Systems and methods for authenticating an online user using a secure authorization server

US 9,800,580 B2
Filed: 11/16/2015
Issued: 10/24/2017
Est. Priority Date: 11/16/2015
Status: Active Grant

First Claim

Patent Images

1. A secure authorization server for verifying an identity of an end-user, said secure authorization server programmed to:

receive, from a computing client, an authentication request at an authorization component, wherein the authentication request includes a secure authentication request identifier and a first redirection uniform resource indicator (URI);

validate the authentication request at the authorization component by at least verifying that the secure authentication request identifier is valid;

generate an authorization code, wherein the authorization code includes at least the secure authentication request identifier;

transmit an authentication response from the authorization component to the computing client, wherein the authentication response includes the authorization code, wherein the authorization code represents a validation of the authentication request;

receive, from the computing client, a token request at a token component, wherein the token request includes the authorization code and a second redirection uniform resource indicator (URI);

validate the token request, at the token component, by matching the first redirection URI and the second redirection URI; and

transmit a token response from the token component to the computing client, wherein the token response includes an identification token associated with an authenticated session, an access token, and a lifetime in seconds of the access token.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A secure authorization server computer system for verifying an identity of an end-user is provided. The computer system is programmed to receive, from a computing client, an authentication request at an authorization component. The authentication request includes a secure authentication request identifier. The computer system is also programmed to validate the authentication request at the authorization component by validating the secure authentication request identifier. The computer system is further programmed to transmit an authentication response from the authorization component to the computing client. The authentication response includes an authorization code. The authorization code represents a validation of the authentication request.

23 Citations

View as Search Results

21 Claims

1. A secure authorization server for verifying an identity of an end-user, said secure authorization server programmed to:
- receive, from a computing client, an authentication request at an authorization component, wherein the authentication request includes a secure authentication request identifier and a first redirection uniform resource indicator (URI);
  
  validate the authentication request at the authorization component by at least verifying that the secure authentication request identifier is valid;
  
  generate an authorization code, wherein the authorization code includes at least the secure authentication request identifier;
  
  transmit an authentication response from the authorization component to the computing client, wherein the authentication response includes the authorization code, wherein the authorization code represents a validation of the authentication request;
  
  receive, from the computing client, a token request at a token component, wherein the token request includes the authorization code and a second redirection uniform resource indicator (URI);
  
  validate the token request, at the token component, by matching the first redirection URI and the second redirection URI; and
  
  transmit a token response from the token component to the computing client, wherein the token response includes an identification token associated with an authenticated session, an access token, and a lifetime in seconds of the access token.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. A secure authorization server in accordance with claim 1, wherein said secure authorization server is further programmed to:
    - validate the token request, at the token component, by validating the authorization code.
  - 3. A secure authorization server in accordance with claim 1, wherein said secure authorization server is further programmed to:
    - receive, from the computing client, a user information request at a user information component, wherein the user information request includes the access token;
      
      validate the user information request, at the user information component, by validating the access token; and
      
      transmit end-user data from the user information component to the computing client in response to validating the user information request.
  - 4. A secure authorization server in accordance with claim 1, wherein said secure authorization server is further programmed to transmit the identification token including at least the secure authentication request identifier from the authentication request, algorithm header parameters identifying an algorithm, and a digital certificate with a certificate thumbprint.
  - 5. A secure authorization server in accordance with claim 1, wherein the identification token is encoded using Base64 encoding and formatted to enable the identification token to be parsed into three strings, wherein each string is configured to be decoded by the computing client during identification token validation.
  - 6. A secure authorization server in accordance with claim 1, wherein the secure authentication request identifier is based upon at least a scope value, a response type, a computing client identifier, a redirection uniform resource indicator (URI) to which the authentication response will be sent, an opaque value, and a string value that associates a computing client session with an identification token.
  - 7. A secure authorization server in accordance with claim 1, wherein said secure authorization server is further programmed to transmit the authentication response including at least the secure authentication request identifier from the authentication request, algorithm header parameters identifying an algorithm, and a digital certificate with a certificate thumbprint.
  - 8. A secure authorization server in accordance with claim 1, wherein the authorization code is encoded using Base64 encoding and formatted to enable the authorization code to be parsed into three strings, wherein each string is configured to be decoded by the computing client during authorization code validation.

9. A method for verifying an identity of an end-user, said method implemented using a secure authorization computing device including at least one processor in communication with a memory, the secure authorization computing device in communication with a computing client, said method comprising:
- receiving, from the computing client, an authentication request at an authorization component, wherein the authentication request includes a secure authentication request identifier and a first redirection uniform resource indicator (URI);
  
  validating the authentication request at the authorization component by at least verifying that the secure authentication request identifier is valid;
  
  generating an authorization code, wherein the authorization code includes at least the secure authentication request identifier;
  
  transmitting an authentication response from the authorization component to the computing client, wherein the authentication response includes the authorization code, wherein the authorization code represents a validation of the authentication request;
  
  receiving, from the computing client, a token request at a token component, wherein the token request includes the authorization code and a second redirection uniform resource indicator (URI);
  
  validating the token request, at the token component, by matching the first redirection URI and the second redirection URI; and
  
  transmitting a token response from the token component to the computing client, wherein the token response includes an identification token associated with an authenticated session, an access token, and a lifetime in seconds of the access token.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The method in accordance with claim 9, wherein the secure authorization computing device further includes an authorization component and a token component, said method further comprising:
    - validating the token request, at the token component, by validating the authorization code.
  - 11. The method in accordance with claim 9, wherein transmitting a token response further comprises transmitting the token response with the identification token, the identification token including at least the secure authentication request identifier from the authentication request, algorithm header parameters identifying an algorithm, and a digital certificate with a certificate thumbprint.
  - 12. The method in accordance with claim 9 further comprising encoding the identification token using Base64 encoding, and formatting the identification token such that the identification token can be parsed into three strings, wherein each string can be decoded by the computing client during identification token validation.
  - 13. The method in accordance with Claim 9, wherein the secure authorization computing device further includes an authorization component, a token component, and a user information component, said method further comprising:
    - receiving, from the computing client, a user information request at the user information component, wherein the user information request includes the access token;
      
      validating the user information request, at the user information component, by validating the access token; and
      
      transmitting end-user data from the user information component to the computing client in response to validating the user information request.
  - 14. The method in accordance with claim 9, wherein the secure authentication request identifier is based upon at least a scope value, a response type, a computing client identifier, a redirection uniform resource indicator (URI) to which the authentication response will be sent, an opaque value, and a string value that associates a computing client session with an identification token.
  - 15. The method in accordance with claim 9, wherein transmitting an authentication response further comprises transmitting the authentication response with the authorization code, wherein the authorization code includes at least the secure authentication request identifier from the authentication request, algorithm header parameters identifying an algorithm, and a digital certificate with a certificate thumbprint.
  - 16. The method in accordance with claim 9 further comprising encoding the authorization code using Base64 encoding, and formatting the authorization code such that the authorization code can be parsed into three strings, wherein each string can be decoded by the computing client during authorization code validation.

17. A non-transitory computer-readable storage media having computer-executable instructions embodied thereon for verifying an identity of an end-user, wherein when executed by at least one processor, the computer-executable instructions cause the processor to:
- receive, from a computing client, an authentication request at an authorization component, wherein the authentication request includes a secure authentication request identifier and a first redirection uniform resource indicator (URI);
  
  validate the authentication request at the authorization component by at least verifying that the secure authentication request identifier is valid;
  
  generate an authorization code, wherein the authorization code includes at least the secure authentication request identifier;
  
  transmit an authentication response from the authorization component to the computing client, wherein the authentication response includes the authorization code, wherein the authorization code represents a validation of the authentication request;
  
  receive, from the computing client, a token request at a token component, wherein the token request includes the authorization code and a second redirection uniform resource indicator (URI);
  
  validate the token request, at the token component, by matching the first redirection URI and the second redirection URI; and
  
  transmit a token response from the token component to the computing client, wherein the token response includes an identification token associated with an authenticated session, an access token, and a lifetime in seconds of the access token.
- View Dependent Claims (18, 19, 20, 21)
- - 18. The non-transitory computer-readable storage media of claim 17, wherein the computer-executable instructions further cause the processor to:
    - validate the token request, at the token component, by validating the authorization code.
  - 19. The non-transitory computer-readable storage media of claim 17, wherein the computer-executable instructions further cause the processor to:
    - receive, from the computing client, a user information request at a user information component, wherein the user information request includes the access token;
      
      validate the user information request, at the user information component, by validating the access token; and
      
      transmit end-user data from the user information component to the computing client in response to validating the user information request.
  - 20. The non-transitory computer-readable storage media of claim 17, wherein a secure authorization server is further programmed to transmit the identification token including at least the secure authentication request identifier from the authentication request, algorithm header parameters identifying an algorithm, and a digital certificate with a certificate thumbprint.
  - 21. The non-transitory computer-readable storage media of claim 17, wherein the secure authentication request identifier is based upon at least a scope value, a computing client identifier, a redirection uniform resource indicator (URI) to which the authentication response will be sent, an opaque value, and a string value that associates a computing client session with an identification token.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Mastercard International Incorporated (MasterCard Incorporated)
Original Assignee
Mastercard International Incorporated (MasterCard Incorporated)
Inventors
Zhang, Jenny Qian, Alger, Eric G., Bucher, Steven Patrick
Primary Examiner(s)
Rahman, Mahfuzur

Application Number

US14/942,575
Publication Number

US 20170142108A1
Time in Patent Office

708 Days
Field of Search

726 7
US Class Current
CPC Class Codes

G06F 21/6218   to a system of files or obj...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/0823   using certificates cryptogr...

H04L 63/0853   using an additional device,...

H04L 63/0884   by delegation of authentica...

H04L 63/0892   by using authentication-aut...

H04L 63/10   for controlling access to d...

Systems and methods for authenticating an online user using a secure authorization server

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

23 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for authenticating an online user using a secure authorization server

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

23 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links