Virtual endpoints for request authentication

US 9,231,930 B1
Filed: 11/20/2012
Issued: 01/05/2016
Est. Priority Date: 11/20/2012
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method, comprising:

receiving a request from a caller to a first endpoint of a request management service, the request being associated with a service offered by a customer to the caller using one or more computing resources that are accessible through a provider of the one or more computing resources, the first endpoint and the service being under control of the customer, and wherein (1) the customer does not own the one or more computing resources and offers the service to the caller by paying the provider for use of the one or more computing resources and (2) the customer bills the caller for use of the service;

attempting, using at least one computing device, to authenticate the request using information from an identity pool provided by the provider of the one or more computing resources to yield an authentication of the request;

determining, using the at least one computing device, that the request is authorized to be processed by the service of the customer according to policies associated with the caller to yield a determination;

associating the request with an authenticated identity of the caller and, based at least in part on the policies, an authorization to perform at least one task with the service of the customer, to yield an associated authenticated identity of the caller and an associated authorization to perform the at least one task; and

forwarding, using the at least one computing device, based at least in part on the authentication of the request and the determination, the request to a second endpoint for the service of the customer, wherein the service of the customer is able to process the request that was received from the caller at the first endpoint based at least in part on (i) the associated authenticated identity of the caller and (ii) the associated authorization to perform the at least one task.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Customers can utilize resources of a multi-tenant environment to provide one or more services available to various users. In order to simplify the process for these customers, the multi-tenant environment can include an infrastructure wherein a portion of the resources provide an authentication and/or authorization service that can be leveraged by the customer services. These resources can logically sit in front of the resources used to provide the customer services, such that a user request must pass through the authorization and authentication service before being directed to the customer service. Such resources can provide other functionality as well, such as load balancing and metering.

40 Citations

View as Search Results

22 Claims

1. A computer-implemented method, comprising:
- receiving a request from a caller to a first endpoint of a request management service, the request being associated with a service offered by a customer to the caller using one or more computing resources that are accessible through a provider of the one or more computing resources, the first endpoint and the service being under control of the customer, and wherein (1) the customer does not own the one or more computing resources and offers the service to the caller by paying the provider for use of the one or more computing resources and (2) the customer bills the caller for use of the service;
  
  attempting, using at least one computing device, to authenticate the request using information from an identity pool provided by the provider of the one or more computing resources to yield an authentication of the request;
  
  determining, using the at least one computing device, that the request is authorized to be processed by the service of the customer according to policies associated with the caller to yield a determination;
  
  associating the request with an authenticated identity of the caller and, based at least in part on the policies, an authorization to perform at least one task with the service of the customer, to yield an associated authenticated identity of the caller and an associated authorization to perform the at least one task; and
  
  forwarding, using the at least one computing device, based at least in part on the authentication of the request and the determination, the request to a second endpoint for the service of the customer, wherein the service of the customer is able to process the request that was received from the caller at the first endpoint based at least in part on (i) the associated authenticated identity of the caller and (ii) the associated authorization to perform the at least one task.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The computer-implemented method of claim 1, wherein determining that the request is authorized includes determining identifying information for the caller.
  - 3. The computer-implemented method of claim 1, wherein the receiving, determining, and forwarding are performed by a request management service.
  - 4. The computer-implemented method of claim 1, wherein attempting to authenticate the request includes determining whether the request is at least one of:
    - signed using a valid credential, received over a secure channel, or received from a trusted source.
  - 5. The computer-implemented method of claim 1, wherein attempting to authenticate the request includes comparing information for the request to one or more credentials stored in a local cache or sending information for the request to an authentication service.
  - 6. The computer-implemented method of claim 1, further comprising:
    - writing information, about whether the request was forwarded or rejected, to an audit log.
  - 7. The computer-implemented method of claim 6, further comprising:
    - determining one or more trends for rejected requests using the audit log; and
      
      rejecting one or more subsequent requests based at least in part upon the one or more trends.
  - 8. The computer-implemented method of claim 1, further comprising:
    - charging the caller for a portion of resources consumed in processing requests allowed for the caller.
  - 9. The computer-implemented method of claim 8, wherein the resources consumed include at least one of bandwidth, processor time, I/O operations, database operations, or additional requests resulting from the requests allowed for the caller.
  - 10. The computer-implemented method of claim 1, further comprising:
    - receiving at least one policy for the service;
      
      removing information from the at least one policy that is non-applicable to the service; and
      
      converting the at least one policy to a language supported by a policy evaluation engine associated with the service.
  - 11. The computer-implemented method of claim 1, wherein the first endpoint has a format compatible with a provider of the one or more computing resources.

12. A system, comprising:
- at least one processor; and
  
  memory storing instructions that, when executed by the at least one processor, cause the system to;
  
  receive a request from a caller to a first endpoint of a request management service, the request being associated with a service offered by a customer to the caller using one or more computing resources that are accessible through a provider of the one or more computing resources, the first endpoint and the service being under control of the customer, and wherein (2) the customer does not own the one or more computing resources and offers the service to the caller by paying the provider for use of the one or more computing resources and (2) the customer bills the caller for use of the service;
  
  authenticate the request using information from an identity pool provided by the provider of the one or more computing resources to yield an authentication of the request;
  
  determine that the request is authorized to be processed by the service offered by the customer according to policies associated with the caller to yield a determination;
  
  associate the request with an authenticated identity of the caller and, based at least in part on the policies, an authorization to perform at least one task with the service offered by the customer to yield an associated authenticated identity of the caller and an associated authorization to perform the at least one task; and
  
  forward, based on the authentication of the request and the determination, the request to a second endpoint for the service, wherein the service is able to process the request that was received from the caller at the first endpoint based at least in part on (i) the associated authenticated identity of the caller and (ii) the associated authorization to perform the at least one task.
- View Dependent Claims (13, 14, 15, 16, 17, 18)
- - 13. The system of claim 12, wherein pricing for a caller of the first endpoint is set by an entity defining the first endpoint.
  - 14. The system of claim 12, wherein the request forwarded to the second endpoint includes one or more credentials enabling the service to perform one or more actions on behalf of the caller, the one or more credentials associated with the customer.
  - 15. The system of claim 12, wherein the request when forwarded to the second endpoint includes information usable to cause the provider to associate one or more subsequent requests, made by the second endpoint, with the request received from the caller.
  - 16. The system of claim 12, wherein the provider is able to detect potentially fraudulent requests received to the first endpoint at one or more levels of a network stack associated with the multi-tenant environment, and wherein the potentially fraudulent requests are denied.
  - 17. The system of claim 12, wherein the request is denied or re-routed if the caller has exceeded a specified request limit.
  - 18. The system of claim 12, wherein the request is a Web service request and the second endpoint is an application programming interface (API) associated with the one or more resources.

19. A non-transitory computer-readable storage medium including instructions that, when executed by at least one processor of a computing system, cause the computing system to:
- receive a communication from a caller to a first endpoint, the request being associated with a service offered by a customer to the caller using one or more computing resources, and wherein (1) the customer does not own the one or more computing resources and offers the service to the caller by paying the provider for use of the one or more computing resources and (2) the customer bills the caller for use of the service, the first endpoint and the service being under control of the customer and compatible with a provider of the one or more computing resources that are accessible through a provider of the one or more computing resources, the request further comprising a signature generated using at least one security credential;
  
  determine, by the provider, that the signature is a valid signature and has a format compatible with the provider;
  
  determine that the request is authorized to be processed by the service offered by the customer according to policies associated with the caller, to yield a determination;
  
  associate the request with an authenticated identity of the caller and, based at least in part on the policies, an authorization to perform at least one task with the service offered by the customer, to yield an associated authenticated identity of the caller and an associated authorization to perform the at least one task; and
  
  forward, based on the authentication of the request and the determination, the request to a second endpoint for the service, wherein the second endpoint is able to process the request that was received from the caller at the first endpoint based at least in part on (i) the associated authenticated identity of the caller and (ii) the associated authorization to perform the at least one task.
- View Dependent Claims (20, 21, 22)
- - 20. The non-transitory computer-readable storage medium of claim 19, wherein determining whether the request is authorized includes determining identifying information for the caller, and wherein the instructions when executed further cause the computing system to:
    - annotate the request with at least some of the identifying information before forwarding the request to the second endpoint for the service.
  - 21. The non-transitory computer-readable storage medium of claim 19, wherein the instructions when executed further cause the computing system to:
    - determine the second endpoint using at least one load balancing algorithm.
  - 22. The non-transitory computer-readable storage medium of claim 19, wherein the instructions when executed further cause the computing system to:
    - build an authorization context in order to determine whether the request is authorized for the service.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Roth, Gregory Branchek, Baer, Graeme David, Brandwine, Eric Jason
Primary Examiner(s)
Williams, Jeffery

Application Number

US13/682,318
Time in Patent Office

1,141 Days
Field of Search

None
US Class Current

1/1
CPC Class Codes

H04L 63/08 for authentication of entit...

H04L 63/126 the source of the received ...

Virtual endpoints for request authentication

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

40 Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Virtual endpoints for request authentication

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

40 Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links