Authored injections of context that are resolved at authentication time

US 9,479,492 B1
Filed: 12/31/2013
Issued: 10/25/2016
Est. Priority Date: 03/23/2012
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method, the method comprising:

receiving context information from a first principal, the context information relating to access rights for a second principal to perform at least one action;

scoping the context information to a namespace associated with the first principal;

inserting the context information in a credential, the credential having been issued to the second principal prior to the receiving of the context information;

receiving, by a server, an authentication request from the second principal;

determining a trusted status of the first principal based at least in part on a determination that the first principal was authorized to insert the context information into the credential; and

sending, from the server to a client associated with the second principal, an authentication response that includes the credential having the context information inserted therein, the context information evaluated for the second principal to perform the at least one action based at least on the trusted status of the first principal.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques are described for enabling principals to inject context information into a credential (e.g. session credential). Once the credential has been issued, any arbitrary principal is allowed to inject context information into the existing credential. The injected context is scoped to the principal that made the injection. Subsequently, at authentication time, when the credential is used to request access to a particular resource, the system can verify whether the principal that made the injection is trusted and if the principal is deemed trusted, the context information can be applied to a policy that controls access to one or more resources, or can alternatively be translated into some context residing in a different namespace which can then be applied to the policy. In addition, the system enables arbitrary users to insert additional deny statements into an existing credential, which further restrict the scope of permissions granted by the credential.

25 Citations

View as Search Results

19 Claims

1. A computer-implemented method, the method comprising:
- receiving context information from a first principal, the context information relating to access rights for a second principal to perform at least one action;
  
  scoping the context information to a namespace associated with the first principal;
  
  inserting the context information in a credential, the credential having been issued to the second principal prior to the receiving of the context information;
  
  receiving, by a server, an authentication request from the second principal;
  
  determining a trusted status of the first principal based at least in part on a determination that the first principal was authorized to insert the context information into the credential; and
  
  sending, from the server to a client associated with the second principal, an authentication response that includes the credential having the context information inserted therein, the context information evaluated for the second principal to perform the at least one action based at least on the trusted status of the first principal.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The computer-implemented method of claim 1, the computer-implemented method further comprising:
    - determining that the first principal is trusted; and
      
      mapping the context information scoped to the first principal to a different scope associated with the second principal.
  - 3. The computer-implemented method of claim 2, wherein mapping the context information scoped to the first principal to the different scope further comprises:
    - mapping, based on a mapping policy, the context information scoped to the first principal to a general context that is scoped to a security authority.
  - 4. The computer-implemented method of claim 2, wherein determining that the first principal is trusted further comprises:
    - determining, based on a whitelist, that the first principal is authorized to provide the context information to be inserted in the credential.
  - 5. The computer-implemented method of claim 2, wherein inserting the context information in the credential further comprises:
    - modifying the credential to include the mapping.
  - 6. The computer-implemented method of claim 2, wherein inserting the context information in the credential further comprises:
    - generating, based in part on the credential, a new credential that includes the context information.
  - 7. The computer-implemented method of claim 1, wherein the context information specifies a network address of a user that has initiated a session with the second principal.
  - 8. The computer-implemented method of claim 1, the computer-implemented method further comprising:
    - receiving, from a third principal, at least one deny statement to be included the credential;
      
      determining that the at least one deny statement restricts a scope of access granted by the credential; and
      
      inserting the at least one deny statement in the credential.
  - 9. The computer-implemented method of claim 8, the computer-implemented method further comprising:
    - providing the credential having the at least one deny statement to the second principal, wherein the access granted by the credential is restricted based on the at least one deny statement.

10. A computer-implemented method, the method comprising:
- receiving, by a server from a client associated with a first principal, context information to be included in a credential, the context information relating to access rights for a second principal to perform at least one action, the credential having been issued to the second principal prior to the receiving of the context information;
  
  scoping the context information to be included in the credential to the first principal;
  
  inserting the context information in the credential;
  
  receiving an authentication request from the second principal; and
  
  sending, from the server to a client associated with the second principal, an authentication response that includes the credential having the context information inserted therein, the context information evaluated for the second principal to perform the at least one action based at least on a trusted status of the first principal, the trusted status of the first principal based at least in part on a determination that the first principal was authorized to insert the context information into the credential.
- View Dependent Claims (11, 12, 13, 14)
- - 11. The computer-implemented method of claim 10, the computer-implemented method further comprising:
    - receiving, from a third principal, at least one deny statement to be included the credential;
      
      determining that the at least one deny statement restricts a scope of access granted by the credential; and
      
      inserting the at least one deny statement in the credential.
  - 12. The computer-implemented method of claim 10, wherein inserting the context information in the credential further comprises:
    - generating, based in part on the credential, a new credential that includes the context information.
  - 13. The computer-implemented method of claim 10, wherein inserting the context information in the credential further comprises:
    - injecting the context information into the credential, wherein the injection is performed through an Application Programming Interface (API).
  - 14. The computer-implemented method of claim 10, wherein the context information specifies a network address the client associated with the second principal that has initiated a session with the second principal.

15. A computer-implemented method, the method comprising:
- receiving, by a server, an authentication request from a first principal;
  
  determining a trusted status of a second principal based at least in part on a determination that the second principal is authorized to enrich a credential with context information, the context information relating to access rights for the first principal to perform at least one action, the credential having been issued to the first principal prior to the second principal receiving the context information to enrich the credential;
  
  generating, by the server, an authentication response, the authentication response including the credential that has been enriched with the context information, the context information having been scoped to a namespace associated with the second principal; and
  
  sending, from the server to a client associated with the second principal, the authentication response that includes the credential having been enriched with the context information, the context information evaluated for the first principal to perform the at least one action based at least in part on the trusted status of the second principal, the trusted status of the second principal based at least in part on a determination that the second principal was authorized to enrich the credential with the context information.
- View Dependent Claims (16, 17, 18, 19)
- - 16. The computer-implemented method of claim 15, wherein the context information specifies a network address of a user that has initiated a session with the first principal.
  - 17. The computer-implemented method of claim 15, the computer-implemented method further comprising:
    - receiving, from a third principal, at least one deny statement to be included the credential;
      
      determining that the at least one deny statement restricts a scope of access granted by the credential; and
      
      inserting the at least one deny statement in the credential.
  - 18. The computer-implemented method of claim 17, the computer-implemented method further comprising:
    - providing the credential having the at least one deny statement to the first principal, wherein the access granted by the credential is restricted based on the at least one deny statement.
  - 19. The computer-implemented method of claim 15, the computer-implemented method further comprising:
    - determining that the second principal is trusted; and
      
      mapping, based on a mapping policy, the context information scoped to the second principal to a general context that is scoped to a security authority.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Roth, Gregory Branchek, O'Neill, Kevin Ross
Primary Examiner(s)
Hirl, Joseph P
Assistant Examiner(s)
GUNDRY, STEPHEN T

Application Number

US14/145,654
Time in Patent Office

1,029 Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/10   Protecting distributed prog...

G06F 21/31   User authentication

H04L 63/08   for authentication of entit...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/10   for controlling access to d...

H04L 63/20   for managing network securi...

Authored injections of context that are resolved at authentication time

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

25 Citations

19 Claims

Specification

Use Cases

Quick Links

Others

Authored injections of context that are resolved at authentication time

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

25 Citations

19 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others