User impersonation/delegation in a token-based authentication system
First Claim
1. A method, operating within a service, of enabling access by the service to an application executing in a computing entity, comprising:
- establishing, by the service, a trust relationship between the service and an identity provider by which the service becomes a trusted service;
- requesting, by the trusted service, a token from the identity provider;
- receiving, by the trusted service, the token from the identity provider, the token having been generated by the identity provider without requiring presentation by the trusted service of user credential information;
- the trusted service, on behalf of a user, using the token and a user credential to establish the trusted service as an authenticated user to the application; and
- upon establishing the trusted service as an authenticated user, the trusted service accessing the application.
Abstract
A "trusted service" establishes a trust relationship with an identity provider and interacts with the identity provider over a trusted connection. The trusted service acquires a token from the identity provider for a given user (or set of users) without having to present the user's credentials. The trusted service then uses this token (e.g., directly, by invoking an API, by acquiring another token, or the like) to access and obtain a cloud service on a user's behalf even in the user's absence. This approach enables background services to perform operations within a hosted session (e.g., via OAuth-based APIs) without presenting user credentials or even having the user present.
34 Citations
24 Claims
1. A method, operating within a service, of enabling access by the service to an application executing in a computing entity, comprising:
- establishing, by the service, a trust relationship between the service and an identity provider by which the service becomes a trusted service;
- requesting, by the trusted service, a token from the identity provider;
- receiving, by the trusted service, the token from the identity provider, the token having been generated by the identity provider without requiring presentation by the trusted service of user credential information;
- the trusted service, on behalf of a user, using the token and a user credential to establish the trusted service as an authenticated user to the application; and
- upon establishing the trusted service as an authenticated user, the trusted service accessing the application.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12.

13. Apparatus, comprising:
- a processor;
- computer memory holding computer program instructions that when executed by the processor perform a method, operating within a service, of enabling access by the service to an application executing in a computing entity, the method comprising:
  - establishing, by the service, a trust relationship between the service and an identity provider by which the service becomes a trusted service;
  - requesting, by the trusted service, a token from the identity provider;
  - receiving, by the trusted service, the token from the identity provider, the token having been generated by the identity provider without requiring presentation by the trusted service of user credential information;
  - the trusted service, on behalf of a user, using the token and a user credential to obtain an authenticated user identity for the trusted service and by which the user can be impersonated to the application; and
  - upon receiving the authenticated user identity establishing the trusted service as an authenticated user, the trusted service accessing the application.
Dependent claims: 14, 15, 16, 17, 18.

19. A computer program product in a non-transitory computer readable medium for use in a data processing system, the computer program product holding computer program instructions which, when executed by the data processing system, perform a method, operating within a service, of enabling access by the service to an application executing in a computing entity, the method comprising:
- establishing, by the service, a trust relationship with an identity provider by which the service becomes a trusted service;
- requesting, by the trusted service, a token from the identity provider;
- receiving, by the trusted service, the token from the identity provider, the token having been generated by the identity provider without presentation by the trusted service of user credential information;
- the trusted service, on behalf of a user, using the token and a user credential to obtain an authenticated user identity for the trusted service and by which the user can be impersonated to the application; and
- upon receiving the authenticated user identity establishing the trusted service as an authenticated user, the trusted service accessing the application.
Dependent claims: 20, 21, 22.

23. The computer program product as described in claim 20 wherein the token received by the trusted service is a specific token for an authorized user.
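The delegation flow the abstract and claims describe, as an added Python sketch that is not code from the patent or from any product: the identity provider issues a service token to a pre-registered trusted service on proof of a shared secret and without any user credential, the service exchanges it for a token naming the user it acts for, and the application accepts that token only after checking signature, expiry, audience and that the acting service is one it trusts. The shared-secret registration, the HMAC-signed JSON token format and the `act` claim are assumptions made for the demo.

```python
import base64, hashlib, hmac, json
from typing import Optional, Tuple

# Constructed demo values. Assumed design: the trust relationship is a pre-registered
# shared secret per service; tokens are HMAC-signed JSON (a stand-in for real JWTs).
IDP_KEY = b"idp-signing-key-demo"                         # identity provider's signing key
TRUSTED_SERVICES = {"backup-svc": b"backup-svc-secret"}    # services the IdP trusts
APP_AUDIENCE = "mail-app"                                  # the application being accessed
TTL = 300                                                  # token lifetime in seconds

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def sign_token(claims: dict, key: bytes) -> str:
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    return body + "." + _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())

def verify_token(token: str, key: bytes) -> Optional[dict]:
    body, _, sig = token.partition(".")
    good = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, good):
        return None                                        # forged or tampered token
    return json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))

def service_proof(service_id: str, now: int) -> str:
    """Service side: prove the trust relationship with a MAC over its id and the time."""
    msg = f"{service_id}:{now}".encode()
    return hmac.new(TRUSTED_SERVICES[service_id], msg, hashlib.sha256).hexdigest()

def idp_issue_service_token(service_id: str, proof: str, now: int) -> Optional[str]:
    """IdP step: token for a trusted service. No user credential is presented here."""
    if service_id not in TRUSTED_SERVICES or not hmac.compare_digest(proof, service_proof(service_id, now)):
        return None
    return sign_token({"iss": "idp", "sub": service_id, "typ": "service", "exp": now + TTL}, IDP_KEY)

def idp_issue_user_token(service_token: str, user: str, now: int) -> Optional[str]:
    """IdP step: exchange the service token for one naming the user; 'act' records who acts."""
    c = verify_token(service_token, IDP_KEY)
    if not c or c.get("typ") != "service" or c.get("exp", 0) <= now:
        return None
    return sign_token({"iss": "idp", "sub": user, "act": c["sub"], "aud": APP_AUDIENCE,
                       "typ": "user", "exp": now + TTL}, IDP_KEY)

def app_authenticate(token: str, now: int) -> Optional[Tuple[str, str]]:
    """Application step: accept only IdP-signed, unexpired tokens for this audience from a trusted actor."""
    c = verify_token(token, IDP_KEY)
    if not c or c.get("aud") != APP_AUDIENCE or c.get("exp", 0) <= now or c.get("act") not in TRUSTED_SERVICES:
        return None
    return c["sub"], c["act"]   # impersonated user and the accountable service: log both
```

Because the application returns both the impersonated user and the acting service, every delegated access can be audited against the list of trusted services rather than appearing as a plain user login.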
Specification