Cookie optimization

US 9,769,159 B2
Filed: 12/14/2012
Issued: 09/19/2017
Est. Priority Date: 12/14/2012
Status: Active Grant

First Claim

Patent Images

1. A computing device comprising:

at least one memory and at least one processor, wherein the at least one memory and the at least one processor are respectively configured to store and execute instructions including instructions for causing the computing device to perform operations, the operations including;

receiving an identity token that is associated with a user;

determining a list of candidate computing accounts for the user on a given computing domain based on information contained within the identity token;

determining computing accounts, from the list of candidate computing accounts, that the user has access to and the user'"'"'s permission level on each of the computing accounts from the list of candidate computing accounts that the user has access to;

in response to determining the computing accounts, generating an intermediate token for the user, the intermediate token including an identity claim for the user and a list of computing accounts that the user was determined to have access to;

generating an account token for an account selected from the list of computing accounts that the user was determined to have access to;

providing the account token to another computing device; and

in response to a request, authorizing a holder of the account token to access the account selected from the list of computing accounts that the user was determined to have access to.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Disclosed herein is a system and method for optimizing a cookie or token in a web service or other claims based domain system. A user presents an identity token to the domain system which verifies the identity claim as authentic and then determines what accounts the user has access to on the domain. The user is issued an intermediate token by the system which includes the locations of the accounts the user has access to. The user then selects the account they wish to interact with and receives an account token back to the user for the specific account, including any of the privileges the user has on the account. The account token also includes information that the user has multiple accounts on the domain. The user is able to switch accounts on the domain system without having to revalidate their credentials to the domain system.

Citations

20 Claims

1. A computing device comprising:
- at least one memory and at least one processor, wherein the at least one memory and the at least one processor are respectively configured to store and execute instructions including instructions for causing the computing device to perform operations, the operations including;
  
  receiving an identity token that is associated with a user;
  
  determining a list of candidate computing accounts for the user on a given computing domain based on information contained within the identity token;
  
  determining computing accounts, from the list of candidate computing accounts, that the user has access to and the user'"'"'s permission level on each of the computing accounts from the list of candidate computing accounts that the user has access to;
  
  in response to determining the computing accounts, generating an intermediate token for the user, the intermediate token including an identity claim for the user and a list of computing accounts that the user was determined to have access to;
  
  generating an account token for an account selected from the list of computing accounts that the user was determined to have access to;
  
  providing the account token to another computing device; and
  
  in response to a request, authorizing a holder of the account token to access the account selected from the list of computing accounts that the user was determined to have access to.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The computing device of claim 1, wherein the operations further include:
    - parsing the received identity claim for an identity of a computing domain.
  - 3. The computing device of claim 2, wherein the to operations further include:
    - parsing the received identity claim for a personally unique identifier for the user on the computing domain.
  - 4. The computing device of claim 1, wherein the operations further include:
    - determining a location of a service having information regarding a particular computing account to which the user may have access.
  - 5. The computing device of claim 4, wherein the operations further include:
    - querying the determined service with a personally unique identifier for the user; and
      
      receiving an indication of whether the user has access to a particular computing account.
  - 6. The computing device of claim 1, wherein the operations further include:
    - converting the account token for the user into the intermediate token for the user.
  - 7. The computing device of claim 1, wherein the operations further include:
    - receiving the intermediate token from the user; and
      
      converting the intermediate token into the account token.
  - 8. The computing device of claim 1, wherein the account token includes a management claim 1, the management claim comprising identifying information uniquely identifying the user and an indication that the user has multiple accounts on the computing domain.
  - 9. The computing device of claim 1, wherein the operations further include:
    - receiving a user name and password from a user; and
      
      providing the identity token to a user in response to receiving the user name and the password.

10. A method comprising:
- receiving, by a computing device, an identity token for a user;
  
  extracting a domain identifier for at least one computing domain from the identity token, wherein the domain identifier is contained within a portion of the identity token;
  
  determining a list of locations of computing accounts that the user has permission to access based at least in part on the extracted domain identifier;
  
  generating an intermediate token for the user, the intermediate token indicating the determined list of locations of computing accounts;
  
  generating an account token for an account selected from the computing accounts that the user has permission to access;
  
  transmitting, by the computing device, the generated account token to another computing device, the generated account token including an indication that the user has multiple accounts; and
  
  authorizing a holder of the account token to access the account selected from the computing accounts that the user has permission to access.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17)
- - 11. The method of claim 10, further comprising:
    - validating the received identity token; and
      
      extracting, by the computing device, a personally unique identifier for the user from the identity token.
  - 12. The method of claim 10, wherein determining the list of computing accounts comprises:
    - obtaining a list of candidate accounts for the user on the at least one computing domain;
      
      querying if the user is authorized to access a computing account from the list of candidate accounts; and
      
      if the user is authorized to access the computing account from the list of candidate accounts adding a location of that computing account to the determined list of locations of accounts.
  - 13. The method of claim 12, wherein the querying comprises:
    - comparing a personally unique identifier for the user against a list of authorized users on the computing account; and
      
      returning an indication that the user is authorized to access the computing account if the user is authorized.
  - 14. The method of claim 13, wherein returning the indication further includes returning an indication of a level of access the user has to the computing account if the user is authorized to access the computing account.
  - 15. The method of claim 10, further comprising:
    - receiving an indication of a selection of a computing account from the computing accounts that the user has permission to access.
  - 16. The method of claim 10, further comprising:
    - receiving an indication a request to change to a different one of the computing accounts from the computing accounts that the user has permission to access;
      
      converting the account token into the intermediate token;
      
      receiving an indication of a new computing account from the computing accounts that the user has permission to access; and
      
      generating a new account token for the user, the new account token for accessing the new computing account.
  - 17. The method of claim 10, wherein the computing account token includes a management claim for the selected computing account and an indication that the user has access to multiple computing accounts on the at least one computing domain.

18. A method, comprising:
- receiving, by a computing device, an identity token that is associated with a user;
  
  determining a list of candidate computing accounts for the user on a given computing domain based on information contained within the identity token;
  
  determining computing accounts, from the list of candidate computing accounts, that the user has access to and the user'"'"'s permission level on each of the computing accounts from the list of candidate computing accounts that the user has access to;
  
  in response to determining the computing accounts, generating an intermediate token for the user, the intermediate token including an identity claim for the user and a list of computing accounts that the user was determined to have access to;
  
  generating an account token for an account selected from the list of computing accounts that the user was determined to have access to;
  
  providing the account token to another computing device; and
  
  in response to a request, authorizing a holder of the account token to access the account selected from the list of computing accounts that the user was determined to have access to.
- View Dependent Claims (19, 20)
- - 19. The method of claim 18, wherein further comprising:
    - determining a location of a service having information regarding a particular computing account to which the user may have access;
      
      querying the determined service with a personally unique identifier for the user; and
      
      receiving an indication of whether the user has access to a particular computing account.
  - 20. The method of claim 18, wherein the account token includes a management claim, the management claim comprising identifying information uniquely identifying the user and an indication that the user has multiple accounts on the computing domain.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Inventors
Bikkula, Ravi, Beyer, Michael, Koneru, Karuna, Goldian, Jeffrey
Primary Examiner(s)
DOLLY, KENDALL LYNN

Application Number

US13/716,072
Publication Number

US 20140173693A1
Time in Patent Office

1,740 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/0815   providing single-sign-on or...

H04L 63/0853   using an additional device,...

H04L 67/02   based on web technology, e....

Cookie optimization

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Cookie optimization

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links