Resource access authorization

US 9,183,361 B2
Filed: 09/12/2011
Issued: 11/10/2015
Est. Priority Date: 09/12/2011
Status: Active Grant

First Claim

Patent Images

1. A system comprising:

one or more processors; and

one or more computer-readable storage media storing computer-executable instructions that are executable by the one or more processors to perform operations including;

receiving a request from an application for access to a user resource, the request being appended with a uniform resource identifier (URI) that includes a custom URI scheme that identifies a persisted authentication mode and that includes an application identifier for the application;

forwarding an authorization request to an authorization entity responsive to receiving the request, the authorization request including the application identifier for the application;

receiving a response from the authorization entity indicating that the application is permitted to access the user resource, the response including the application identifier for the application;

checking whether a user has selected a persisted authentication mode for the application;

caching an authentication state for the application in an event that an indication is received that the persisted authentication mode has been selected; and

providing a token to the application that enables access to the user resource if the application identifier matches a system application identifier obtained from a storage portion of a computing device on which the application is executing, the storage portion of the computing device being inaccessible to the application.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques for resource access authorization are described. In one or more implementations, an application identifier is used to control access to user resources by an application. A determination is made whether to allow the application to access the user resources by comparing an application identifier received from an authorization service with a system application identifier for the application obtained from a computing device on which the application is executing.

Citations

20 Claims

1. A system comprising:
- one or more processors; and
  
  one or more computer-readable storage media storing computer-executable instructions that are executable by the one or more processors to perform operations including;
  
  receiving a request from an application for access to a user resource, the request being appended with a uniform resource identifier (URI) that includes a custom URI scheme that identifies a persisted authentication mode and that includes an application identifier for the application;
  
  forwarding an authorization request to an authorization entity responsive to receiving the request, the authorization request including the application identifier for the application;
  
  receiving a response from the authorization entity indicating that the application is permitted to access the user resource, the response including the application identifier for the application;
  
  checking whether a user has selected a persisted authentication mode for the application;
  
  caching an authentication state for the application in an event that an indication is received that the persisted authentication mode has been selected; and
  
  providing a token to the application that enables access to the user resource if the application identifier matches a system application identifier obtained from a storage portion of a computing device on which the application is executing, the storage portion of the computing device being inaccessible to the application.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. A system as described in claim 1, wherein said user resource comprises one or more of user content, user data, or user profile information.
  - 3. A system as described in claim 1, wherein said authorization request includes a redirect uniform resource identifier (URI) that identifies the application and that is forwarded to the authorization entity to be used to return the application identifier.
  - 4. A system as described in claim 1, wherein said authorization request occurs in the persisted authentication mode that enables the application to be authorized to access the user resource independent of user authentication with the authorization entity.
  - 5. A system as described in claim 1, wherein said authorization entity comprises a service that is implemented remotely from the computing device.
  - 6. A system as described in claim 1, wherein the operations further include obtaining said system application identifier by signing the system application identifier such that it cannot be modified by the application.
  - 7. A system as described in claim 1, wherein said token is usable to access the user resource as part of one or more subsequent requests to access the user resource.
  - 8. A system as described in claim 7, wherein the operations further include requesting a new token in response to an indication that the token has expired.

9. One or more computer-readable storage devices comprising instructions stored thereon that, responsive to execution by a computing device, cause the computing device to perform operations comprising:
- maintaining a cached authentication state for an application that can be used to enable the application to access a user resource;
  
  receiving a request from the application to allow the application to access the user resource;
  
  clearing user identification information from a portion of the computing device that is accessible to the application in response to detecting the request from the application to allow the application to access the user resource, said clearing performed prior to determining whether to allow the application to access the user resource;
  
  forwarding one or more portions of the cached authentication state to an authorization service in response to the request to allow the application to access the user resource;
  
  receiving an application identifier from the authorization service; and
  
  determining whether to provide a token to the application that enables access to the user resource by comparing the application identifier received from the authorization service with a system application identifier for the application obtained from a storage portion of the computing device that is inaccessible to the application.
- View Dependent Claims (10, 11, 12, 13, 14, 15)
- - 10. One or more computer-readable storage devices as recited in claim 9, wherein said token includes one or more of an authentication token or a user identification cookie.
  - 11. One or more computer-readable storage devices as recited in claim 9, wherein said application identifier is received from the authorization service in response to a user authenticating with the authorization service to indicate that the application is permitted to access the user resource.
  - 12. One or more computer-readable storage devices as recited in claim 9, wherein said comparing occurs at an application runtime for the application and independent of interaction with the authorization service.
  - 13. One or more computer-readable storage devices as recited in claim 9, wherein the portion of the computing device that is inaccessible to the application comprises an operating system kernel of the computing device.
  - 14. One or more computer-readable storage devices as recited in claim 9, wherein the operations comprise preventing the application from accessing the token if the application identifier does not match the system application identifier.
  - 15. One or more computer-readable storage devices as recited in claim 9, wherein the operations comprise:
    - in response to the request from the application, causing an authorization user interface associated with the authorization service to be presented, the authorization user interface being configured to receive user authentication information from a user; and
      
      receiving the application identifier from the authorization service based on the user authenticating with the authorization service via the authorization user interface.

16. A computer-implemented method, comprising:
- receiving a request from an application executing on a computing device for access to a user resource, the request being appended with a uniform resource identifier (URI) that includes a custom URI scheme that identifies a persisted authentication mode;
  
  detecting that the application is requesting access to the user resource via the persisted authentication mode by recognizing that the URI received with the request identifies the persisted authentication mode;
  
  clearing user identification information from a portion of the computing device that is accessible to the application in response to said detecting;
  
  communicating an authorization request to an authorization service to ascertain whether the application is permitted to access the user resource;
  
  receiving a response from the authorization service indicating whether the application is permitted to access the user resource, the response including an application identifier for the application;
  
  determining whether the application identifier received from the authorization service matches a system application identifier obtained from a storage portion of the computing device that is inaccessible to the application; and
  
  in an event that the application identifier matches the system application identifier, providing a token to the application that enables the application to access the user resource.
- View Dependent Claims (17, 18, 19, 20)
- - 17. A computer-implemented method as described in claim 16, wherein said persisted authentication mode enables a determination as to whether the application is allowed to access the user resource to be made during multiple authorization transactions independent of a user authentication with the authorization service.
  - 18. A computer-implemented method as described in claim 16, wherein the request further includes a redirect URI that identifies the application to be used by the authorization service to return the application identifier.
  - 19. A computer-implemented method as described in claim 16, wherein said authorization service is included as part of a content service that manages access to the user resource.
  - 20. A computer-implemented method as described in claim 16, wherein the URI is configured with an identifier for the persisted authentication mode in response to receiving an indication of a user selection of the persisted authentication mode.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Inventors
Obasanjo, Oludare V., Gordon, Stephen R., Radutskiy, Aleksandr, Hallin, Philip J., Oskov, Atanas D., Viegas, Jeremy D., Kitchener, Daniel C.
Primary Examiner(s)
Nalven, Andrew
Assistant Examiner(s)
PHAM, QUY C

Application Number

US13/230,460
Publication Number

US 20130067568A1
Time in Patent Office

1,520 Days
Field of Search

None
US Class Current

1/1
CPC Class Codes

G06F 21/31   User authentication

G06F 21/6218   to a system of files or obj...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/101   Access control lists [ACL]

Resource access authorization

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Resource access authorization

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links