Controlled access

US 9,473,480 B2
Filed: 09/25/2012
Issued: 10/18/2016
Est. Priority Date: 09/30/2011
Status: Active Grant

First Claim

Patent Images

1. A method for controlling user access to a protected resource, in which the method comprises:

receiving, from an untrusted application, an access request for a user to a protected resource at a resource server;

determining whether the access request lacks an indicating that the user is authorized to access the protected resource;

sending, upon determination that the access request lacks the indication that the user is authorized to access the protected resource, a command, from the resource server to the application, for opening a client browser;

intercepting a request from the client browser directed to an authorization server;

requesting user credentials from the client browser;

processing user credentials received from the client browser to authenticate the user;

redirecting the client browser to the authorization server configured to issue a token credential for indicating authorization of the user to obtain a token for indicating to the resource server authorization of the user to access the protected resource;

intercepting an authorization request from the browser to the authorization server configured to issue a token credential, andinserting into the authorization request an HTTP header variable indicating the authentication status of the user;

wherein the token credential allows access, by the application, to the token from the authorization server.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

User access to a protected resource is controlled by: intercepting a request from a client browser (80) directed to a server (50); requesting user credentials from the client browser (80); processing user credentials received from the client browser (80) to authenticate the user (20); redirecting the client browser (80) to an authorization server (70) configured to issue a token credential; intercepting an authorization request from the browser (80) to the authorization server (70), and inserting into the authorization request an HTTP header variable indicating the authentication status of the user (20). The authorization server (70) is arranged to issue a token credential, which may be used by the user (20) to obtain a token for indicating to a server (50) hosting the protected resource authorization of the user (20) to access the protected resource.

16 Citations

View as Search Results

12 Claims

1. A method for controlling user access to a protected resource, in which the method comprises:
- receiving, from an untrusted application, an access request for a user to a protected resource at a resource server;
  
  determining whether the access request lacks an indicating that the user is authorized to access the protected resource;
  
  sending, upon determination that the access request lacks the indication that the user is authorized to access the protected resource, a command, from the resource server to the application, for opening a client browser;
  
  intercepting a request from the client browser directed to an authorization server;
  
  requesting user credentials from the client browser;
  
  processing user credentials received from the client browser to authenticate the user;
  
  redirecting the client browser to the authorization server configured to issue a token credential for indicating authorization of the user to obtain a token for indicating to the resource server authorization of the user to access the protected resource;
  
  intercepting an authorization request from the browser to the authorization server configured to issue a token credential, andinserting into the authorization request an HTTP header variable indicating the authentication status of the user;
  
  wherein the token credential allows access, by the application, to the token from the authorization server.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1 further comprising:
    - in response to the authorization request, sending the token credential to the browser.
  - 3. The method of claim 1 further comprising:
    - sending to the authorization server authorization of the user to access the protected resource, a HTTP request comprising at least one HTTP header variable indicating authentication of the user;
      
      in which the user credentials are not present in the HTTP request.
  - 4. The method of claim 3 further comprising:
    - in response to the HTTP request, sending a token to the application.
  - 5. The method of claim 1, in which the at least one HTTP header variable is generated as part of a session between the browser running on a client and a web agent.
  - 6. The method of claim 1 further comprisingreceiving, at the authorization server, a request message comprising a URI that is not recognized by the authorization server as indicating a request for authorization to access a protected resource;
    - in which the path name is replaced on the authorization server with a path name of a type that is recognized by the authorization server as indicating a request for authorization to access a protected resource.
  - 7. The method of claim 1 further comprising:
    - sending the token credential to the browser running on a client for sharing the token credential with the application running on the client.
  - 8. The method of claim 7 further comprising:
    - receiving, from the application running on the client, the token credential to obtain the token for indicating to the resource server hosting the protected resource, authorization of the user to access the protected resource.

9. A non-transitory tangible computer readable medium having stored thereon, computer executable instructions that, if executed by a computing device, cause the computing device to perform a method comprising:
- receiving, from an untrusted application, an access request for a user to a protected resource at a resource server;
  
  determining whether the access request lacks an indication that the user is authorized to access the protected resource;
  
  sending, upon determination that the access request lacks the indication that the user is authorized to access the protected resource, a command, from the resource server to the application, for opening a client browser;
  
  intercepting a request from the client browser directed to an authorization server;
  
  requesting user credentials from the client browser;
  
  processing user credentials received from the client browser to authenticate the user;
  
  redirecting the client browser to the authorization server configured to issue a token credential for indicating authorization of the user to obtain a token for indicating to the resource;
  
  intercepting an authorization request from the browser to the authorization server configured to issue a token credential, andinserting into the authorization request an HTTP header variable indicating the authentication status of the user;
  
  wherein the token credential allows access, by the application, to the token from the authorization server.
- View Dependent Claims (10)
- - 10. The non-transitory tangible computer readable medium of claim 9, the method further comprising sending the token credential to the browser in response to the authorization request.

11. A computer server system for controlling user access to a protected resource, the computer server system comprising a resource server and an authorization server, and the computer server system being at least configured to:
- receive, from an untrusted application, an access request for a user to a protected resource at the resource server;
  
  determine whether the access request lacks an indication that the user is authorized to access the protected resource;
  
  send, upon determination that the access request lacks the indication that the user is authorized to access the protected resource, a command, from the resource server to the application, to open a client browser;
  
  intercept a request from the client browser directed to the authorization server;
  
  request user credentials from the client browser;
  
  process user credentials received from the client browser to authenticate the user;
  
  redirect the client browser to the authorization server configured to issue a token credential for indicating authorization of the user to obtain a token for indicating to the resource server authorization of the user to access the protected resource;
  
  intercept an authorization request from the browser to the authorization server configured to issue a token credential; and
  
  insert into the authorization request an HTTP header variable indicating the authentication status of the user;
  
  wherein the token credential allows access, by the application, to the token from the authorization server.
- View Dependent Claims (12)
- - 12. The computer server system of claim 11, wherein the computer server system is further configured to send the token credential to the browser in response to the authorization request.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
British Telecommunications PLC (BT Group PLC)
Original Assignee
British Telecommunications PLC (BT Group PLC)
Inventors
Mason, Jeremy Roger
Primary Examiner(s)
Smithers, Matthew

Application Number

US14/347,809
Publication Number

US 20140282919A1
Time in Patent Office

1,484 Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 63/0281   Proxies

H04L 63/08   for authentication of entit...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/083   using passwords cryptograph...

H04L 63/0884   by delegation of authentica...

H04L 63/10   for controlling access to d...

H04L 63/168   above the transport layer

H04L 67/02   based on web technology, e....

Controlled access

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

16 Citations

12 Claims

Specification

Solutions

Use Cases

Quick Links

Controlled access

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

16 Citations

12 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links