Request-specific authentication for accessing Web service resources

US 9,183,366 B2
Filed: 01/27/2014
Issued: 11/10/2015
Est. Priority Date: 04/20/2007
Status: Expired due to Fees

First Claim

Patent Images

1. A computing system for controlling access to a protected Web service resource, the computing system comprising:

a computer communication device for communicating across a communication network;

a processor communicatively connected to the communication device; and

memory storing program instructions, which when executed by the processor cause the computing system to;

receive a first request from a client to access the protected Web service resource from the communication network, the first request including an identification of the protected Web service resource and an identification of an operation to be performed on the protected Web service resource;

determine a level of the operation to be performed on the protected Web service resource identified in the first request;

determine that the client has been authenticated by an authentication service according to a first factor using a first authentication token offered by the client;

determine whether the first factor is of at least a first authentication level to grant the first request for the client to perform the operation, based on, at least in part, the level of the operation;

grant the first request to access the protected Web service resource after determining that the client has been authenticated according to the first factor, and that authentication according to the first factor is of at least the first authentication level;

receive a second request from the client to access the protected Web service resource from the communication network, the second request including the identification of the protected Web service resource and an identification of a second operation to be performed on the protected Web service resource;

determine a level of the second operation to be performed on the protected Web service resource identified in the second request;

send, to the client, a message to deny the second request to access the protected Web service resource based on, at least in part, the level of the second operation and on the authentication according to the first factor not being of at least a second authentication level to grant the second request, the message further comprising an address of the authentication service;

determine that the client has been authenticated by the authentication service according to a second factor using a second authentication token offered by the client;

determine whether the second factor is of at least the second authentication level to grant the second request for the client to perform the second operation, based on, at least in part, the level of the second operation; and

grant the second request to access the protected Web service resource after determining that the client has been authenticated according to the second factor and that the authentication according to the second factor is of at least the second authentication level.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Requests for access to Web service resources are evaluated based on the type of request that is received. Requests are not granted unless sufficient proof of authentication is provided to grant that request. An authentication service evaluates one or more factors to determine whether or not to authenticate the client. After being authenticated by the authentication service, proof of authentication is provided to the Web service, which grants access to the Web service resource.

32 Citations

18 Claims

1. A computing system for controlling access to a protected Web service resource, the computing system comprising:
- a computer communication device for communicating across a communication network;
  
  a processor communicatively connected to the communication device; and
  
  memory storing program instructions, which when executed by the processor cause the computing system to;
  
  receive a first request from a client to access the protected Web service resource from the communication network, the first request including an identification of the protected Web service resource and an identification of an operation to be performed on the protected Web service resource;
  
  determine a level of the operation to be performed on the protected Web service resource identified in the first request;
  
  determine that the client has been authenticated by an authentication service according to a first factor using a first authentication token offered by the client;
  
  determine whether the first factor is of at least a first authentication level to grant the first request for the client to perform the operation, based on, at least in part, the level of the operation;
  
  grant the first request to access the protected Web service resource after determining that the client has been authenticated according to the first factor, and that authentication according to the first factor is of at least the first authentication level;
  
  receive a second request from the client to access the protected Web service resource from the communication network, the second request including the identification of the protected Web service resource and an identification of a second operation to be performed on the protected Web service resource;
  
  determine a level of the second operation to be performed on the protected Web service resource identified in the second request;
  
  send, to the client, a message to deny the second request to access the protected Web service resource based on, at least in part, the level of the second operation and on the authentication according to the first factor not being of at least a second authentication level to grant the second request, the message further comprising an address of the authentication service;
  
  determine that the client has been authenticated by the authentication service according to a second factor using a second authentication token offered by the client;
  
  determine whether the second factor is of at least the second authentication level to grant the second request for the client to perform the second operation, based on, at least in part, the level of the second operation; and
  
  grant the second request to access the protected Web service resource after determining that the client has been authenticated according to the second factor and that the authentication according to the second factor is of at least the second authentication level.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The computing system of claim 1, wherein the first factor is at least one of:
    - a password, an answer to a security question, a biometric identifier, an object, and client specific information.
  - 3. The computing system of claim 1, wherein the second factor is different from the first factor.
  - 4. The computing system of claim 1, wherein determining that the client has been authenticated comprises causing the computing system to:
    - decrypt the first authentication token with a public key of the authentication service; and
      
      determine that a claim made by the authentication service in the first authentication token satisfies a condition for access.
  - 5. The computing system of claim 1, wherein the message directs the client to the authentication service to be authenticated according to the second factor.

6. A method of controlling access to a protected Web service resource, the method comprising:
- performing by a server;
  
  receiving a first request from a client to access the protected Web service resource from a communication network, the first request including an identification of the protected Web service resource and an identification of an operation to be performed on the protected Web service resource;
  
  determining a level of operation to be performed on the protected Web service resource identified in the first request;
  
  determining that the client has been authenticated by an authentication service according to a first factor using the first authentication token offered by the client;
  
  determining whether the first factor meets at least a first criterion to grant the first request for the client to perform the operation, based on, at least in part, the level of the operation;
  
  granting the first request to access the protected Web service resource after determining that the client has been authenticated according to the first factor, and that authentication according to the first factor meets at least the first criterion;
  
  receiving a second request from the client to access the protected Web service resource from the communication network, the second request including the identification of the protected Web service resource and an identification of a second operation to be performed on the protected Web service resource;
  
  determining a level of the second operation to be performed on the protected Web service resource identified in the second request;
  
  sending, to the client, a message to deny the second request to access the protected Web service resource based on, at least in part, the level of the second operation and on the authentication according to the first factor not meeting at least a second criterion to grant the second request, the message further comprising an address of the authentication service;
  
  determining that the client has been authenticated by the authentication service according to the second factor using a second authentication token offered by the client;
  
  determining whether the second factor meets at least the second criterion to grant the second request for the client to perform the second operation, based on, at least in part, the level of operation; and
  
  granting the second request to access the protected Web service resource after determining that the client has been authenticated according to the second factor and that authentication according to the second factor meets at least the second criterion.
- View Dependent Claims (7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 7. The method of claim 6, wherein the first factor is at least one of:
    - a password, an answer to a security question, a biometric identifier, an object, and client specific information.
  - 8. The method of claim 6, wherein the second factor is different from the first factor.
  - 9. The method of claim 6, wherein determining that the client has been authenticated according to the first factor comprises:
    - decrypting the first authentication token with a public key of the authentication service; and
      
      determining that a claim made by the authentication service in the first authentication token satisfies a condition for access.
  - 10. The method of claim 6, wherein the message directs the client to an authentication service to be authenticated according to the second factor.
  - 11. The method of claim 6, further comprising granting the second request to access the protected Web service resource after determining that the client has been authenticated according to the second factor.
  - 12. The method of claim 6, further comprising:
    - receiving a first request from the client to be authenticated;
      
      sending a first challenge message to the client;
      
      receiving a first confirmation response to the first challenge message from the client;
      
      determining that the first confirmation response meets a first predetermined criterion; and
      
      sending a first authentication message to the client.
  - 13. The method of claim 12, wherein sending the first authentication message to the client comprises sending the first authentication token to the client.
  - 14. The method of claim 13, further comprising:
    - receiving a second request from the client to be authenticated;
      
      sending a second challenge message to the client, different than the first challenge message;
      
      receiving a second confirmation response to the second challenge message from the client;
      
      determining that the second confirmation response meets a second predetermined criterion; and
      
      sending a second authentication message to the client, the second authentication message including the second authentication token.
  - 15. The method of claim 6, further comprising determining that the second request requires further authentication by reading data from the second request and comparing the data from the second request with the level of the second operation.
  - 16. The method of claim 6, wherein the first authentication token includes a claim from the authentication service relating to a factor that was used to authenticate the client.

17. A computer readable storage medium, which is not a signal, containing computer executable instructions which when executed by a computer cause the computer to:
- receive a first request from a client to access a protected Web service resource from the communication network, the first request including an identification of the protected Web service resource and an identification of an operation to be performed on the protected Web service resource;
  
  determine a level of the operation to be performed on the protected Web service resource identified in the first request;
  
  determine that the client has been authenticated by an authentication according to the first factor using the first authentication token offered by a client;
  
  determine whether the first factor is of at least a first authentication level;
  
  grant the first request to access the protected Web service resource after determining that the client has been authenticated according to the first factor, and that authentication according to the first factor is of at least the first authentication level;
  
  receive a second request from the client to access the protected Web service resource from the communication network, the second request including the identification of the protected Web service resource and an identification of a second operation to be performed on the protected Web service resource;
  
  determine a level of the second operation to be performed on the protected Web service resource identified in the second request;
  
  send, to the client, a message to deny the second request to access the protected Web service resource based on, at least in part, the level of the second operation and on the authentication according to the first factor not being of at least a second authentication level to grant the second request, the message further including an address of the authentication service;
  
  determine that the client has been authenticated by the authentication service according to a second factor using a second authentication token offered by the client;
  
  determine whether the second factor is of at least the second authentication level; and
  
  grant the second request to access the protected Web service resource after determining that the client has been authenticated according to the second factor, and that authentication according to the second factor is of at least the second authentication level.
- View Dependent Claims (18)
- - 18. The computer readable storage medium of claim 17, wherein the first and second authentication tokens are encrypted using public key cryptography.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Inventors
McMurtry, Craig V., Weinert, Alexander T., Meleshuk, Vadim, Gabarra, Mark E.
Primary Examiner(s)
Holder, Bradley
Assistant Examiner(s)
Shayanfar, Ali

Application Number

US14/165,133
Publication Number

US 20140143546A1
Time in Patent Office

652 Days
Field of Search

726/9, 713/168, 713/185, 713/186
US Class Current

1/1
CPC Class Codes

G06F 21/32   using biometric data, e.g. ...

G06F 21/335   for accessing specific reso...

G06F 21/40   by quorum, i.e. whereby two...

G06F 21/602   Providing cryptographic fac...

H04L 63/06   for supporting key manageme...

H04L 63/08   for authentication of entit...

H04L 63/083   using passwords cryptograph...

H04L 63/0861   using biometrical features,...

H04L 63/0869   for achieving mutual authen...

H04L 63/10   for controlling access to d...

Request-specific authentication for accessing Web service resources

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

32 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Request-specific authentication for accessing Web service resources

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

32 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links