Authored injections of context that are resolved at authentication time
Abstract
Techniques are described for enabling principals to inject context information into a credential (e.g. session credential). Once the credential has been issued, any arbitrary principal is allowed to inject context information into the existing credential. The injected context is scoped to the principal that made the injection. Subsequently, at authentication time, when the credential is used to request access to a particular resource, the system can verify whether the principal that made the injection is trusted and if the principal is deemed trusted, the context information can be applied to a policy that controls access to one or more resources, or can alternatively be translated into some context residing in a different namespace which can then be applied to the policy. In addition, the system enables arbitrary users to insert additional deny statements into an existing credential, which further restrict the scope of permissions granted by the credential.
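The mechanism the abstract and the independent claims describe, as an added Python example that is not part of the patent or of any product implementing it: a credential is issued to a subject; other principals later append context entries scoped to their own namespace, or deny statements; and the server decides at authentication time whether each injecting principal is trusted before the context reaches the policy, translating scoped keys into the policy's namespace where a mapping exists. The principal names, the per-principal HMAC used to prove who authored an injection, the trust list, the translation table and the statement format are all assumptions made for the illustration.

```python
"""Credential context injection resolved at authentication time (example)."""
import hashlib
import hmac
import json

# Constructed per-principal secrets; stands in for whatever key material the
# server uses to check that a principal really authored an injection.
KEYS = {
    "issuer": b"issuer-secret",
    "sec-team": b"sec-team-secret",
    "contractor": b"contractor-secret",
    "bob": b"bob-secret",
}
# Principals the server trusts to enrich bob's credential (assumption).
TRUSTED_INJECTORS = {"sec-team"}
# Translation of a scoped key into the namespace the policy is written in.
TRANSLATIONS = {"sec-team/mfa": "auth/mfa"}


def _mac(key: bytes, payload: dict) -> str:
    data = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def issue(subject: str, statements: list) -> dict:
    """Issuer creates the base credential; injections are appended later."""
    body = {"sub": subject, "statements": statements}
    return {"body": body, "sig": _mac(KEYS["issuer"], body), "injections": []}


def inject(cred: dict, author: str, context=None, denies=None) -> None:
    """Any principal may append context or deny statements after issuance.
    Context keys are prefixed with the author's namespace so they cannot
    collide with, or impersonate, keys owned by another principal."""
    scoped = {f"{author}/{k}": v for k, v in (context or {}).items()}
    entry = {"author": author, "context": scoped, "denies": denies or []}
    entry["mac"] = _mac(KEYS[author], entry)  # authorship proof
    cred["injections"].append(entry)


def evaluate(statements: list, context: dict, action: str) -> str:
    """Explicit deny wins; otherwise allow only if some allow statement
    names the action and all of its context conditions hold."""
    decision = "deny"
    for st in statements:
        if action not in st["actions"]:
            continue
        if st["effect"] == "deny":
            return "deny"
        if all(context.get(k) == v for k, v in st.get("conditions", {}).items()):
            decision = "allow"
    return decision


def authenticate(cred: dict, action: str) -> tuple:
    """Server-side resolution at authentication time. Returns (decision,
    resolved_context). Unverifiable injections are dropped; context from
    untrusted authors is dropped; verified deny statements always apply
    (assumption: they can only narrow the grant)."""
    if not hmac.compare_digest(cred["sig"], _mac(KEYS["issuer"], cred["body"])):
        return "deny", {}
    context, statements = {}, list(cred["body"]["statements"])
    for inj in cred["injections"]:
        author = inj["author"]
        unsigned = {k: inj[k] for k in ("author", "context", "denies")}
        if author not in KEYS or not hmac.compare_digest(
                inj["mac"], _mac(KEYS[author], unsigned)):
            continue  # cannot prove the named author made this injection
        for act in inj["denies"]:
            statements.append({"effect": "deny", "actions": [act]})
        if author not in TRUSTED_INJECTORS:
            continue  # authored, but not trusted to enrich the credential
        for key, value in inj["context"].items():
            context[key] = value
            if key in TRANSLATIONS:
                context[TRANSLATIONS[key]] = value
    return evaluate(statements, context, action), context


def demo() -> dict:
    """Walk the credential through each injection case (constructed data)."""
    cred = issue("bob", [{"effect": "allow", "actions": ["read", "delete"],
                          "conditions": {"auth/mfa": "hardware"}}])
    out = {"before": authenticate(cred, "read")[0]}      # no context: deny
    inject(cred, "contractor", {"mfa": "hardware"})      # untrusted author
    out["untrusted"] = authenticate(cred, "read")[0]
    cred["injections"].append({"author": "sec-team", "denies": [],
                               "context": {"sec-team/mfa": "hardware"},
                               "mac": "0" * 64})         # forged authorship
    out["forged"] = authenticate(cred, "read")[0]
    inject(cred, "sec-team", {"mfa": "hardware"})        # trusted, translated
    out["trusted"] = authenticate(cred, "read")[0]
    inject(cred, "bob", denies=["delete"])               # self-imposed deny
    out["read_after_deny"], out["context"] = authenticate(cred, "read")
    out["delete_after_deny"] = authenticate(cred, "delete")[0]
    return out


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Two checks matter most here: the authorship MAC is what lets the server attribute an injection to a principal before asking whether that principal is trusted, so a forged entry claiming a trusted author is discarded rather than honoured; and because context is keyed under the author's namespace, an untrusted principal cannot write `auth/mfa` directly, only `contractor/mfa`, which the policy never consults unless a translation entry says so. Applying deny statements from any verified author is a deliberate assumption of this example; it matches the abstract's "arbitrary users" wording, but a deployment should weigh it against the denial-of-service it permits.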
25 Citations
19 Claims
1. A computer-implemented method, the method comprising:
receiving context information from a first principal, the context information relating to access rights for a second principal to perform at least one action;
scoping the context information to a namespace associated with the first principal;
inserting the context information in a credential, the credential having been issued to the second principal prior to the receiving of the context information;
receiving, by a server, an authentication request from the second principal;
determining a trusted status of the first principal based at least in part on a determination that the first principal was authorized to insert the context information into the credential; and
sending, from the server to a client associated with the second principal, an authentication response that includes the credential having the context information inserted therein, the context information evaluated for the second principal to perform the at least one action based at least on the trusted status of the first principal.
Dependent claims: 2-9.

10. A computer-implemented method, the method comprising:
receiving, by a server from a client associated with a first principal, context information to be included in a credential, the context information relating to access rights for a second principal to perform at least one action, the credential having been issued to the second principal prior to the receiving of the context information;
scoping the context information to be included in the credential to the first principal;
inserting the context information in the credential;
receiving an authentication request from the second principal; and
sending, from the server to a client associated with the second principal, an authentication response that includes the credential having the context information inserted therein, the context information evaluated for the second principal to perform the at least one action based at least on a trusted status of the first principal, the trusted status of the first principal based at least in part on a determination that the first principal was authorized to insert the context information into the credential.
Dependent claims: 11-14.

15. A computer-implemented method, the method comprising:
receiving, by a server, an authentication request from a first principal;
determining a trusted status of a second principal based at least in part on a determination that the second principal is authorized to enrich a credential with context information, the context information relating to access rights for the first principal to perform at least one action, the credential having been issued to the first principal prior to the second principal receiving the context information to enrich the credential;
generating, by the server, an authentication response, the authentication response including the credential that has been enriched with the context information, the context information having been scoped to a namespace associated with the second principal; and
sending, from the server to a client associated with the second principal, the authentication response that includes the credential having been enriched with the context information, the context information evaluated for the first principal to perform the at least one action based at least in part on the trusted status of the second principal, the trusted status of the second principal based at least in part on a determination that the second principal was authorized to enrich the credential with the context information.
Dependent claims: 16-19.

Specification