initiate authorization of the access by the client application, issuing an authorization message to the first server computer system, the authorization message comprising an authorization data package for redemption by the client application, the authorization data package comprising first through fourth integral delegation data indicative of the user, the client application, the resource, and a timestamp, respectively, receiving a redemption message from the second server computing system comprising the authorization data package, conducting an analysis of the authorization data package, and sending an access token to the second server computing system based on the analysis.

25 Citations

View as Search Results

20 Claims

1. A computer-implemented method for authorizing access by a client application to a resource of a user maintained on a first server computing system, the client application being implemented on a second server computing system, the method comprising:
- receiving a delegation message from the first server computer system to initiate authorization of the access by the client application;
  
  issuing, in response to the delegation message, an authorization message to the first server computer system, the authorization message comprising an authorization data package for redemption by the client application, the authorization data package comprising first through fourth integral delegation data specifying the user, the client application, the resource, and a timestamp, respectively;
  
  receiving a redemption message from the second server computing system comprising the authorization data package;
  
  conducting, with a processor, an analysis of the authorization data package; and
  
  sending an access token to the second server computing system based on the analysis.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The computer-implemented method of claim 1, wherein the authorization is registered via an entry in a database, and wherein the access token is sent based on the analysis rather than whether the database entry is available to the processor.
  - 3. The computer-implemented method of claim 1, wherein a record of a previous authorization for the client application is present in a data store in communication with the processor when the delegation message is received, and wherein the access token is sent based on the analysis rather than the record in the data store.
  - 4. The computer-implemented method of claim 1, wherein the authorization data package further comprises further integral delegation data indicative of a consent type of the authorization, the consent type identifying whether an administrator set up the authorization on behalf of a plurality of enterprise users, the plurality of enterprise users comprising the user.
  - 5. The computer-implemented method of claim 1, wherein conducting the analysis comprises determining whether a delegation entry in a delegation database exists for the user based on the first integral delegation data.
  - 6. The computer-implemented method of claim 1, wherein conducting the analysis comprises verifying an account status for the user based on the first integral delegation data.
  - 7. The computer-implemented method of claim 1, wherein the authorization data package is encrypted.
  - 8. The computer-implemented method of claim 1, wherein the authorization data package is configured as a binary large object (blob) within the authorization message.
  - 9. The computer-implemented method of claim 1, wherein issuing the authorization message comprises serializing the first through fourth integral delegation data in a parameter string.
  - 10. The computer-implemented method of claim 9, wherein issuing the authorization message further comprises compressing, encrypting, and signing the parameter string.
  - 11. The computer-implemented method of claim 9, wherein the parameter string has a Javascript Object Notation (JSON) format.
  - 12. The computer-implemented method of claim 1, wherein the authorization data package is configured as a refresh token and further comprises further integral delegation data indicative of a duration of the refresh token.
  - 13. The computer-implemented method of claim 1, wherein the authorization data package further comprises further integral delegation data indicative of a scope of rights granted to the client application.

14. A system for authorizing access by a client application to a resource of a user maintained on a first server computing system, the client application being implemented on a second server computing system, the system comprising:
- a memory in which authorization instructions and redemption analysis instructions are stored; and
  
  a processor coupled to the memory and configured to execute the authorization instructions to issue, in response to a delegation message from the first server computing system to initiate authorization of the access, an authorization message comprising an authorization data package, the authorization data package comprising first through fourth integral delegation data specifying the user, the client application, the resource, and a timestamp, respectively;
  
  wherein the processor is further configured to execute the redemption analysis instructions to;
  
  conduct an analysis of the authorization data package in response to a redemption message from the second server computing system comprising the authorization data package, the analysis comprising an evaluation of the first integral delegation data to verify an account status of the user; and
  
  send an access token to the second server computing system based on the analysis.
- View Dependent Claims (15, 16, 17, 18, 19)
- - 15. The system of claim 14, further comprising a data store in communication with the processor and configured to register the authorization via storage of a record in the data store, and wherein the processor is configured to execute the redemption analysis instructions to send the access token based on the analysis rather than whether the record is available to the processor.
  - 16. The system of claim 14, further comprising a data store in communication with the processor and configured to store a record of a previous authorization for the client application, wherein the processor is configured to execute the redemption analysis instructions to send the access token based on the analysis rather than the record in the data store.
  - 17. The system of claim 14, further comprising a data store in communication with the processor and configured to store a record of a previous authorization for the client application based on administrator consent to future authorizations for a plurality of enterprise users, the plurality of enterprise users comprising the user, wherein the processor is configured to execute the redemption analysis instructions to send the access token based on the analysis and the record of the previous authorization.
  - 18. The system of claim 17, wherein the authorization data package further comprises further integral delegation data indicative of a consent type of the authorization, the consent type identifying whether the administrator set up the authorization on behalf of the plurality of enterprise users.
  - 19. The system of claim 14, wherein the processor comprises first and second server computers in networked communication with one another and configured to execute the authorization and redemption analysis instructions, respectively.

20. A computer program product for implementing a method of authorizing access by a client application to a resource of a user maintained on a first server computing system, the client application being implemented on a second server computing system, the computer program product comprising one or more computer-readable storage media having stored thereon computer-executable instructions that, when executed by one or more processors of a computing system, cause the computing system to perform the method, the method comprising:
- receiving a delegation message from the first server computer system to initiate authorization of the access by the client application;
  
  issuing, in response to the delegation message, an authorization message to the first server computer system for redemption by the second server computer system, the authorization message comprising an authorization data package, the authorization data package comprising integral delegation data specifying the user, the client application, the resource, a timestamp, and a consent type, the integral delegation data being serially arranged, compressed, encrypted, and signed in a parameter string, the consent type being indicative of whether an administrator authorized the access on behalf of the user;
  
  receiving a redemption message from the second server computing system comprising the authorization data package;
  
  conducting an analysis of the authorization data package, the analysis comprising an evaluation of the integral delegation data to verify an account status of the user; and
  
  sending an access token to the second server computing system based on the analysis.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Inventors
Nori, Vijayavani, Wilson, Hervey O., Baker, Caleb G., Johnson, Gregory C., Satagopan, Murli Dharan, Sakhnov, Igor, Kwok, Samantha
Primary Examiner(s)
Zand, Kambiz
Assistant Examiner(s)
Tran, Tongoc

Application Number

US13/727,690
Publication Number

US 20140189797A1
Time in Patent Office

985 Days
Field of Search

726/1, 726/2, 726/6, 726/9, 726/20, 726/27, 726/29, 726/4, 709/203, 709/204, 709/223
US Class Current

1/1
CPC Class Codes

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/0815   providing single-sign-on or...

H04L 63/0884   by delegation of authentica...

Authorization messaging with integral delegation data

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

25 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Authorization messaging with integral delegation data

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

25 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links