Controlling access by web applications to resources on servers

US 9,148,429 B2
Filed: 04/23/2012
Issued: 09/29/2015
Est. Priority Date: 04/23/2012
Status: Active Grant

First Claim

Patent Images

1. A system that facilitates granting a third-party application access to a user resource located on a network system, the system comprising:

a user-based access control list (ACL) checking utility implemented on a hardware processor configured to determine whether a first user has permission to access the user resource;

a token-grant server checking utility implemented on the hardware processor configured to determine whether a token grant server has authenticated the third-party application with the network system by determining whether the token-grant server has sent an authorization code to a third-party application along with a document ID when the first user installs the third-party application for use with a resource identified by the document ID, whether the token-grant server has received the authorization code back from the third-party application along with a client secret that identifies the third-party application as the intended recipient of the authorization code, and whether the token-grant server has sent an authorization access token to the third-party application after receiving the authorization code and client secret from the third-party application;

a resource-based ACL checking utility implemented on the hardware processor configured to determine whether the third-party application has permission to access the user resource on behalf of the first user, based on metadata associated with the user resource, and information indicating whether a second user has used the third-party application to access the user resource, wherein the first user is not the second user; and

an authentication-fulfillment utility implemented on the hardware processor configured to fulfill the third-party application access request upon receiving affirmative determinations in all of the determinations made by the system, the fulfillment including enabling an authentication of the third-party application and granting the third-party application permission to access the user resource.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques are shown for providing third-party applications access to user resources based on user actions and processes that provide the third-party applications with the correct security tokens. The scope of access granted in various implementations of the disclosure is all documents which the user has already opened with the third-party application.

Citations

15 Claims

1. A system that facilitates granting a third-party application access to a user resource located on a network system, the system comprising:
- a user-based access control list (ACL) checking utility implemented on a hardware processor configured to determine whether a first user has permission to access the user resource;
  
  a token-grant server checking utility implemented on the hardware processor configured to determine whether a token grant server has authenticated the third-party application with the network system by determining whether the token-grant server has sent an authorization code to a third-party application along with a document ID when the first user installs the third-party application for use with a resource identified by the document ID, whether the token-grant server has received the authorization code back from the third-party application along with a client secret that identifies the third-party application as the intended recipient of the authorization code, and whether the token-grant server has sent an authorization access token to the third-party application after receiving the authorization code and client secret from the third-party application;
  
  a resource-based ACL checking utility implemented on the hardware processor configured to determine whether the third-party application has permission to access the user resource on behalf of the first user, based on metadata associated with the user resource, and information indicating whether a second user has used the third-party application to access the user resource, wherein the first user is not the second user; and
  
  an authentication-fulfillment utility implemented on the hardware processor configured to fulfill the third-party application access request upon receiving affirmative determinations in all of the determinations made by the system, the fulfillment including enabling an authentication of the third-party application and granting the third-party application permission to access the user resource.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The system according to claim 1, further including:
    - an installation registry confirmation utility configured to determine whether the third-party application has been installed by the first user.
  - 3. The system according to claim 1, further including:
    - an application programming interface (API) configured to receive an application ID from the third-party application and the authorization access token granted to the third-party application by the token-grant server.
  - 4. The system according to claim 1, wherein:
    - the resource-based ACL checking utility is further configured to write metadata to the user resource, the metadata containing an identification (ID) for the third-party application used by the first user to access the user resource and a user ID.
  - 5. The system according to claim 4, wherein:
    - the resource-based ACL checking utility is further configured to write to a file record data specifying that the third-party application has been used to access the user resource.
  - 6. The system according to claim 4, wherein:
    - the resource-based ACL checking utility is further configured to limit how many different third-party applications that the first user can use simultaneously to access a particular user resource.
  - 7. The system according to claim 6, wherein:
    - the resource-based ACL checking utility is configured to remove the first of a series of third-party applications that the first user is using to simultaneously access the particular user resource when the series reaches a limit and the first user attempts to access the particular user resource using an additional third-party application.

8. A computer implemented method that facilitates granting a third-party application access to one or more user resources located on a web-based storage system, the method comprising:
- determining, using a processor, whether a first user is on a user-based access control list (ACL) granting the first user access to the one or more user resources;
  
  determining, using the processor, whether an authorization access token has been granted by a token-grant server granting the third-party application limited access to the one or more resources by determining whether the token-grant server has sent an authorization code to a third-party application when the first user installs the third-party application, whether the token-grant server has received the authorization code from the third-party application along with a client secret that identifies the third-party application as the intended recipient of the authorization code, and whether the token-grant server has sent an authorization access token to the third-party application after receiving the authorization code and client secret at the token-grant server from the third-party application;
  
  determining, using the processor, whether the third-party application is on a resource-specific ACL, indicating that a second user has used the third-party application to access the one or more resources, wherein the first user is not the second user;
  
  determining, using the processor, whether the third-party application has been installed by the first user; and
  
  in response to an affirmative determination for each of the determinings, fulfilling, using the processor, the third-party application access request, the fulfilling including enabling an authentication of the third-party application and granting the third-party application permission to access the one or more user resources.
- View Dependent Claims (9, 10, 11, 12, 13)
- - 9. The method according to claim 8, further including:
    - calling, using the processor, an application programming interface (API) configured to receive an application ID from the third-party application and the authorization access token granted to the third-party application by the token-grant server.
  - 10. The method according to claim 8, further including:
    - writing, using the processor, metadata to the one or more user resources, the metadata containing an ID for the third-party application used by the first user to access the one or more user resources and a first user ID corresponding to the first user.
  - 11. The method according to claim 10, further including:
    - writing, using the processor, data to a file record on the web-based storage system specifying that the third-party application has been used to access the one or more user resources.
  - 12. The method according to claim 10, further including:
    - limiting, using the processor, how many different third-party applications that the first user can use simultaneously to access a particular user resource to a known number.
  - 13. The method according to claim 12, further including:
    - ending, using the processor, access to the resource for the first of a series of third-party applications that the first user is using to simultaneously access the particular user resource when the series reaches a limit equal to the known number and the first user attempts to access the particular user resource using an additional third-party application.

14. A tangible, machine-readable, non-transitory storage medium having stored thereon program instructions that facilitate granting a third-party application access to one or more user resources located on a web-based storage system, the instructions when executed by a machine cause the machine to perform operations comprising:
- determining whether a first user is on a user-based access control list (ACL) granting the first user access to the one or more user resources;
  
  determining whether an authorization access token has been granted by a token-grant server granting the third-party application limited access to the one or more resources by determining whether an authorization code has been sent from the token-grant server to a third-party application when the first user installs the third-party application, whether the authorization code has been received at the token-grant server from the third-party application along with a client secret that identifies the third-party application as the intended recipient of the authorization code, and whether an authorization access token has been sent to the third-party application after receiving the authorization code and client secret from the third-party application;
  
  determining whether the third-party application is on a resource-specific ACL, indicating that a second user has used the third-party application to access the one or more resources, wherein the first user is not the second user;
  
  determining whether the third-party application has been installed by the first user; and
  
  in response to an affirmative determination for each of the determinings, fulfilling the third-party application access request, the fulfilling including enabling an authentication of the third-party application and granting the third-party application permission to access the one or more user resources.
- View Dependent Claims (15)
- - 15. The non-transitory storage medium according to claim 14, the operations further comprising:
    - writing metadata to the one or more user resources, the metadata containing an ID for the third-party application used by the first user to access the one or more user resources and a first user ID corresponding to the first user.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Google LLC (Alphabet Inc.)
Original Assignee
Google Inc. (Alphabet Inc.)
Inventors
Cairns, Brian Lewis, Schoeffler, Eric Benson, Richter, John Day, Procopio, Michael Jeffrey, Eaton, Brian Edgar, Besen, Adam Wayne, Wyrick, Robert Eugene
Primary Examiner(s)
TURCHEN, JAMES R

Application Number

US13/453,191
Publication Number

US 20150200948A1
Time in Patent Office

1,254 Days
Field of Search

726/4
US Class Current

1/1
CPC Class Codes

G06F 21/335   for accessing specific reso...

G06F 21/44   Program or device authentic...

G06F 21/6218   to a system of files or obj...

G06F 2221/2141   Access rights, e.g. capabil...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/10   for controlling access to d...

H04L 63/101   Access control lists [ACL]

H04L 9/3213   using tickets or tokens, e....

Controlling access by web applications to resources on servers

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

Controlling access by web applications to resources on servers

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links