Request-specific authentication for accessing web service resources
Abstract
Requests for access to Web service resources are evaluated based on the type of request that is received. Requests are not granted unless sufficient proof of authentication is provided to grant that request. An authentication service evaluates one or more factors to determine whether or not to authenticate the client. After being authenticated by the authentication service, proof of authentication is provided to the Web service, which grants access to the Web service resource.
Claims (9 claims, 47 citations)
1. A computing system for controlling access to a protected Web service resource, the computing system comprising:
a communication device for communicating across a communication network;
an interface configured to receive a first request from a client to access the protected Web service resource from the communication network;
the interface configured to generate a fault on a condition that the first request fails to indicate that at least one message-specific authentication protocol process has been completed; and
a transmitter configured to transmit the fault to the client, the fault including:
an identifier of the first request;
an identifier of one or more authentication processes associated with the first request;
an address to an authentication service that can issue an encrypted token; and
an identifier of the client on behalf of whom the first request was made;
the interface further configured to receive a second request from the client to access the protected Web service resource from the communication network, the second request including the encrypted token obtained from the authentication service identified in the fault, wherein the encrypted token includes:
the identifier of the first request; and
an indication of successful completion of the one or more authentication processes associated with the first request;
the interface further configured to grant the second request to access the protected Web service resource based on validation of the encrypted token, the validation comprising decryption of the encrypted token with a public key of the authentication service by the processing unit.
2. A method of authenticating a client for access to a Web service resource, the method comprising:
(i) receiving a first request from the client to be authenticated;
(ii) sending a challenge message to the client;
(iii) receiving a confirmation response to the challenge message from the client;
(iv) determining that the confirmation response meets a first predetermined criterion;
(v) determining that the confirmation response requires further authentication in that the confirmation response fails to indicate that at least one message-specific authentication protocol process has been completed;
(vi) repeating (ii) through (iv) with:
a second challenge message that includes an identifier of the first request, an identifier of one or more authentication processes associated with the first request, an address to an authentication service that can issue an encrypted token, and an identifier of the client on behalf of whom the first request was made;
a second confirmation response that includes an encrypted token obtained from the authentication service, the encrypted token including an identifier of the first request and an indication of successful completion of one or more authentication processes associated with the first request; and
a second predetermined criterion met by decrypting the encrypted token with a public key of the authentication service; and
(vii) sending an authentication message to the client based on the decryption.
(Dependent claims: 3, 4)
5. A computer readable storage device containing computer executable instructions which when executed by a computer perform a method of controlling access to a protected resource, the method comprising:
receiving a request from a client identifying the protected resource of a Web service;
determining that the request fails to indicate that at least one message-specific authentication protocol process has been completed;
sending a response to the client requesting authentication from an authentication service that can issue an encrypted token, wherein the response includes:
(a) an identifier of the request;
(b) an identifier of one or more authentication processes associated with the request;
(c) an address to the authentication service; and
(d) an identifier of the client on behalf of whom the request was made;
receiving an authentication from the client after being authenticated by the authentication service, the authentication comprising an encrypted token that includes the identifier of the request and an indication of successful completion of the one or more authentication processes associated with the request;
determining whether the authentication is of at least a first level to grant the request, authentication of at least the first level including decryption of the encrypted token with a public key of the authentication service; and
sending an authentication message to grant the request when the authentication is of at least the first level.
(Dependent claims: 6, 7, 8, 9)
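The exchange the claims describe (first request refused with a fault, token obtained from the authentication service, second request validated against the token), as an added Go example that is not part of the patent or any product it covers. It assumes Ed25519 signatures: the claims' "decryption of the encrypted token with a public key of the authentication service" is in practice a signature check, which is what is modelled here; the process names "password" and "otp", the service URL, and the merging of the claims' interface and transmitter into one ResourceServer are constructed for illustration.

```go
package main
import (
	"crypto/ed25519"
	"encoding/json"
	"errors"
)

// Fault is the resource server's reply to a first request carrying no proof of authentication.
type Fault struct {
	RequestID string   // identifier of the first request
	AuthProcs []string // authentication processes the request needs
	AuthSvc   string   // address of the service that issues the token
	ClientID  string   // client on whose behalf the request was made
}

// Token is the authentication service's proof: a body naming the original request and the
// completed processes, signed so the resource server can check it with the service's public key.
type Token struct{ Body, Sig []byte }
type tokenBody struct{ RequestID string; Completed []string }

// IssueToken models the authentication service after the client has passed the
// processes in done; the challenge/response steps themselves are not modelled.
func IssueToken(priv ed25519.PrivateKey, reqID string, done []string) Token {
	body, _ := json.Marshal(tokenBody{reqID, done})
	return Token{Body: body, Sig: ed25519.Sign(priv, body)}
}

// ResourceServer guards one resource that requires every process in Required (assumed policy).
type ResourceServer struct{ AuthPub ed25519.PublicKey; AuthSvc string; Required []string }

// Request serves the first request (tok == nil) and the retry that carries a token.
func (s *ResourceServer) Request(clientID, reqID string, tok *Token) (bool, *Fault, error) {
	if tok == nil { // no proof of authentication: refuse and say what is needed
		return false, &Fault{reqID, s.Required, s.AuthSvc, clientID}, nil
	}
	var b tokenBody // signature, well-formedness and binding to this request are all required
	if !ed25519.Verify(s.AuthPub, tok.Body, tok.Sig) || json.Unmarshal(tok.Body, &b) != nil || b.RequestID != reqID {
		return false, nil, errors.New("token invalid or not bound to this request")
	}
	done := map[string]bool{}
	for _, p := range b.Completed {
		done[p] = true
	}
	for _, p := range s.Required { // every required process must be reported complete
		if !done[p] {
			return false, nil, errors.New("authentication process not completed: " + p)
		}
	}
	return true, nil, nil
}
```

Binding the token to the request identifier is what stops a token issued for one request from being replayed against another; a production server would additionally expire tokens and track which request identifiers are outstanding.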
Specification