System and method for identity management for mobile devices

US 9,363,272 B2
Filed: 12/16/2013
Issued: 06/07/2016
Est. Priority Date: 02/15/2011
Status: Active Grant

First Claim

Patent Images

1. A method performed by a mobile device for secure communication of data to a client service in communication with an untrusted client application on the mobile device for enabling a user to utilize the client service, the method comprising:

generating a request for user profile data stored externally at an identity provider;

sending the request to the identity provider;

obtaining, in response to the request, a token secret and an encrypted token provided to the untrusted client application and the client service, the encrypted token comprising the user profile data specified in the request and the token secret, the encrypted token being decryptable by the client service;

the untrusted client application, unable to decrypt the encrypted token to obtain the user profile data, communicating the encrypted token to the client service for authentication; and

the untrusted client application providing the token secret to the client service as proof of ownership of the encrypted token; and

wherein the client service verifies that the token secret from the untrusted client application matches the token secret of the encrypted token as proof that the token secret includes the requested user profile data.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for managing a user identity on a mobile device are provided. The system comprises the mobile device comprising a user agent and a client application, the user agent and the client application in communication with each other. The system further comprises an identity provider in communication with the mobile device, and a client service in communication with the mobile device. The user agent is configured to communicate with the identity provider and retrieve the user identity for the client application, and the client application is configured to transmit the user identity to the client service.

9 Citations

View as Search Results

19 Claims

1. A method performed by a mobile device for secure communication of data to a client service in communication with an untrusted client application on the mobile device for enabling a user to utilize the client service, the method comprising:
- generating a request for user profile data stored externally at an identity provider;
  
  sending the request to the identity provider;
  
  obtaining, in response to the request, a token secret and an encrypted token provided to the untrusted client application and the client service, the encrypted token comprising the user profile data specified in the request and the token secret, the encrypted token being decryptable by the client service;
  
  the untrusted client application, unable to decrypt the encrypted token to obtain the user profile data, communicating the encrypted token to the client service for authentication; and
  
  the untrusted client application providing the token secret to the client service as proof of ownership of the encrypted token; and
  
  wherein the client service verifies that the token secret from the untrusted client application matches the token secret of the encrypted token as proof that the token secret includes the requested user profile data.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1 wherein the encrypted token is only decryptable by the client service.
  - 3. The method of claim 1 wherein providing the request to the identity provider comprises:
    - the client application generating the request; and
      
      providing the request to a user agent on the mobile device for communicating the request to the identity provider.
  - 4. The method of claim 1 wherein a user agent on the mobile device obtains and stores the token secret and the encrypted token.
  - 5. The method of claim 4 wherein the user agent sends the token secret and the encrypted token to the client application, and the client application communicates the token secret and the encrypted token to the client service.
  - 6. The method of claim 4 wherein the user agent stores the token secret and the encrypted token for a threshold amount of time before the encrypted token is revoked.
  - 7. The method of claim 4 wherein multiple users are authenticated to the mobile device, and the user agent identifies which one of the multiple of users is presently authenticated to the mobile device.
  - 8. The method of claim 4 wherein the user agent issues a prompt to the user via a user interface of the mobile device requesting consent to provide the encrypted token and the token secret to the client application, and if the user agent does not receive consent, then the user agent does not provide at least the encrypted token to the client application.
  - 9. The method of claim 1 wherein the user profile data includes an ecoID for identifying the user, wherein the ecoID is a property of a token that does not change over time.

10. A mobile device configured for secure communication of user profile data to a client service in communication with an untrusted client application on the mobile device, for enabling a user to utilize the client service, the mobile device comprising:
- a processor,memory,a communication device,a user agent managing storage and retrieval of user identity information, wherein the user agent is able to communicate with an identity provider for establishing user credentials for the client application, andthe client application, andthe mobile device configured to at least;
  
  generate a request for the user profile data stored externally at an identity provider;
  
  provide the request to the identity provider;
  
  obtain, in response to the request, a token secret and an encrypted token provided to the untrusted client application and the client service, the encrypted token comprising the user profile data specified in the request and the token secret, the token being decryptable by the client service;
  
  communicate the encrypted token to the client service via the untrusted client application for authentication, and providing the token secret as proof of ownership of the encrypted token; and
  
  wherein the client service is operable to verify that the token secret from the untrusted client application matches the token secret of the encrypted token as proof that the token secret includes the requested user profile data.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18, 19)
- - 11. The mobile device of claim 10 wherein the encrypted token is only decryptable by the client service.
  - 12. The mobile device of claim 10 wherein the mobile device is further configured to at least:
    - send the request for the user profile data; and
      
      in response to the request, obtain the token secret and the encrypted token by receiving the token secret and the encrypted token from the identity provider.
  - 13. The mobile device of claim 12 wherein the mobile device further comprises a user agent in communication with the client application, and the client application is configured to at least generate the request and provide the request to the user agent, and the user agent is configured to receive the token secret and the encrypted token from the identity provider.
  - 14. The mobile device of claim 10 wherein the mobile device further comprises a user agent to obtain and store the token secret and the encrypted token.
  - 15. The mobile device of claim 14 wherein the user agent is further configured to at least send the token secret and the encrypted token to the client application, and the client application is further configured to at least communicate the token secret and the encrypted token to the client service.
  - 16. The mobile device of claim 14 wherein the user agent is further configured to at least store the token secret and the encrypted token for a threshold amount of time before the encrypted token is revoked.
  - 17. The mobile device of claim 14 wherein multiple users are authenticated to the mobile device, and the user agent is further configured to at least identify which one of the multiple of users is presently authenticated to the mobile device.
  - 18. The mobile device of claim 14 wherein the mobile device further comprises a user interface, and the user agent is further configured to at least issue a prompt to the user via the user interface requesting consent to provide the token and the token secret to the client application, and if the user agent does not receive consent, then the user agent is further configured to not provide at least the encrypted token to the client application.
  - 19. The mobile device of claim 10 wherein the user profile data includes an ecoID for identifying the user, wherein the ecoID is a property of a token that does not change over time.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Malikie Innovations Limited (Key Patent Innovations Limited)
Original Assignee
Blackberry Limited
Inventors
McBride, Brian Everett, Lambert, Kenneth Jason William, Cornet, Jrme Bertrand Nicolas
Primary Examiner(s)
Nguyen, David Q

Application Number

US14/107,280
Publication Number

US 20140108801A1
Time in Patent Office

904 Days
Field of Search

455/411, 379/93.03, 713/168, 717/171
US Class Current

1/1
CPC Class Codes

H04L 63/062   for key distribution, e.g. ...

H04L 63/08   for authentication of entit...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/102   Entity profiles

H04L 63/12   Applying verification of th...

H04W 12/065   Continuous authentication

H04W 12/068   using credential vaults, e....

H04W 12/082   using revocation of authori...

System and method for identity management for mobile devices

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

9 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for identity management for mobile devices

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

9 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links