Authentication and authorization of a privilege-constrained application

US 9,819,673 B1
Filed: 06/24/2015
Issued: 11/14/2017
Est. Priority Date: 06/24/2015
Status: Active Grant

First Claim

Patent Images

1. A non-transitory computer-readable storage medium having stored thereon executable instructions that, as a result of execution by one or more processors, cause the one or more processors to:

assign an application key to a privilege-constrained application that is configured to load onto a client computing device, the privilege-constrained application loaded onto the client computing device with limited privileges, wherein the privilege-constrained application is authorized to perform at least one permitted action and lacks permission to perform at least one blocked action in connection with a client account;

receive a request for privileged access to the client account through an online resource, the request including a user identifier associated with the client account and the application key;

determine that the application key matches a stored application key associated with the privilege-constrained application and associated with the user identifier;

provide a single use authorization (SUA) code allocated for the privilege-constrained application and associated with the user identifier upon the successful determination;

receive a candidate authorization code and user identifier;

validate the candidate authorization code based on the SUA code provided; and

provide a permitted action token based on the validate operation, the permitted action token is presented by the privilege-constrained application to an access service, and the permitted action token indicates that the privilege-constrained application is authorized to perform the at least one permitted action and lacks permission to perform the at least one blocked action in connection with the online resource.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and systems are provided for managing access to a client account related (CAR) resource. When a privilege-constrained (PC) application requests access to an individual client account, a single use authorization (SUA) code is created that is associated with the individual client account. The SUA code is routed to, and returned from, the privilege-constrained (PC) application to authenticate the PC application. The PC application, once authenticated, receives a permitted action token that identifies a limited set of privileges that the PC application is authorized to perform in connection with the CAR resource. The PC application provides the permitted action token to an access service. The access service limits access, by the PC application, to the CAR resource based on the permitted action token.

44 Citations

View as Search Results

15 Claims

1. A non-transitory computer-readable storage medium having stored thereon executable instructions that, as a result of execution by one or more processors, cause the one or more processors to:
- assign an application key to a privilege-constrained application that is configured to load onto a client computing device, the privilege-constrained application loaded onto the client computing device with limited privileges, wherein the privilege-constrained application is authorized to perform at least one permitted action and lacks permission to perform at least one blocked action in connection with a client account;
  
  receive a request for privileged access to the client account through an online resource, the request including a user identifier associated with the client account and the application key;
  
  determine that the application key matches a stored application key associated with the privilege-constrained application and associated with the user identifier;
  
  provide a single use authorization (SUA) code allocated for the privilege-constrained application and associated with the user identifier upon the successful determination;
  
  receive a candidate authorization code and user identifier;
  
  validate the candidate authorization code based on the SUA code provided; and
  
  provide a permitted action token based on the validate operation, the permitted action token is presented by the privilege-constrained application to an access service, and the permitted action token indicates that the privilege-constrained application is authorized to perform the at least one permitted action and lacks permission to perform the at least one blocked action in connection with the online resource.
- View Dependent Claims (2, 3)
- - 2. The non-transitory computer-readable storage medium of claim 1, further comprising receiving a request from an application developer to develop the privilege-constrained application, assigning an application key to the privilege-constrained application, along with the at least one permitted action and the at least one blocked action.
  - 3. The non-transitory computer readable storage medium of claim 1, wherein the authorization code is provided from an authorization service to a client computing device over a first channel the candidate authorization code is received by the authorization service over a second channel.

4. A computer implemented method for managing access to a client account utilizing a remote resource, comprising:
- assigning an application key to a privilege-constrained application that is configured to load onto a client computing device, the privilege-constrained application loaded onto the client computing device with limited privileges, wherein the privilege-constrained application is authorized to perform at least one permitted action and lacks permission to perform at least one blocked action in connection with a client account;
  
  receiving a request for privileged access to the client account through an online resource, the request including a user identifier associated with the client account and the application key;
  
  determining that the application key matches a stored application key associated with the privilege-constrained application and associated with the user identifier;
  
  providing a single use authorization (SUA) code allocated for the privilege-constrained application and associated with the user identifier upon the successful determination;
  
  receiving a candidate authorization code and user identifier;
  
  validating the candidate authorization code based on the SUA code provided; and
  
  providing a permitted action token based on the validate operation, the permitted action token is presented by the privilege-constrained application to an access service, and the permitted action token indicates that the privilege-constrained application is authorized to perform the at least one permitted action and lacks permission to perform the at least one blocked action in connection with the online resource.
- View Dependent Claims (5, 6, 7, 8, 9, 10)
- - 5. The method of claim 4, wherein the authorization code is provided to a client computing device over a first channel and the candidate authorization code is received over a different second channel.
  - 6. The method of claim 5, wherein the second channel represents one of a short messaging service (SMS) messaging channel, an email channel, or a telecommunications channel.
  - 7. The method of claim 5, wherein the remote resource represents an online resource.
  - 8. The method of claim 4, further comprising:
    - receiving the permitted action token and a client request from the privilege-constrained application, andmanaging client requests based on the permitted action token.
  - 9. The method of claim 8, wherein the client request directs remote resource to perform an action of interest, the method further comprising passing the client request to the remote resource when the action of interest falling within the limited set of privileges identified by the permitted action token.
  - 10. The method of claim 8, further comprising denying the client request, access to the remote resource when the action of interest falls outside the limited set of privileges.

11. A system for managing access to a client account utilizing a remote resource, comprising:
- at least one processor; and
  
  a memory, coupled to the at least one processor, storing program instructions when executed configures the at least one processor to;
  
  assign an application key to a privilege-constrained application that is configured to load onto a client computing device, the privilege-constrained application loaded onto the client computing device with limited privileges, wherein the privilege-constrained application is authorized to perform at least one permitted action and lacks permission to perform at least one blocked action in connection with a client account;
  
  receive a request for privileged access to the client account through an online resource, the request including a user identifier associated with the client account and the application key;
  
  determine that the application key matches a stored application key associated with the privilege-constrained application and associated with the user identifier;
  
  provide a single use authorization (SUA) code allocated for the privilege-constrained application and associated with the user identifier upon the successful determination;
  
  receive a candidate authorization code and user identifier;
  
  validate the candidate authorization code based on the SUA code provided; and
  
  provide a permitted action token based on the validate operation, the permitted action token is presented by the privilege-constrained application to an access service, and the permitted action token indicates that the privilege-constrained application is authorized to perform the at least one permitted action and lacks permission to perform the at least one blocked action in connection with the online resource.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The system of claim 11, wherein the memory includes a data store that stores client account records that include a listing of accounts and remote resources to which the accounts correspond, the client account records including information identifying clients that have registered for a corresponding remote resource.
  - 13. The system of claim 11, wherein the program instructions are further executable by the at least one processor to generate a second permitted action token that at least one of adds, removes or changes a limited set of privileges associated with the privilege-constrained application.
  - 14. The system of claim 11, wherein the permitted action token identifies a limited set of privileges that the privilege-constrained application is authorized to perform in connection with an online resource that represents the remote resource.
  - 15. The system of claim 11, wherein the authorization code is provided to a first application over a first channel and the candidate authorization code is received from a second application over a different, second channel, the first and second applications collectively defining the privilege-constrained application.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Johansson, Jesper Mikael, McClintock, Jon Arron
Primary Examiner(s)
Kabir, Jahangir

Application Number

US14/748,312
Time in Patent Office

874 Days
Field of Search

726 7, 726 26, 726 27, 726 29
US Class Current
CPC Class Codes

H04L 47/70   Admission control; Resource...

H04L 63/045   wherein the sending and rec...

H04L 63/0838   using one-time-passwords

H04L 63/102   Entity profiles

H04L 63/18   using different networks or...

H04W 12/068   using credential vaults, e....

H04W 12/069   using certificates or pre-s...

H04W 12/082   using revocation of authori...

H04W 12/084   using delegated authorisati...

Authentication and authorization of a privilege-constrained application

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

44 Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

Authentication and authorization of a privilege-constrained application

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

44 Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links