Delegating authorizations

US 9,648,003 B2
Filed: 01/23/2015
Issued: 05/09/2017
Est. Priority Date: 11/05/2013
Status: Active Grant

First Claim

Patent Images

1. A method for delegating access tokens relied upon to authenticate access to services, the method comprising:

receiving a plurality of access tokens from a plurality of service providers after the plurality of service providers associates each of the plurality of access tokens with at least one of a plurality of users;

receiving a first credential from a control device generated in response to the control device interacting with an sink device while the sink device is being engaged to access a first services associated with a first service provider of the plurality of service providers at a first instance in time;

identifying a first access token of the plurality of access tokens associated with a first user of the plurality of users as a function of information included within the first credential; and

transmitting the first access token to the first service provider at a second instance in time occurring after the first instance in time, the first service provider granting the sink device access to the first service at the second instance in time according to entitlements of the first user if the first access token is valid when received, thereby enabling the sink device to access the first service without providing the first access token to the service provider.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Delegating authorizations sufficient to access services is contemplate. The authorization may be delegated in the form of a token or other transmissible construct relied upon to authenticate access to services, such as but not necessarily limited to conferring a user identity established via authenticated device for the purposes of enabling an unauthenticated or unsecured device to access a service associated with the user identity.

7 Citations

View as Search Results

20 Claims

1. A method for delegating access tokens relied upon to authenticate access to services, the method comprising:
- receiving a plurality of access tokens from a plurality of service providers after the plurality of service providers associates each of the plurality of access tokens with at least one of a plurality of users;
  
  receiving a first credential from a control device generated in response to the control device interacting with an sink device while the sink device is being engaged to access a first services associated with a first service provider of the plurality of service providers at a first instance in time;
  
  identifying a first access token of the plurality of access tokens associated with a first user of the plurality of users as a function of information included within the first credential; and
  
  transmitting the first access token to the first service provider at a second instance in time occurring after the first instance in time, the first service provider granting the sink device access to the first service at the second instance in time according to entitlements of the first user if the first access token is valid when received, thereby enabling the sink device to access the first service without providing the first access token to the service provider.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1 further comprising determining an address to be used in transmitting the first access token to the first service provider as a function of information included within the first credential.
  - 3. The method of claim 2 further comprising determining at least a portion of the information included in the first credential as a result of the sink device determining an indicator displayed on the control device having an indicia sufficient for identifying the first service provider.
  - 4. The method of claim 3 further comprising instructing an identifier application on the control device to determine the indicia by processing an image of the indicator captured with a camera of the control device.
  - 5. The method of claim 4 further comprising instructing the first user to capture the image by positioning the camera to take a picture of a webpage associated with the first service provider, the webpage displaying the indicator proximate to input fields operable to receive a username and a password sufficient to enable the first user to access the first service without use of the first access token.
  - 6. The method of claim 5 further comprising transmitting a redirect message to a browser operating on the sink device to display the webpage sufficient to automatically direct the browser to a service page used to engage the first service without having to input the username and the password.
  - 7. The method of claim 1 further comprising:
    - updating the first access token after being determined as invalid with a second access token received from the first service provider at a third instance in time occurring after the second instance in time;
      
      receiving a second credential from the control device generated in response to the control device interacting with the sink device while the sink device is being engaged to access the first service at a fourth instance in time occurring after the third instance in time; and
      
      transmitting the second access token to the first service provider at a fifth instance in time occurring after the fourth instance in time as a function of information included within the second credential, the first service provider granting the sink device access to the first service at the fifth instance in time if the second access token is valid when received, thereby enabling the sink device to access the first service without providing the second access token to the service provider.
  - 8. The method of claim 1 further comprising:
    - receiving a second credential from the control device generated in response to the control device interacting with the sink device while the sink device is being engaged to access the first service at a third instance in time occurring after the second instance in time;
      
      determining the second credential to be one of authenticated and unauthenticated at a fourth instance in time occurring after the third instance in time, including determining the second credential to be authenticated if the control device successful completed an authentication process at a fifth instance in time occurring prior to the third instance in time and to be unauthenticated if the control device unsuccessfully completed the authentication process at the fifth instance in time;
      
      transmitting the first access token to the first service provider at a sixth instance in time occurring after to the fourth instance in time if the second credential is determined to be authenticated, the first service provider granting the sink device access to the first service at the sixth instance in time if the first access token is valid when received; and
      
      instructing the control device to display a login message to the first user in the event the second credential is determined to be unauthenticated, the login message instructing the first user to input a username and a password or other sufficient authentication to a webpage displayed on the sink device to facilitate access to the first service at the sixth instance in time.

9. A non-transitory computer-readable medium having a plurality of non-transitory instructions operable with a processor associated with a service provider to facilitate access to services, the non-transitory instructions being sufficient for:
- associating a plurality of users with one or more of a plurality of access tokens, each access token authenticating the corresponding user for access to at least one of a plurality of services offered by the service provider;
  
  associating at least one of a plurality of indicators with each of the plurality of services, each indicator being sufficient to uniquely identify the service associated therewith;
  
  associating a first indicator of the plurality of indicators with a sink device attempting to access the first service, the first indicator uniquely identifying a first service of the plurality of services; and
  
  enabling the sink device access to the first service according to a first user of the plurality of users associated with a first access token of the plurality of access tokens, including determining the first access token in response to a control device generating a credential having information sufficient to identify the first user and the first service, the control device identifying the first service after interacting with the first indicator associated with the sink device.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The non-transitory computer-readable medium of claim 9 further comprising non-transitory instructions sufficient for transmitting the plurality of access tokens to a server in communication with the control device.
  - 11. The non-transitory computer-readable medium of claim 10 further comprising non-transitory instructions sufficient for enabling the sink device access to the first service following receipt of an access message from the server, the access message being generated according to information included in the credential transmitted from the control device to include the first access token and an address of the sink device.
  - 12. The non-transitory computer-readable medium of claim 11 further comprising non-transitory instructions sufficient for transmitting access instructions to the sink device to access the first service therethrough, including identifying the sink device to receive the access instructions as a function of the address included with the access message.
  - 13. The non-transitory computer readable medium of claim 12 further comprising non-transitory instructions sufficient for transmitting the access instructions to the sink device as a redirect, the redirect automatically controlling a browser displaying a login page showing the first indicator to a service webpage used for engaging the first service.
  - 14. The non-transitory computer readable medium of claim 9 further comprising non-transitory instructions sufficient for associating the first indicator with the sink device via a login page displayed with a browser operating on the sink device, the login page showing the first indicator in a manner sufficient for a camera of the control device to capture an image of the first indicator, the control device identifying identify the first service in the credential according to indicia of the first indicator included in the image.
  - 15. The non-transitory computer readable medium of claim 14 further comprising non-transitory instructions sufficient for generating the first indicator in response a request form the browser to download the login page, including generating the indicia included as at least part of the first indicator to reference a token address, the token address being included in the credential to facilitate transmitting the first access token to the service provider.
  - 16. The non-transitory computer-readable medium of claim 9 further comprising non-transitory instruction sufficient for enabling the sink device access to the first service without requiring the sink device to receive the first access token from the control device and without requiring the sink device to transmit the first access token to the service provider.

17. A system for authenticating a sink device to access a service associated with a service provider, the system comprising:
- an control device configured to;
  
  i) capture an image of an indicator having visually recognizable indicia sufficient to represent service information associated with an attempt to instantiate the service at the sink device; and
  
  ii) transmit a credential sufficient to identify a user associated with the control device and at least a portion of the service information;
  
  a server configured to;
  
  i) receive a plurality of access tokens for a plurality of users authorized to access the service;
  
  ii) receive the credential from the control device;
  
  iii) determine an access token from the plurality of access tokens associated with the user identified with the credential;
  
  iv) transmit an access message to the service provider to authenticate the sink device to access the service, the access message including the access token and at least a portion of the server information included with the credential.
- View Dependent Claims (18, 19, 20)
- - 18. The system of claim 17 wherein the server is configured todetermine the credential to be one of authenticated and unauthenticated, including determining the credential to be authenticated if the control device successful completed an authentication process and to be unauthenticated if the control device unsuccessfully completed the authentication process;
    - transmit the access token to first service provider if the credential is determined to be authenticated, the service provider thereafter granting the sink device access to the service if the access token is valid when received; and
      
      instruct the control device to display a login message to the user in the event the credential is determined to be unauthenticated, the login message instructing the user to input a username and a password or other sufficient authentication to a webpage displaying the indicator on the sink device to facilitate access to the service.
  - 19. The system of claim 17 wherein the control device is configured to capture the image of the indicator from a login webpage displayed on the sink device.
  - 20. The system of claim 17 wherein the control device is configured to capture the image of the indicator from a quick response (QR) code associated with the sink device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cable Television Laboratories Incorporated
Original Assignee
Cable Television Laboratories Incorporated
Inventors
Lund, Robert M., Johnson, Steven E.
Primary Examiner(s)
Lee, Jason

Application Number

US14/604,509
Publication Number

US 20150150106A1
Time in Patent Office

837 Days
Field of Search

726 6, 726 25
US Class Current
CPC Class Codes

H04L 63/08   for authentication of entit...

H04L 63/0815   providing single-sign-on or...

H04L 63/083   using passwords cryptograph...

H04L 63/10   for controlling access to d...

H04L 67/02   based on web technology, e....

H04L 9/3213   using tickets or tokens, e....

Delegating authorizations

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

7 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Delegating authorizations

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

7 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links