Unified system for authentication and authorization

US 9,479,509 B2
Filed: 11/06/2009
Issued: 10/25/2016
Est. Priority Date: 11/06/2009
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving, by a processing device, a request from a trusted application to authorize a client application that requests a service offered by the trusted application other than authorization and authentication, wherein the trusted application is a software application to offer the service to the client application, wherein the request comprises a user identifier (ID) identifying a user of the client application, a process ID identifying the client application, and an action ID identifying an action to be carried out by the trusted application;

determining, in view of the request, whether the client application is authorized to access the trusted application in view of an authorization policy;

causing an authentication of the user of the client application in response to determining the client application is authorized to access the trusted application; and

returning to the trusted application, by the processing device, an authorization result in view of the determining and the authentication.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A request is received at an authorization framework via an authorization application programming interface (API) from a trusted application for authorizing a client application, where the client application requests a service provided by the trusted application. In response to the request, the client application is authorized in view of one or more authorization policies associated with the client application to determine whether the client application is authorized to access the requested service. A user associated with the client application is authenticated to determine whether the user is allowed to access the requested service. Thereafter, a value is returned from the authorization framework via the authorization API to the trusted application indicating whether the client application can access the requested service provided by the trusted application, based on results of the authorization and authentication.

Citations

18 Claims

1. A method comprising:
- receiving, by a processing device, a request from a trusted application to authorize a client application that requests a service offered by the trusted application other than authorization and authentication, wherein the trusted application is a software application to offer the service to the client application, wherein the request comprises a user identifier (ID) identifying a user of the client application, a process ID identifying the client application, and an action ID identifying an action to be carried out by the trusted application;
  
  determining, in view of the request, whether the client application is authorized to access the trusted application in view of an authorization policy;
  
  causing an authentication of the user of the client application in response to determining the client application is authorized to access the trusted application; and
  
  returning to the trusted application, by the processing device, an authorization result in view of the determining and the authentication.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1 further comprising determining whether the client application and the user are authorized to access the service.
  - 3. The method of claim 1, wherein authenticating the user comprises invoking an authentication agent, and wherein the user accesses the client application within a session, and wherein the authentication agent runs in the session, and wherein the authentication agent is to collect one or more credentials from the user that are required to access the service.
  - 4. The method of claim 3, wherein the authentication agent is to display a graphical user interface to obtain the one or more credentials from the user, and wherein the one or more credentials comprise a credential associated with a super user that is required to access the service.
  - 5. The method of claim 3, wherein the authentication agent is to display a graphical user interface that enables the user to select a predetermined authorized user and a credential associated with the predetermined authorized user that is required to access the service.
  - 6. The method of claim 1, further comprising accessing a different authority to perform at least one of additional authorization of the client application or additional authentication of the user.

7. A non-transitory computer readable storage medium including instructions that, when executed by a processing device, cause the processing device to:
- receive, by the processing device, a request from a trusted application to authorize a client application that requests a service offered by the trusted application other than authorization and authentication, wherein the trusted application is a software application to offer the service to the client application, wherein the request comprises a user identifier (ID) identifying a user of the client application, a process ID identifying the client application, and an action ID identifying an action to be carried out by the trusted application;
  
  determine, in view of the request, whether the client application is authorized to access the trusted application in view of an authorization policy;
  
  cause an authentication of the user of the client application in response to determining the client application is authorized to access the trusted application; and
  
  return to the trusted application, by the processing device, an authorization result in view of the determining and the authentication.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The non-transitory computer readable storage medium of claim 7, wherein the processing device is further to determine whether the client application and the user are authorized to access the service.
  - 9. The non-transitory computer readable storage medium of claim 7, wherein to cause the authentication of the user, the processing device is further to invoke an authentication agent, wherein the user accesses the client application within a session, wherein the authentication agent runs in the session, and wherein the authentication agent is to collect one or more credentials from the user that are required to access the service.
  - 10. The non-transitory computer readable storage medium of claim 9, wherein the authentication agent is to display a graphical user interface to obtain the one or more credentials from the user, and wherein the one or more credentials comprise a credential associated with a super user that is required to access the service.
  - 11. The non-transitory computer readable storage medium of claim 9, wherein the authentication agent is to display a graphical user interface that enables the user to select a predetermined authorized user and a credential associated with the predetermined authorized user that is required to access the service.
  - 12. The non-transitory computer readable storage medium of claim 7, wherein the processing device is further to access a different authority to perform at least one of additional authorization of the client application or additional authentication of the user.

13. A system comprising:
- a memory to store instructions; and
  
  a processing device, operatively coupled to the memory, to;
  
  receive a request from a trusted application to authorize a client application that requests a service offered by the trusted application other than authorization and authentication, wherein the trusted application is a software application to offer the service to the client application, wherein the request comprises a user identifier (ID) identifying a user of the client application, a process ID identifying the client application, and an action ID identifying an action to be carried out by the trusted application;
  
  determine, in view of the request, whether the client application is authorized to access the trusted application in view of an authorization policy;
  
  cause an authentication of the user of the client application in response to determining the client application is authorized to access the trusted application; and
  
  return to the trusted application, by the processing device, an authorization result in view of the determining and the authentication.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The system of claim 13, wherein the processing device is also to determine whether the client application and the user are authorized to access the service.
  - 15. The system of claim 13, wherein authenticating the user comprises invoking an authentication agent, and wherein the user accesses the client application within a session, and wherein the authentication agent runs in the session, and wherein the authentication agent is to collect one or more credentials from the user that are required to access the service.
  - 16. The system of claim 14, wherein the authentication agent is to display a graphical user interface to obtain the one or more credentials from the user, and wherein the one or more credentials comprise a credential associated with a super user that is required to access the service.
  - 17. The system of claim 14, wherein the authentication agent is to display a graphical user interface that enables the user to select a predetermined authorized user and a credential associated with the predetermined authorized user that is required to access the service.
  - 18. The system of claim 13, wherein the processing device is also to access a different authority to perform at least one of additional authorization of the client application or additional authentication of the user.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Red Hat, Inc. (International Business Machines Corporation)
Original Assignee
Red Hat, Inc. (International Business Machines Corporation)
Inventors
Zeuthen, David
Primary Examiner(s)
JHAVERI, JAYESH M

Application Number

US12/613,980
Publication Number

US 20110113484A1
Time in Patent Office

2,545 Days
Field of Search

726/4, 726/5, 726 17- 19, 726/21, 726 27- 29
US Class Current

1/1
CPC Class Codes

G06F 21/30   Authentication, i.e. establ...

G06F 21/32   using biometric data, e.g. ...

G06F 21/44   Program or device authentic...

G06F 21/445   by mutual authentication, e...

G06F 21/62   Protecting access to data v...

G06F 21/6281   at program execution time, ...

G06F 21/629   to features or functions of...

H04L 63/08   for authentication of entit...

H04L 63/10   for controlling access to d...

H04L 63/102   Entity profiles

H04L 63/20   for managing network securi...

H04L 9/3228   One-time or temporary data,...

Unified system for authentication and authorization

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Unified system for authentication and authorization

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links