Inter-application delegated authentication

US 9,654,461 B2
Filed: 04/29/2015
Issued: 05/16/2017
Est. Priority Date: 04/29/2014
Status: Active Grant

First Claim

Patent Images

1. A method for authenticating an application executing on a client device, the method comprising:

receiving an authentication request from a first application executing on a client device;

identifying, at a server remote from the client device, a second application executing on the client device to which authentication of the first application is delegable, the second application being previously authenticated with credentials associated with the client device;

transmitting an instruction to the first application to continue authentication via the second application; and

authenticating the first application with the credentials associated with the client device based on the first application continuing authentication via the second application.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Disclosed is a system for delegating authentication of an untrusted application executing on a client device. For delegated authentication, an untrusted application relies on a trusted application executing in the same environment for authentication purposes. The delegated authentication process avoids requiring the user of the untrusted application to provide authentication credentials. The disclosed system for delegating authentication enables any trusted application executing in the same computing environment to authenticate the untrusted application.

Citations

32 Claims

1. A method for authenticating an application executing on a client device, the method comprising:
- receiving an authentication request from a first application executing on a client device;
  
  identifying, at a server remote from the client device, a second application executing on the client device to which authentication of the first application is delegable, the second application being previously authenticated with credentials associated with the client device;
  
  transmitting an instruction to the first application to continue authentication via the second application; and
  
  authenticating the first application with the credentials associated with the client device based on the first application continuing authentication via the second application.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1, wherein authenticating the first application comprises:
    - receiving a verification request from the second application for authenticating the first application; and
      
      in response to receiving the verification request, transmitting an authentication token to the first application indicating that the first application is authenticated with the credentials associated with the client device.
  - 3. The method of claim 1, wherein the authentication request includes a unique parameter associated with the client device.
  - 4. The method of claim 3, wherein the unique parameter is a combination of one or more attributes of the client device selected from a group consisting of a screen size, a screen resolution, a volume setting, a list of applications executing on the client device, and carrier information.
  - 5. The method of claim 3, wherein identifying the second application comprises:
    - accessing a device profile of the client device from a device profile store based on the unique parameter, the device profile including a list of applications that have previously been authenticated with the credentials associated with the client device; and
      
      selecting the second application from the list of applications.
  - 6. The method of claim 5, further comprising:
    - receiving one or more events from the second application after the second application is authenticated, each event indicates an action associated with the application and a timestamp indicating when the action was taken; and
      
      selecting the second application from the list of applications based on the one or more events.
  - 7. The method of claim 6, wherein selecting the second application from the list of applications comprises determining, based on the timestamps included in the one or more events, that the second application is currently available to continue the authentication of the first application.
  - 8. The method of claim 1, wherein the instruction transmitted to the first application includes a cryptographic nonce, and further comprising storing the cryptographic nonce as a most-recently transmitted nonce in association with the authentication request.
  - 9. The method of claim 2, wherein the verification request received from the second application includes a hashed value generated from the cryptographic nonce.
  - 10. The method of claim 9, further comprising determining, prior to transmitting the authentication token, that the verification request is timely by comparing a locally generated value using the most-recently transmitted nonce matches the hashed value included in the verification request.
  - 11. The method of claim 1, wherein the verification request received from the second application is signed using a cryptographic key associated with the second application.
  - 12. The method of claim 1, wherein the second application executes on a second client device that shares the credentials associated with the client device.

13. A non-transitory computer readable storage medium storing instructions for authenticating an application executing on a client device, the instructions when executed by a processor causes the processor to:
- receive an authentication request from a first application executing on a client device;
  
  identify, at a server remote to the client device, a second application executing on the client device to which authentication of the first application is delegable, the second application being previously authenticated with credentials associated with the client device;
  
  transmit an instruction to the first application to continue authentication via the second application; and
  
  authenticate the first application with the credentials associated with the client device based on the first application continuing authentication via the second application.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20)
- - 14. The non-transitory computer readable storage medium of claim 13, further comprising instructions that when executed causes the processor to:
    - receive a verification request from the second application for authenticating the first application; and
      
      in response to receiving the verification request, transmit an authentication token to the first application indicating that the first application is authenticated with the credentials associated with the client device.
  - 15. The non-transitory computer readable storage medium of claim 13, wherein the instructions for the authentication request includes a unique parameter associated with the client device.
  - 16. The non-transitory computer readable storage medium of claim 15, wherein the unique parameter is a combination of one or more attributes of the client device selected from a group consisting of a screen size, a screen resolution, a volume setting, a list of applications executing on the client device, and carrier information.
  - 17. The non-transitory computer readable storage medium of claim 15, further comprising instructions that when executed causes the processor to:
    - access a device profile of the client device from a device profile store based on the unique parameter, the device profile including a list of applications that have previously been authenticated with the credentials associated with the client device; and
      
      select the second application from the list of applications.
  - 18. The non-transitory computer readable storage medium of claim 17, further comprising instructions that when executed causes the processor to:
    - receive one or more events from the second application after the second application is authenticated, each event indicates an action associated with the application and a timestamp indicating when the action was taken; and
      
      select the second application from the list of applications based on the one or more events.
  - 19. The non-transitory computer readable storage medium of claim 18, further comprising instructions that when executed causes the processor to determine, based on the timestamps included in the one or more events, that the second application is currently available to continue the authentication of the first application.
  - 20. The non-transitory computer readable storage medium of claim 13, wherein the instruction to transmit to the first application includes a cryptographic nonce, and further comprises instructions that when executed causes the processor to store the cryptographic nonce as a most-recently transmitted nonce in association with the authentication request.

21. A computer system, comprising:
- a computer processor; and
  
  an authentication module operating remotely from a client device and configured to execute on the computer processor to;
  
  receive an authentication request from a first application executing on the client device,identify a second application executing on the client device to which authentication of the first application is delegable, the second application being previously authenticated with credentials associated with the client device,transmit an instruction to the first application to continue authentication via the second application, andauthenticate the first application with the credentials associated with the client device based on the first application continuing authentication via the second application.
- View Dependent Claims (22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32)
- - 22. The system of claim 21, wherein the authentication module is further configured to:
    - receive a verification request from the second application for authenticating the first application; and
      
      in response to receiving the verification request, transmit an authentication token to the first application indicating that the first application is authenticated with the credentials associated with the client device.
  - 23. The system of claim 21, wherein the authentication request includes a unique parameter associated with the client device.
  - 24. The system of claim 23, wherein the unique parameter is a combination of one or more attributes of the client device selected from a group consisting of a screen size, a screen resolution, a volume setting, a list of applications executing on the client device, and carrier information.
  - 25. The system of claim 23, wherein the authentication module is further configured to:
    - access a device profile of the client device from a device profile store based on the unique parameter, the device profile including a list of applications that have previously been authenticated with the credentials associated with the client device; and
      
      select the second application from the list of applications.
  - 26. The system of claim 25, wherein the authentication module is further configured to:
    - receive one or more events from the second application after the second application is authenticated, each event indicates an action associated with the application and a timestamp indicating when the action was taken; and
      
      select the second application from the list of applications based on the one or more events.
  - 27. The system of claim 26, wherein the application module is further configured to determine, based on the timestamps included in the one or more events, that the second application is currently available to continue the authentication of the first application.
  - 28. The system of claim 21, wherein the instruction transmitted to the first application includes a cryptographic nonce, and further comprising storing the cryptographic nonce as a most-recently transmitted nonce in association with the authentication request.
  - 29. The system of claim 22, wherein the verification request received from the second application includes a hashed value generated from the cryptographic nonce.
  - 30. The method of claim 29, wherein the application module is further configured to determine, prior to transmitting the authentication token, that the verification request is timely by comparing a locally generated value using the most-recently transmitted nonce matches the hashed value included in the verification request.
  - 31. The method of claim 21, wherein the verification request received from the second application is signed using a cryptographic key associated with the second application.
  - 32. The method of claim 21, wherein the second application executes on a second client device that shares the credentials associated with the client device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Twitter Inc (X Holdings Corp.)
Original Assignee
Twitter Inc (X Holdings Corp.)
Inventors
Seibert, Jr., Jeffrey, Ducker, Michael
Primary Examiner(s)
Powers, William

Application Number

US14/699,888
Publication Number

US 20150312256A1
Time in Patent Office

748 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/44   Program or device authentic...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/0815   providing single-sign-on or...

H04L 63/0884   by delegation of authentica...

H04L 63/102   Entity profiles

H04L 9/0819   Key transport or distributi...

H04L 9/3236   using cryptographic hash fu...

H04W 12/43   using shared identity modul...

Inter-application delegated authentication

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

Citations

32 Claims

Specification

Solutions

Use Cases

Quick Links

Inter-application delegated authentication

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

32 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links