Single sign-on (SSO) for mobile applications
Abstract
A framework, which conforms to the OAuth standard, involves a generic OAuth authorization server that can be used by multiple resource servers in order to ensure that access to resources stored on those resource servers is limited to access to which the resource owner consents. Each resource server registers, with the OAuth authorization server, metadata for that resource server, indicating scopes that are recognized by the resource server. The OAuth authorization server refers to this metadata when requesting consent from a resource owner on behalf of a client application, so that the consent will be of an appropriate scope. The OAuth authorization server refers to this metadata when constructing an access token to provide to the client application for use in accessing the resources on the resource server. The OAuth authorization server uses this metadata to map issued access tokens to the scopes to which those access tokens grant access.
18 Claims
1. A computer-implemented method comprising:
upon determining, at an authorization server that includes one or more hardware processors and that is separate from a first mobile device storing a plurality of applications, that a user of the first mobile device is successfully authenticated to access a first application of the plurality of applications stored on the first mobile device:
storing, at the authorization server, first session information corresponding to a first user session for the user of the first mobile device, wherein the first user session is generated by the authorization server, and wherein the first session information includes a hardware identifier of the first mobile device;
sending, by the authorization server, a first client registration token to the first mobile device, the first client registration token including the hardware identifier of the first mobile device;
receiving, at the authorization server, a request for the user to access a second application of the plurality of applications stored on the first mobile device, the request including the first client registration token;
determining, at the authorization server, whether the hardware identifier of the first mobile device included in the first client registration token matches any hardware identifier indicated in session information stored for any user session at the authorization server; and
in response to determining that the hardware identifier of the first mobile device included in the first client registration token matches the hardware identifier of the first mobile device included in the first session information stored at the authorization server,
instructing, by the authorization server, the second application to allow the user to access functionality of the second application without requiring the user to re-engage in an authentication process.
Dependent claims: 2, 3, 4, 5, 6.

7. A computer-readable memory comprising instructions which, when executed by one or more processors, cause the one or more processors to perform a method comprising:
upon determining, at an authorization server that includes one or more hardware processors and that is separate from a first mobile device storing a plurality of applications, that a user of the first mobile device is successfully authenticated to access a first application of the plurality of applications stored on the first mobile device:
storing, at the authorization server, first session information corresponding to a first user session for the user of the first mobile device, wherein the first user session is generated by the authorization server, and wherein the first session information includes a hardware identifier of the first mobile device;
sending, by the authorization server, a first client registration token to the first mobile device, the first client registration token including the hardware identifier of the first mobile device;
receiving, at the authorization server, a request for the user to access a second application of the plurality of applications stored on the first mobile device, the request including the first client registration token;
determining, at the authorization server, whether the hardware identifier of the first mobile device included in the first client registration token matches any hardware identifier indicated in session information stored for any user session at the authorization server; and
in response to determining that the hardware identifier of the first mobile device included in the first client registration token matches the hardware identifier of the first mobile device included in the first session information stored at the authorization server,
instructing, by the authorization server, the second application to allow the user to access functionality of the second application without requiring the user to re-engage in an authentication process.
Dependent claims: 8, 9, 10, 11, 12.

13. A system comprising:
a first mobile device that stores a plurality of applications; and
a machine that is separate from the first mobile device and that stores an authorization server that is configured to:
upon determining that a user of the first mobile device is successfully authenticated to access a first application of the plurality of applications stored on the first mobile device, store first session information corresponding to a first user session for the user of the first mobile device, wherein the first user session is generated by the authorization server, and wherein the first session information includes a hardware identifier of the first mobile device;
send a first client registration token to the first mobile device, the first client registration token including the hardware identifier of the first mobile device;
receive a request for the user to access a second application of the plurality of applications stored on the first mobile device, the request including the first client registration token;
determine whether the hardware identifier of the first mobile device included in the first client registration token matches any hardware identifier indicated in session information stored for any user session at the authorization server; and
in response to determining that the hardware identifier of the first mobile device included in the first client registration token matches the hardware identifier of the first mobile device included in the first session information stored at the authorization server, instruct the second application to allow the user to access functionality of the second application without requiring the user to re-engage in an authentication process.
Dependent claims: 14, 15, 16, 17, 18.
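The three independent claims above (method, memory and system) describe one exchange: after the user authenticates to a first app, the authorization server stores a session that records the device's hardware identifier, hands the device a client registration token carrying that identifier, and later lets a second app skip authentication if the identifier in a presented token matches any stored session. The following Python server is an added illustration of that exchange and is not code from the patent or its assignee. The claims say only that the token carries the hardware identifier; the HMAC-SHA256 signature over the token, its base64url layout, the logout step, and every name and identifier below are assumptions made here so the example runs and handles the two failure modes a practitioner cares about (a token whose identifier matches no session, and a token that was not issued by this server).

```python
"""Toy authorization server for the device-bound SSO flow in the claims (added example)."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from dataclasses import dataclass


@dataclass
class Session:
    """Session information stored at the authorization server."""
    session_id: str
    user: str
    hardware_id: str      # the device identifier the later match is keyed on
    first_app: str
    created_at: float


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class AuthorizationServer:
    """Holds user sessions and issues/validates client registration tokens.

    The HMAC and the token layout are assumptions added in this example; the
    claims only require that the token carry the hardware identifier.
    """

    def __init__(self, signing_key: bytes):
        self._key = signing_key
        self._sessions = {}  # session_id -> Session

    def on_primary_authentication(self, user: str, hardware_id: str, app_id: str) -> str:
        """Store session information after the user authenticated to the first app
        and return the client registration token the device will present later."""
        session_id = secrets.token_hex(8)
        self._sessions[session_id] = Session(session_id, user, hardware_id, app_id, time.time())
        return self.issue_client_registration_token(hardware_id)

    def issue_client_registration_token(self, hardware_id: str) -> str:
        # Token = base64url(payload) "." base64url(HMAC-SHA256(payload)).
        # The MAC keeps a client from substituting another device's identifier.
        payload = json.dumps({"hwid": hardware_id}, separators=(",", ":")).encode()
        mac = hmac.new(self._key, payload, hashlib.sha256).digest()
        return f"{_b64(payload)}.{_b64(mac)}"

    def _hardware_id_from_token(self, token: str):
        """Return the hardware identifier if the token is intact, else None."""
        try:
            payload_b64, mac_b64 = token.split(".")
            payload, mac = _unb64(payload_b64), _unb64(mac_b64)
        except ValueError:  # wrong shape or bad base64 (binascii.Error is a ValueError)
            return None
        expected = hmac.new(self._key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(mac, expected):
            return None
        hardware_id = json.loads(payload).get("hwid")
        return hardware_id if isinstance(hardware_id, str) else None

    def handle_second_app_request(self, token: str, app_id: str) -> dict:
        """Decide whether the second app may skip authentication by matching the
        token's hardware identifier against every stored session, as claimed."""
        hardware_id = self._hardware_id_from_token(token)
        if hardware_id is None:
            return {"app": app_id, "decision": "authenticate", "reason": "invalid token"}
        for session in self._sessions.values():
            if hmac.compare_digest(session.hardware_id.encode(), hardware_id.encode()):
                return {"app": app_id, "decision": "allow",
                        "user": session.user, "session_id": session.session_id}
        return {"app": app_id, "decision": "authenticate", "reason": "no session for device"}

    def logout(self, user: str) -> int:
        """Drop the user's sessions so the device's token no longer matches anything."""
        stale = [sid for sid, s in self._sessions.items() if s.user == user]
        for sid in stale:
            del self._sessions[sid]
        return len(stale)


def demo() -> dict:
    """Walk the flow with constructed identifiers and return the three decisions."""
    server = AuthorizationServer(signing_key=b"constructed-demo-key-not-for-production")
    token = server.on_primary_authentication("alice", "HW-0001", "mail-app")
    allowed = server.handle_second_app_request(token, "calendar-app")
    # Same identifier, but MAC computed under a different key: must be rejected.
    foreign = AuthorizationServer(b"some-other-key").issue_client_registration_token("HW-0001")
    rejected = server.handle_second_app_request(foreign, "calendar-app")
    server.logout("alice")
    after_logout = server.handle_second_app_request(token, "calendar-app")
    return {"allowed": allowed, "rejected": rejected, "after_logout": after_logout}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The design point this surfaces: the claimed decision rests entirely on a hardware identifier match, so in a deployment the token must be integrity-protected (here, the added HMAC) and the session store must be revocable (here, `logout`), otherwise anything that can present the identifier is indistinguishable from the authenticated device.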