Methods and systems of generating and using authentication credentials for decentralized authorization in the cloud
Abstract
A method of controlling the sharing of data between entities that are in electronic communication with each other may include generating an authentication credential comprising an identifier for the target service and a unique signature, attenuating the authentication credential, and determining whether a client device is authorized to access the target service, and, only if so, providing the authentication credential to the client device. In an embodiment, the method may include receiving an access request from the client device, identifying that the authentication credential includes the unique signature and a third party caveat that is associated with a third party authentication service, in response to the identifying, determining whether the request also comprises a discharge credential for the third party caveat, and if the request includes the discharge credential, providing the client device with the requested service, otherwise denying the request.
27 Claims
1. A method of controlling the sharing of data between entities that are in electronic communication, comprising:
- generating, by a cloud-based server of a target service, an authentication credential comprising:
  - an identifier for the target service, and
  - a unique signature representing a keyed-hash message authentication code generated using a key identifier and a secret key associated with the target service; and
- by an intermediate service:
  - attenuating the authentication credential by placing one or more restrictions on a use of the authentication credential,
  - generating an updated unique signature for the authentication credential wherein the updated unique signature represents a keyed-hash message authentication code that is generated using the unique signature and the one or more restrictions,
  - replacing the unique signature of the authentication credential with the updated unique signature, and
  - providing the authentication credential to a client electronic device that is in electronic communication with the cloud-based server only when the client electronic device is authorized to access the target service;
- by the cloud-based server of the target service:
  - receiving an access request from the client electronic device, wherein the request comprises the authentication credential and one or more parameters that relate to a requested service that is available from the target service,
  - identifying that the authentication credential includes the updated unique signature and a third party caveat that is associated with a third party authentication service,
  - in response to the identifying, determining whether the request also comprises a discharge credential for the third party caveat, and
  - in response to determining that the request includes the discharge credential:
    - identifying a signature for the discharge credential, and
    - determining whether the signature for the discharge credential corresponds to a signature for the third party authentication service, and
    - providing the client electronic device with the requested service only when the signature for the discharge credential corresponds to the signature for the third party authentication service, otherwise denying the request.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9.
10. A method of controlling the sharing of data between entities that are in electronic communication, comprising:
- generating, by a cloud-based server of a target service, a first authentication credential comprising:
  - an identifier for the target service, and
  - a unique signature representing a keyed-hash message authentication code generated using a key identifier and a secret key associated with the target service; and
- by an intermediate service:
  - attenuating the first authentication credential by placing one or more restrictions on a use of the first authentication credential,
  - generating an updated unique signature for the first authentication credential wherein the updated unique signature represents a keyed-hash message authentication code that is generated using the unique signature and the one or more restrictions,
  - replacing the unique signature of the first authentication credential with the updated unique signature, and
  - providing the first authentication credential to a client electronic device in electronic communication with the cloud-based server only when the client electronic device is authorized to access the target service;
- by the cloud-based server:
  - receiving an access request from the client electronic device, wherein the request includes the first authentication credential, one or more parameters that relate to a requested service that is available from the target service, and a plurality of disjunctive authentication credentials,
  - identifying that one or more of the first authentication credential and one or more of the plurality of disjunctive authentication credentials includes the updated unique signature and one or more third party caveats that are associated with one or more third party authentication services,
  - in response to the identifying, determining whether the request also comprises one or more discharge credentials for the one or more third party caveats,
  - in response to determining that the request includes the one or more discharge credentials for the one or more third party caveats:
    - identifying a signature for a discharge credential from the one or more discharge credentials, and
    - determining whether the signature for the discharge credential corresponds to a signature for a third party authentication service,
    - providing the client electronic device with the requested service only when the signature for the discharge credential corresponds to the signature for the third party authentication service, otherwise denying the request.

Dependent claims: 11, 12, 13, 14, 15, 16, 17.
18. A method of controlling the sharing of data between entities that are in electronic communication, comprising:
- by an intermediate service:
  - generating an updated unique signature for an authentication credential, wherein the updated unique signature represents a keyed-hash message authentication code that is generated using a unique signature and one or more restrictions on the authentication credential, and
  - replacing the unique signature with the updated signature;
- by a client electronic device:
  - receiving the authentication credential from the intermediate service, wherein the authentication credential comprises:
    - an identifier for a target service, and
    - a caveat that is associated with a third party authentication service;
  - storing the authentication credential in a non-transitory, computer-readable memory;
  - identifying that the authentication credential includes the caveat;
  - providing the authentication credential to the third party authentication service;
  - receiving, from the third party authentication service, a discharge credential that confirms that the caveat has been satisfied;
  - identifying that the third party authentication service has returned a second caveat with the discharge credential;
  - sending, to an additional authentication service, evidence that a condition required by the second caveat has been satisfied;
  - receiving, from the additional authentication service, a second discharge credential;
  - providing the target service with a service request for a requested service, wherein the service request comprises the authentication credential, the discharge credential and the second discharge credential; and
  - receiving the requested service from the target service.

Dependent claims: 19, 20, 21, 22, 23, 24.
25. A system for controlling the sharing of data between entities that are in electronic communication, the system comprising:
- a cloud-based server associated with a target service and target service programming instructions that, when executed, cause the cloud-based server to generate an authentication credential comprising an identifier for the target service, and a unique signature representing a keyed-hash message authentication code generated using a key identifier and a secret key associated with the target service; and
- an intermediate service computing device and intermediate service programming instructions in communication with the target service computing device, wherein the intermediate service programming instructions, when executed, cause the intermediate service computing device to:
  - attenuate the authentication credential by placing one or more restrictions on the authentication credential's use,
  - generate an updated unique signature for the authentication credential wherein the updated unique signature represents a keyed-hash message authentication code that is generated using the unique signature and the one or more restrictions,
  - replace the unique signature of the authentication credential with the updated unique signature, and
  - provide the authentication credential to a client electronic device that is in electronic communication with the cloud-based server only when the client device is authorized to access the target service;
- wherein the target service programming instructions, when executed, also cause the cloud-based server to:
  - receive an access request from the client electronic device, wherein the request comprises the authentication credential and one or more parameters that relate to a requested service that is available from the target service,
  - identify that the authentication credential includes the updated unique signature and a third party caveat that is associated with a third party authentication service,
  - in response to the identifying, determine whether the request also comprises a discharge credential for the third party caveat, and
  - in response to determining that the request includes the discharge credential:
    - identify a signature for the discharge credential, and
    - determine whether the signature for the discharge credential corresponds to a signature for the third party authentication service, and
    - provide the client electronic device with the requested service only when the signature for the discharge credential corresponds to the signature for the third party authentication service, otherwise deny the request.
26. A system for controlling the sharing of data between entities that are in electronic communication, the system comprising:
- a cloud-based server and target service programming instructions that, when executed, cause the cloud-based server to generate a first authentication credential comprising an identifier for the target service, and a unique signature representing a keyed-hash message authentication code generated using a key identifier and a secret key associated with the target service; and
- an intermediate service computing device and intermediate service programming instructions that, when executed, cause the intermediate service computing device to:
  - attenuate the first authentication credential by placing one or more restrictions on a use of the first authentication credential,
  - generate an updated unique signature for the first authentication credential wherein the updated unique signature represents a keyed-hash message authentication code that is generated using the unique signature and the one or more restrictions,
  - replace the unique signature of the first authentication credential with the updated unique signature, and
  - provide the first authentication credential to a client electronic device in electronic communication with the cloud-based server only when the client device is authorized to access the target service;
- wherein the target service programming instructions, when executed, also cause the cloud-based server to:
  - receive an access request from the client electronic device, wherein the request includes the first authentication credential, one or more parameters that relate to a requested service that is available from the target service, and a plurality of disjunctive authentication credentials,
  - identify that one or more of the received credentials includes the updated unique signature and a third party caveat that is associated with a third party authentication service,
  - in response to the identifying, determine whether the request also comprises a discharge credential for at least one of the third party caveats, and
  - in response to determining that the request includes the discharge credential for at least one of the third party caveats:
    - identify a signature for the discharge credential, and
    - determine whether the signature for the discharge credential corresponds to a signature for the third party authentication service, and
    - provide the client electronic device with the requested service only when the signature for the discharge credential corresponds to the signature for the third party authentication service, otherwise deny the request.
27. A system for controlling the sharing of data between entities that are in electronic communication, the system comprising:
- a computing device in electronic communication with a cloud-based server of a target service and an intermediate service computing device;
- a first non-transitory computer readable storage medium in communication with the intermediate service computing device, wherein the first non-transitory computer readable storage medium comprises one or more programming instructions that, when executed, cause the intermediate service computing device to:
  - generate an updated unique signature for an authentication credential, wherein the updated unique signature represents a keyed-hash message authentication code that is generated using a unique signature and one or more restrictions on the authentication credential, and
  - replace the unique signature with the updated unique signature;
- a second non-transitory, computer-readable storage medium in communication with the computing device, wherein the second computer-readable storage medium comprises one or more programming instructions that, when executed, cause the computing device to:
  - receive the authentication credential from the intermediate service computing device, wherein the authentication credential comprises:
    - an identifier for the target service, and
    - a caveat that is associated with a third party authentication service,
  - store the authentication credential in the second non-transitory, computer-readable storage medium,
  - identify that the authentication credential includes the caveat,
  - provide the authentication credential to the third party authentication service,
  - receive, from the third party authentication service, a discharge credential that confirms that the caveat has been satisfied,
  - identify that the third party authentication service has returned a second caveat with the discharge credential,
  - send, to an additional authentication service, evidence that a condition required by the second caveat has been satisfied,
  - receive, from the additional authentication service, a second discharge credential,
  - provide the cloud-based server with a service request for a requested service, wherein the service request comprises the authentication credential, the discharge credential, and the second discharge credential, and
  - receive the requested service from the target service.
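The HMAC chain that the abstract and claims 1 through 27 describe, as an added Python example (not code from the patent or from any product it covers): the target service mints a credential whose signature is an HMAC over the key identifier under its secret key, an intermediate attenuates it by chaining a new HMAC over each restriction, a third-party service issues a discharge credential that may itself carry a second caveat, and the target recomputes the chain before serving the request. The caveat encoding (first-party `k=v` restrictions matched against request parameters, third-party caveats as `tp:<service>:<condition>`) and the pre-shared verification key per third-party service are assumptions; the claims specify none of them.

```python
import hashlib, hmac
from dataclasses import dataclass, field

# Constructed keys: the target service's secret plus a pre-shared verification key per
# third-party service (an assumption; the claims do not say how the target learns it).
KEYS = {"storage": b"storage-secret", "authsvc": b"authsvc-secret", "mfa": b"mfa-secret"}

def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

@dataclass
class Credential:
    service_id: str                               # identifier for the issuing service
    key_id: str                                   # key identifier covered by the root HMAC
    caveats: list = field(default_factory=list)   # restrictions, in the order applied
    sig: bytes = b""                              # HMAC chain over key_id, then each caveat

def mint(service_id, key_id, secret):
    """Target service: unique signature = HMAC(secret key, key identifier)."""
    return Credential(service_id, key_id, [], _hmac(secret, key_id))

def attenuate(cred, restriction):
    """Intermediate service: append a restriction and replace the signature with
    HMAC(old signature, restriction). Needs no secret; the old signature is not recoverable."""
    return Credential(cred.service_id, cred.key_id, cred.caveats + [restriction],
                      _hmac(cred.sig, restriction))

def discharge(caveat, third_party_secret):
    """Third-party service: a discharge is a credential minted over the caveat it
    satisfies ('tp:<service>:<condition>'); attenuate() can add a second caveat to it."""
    return mint(caveat.split(":", 2)[1], caveat, third_party_secret)

def verify(cred, request, discharges, keys=KEYS):
    """Target service: recompute the HMAC chain, enforce first-party 'k=v' caveats against
    the request parameters, and require a valid discharge for every third-party caveat.
    Discharges are verified recursively, so a second caveat needs a second discharge."""
    secret = keys.get(cred.service_id)
    if secret is None:
        return False                      # unknown issuer
    expected = _hmac(secret, cred.key_id)
    for caveat in cred.caveats:
        expected = _hmac(expected, caveat)
    if not hmac.compare_digest(expected, cred.sig):
        return False                      # forged or tampered credential
    for caveat in cred.caveats:
        if caveat.startswith("tp:"):
            svc = caveat.split(":", 2)[1]
            found = [d for d in discharges if d.key_id == caveat and d.service_id == svc]
            if not found or not verify(found[0], request, discharges, keys):
                return False              # missing or invalid discharge credential
        else:
            key, _, value = caveat.partition("=")
            if request.get(key) != value:
                return False              # first-party restriction not met
    return True
```

Because every step keys on the previous signature, a client that drops a restriction and keeps the signature fails the recomputation, and an attenuated credential can be handed on without the target's secret ever leaving the target.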
Specification