Single sign-on (SSO) for mobile applications
Abstract
A framework, which conforms to the OAuth standard, involves a generic OAuth authorization server that can be used by multiple resource servers in order to ensure that access to resources stored on those resource servers is limited to access to which the resource owner consents. Each resource server registers, with the OAuth authorization server, metadata for that resource server, indicating scopes that are recognized by the resource server. The OAuth authorization server refers to this metadata when requesting consent from a resource owner on behalf of a client application, so that the consent will be of an appropriate scope. The OAuth authorization server refers to this metadata when constructing an access token to provide to the client application for use in accessing the resources on the resource server. The OAuth authorization server uses this metadata to map issued access tokens to the scopes to which those access tokens grant access.
89 Citations
20 Claims
1. A method comprising:
based on determining that a user is authenticated to access a first application of a plurality of applications stored on a mobile device:
storing, at an authorization computing system that is separate from the mobile device, a hardware identifier of the mobile device in association with session information of a session for the user;
receiving, from the mobile device, a request by the user to access a second application of the plurality of applications, wherein the request includes a client token, the client token indicating the hardware identifier of the mobile device;
determining that the hardware identifier indicated by the client token is stored at the authorization computing system for the session; and
based on determining that the hardware identifier is stored at the authorization computing system in association with the session information of the session, enabling the user to access the plurality of applications at the mobile device without determining authentication of the user to access any of the plurality of applications.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9
10. An authorization system comprising:
one or more processors; and
a memory coupled with and readable by the one or more processors, wherein the memory stores instructions that, when executed by the one or more processors, cause the one or more processors to:
based on determining that a user is authenticated to access a first application of a plurality of applications stored on a mobile device, store a hardware identifier of the mobile device in association with session information of a session for the user;
receive, from the mobile device, a request by the user to access a second application of the plurality of applications, wherein the request includes a client token, the client token indicating the hardware identifier of the mobile device;
determine that the hardware identifier indicated by the client token is stored at the authorization system for the session; and
based on determining that the hardware identifier is stored at the authorization system in association with the session information of the session, enable the user to access the plurality of applications at the mobile device without determining authentication of the user to access any of the plurality of applications.
Dependent claims: 11, 12, 13, 14, 15
16. A method comprising:
sending, from a mobile device, to an authorization computing system that is separate from the mobile device, credential information for authentication of a user to access a first application of a plurality of applications stored on the mobile device, wherein the user is enabled with access to the plurality of applications at the mobile device upon successful authentication of the user by the authorization computing system;
receiving, at the mobile device, from the authorization computing system, one or more client tokens for the plurality of applications stored on the mobile device, wherein each of the one or more client tokens includes a hardware identifier of the mobile device;
sending, from the mobile device, to the authorization computing system, a request to access a second application of the plurality of applications, wherein the request includes one of the one or more client tokens including the hardware identifier; and
enabling, at the mobile device, access to the second application by the user, wherein access to the second application is enabled based on notification from the authorization computing system that access to the second application at the mobile device is permitted by authentication of the user to access the first application at the mobile device.
Dependent claims: 17, 18, 19, 20
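As an added illustration (not code from the patent or its assignee), the following Python models the authorization computing system of claims 1, 10 and 16: a first-app login binds the device's hardware identifier to a session and issues one client token per application; a later request for a second application is granted without re-authentication only if the hardware identifier in the token is the one stored for that session. The in-memory session store, the HMAC-signed token format and the class/method names are assumptions made for the example.

```python
import base64, hashlib, hmac, json, secrets


class AuthorizationSystem:
    """Constructed model of the authorization computing system in claims 1 and 16."""

    def __init__(self, users):
        self._users = users       # demo credential store: {username: password}
        self._sessions = {}       # session_id -> {"user": ..., "hardware_id": ...}
        self._key = secrets.token_bytes(32)  # HMAC key that protects issued client tokens

    def _sign(self, payload):
        return hmac.new(self._key, payload, hashlib.sha256).hexdigest()

    def authenticate(self, user, password, hardware_id, apps):
        """First-app login: bind the device's hardware id to a new session and
        issue one client token per installed app (claim 16, 'one or more client tokens')."""
        if self._users.get(user) != password:
            return None
        sid = secrets.token_hex(16)
        self._sessions[sid] = {"user": user, "hardware_id": hardware_id}
        tokens = {}
        for app in apps:
            payload = json.dumps({"sid": sid, "hw": hardware_id, "app": app}, sort_keys=True).encode()
            tokens[app] = base64.urlsafe_b64encode(payload).decode() + "." + self._sign(payload)
        return tokens

    def access(self, token):
        """Second-app request: grant without re-authenticating only if the hardware id
        carried in the client token is the one stored for the session (claim 1)."""
        try:
            b64, sig = token.split(".")
            payload = base64.urlsafe_b64decode(b64)
            if not hmac.compare_digest(self._sign(payload), sig):
                return False              # forged or tampered token
        except (ValueError, TypeError):
            return False                  # malformed token
        claims = json.loads(payload)
        session = self._sessions.get(claims["sid"])
        if session is None:
            return False                  # session ended or never existed
        # the core check of claim 1: token's hardware id must match the one bound to the session
        return hmac.compare_digest(session["hardware_id"], claims["hw"])

    def end_session(self, token):
        """Dropping the session entry revokes every per-app token issued for it."""
        claims = json.loads(base64.urlsafe_b64decode(token.split(".")[0]))
        self._sessions.pop(claims["sid"], None)
```

Because every per-app token points at the same session record, ending that one session is enough to revoke access to all of the applications at once.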