Policy-based automated consent

US 9,264,436 B2
Filed: 05/08/2013
Issued: 02/16/2016
Est. Priority Date: 05/08/2013
Status: Active Grant

First Claim

Patent Images

1. A method of managing grant of consent to access a protected resource, the protected resource associated with a resource owner, comprising:

upon receipt of a request to access a protected resource, the request having a scope and being associated with a second web client, performing an analysis based on a universal resource identifier (URI) associated with the request to identify a characteristic of the second web client, the analysis being performed using a computing entity having a hardware element;

based on the characteristic of the second web client and the scope of the request, applying a policy to determine whether the second web client is entitled to receive an automated consent to access the protected resource as a result of a consent having been previously granted by the resource owner to a first web client; and

when, based on the policy the second web client is entitled to receive the automated consent, returning given information useful by the second web client to obtain access to the protected resource without requiring an explicit consent from the resource owner;

when the second web client is not entitled to receive the automated consent to access the protected resource issuing a prompt to the resource owner to obtain explicit consent.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A technique for intelligent automated consent is described by which a client may be automatically authorized to access a resource owner'"'"'s protected information (e.g., a profile) based on the owner'"'"'s previous authorization decisions and/or other client classifications. Using this approach to granting consent, the resource owner is not required to intervene during the authorization step for each client that is requesting access. Clients may be categorized, and authorization given to individual clients based on the category to which they belong and/or the scope of the access request. The technique may be implemented with user-centric identity protocols, as well as with delegated authorization protocols. The technique provides for policy-based consent grants.

22 Citations

View as Search Results

14 Claims

1. A method of managing grant of consent to access a protected resource, the protected resource associated with a resource owner, comprising:
- upon receipt of a request to access a protected resource, the request having a scope and being associated with a second web client, performing an analysis based on a universal resource identifier (URI) associated with the request to identify a characteristic of the second web client, the analysis being performed using a computing entity having a hardware element;
  
  based on the characteristic of the second web client and the scope of the request, applying a policy to determine whether the second web client is entitled to receive an automated consent to access the protected resource as a result of a consent having been previously granted by the resource owner to a first web client; and
  
  when, based on the policy the second web client is entitled to receive the automated consent, returning given information useful by the second web client to obtain access to the protected resource without requiring an explicit consent from the resource owner;
  
  when the second web client is not entitled to receive the automated consent to access the protected resource issuing a prompt to the resource owner to obtain explicit consent.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method as described in claim 1 wherein the characteristic of the second web client is one of:
    - a client category, a domain tag, an indication that the request has originated from a reputable source, and an indication that the second web client has a given privacy policy.
  - 3. The method as described in claim 1 further including:
    - obtaining a response to the prompt;
      
      upon receipt of a response to the prompt, updating the policy to include a category associated with the second web client.
  - 4. The method as described in claim 3 further including updating a consent list to include the second web client.
  - 5. The method as described in claim 1 wherein the given information is an OAuth token.

6. Apparatus, comprising:
- a processor;
  
  computer memory holding computer program instructions executed by the processor to manage grant of consent to access a protected resource, the protected resource associated with a resource owner, the method comprising;
  
  upon receipt of a request to access a protected resource, the request having a scope and being associated with a second web client, performing an analysis based on a universal resource identifier (URI) associated with the request to identify a characteristic of the second web client;
  
  based on the characteristic of the second web client and the scope of the request, applying a policy to determine whether the second web client is entitled to receive an automated consent to access the protected as a result of a consent having been previously granted by the resource owner to a first web client; and
  
  when, based on the policy the second web client is entitled to receive the automated consent, returning given information useful by the second web client to obtain access to the protected resource without requiring an explicit consent from the resource owner;
  
  when the second web client is not entitled to receive the automated consent to access the protected resource, issuing a prompt to the resource owner to obtain explicit consent.
- View Dependent Claims (7, 8, 9, 10)
- - 7. The apparatus as described in claim 6 wherein the characteristic of the client is one of:
    - a client category, a domain tag, an indication that the request has originated from a reputable source, and an indication that the second web client has a given privacy policy.
  - 8. The apparatus as described in claim 6 wherein the method further includes:
    - obtaining a response to the prompt;
      
      upon receipt of a response to the prompt, updating the policy to include a category associated with the second web client.
  - 9. The apparatus as described in claim 8 wherein the method further includes updating a consent list to include the second web client.
  - 10. The apparatus as described in claim 6 wherein the given information is an OAuth token.

11. A computer program product in a non-transitory computer readable medium for use in a data processing system, the computer program product holding computer program instructions which, when executed by the data processing system, perform a method of managing grant of consent to access a protected resource, the protected resource associated with a resource owner, the method comprising:
- upon receipt of a request to access a protected resource, the request having a scope and being associated with a second web client, performing an analysis based on a universal resource identifier (URI) associated with the request to identify a characteristic of the second web client;
  
  based on the characteristic of the second web client and the scope of the request, applying a policy to determine whether the second web client is entitled to receive an automated consent to access the protected resource as a result of a consent having been previously granted by the resource owner to a first web client; and
  
  when, based on the policy the client is entitled to receive the automated consent, returning given information useful by the second web client to obtain access to the protected resource without requiring an explicit consent from the resource owner;
  
  when the second web client is not entitled to receive the automated consent to access the protected resource, issuing a prompt to the resource owner to obtain explicit consent.
- View Dependent Claims (12, 13, 14)
- - 12. The computer program product as described in claim 11 wherein the characteristic of the client is one of:
    - a client category, a domain tag, an indication that the request has originated from a reputable source, and an indication that the second web client has a given privacy policy.
  - 13. The computer program product as described in claim 11 wherein the method further includes:
    - obtaining a response to the prompt;
      
      upon receipt of a response to the prompt, updating the policy to include a category associated with the second web client.
  - 14. The computer program product as described in claim 13 wherein the method further includes updating a consent list to include the second web client.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
HCL Technologies Limited
Original Assignee
International Business Machines Corporation
Inventors
Canning, Simon Gilbert, Weeden, Shane Bradley, Pranam, Codur Sreedhar
Primary Examiner(s)
Armouche, Hadi
Assistant Examiner(s)
Shayanfar, Ali

Application Number

US13/889,707
Publication Number

US 20140337914A1
Time in Patent Office

1,014 Days
Field of Search

726/1
US Class Current

1/1
CPC Class Codes

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/0853   using an additional device,...

H04L 63/10   for controlling access to d...

H04L 63/102   Entity profiles

H04L 63/20   for managing network securi...

Policy-based automated consent

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

22 Citations

14 Claims

Specification

Use Cases

Quick Links

Others

Policy-based automated consent

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

22 Citations

14 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others