Resource access authorization
First Claim
Patent Images
1. A system comprising:
- one or more processors; and
one or more computer-readable storage media storing computer-executable instructions that are executable by the one or more processors to perform operations including;
receiving a request from an application for access to a user resource, the request being appended with a uniform resource identifier (URI) that includes a custom URI scheme that identifies a persisted authentication mode and that includes an application identifier for the application;
forwarding an authorization request to an authorization entity responsive to receiving the request, the authorization request including the application identifier for the application;
receiving a response from the authorization entity indicating that the application is permitted to access the user resource, the response including the application identifier for the application;
checking whether a user has selected a persisted authentication mode for the application;
caching an authentication state for the application in an event that an indication is received that the persisted authentication mode has been selected; and
providing a token to the application that enables access to the user resource if the application identifier matches a system application identifier obtained from a storage portion of a computing device on which the application is executing, the storage portion of the computing device being inaccessible to the application.
2 Assignments
0 Petitions
Accused Products
Abstract
Techniques for resource access authorization are described. In one or more implementations, an application identifier is used to control access to user resources by an application. A determination is made whether to allow the application to access the user resources by comparing an application identifier received from an authorization service with a system application identifier for the application obtained from a computing device on which the application is executing.
-
Citations
20 Claims
-
1. A system comprising:
-
one or more processors; and one or more computer-readable storage media storing computer-executable instructions that are executable by the one or more processors to perform operations including; receiving a request from an application for access to a user resource, the request being appended with a uniform resource identifier (URI) that includes a custom URI scheme that identifies a persisted authentication mode and that includes an application identifier for the application; forwarding an authorization request to an authorization entity responsive to receiving the request, the authorization request including the application identifier for the application; receiving a response from the authorization entity indicating that the application is permitted to access the user resource, the response including the application identifier for the application; checking whether a user has selected a persisted authentication mode for the application; caching an authentication state for the application in an event that an indication is received that the persisted authentication mode has been selected; and providing a token to the application that enables access to the user resource if the application identifier matches a system application identifier obtained from a storage portion of a computing device on which the application is executing, the storage portion of the computing device being inaccessible to the application. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
-
-
9. One or more computer-readable storage devices comprising instructions stored thereon that, responsive to execution by a computing device, cause the computing device to perform operations comprising:
-
maintaining a cached authentication state for an application that can be used to enable the application to access a user resource; receiving a request from the application to allow the application to access the user resource; clearing user identification information from a portion of the computing device that is accessible to the application in response to detecting the request from the application to allow the application to access the user resource, said clearing performed prior to determining whether to allow the application to access the user resource; forwarding one or more portions of the cached authentication state to an authorization service in response to the request to allow the application to access the user resource; receiving an application identifier from the authorization service; and determining whether to provide a token to the application that enables access to the user resource by comparing the application identifier received from the authorization service with a system application identifier for the application obtained from a storage portion of the computing device that is inaccessible to the application. - View Dependent Claims (10, 11, 12, 13, 14, 15)
-
-
16. A computer-implemented method, comprising:
-
receiving a request from an application executing on a computing device for access to a user resource, the request being appended with a uniform resource identifier (URI) that includes a custom URI scheme that identifies a persisted authentication mode; detecting that the application is requesting access to the user resource via the persisted authentication mode by recognizing that the URI received with the request identifies the persisted authentication mode; clearing user identification information from a portion of the computing device that is accessible to the application in response to said detecting; communicating an authorization request to an authorization service to ascertain whether the application is permitted to access the user resource; receiving a response from the authorization service indicating whether the application is permitted to access the user resource, the response including an application identifier for the application; determining whether the application identifier received from the authorization service matches a system application identifier obtained from a storage portion of the computing device that is inaccessible to the application; and in an event that the application identifier matches the system application identifier, providing a token to the application that enables the application to access the user resource. - View Dependent Claims (17, 18, 19, 20)
-
Specification