Single sign-on (SSO) for mobile applications

US 9,237,145 B2
Filed: 04/30/2014
Issued: 01/12/2016
Est. Priority Date: 09/29/2011
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method comprising:

upon determining, at an authorization server that includes one or more hardware processors and that is separate from a first mobile device storing a plurality of applications, that a user of the first mobile device is successfully authenticated to access a first application of the plurality of applications stored on the first mobile device;

storing, at the authorization server, first session information corresponding to a first user session for the user of the first mobile device, wherein the first user session is generated by the authorization server, and wherein the first session information includes a hardware identifier of the first mobile device;

sending, by the authorization server, a first client registration token to the first mobile device, the first client registration token including the hardware identifier of the first mobile device;

receiving, at the authorization server, a request for the user to access a second application of the plurality of applications stored on the first mobile device, the request including the first client registration token;

determining, at the authorization server, whether the hardware identifier of the first mobile device included in the first client registration token matches any hardware identifier indicated in session information stored for any user session at the authorization server; and

in response to determining that the hardware identifier of the first mobile device included in the first client registration token matches the hardware identifier of the first mobile device included in the first session information stored at the authorization server;

instructing, by the authorization server, the second application to allow the user to access functionality of the second application without requiring the user to re-engage in an authentication process.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A framework, which conforms to the OAuth standard, involves a generic OAuth authorization server that can be used by multiple resource servers in order to ensure that access to resources stored on those resource servers is limited to access to which the resource owner consents. Each resource server registers, with the OAuth authorization server, metadata for that resource server, indicating scopes that are recognized by the resource server. The OAuth authorization server refers to this metadata when requesting consent from a resource owner on behalf of a client application, so that the consent will be of an appropriate scope. The OAuth authorization server refers to this metadata when constructing an access token to provide to the client application for use in accessing the resources on the resource server. The OAuth authorization server uses this metadata to map issued access tokens to the scopes to which those access tokens grant access.

Citations

18 Claims

1. A computer-implemented method comprising:
- upon determining, at an authorization server that includes one or more hardware processors and that is separate from a first mobile device storing a plurality of applications, that a user of the first mobile device is successfully authenticated to access a first application of the plurality of applications stored on the first mobile device;
  
  storing, at the authorization server, first session information corresponding to a first user session for the user of the first mobile device, wherein the first user session is generated by the authorization server, and wherein the first session information includes a hardware identifier of the first mobile device;
  
  sending, by the authorization server, a first client registration token to the first mobile device, the first client registration token including the hardware identifier of the first mobile device;
  
  receiving, at the authorization server, a request for the user to access a second application of the plurality of applications stored on the first mobile device, the request including the first client registration token;
  
  determining, at the authorization server, whether the hardware identifier of the first mobile device included in the first client registration token matches any hardware identifier indicated in session information stored for any user session at the authorization server; and
  
  in response to determining that the hardware identifier of the first mobile device included in the first client registration token matches the hardware identifier of the first mobile device included in the first session information stored at the authorization server;
  
  instructing, by the authorization server, the second application to allow the user to access functionality of the second application without requiring the user to re-engage in an authentication process.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The computer-implemented method of claim 1, further comprising:
    - receiving, at the authorization server, a request for the user to access a third application stored on a second mobile device, the request including a second client registration token, wherein the second client registration token includes a hardware identifier of the second mobile device, and wherein the second mobile device is separate from the authorization server and is separate from the first mobile device;
      
      determining, at the authorization server, whether the hardware identifier of the second mobile device included in the second client registration token matches any hardware identifier indicated in the session information stored for any user session at the authorization server;
      
      in response to determining that the hardware identifier of the second mobile device included in the second client registration token does not match any hardware identifier included in the session information stored for any user session at the authorization server;
      
      instructing, by the authorization server, the second application to request the user of the third application to engage in the authentication process prior to allowing the user of the third application to access functionality of the third application.
  - 3. The computer-implemented method of claim 2, further comprising:
    - upon determining that the user of the third application is successfully engaged in the authentication process, performing steps comprising;
      
      generating, at the authorization server, a second user session that specifies the hardware identifier of the second mobile device;
      
      storing second session information corresponding to the second user session at the authorization server, wherein the second session information includes the hardware identifier of the second mobile device; and
      
      instructing the third application to allow the user to access functionality of the third application;
      
      wherein the second user session differs from the first user session.
  - 4. The computer-implemented method of claim 3, further comprising:
    - receiving, at the authorization server, a request for the user to access a fourth application stored on the second mobile device, the request including a third client registration token, wherein the third client registration token includes the hardware identifier of the second mobile device;
      
      determining, at the authorization server, whether the hardware identifier of the second mobile device included in the third client registration token matches any hardware identifier indicated in the session information stored for any user session at the authorization server;
      
      in response to determining that the hardware identifier of the second mobile device included in the third client registration token matches the hardware identifier of the second mobile device included in the second session information stored for the second user session at the authorization server;
      
      instructing the fourth application to allow the user to access functionality of the fourth application without requiring the user to re-engage in the authentication process.
  - 5. The computer-implemented method of claim 1, further comprising:
    - receiving, at the authorization server, from the first mobile device, a first registration request from the first application;
      
      in response to receiving the first registration request, performing the authentication process relative to the first application; and
      
      generating the first user session that specifies the hardware identifier of the first mobile device upon determining that the user of the first mobile device is successfully authenticated to access the first application stored on the first mobile device;
      
      wherein the first registration request specifies the hardware identifier of the first mobile device.
  - 6. The computer-implemented method of claim 5, further comprising:
    - receiving, at the authorization server, from the second mobile device, a second registration request from a third application stored on the second mobile device that is separate from the first mobile device;
      
      in response to receiving the second registration request, performing the authentication process relative to the third application; and
      
      upon determining that the user of the second mobile device is successfully authenticated to access the third application stored on the second mobile device, generating the second client registration token at the authorization server and sending the second client registration token to the third application;
      
      wherein the second registration request specifies the hardware identifier of the second mobile device;
      
      wherein the second client registration token specifies the hardware identifier of the second mobile device;
      
      wherein the hardware identifier of the first mobile device is a Media Access Control (MAC) address of the first mobile device; and
      
      wherein the hardware identifier of the second mobile device is a Media Access Control (MAC) address of the second mobile device.

7. A computer-readable memory comprising instructions which, when executed by one or more processors, cause the one or more processors to perform a method comprising:
- upon determining, at an authorization server that includes one or more hardware processors and that is separate from a first mobile device storing a plurality of applications, that a user of the first mobile device is successfully authenticated to access a first application of the plurality of applications stored on the first mobile device;
  
  storing, at the authorization server, first session information corresponding to a first user session for the user of the first mobile device, wherein the first user session is generated by the authorization server, and wherein the first session information includes a hardware identifier of the first mobile device;
  
  sending, by the authorization server, a first client registration token to the first mobile device, the first client registration token including the hardware identifier of the first mobile device;
  
  receiving, at the authorization server, a request for the user to access a second application of the plurality of applications stored on the first mobile device, the request including the first client registration token;
  
  determining, at the authorization server, whether the hardware identifier of the first mobile device included in the first client registration token matches any hardware identifier indicated in session information stored for any user session at the authorization server; and
  
  in response to determining that the hardware identifier of the first mobile device included in the first client registration token matches the hardware identifier of the first mobile device included in the first session information stored at the authorization server;
  
  instructing, by the authorization server, the second application to allow the user to access functionality of the second application without requiring the user to re-engage in an authentication process.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The computer-readable memory of claim 7, wherein the method further comprises:
    - receiving, at the authorization server, a request for the user to access a third application stored on a second mobile device, the request including a second client registration token, wherein the second client registration token includes a hardware identifier of the second mobile device, and wherein the second mobile device is separate from the authorization server and is separate from the first mobile device;
      
      determining, at the authorization server, whether the hardware identifier of the second mobile device included in the second client registration token matches any hardware identifier indicated in the session information stored for any user session at the authorization server;
      
      in response to determining that the hardware identifier of the second mobile device included in the second client registration token does not match any hardware identifier included in the session information stored for any user session at the authorization server;
      
      instructing, by the authorization server, the second application to request the user of the third application to engage in an authentication process prior to allowing the user of the third application to access functionality of the third application.
  - 9. The computer-readable memory of claim 8, wherein the method further comprises:
    - upon determining that the user of the third application is successfully engaged in the authentication process, performing steps comprising;
      
      generating, at the authorization server, a second user session that specifies the hardware identifier of the second mobile device;
      
      storing second session information corresponding to the second user session at the authorization server, wherein the second session information includes the hardware identifier of the second mobile device; and
      
      instructing the third application to allow the user to access functionality of the third application;
      
      wherein the second user session differs from the first user session.
  - 10. The computer-readable memory of claim 9, wherein the method further comprises:
    - receiving, at the authorization server, a request for the user to access a fourth application stored on the second mobile device, the request including a third client registration token, wherein the third client registration token includes the hardware identifier of the second mobile device;
      
      determining, at the authorization server, whether the hardware identifier of the second mobile device included in the third client registration token matches any hardware identifier indicated in the session information stored for any user session at the authorization server;
      
      in response to determining that the hardware identifier of the second mobile device included in the third client registration token matches the hardware identifier of the second mobile device included in the second session information stored for the second user session at the authorization server;
      
      instructing the fourth application to allow the user to access functionality of the fourth application without requiring the user to re-engage in the authentication process.
  - 11. The computer-readable memory of claim 7, wherein the method further comprises:
    - receiving, at the authorization server, from the first mobile device, a first registration request from the first application;
      
      in response to receiving the first registration request, performing the authentication process relative to the first application; and
      
      generating the first user session that specifies the hardware identifier of the first mobile device upon determining that the user of the first mobile device is successfully authenticated to access the first application stored on the first mobile device;
      
      wherein the first registration request specifies the hardware identifier of the first mobile device.
  - 12. The computer-readable memory of claim 11, wherein the method further comprises:
    - receiving, at the authorization server, from the second mobile device, a second registration request from a third application stored on the second mobile device that is separate from the first mobile device;
      
      in response to receiving the second registration request, performing the authentication process relative to the third application; and
      
      upon determining that the user of the second mobile device is successfully authenticated to access the third application stored on the second mobile device, generating the second client registration token at the authorization server and sending the second client registration token to the third application;
      
      wherein the second registration request specifies the hardware identifier of the second mobile device;
      
      wherein the second client registration token specifies the hardware identifier of the second mobile device;
      
      wherein the hardware identifier of the first mobile device is a Media Access Control (MAC) address of the first mobile device; and
      
      wherein the hardware identifier of the second mobile device is a Media Access Control (MAC) address of the second mobile device.

13. A system comprising:
- a first mobile device that stores a plurality of applications; and
  
  a machine that is separate from the first mobile device and that stores an authorization server that is configured to;
  
  upon determining that a user of the first mobile device is successfully authenticated to access a first application of the plurality of applications stored on the first mobile device, store first session information corresponding to a first user session for the user of the first mobile device, wherein the first user session is generated by the authorization server, and wherein the first session information includes a hardware identifier of the first mobile device;
  
  send a first client registration token to the first mobile device, the first client registration token including the hardware identifier of the first mobile device;
  
  receive a request for the user to access a second application of the plurality of applications stored on the first mobile device, the request including the first client registration token;
  
  determine whether the hardware identifier of the first mobile device included in the first client registration token matches any hardware identifier indicated in session information stored for any user session at the authorization server; and
  
  in response to determining that the hardware identifier of the first mobile device included in the first client registration token matches the hardware identifier of the first mobile device included in the first session information stored at the authorization server, instruct the second application to allow the user to access functionality of the second application without requiring the user to re-engage in an authentication process.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The system of claim 13, further comprising:
    - a second mobile device that stores a second application; and
      
      wherein the authorization server is further configured to;
      
      receive a request for the user to access a third application stored on a second mobile device, the request including a second client registration token, wherein the second client registration token includes a hardware identifier of the second mobile device;
      
      determine whether the hardware identifier of the second mobile device included in the second client registration token matches any hardware identifier indicated in the session information stored for any user session at the authorization server;
      
      in response to determining that the hardware identifier of the second mobile device included in the second client registration token does not match any hardware identifier included in the session information stored for any user session at the authorization server, instruct the second application to request the user of the third application to engage in the authentication process prior to allowing the user of the third application to access functionality of the third application.
  - 15. The system of claim 14, wherein the authorization server is further configured to:
    - generate a second user session that specifies the hardware identifier of the second mobile device upon determining that the user of the second application is successfully engaged in the authentication process;
      
      store second session information corresponding to the second user session, wherein the second session information includes the hardware identifier of the second mobile device at the authorization server upon determining that the user of the second application is successfully engaged in the authentication process; and
      
      instruct the third application to allow the user to access functionality of the third application upon determining that the user of the second application is successfully engaged in the authentication process;
      
      wherein the second user session differs from the first user session.
  - 16. The system of claim 15, wherein the authorization server is further configured to:
    - receive a request for the user to access a fourth application stored on the second mobile device, the request including a third client registration token, wherein the third client registration token includes the hardware identifier of the second mobile device;
      
      determine whether the hardware identifier of the second mobile device included in the third client registration token matches any hardware identifier indicated in the session information stored for any user session at the authorization server;
      
      instruct the fourth application to allow the user to access functionality of the fourth application without requiring the user to re-engage in the authentication process in response to determining that the hardware identifier of the second mobile device included in the third client registration token matches the hardware identifier of the second mobile device included in the second session information stored for the second user session at the authorization server.
  - 17. The system of claim 13, wherein the authorization server is further configured to:
    - receive, from the first mobile device, a first registration request from the first application;
      
      perform the authentication process relative to the first application in response to receiving the first registration request; and
      
      generating the first user session that specifies the hardware identifier of the first mobile device upon determining that the user of the first mobile device is successfully authenticated to access the first application from the first mobile device;
      
      wherein the first registration request specifies the hardware identifier of the first mobile device.
  - 18. The system of claim 17, wherein the authorization server is further configured to:
    - receive, from the second mobile device, a second registration request from a third application stored on the second mobile device that is separate from the first mobile device;
      
      perform the authentication process relative to the third application in response to receiving the second registration request; and
      
      upon determining that the user of the second mobile device is successfully authenticated to access the third application stored on the second mobile device;
      
      generate the second client registration token at the authorization server; and
      
      send the second client registration token to the third application;
      
      wherein the second registration request specifies the hardware identifier of the second mobile device;
      
      wherein the second client registration token specifies the hardware identifier of the second mobile device;
      
      wherein the hardware identifier of the first mobile device is a Media Access Control (MAC) address of the first mobile device; and
      
      wherein the hardware identifier of the second mobile device is a Media Access Control (MAC) address of the second mobile device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
Oracle International Corporation (Oracle Corporation)
Inventors
Sondhi, Ajay, Hingarajiya, Ravi, Bhat, Shivaram, Wong, Wai Leung William
Primary Examiner(s)
Vaughan, Michael R

Application Number

US14/266,478
Publication Number

US 20150089617A1
Time in Patent Office

622 Days
Field of Search

None
US Class Current

1/1
CPC Class Codes

G06F 2221/2103   Challenge-response

H04L 63/08   for authentication of entit...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/0815   providing single-sign-on or...

H04L 63/0853   using an additional device,...

H04L 63/10   for controlling access to d...

H04L 63/102   Entity profiles

H04L 63/20   for managing network securi...

H04L 63/205   involving negotiation or de...

H04W 12/06   Authentication

Single sign-on (SSO) for mobile applications

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Single sign-on (SSO) for mobile applications

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links