Methods and systems of data security in browser storage

US 9,473,468 B2
Filed: 09/16/2015
Issued: 10/18/2016
Est. Priority Date: 08/29/2011
Status: Active Grant

First Claim

Patent Images

1. A non-transitory computer-readable medium having stored thereon instructions that, when executed by one or more processors, are configurable to cause the one or more processors to:

authenticate a client browser via an identity provider;

grant permission for a service to access data and/or services of the identity provider;

redirect, with the identity provider, the client browser to an endpoint provided by service provider, wherein the service provider provides an on-demand service environment comprising at least a multitenant database system;

send an authorization code, with the identity provider, during the redirect, the authorization code to be exchanged, by the service provider, for one or more refresh tokens and access to the data and/or services;

wherein the client browser establishes communications with the service provider, the service provider prompts the user to set-up a passcode before obtaining the tokens and once the passcode is provided, and after the service provider obtains the tokens from the identity provider, the service provider encrypts the refresh token(s) by using the passcode and/or by a private key generated by the service provider; and

wherein the encrypted token is returned to the client browser to be saved locally in local storage of the client browser.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Mechanisms and methods are provided for managing OAuth access in a database network system, and extending the OAuth flow of authentication to securely store the OAuth encrypted refresh token in the storage available with current browsers or any other non-secure storage on user system.

303 Citations

9 Claims

1. A non-transitory computer-readable medium having stored thereon instructions that, when executed by one or more processors, are configurable to cause the one or more processors to:
- authenticate a client browser via an identity provider;
  
  grant permission for a service to access data and/or services of the identity provider;
  
  redirect, with the identity provider, the client browser to an endpoint provided by service provider, wherein the service provider provides an on-demand service environment comprising at least a multitenant database system;
  
  send an authorization code, with the identity provider, during the redirect, the authorization code to be exchanged, by the service provider, for one or more refresh tokens and access to the data and/or services;
  
  wherein the client browser establishes communications with the service provider, the service provider prompts the user to set-up a passcode before obtaining the tokens and once the passcode is provided, and after the service provider obtains the tokens from the identity provider, the service provider encrypts the refresh token(s) by using the passcode and/or by a private key generated by the service provider; and
  
  wherein the encrypted token is returned to the client browser to be saved locally in local storage of the client browser.
- View Dependent Claims (2, 3)
- - 2. The non-transitory computer-readable medium of claim 1 wherein the encrypted result further comprises a unique identifier to track future authentication requests.
  - 3. The non transitory computer-readable medium of claim 1 further comprising instructions that, when executed by the one or more processors, cause the one or more processors to, during future access attempts, cause the client browser to send the encrypted token along with the passcode to the service provider to access the data and/or services of the identity provider.

4. A method comprising:
- authenticating a client browser via an identity provider;
  
  granting permission for an service to access data and/or services of the identity provider;
  
  redirecting, with the identity provider, the client browser to an endpoint provided by a service provider, wherein the service provider provides an on-demand service environment comprising at least a multitenant database system;
  
  sending an authorization code, with the identity provider, during the redirect, the authorization code to be exchanged, by the service provider, for one or more refresh tokens and access to the data and/or services;
  
  wherein the client browser establishes communications with the service provider, the service provider prompts the user to set-up a passcode before obtaining the tokens and once the passcode is provided, and after the service provider obtains the tokens from the identity provider, the service provider encrypts the refresh token(s) by using the passcode and/or by a private key generated by the service provider; and
  
  wherein the encrypted token is returned to the client browser to be saved locally in local storage of the client browser.
- View Dependent Claims (5, 6)
- - 5. The method of claim 4 wherein the encrypted result further comprises a unique identifier to track future authentication requests.
  - 6. The method of claim 4 further comprising during future access attempts, causing the client browser to send the encrypted token along with the passcode to the service provider to access the data and/or services of the identity provider.

7. A computer system comprising:
- one or more processors communicatively coupled to each other to authenticate a client browser via an identity provider, to grant permission for an service to access data and/or services of the identity provider, to redirect, with the identity provider, the client browser to an endpoint provided by a service provider, wherein the service provider provides an on-demand service environment comprising at leas a multitenant database system, and to send an authorization code, with the identity provider, during the redirect, the authorization code to be exchanged, by the service provider, for one or more refresh tokens and access to the data and/or services, wherein the client browser establishes communications with the service provider, the service provider prompts the user to set-up a passcode before obtaining the tokens and once the passcode is provided, and after the service provider obtains the tokens from the identity provider, the service provider encrypts the refresh token(s) by using the passcode and/or by a private key generated by the service provider, wherein the encrypted token is returned to the client browser to be saved locally in local storage of the client browser.
- View Dependent Claims (8, 9)
- - 8. The system of claim 7 wherein the encrypted result further comprises a unique identifier to track future authentication requests.
  - 9. The system of claim 7, wherein the one or more processors are further configured to cause the one or more processors to, during future access attempts, cause the client browser to send the encrypted token along with the passcode to the service provider to access the data and/or services of the identity provider.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Salesforce.com, Inc.
Original Assignee
Salesforce.com, Inc.
Inventors
Gupta, Akhilesh
Primary Examiner(s)
Okeke, Izunna

Application Number

US14/856,371
Publication Number

US 20160006705A1
Time in Patent Office

398 Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/6227   where protection concerns t...

G06F 2221/2107   File encryption

H04L 63/0428   wherein the data content is...

H04L 63/08   for authentication of entit...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/083   using passwords cryptograph...

H04L 67/563   Data redirection of data ne...

H04L 9/0643   Hash functions, e.g. MD5, S...

H04L 9/3213   using tickets or tokens, e....

Methods and systems of data security in browser storage

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

303 Citations

9 Claims

Specification

Solutions

Use Cases

Quick Links

Methods and systems of data security in browser storage

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

303 Citations

9 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links