Request-specific authentication for accessing web service resources
Abstract
Requests for access to Web service resources are evaluated based on the type of request that is received. Requests are not granted unless sufficient proof of authentication is provided to grant that request. An authentication service evaluates one or more factors to determine whether or not to authenticate the client. After being authenticated by the authentication service, proof of authentication is provided to the Web service, which grants access to the Web service resource.
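The flow in the abstract, sketched as an added example (not code from the patent or its assignee): a Web service keeps a list of required factors per request type, verifies a token signed by the authentication service using that service's public key, and answers an under-authenticated request with a pointer to the authentication service. The token layout, the `REQUIRED` policy, the factor names and the `auth.example` URL are assumptions; Ed25519 signatures stand in for the token protection.

```javascript
const crypto = require('crypto');

// Constructed key pair standing in for the authentication service's signing key.
const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');

// Hypothetical policy: which factors each request type needs.
const REQUIRED = { read: ['password'], transfer: ['password', 'otp'] };
const AUTH_SERVICE_URL = 'https://auth.example/authenticate'; // placeholder

// Authentication-service side: sign a claim listing the factors the client passed.
function issueToken(subject, factors, ttlSeconds = 300) {
  const exp = Math.floor(Date.now() / 1000) + ttlSeconds;
  const payload = Buffer.from(JSON.stringify({ sub: subject, factors, exp }));
  const sig = crypto.sign(null, payload, privateKey);
  return payload.toString('base64url') + '.' + sig.toString('base64url');
}

// Web-service side: return the claims only if signature, shape and expiry check out.
function verifyToken(token) {
  if (typeof token !== 'string') return null;
  const parts = token.split('.');
  if (parts.length !== 2) return null;
  try {
    const payload = Buffer.from(parts[0], 'base64url');
    const sig = Buffer.from(parts[1], 'base64url');
    if (!crypto.verify(null, payload, publicKey, sig)) return null;
    const claims = JSON.parse(payload.toString('utf8'));
    if (!Array.isArray(claims.factors) || typeof claims.exp !== 'number') return null;
    if (claims.exp * 1000 <= Date.now()) return null; // expired proof is no proof
    return claims;
  } catch {
    return null; // malformed token or signature
  }
}

// Evaluate the request by type; a shortfall yields a denial that names the
// missing factors and where to obtain them.
function authorize(requestType, token) {
  const required = REQUIRED[requestType];
  if (!required) return { status: 403, reason: 'unknown request type' };
  const claims = verifyToken(token);
  const have = claims ? claims.factors : [];
  const missing = required.filter((f) => !have.includes(f));
  if (missing.length === 0) return { status: 200, subject: claims.sub };
  const authenticateAt = `${AUTH_SERVICE_URL}?factors=${missing.join(',')}`;
  return { status: 401, missing, authenticateAt };
}
```

The denial carries only the missing factors, so a client that already holds a first-factor token is sent to the authentication service for the second factor alone.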
22 Claims
1. A computing system for controlling access to a protected Web service resource, the computing system comprising:
- a communication device for communicating across a communication network;
- a processor communicatively connected to the communication device; and
- memory storing program instructions, which when executed by the processor cause the computing system to:
  - receive a first request from a client to access the protected Web service resource from the communication network;
  - determine that the client has been authenticated according to a first factor;
  - grant the first request to access the protected Web service resource based on authentication according to the first factor;
  - receive a second request from the client to access the protected Web service resource from the communication network;
  - deny the second request to access the protected Web service resource based on the authentication according to the first factor being insufficient to grant the second request, including to send a message to the client directing the client to an authentication service to be authenticated according to a second factor;
  - determine that the client has been authenticated according to the second factor; and
  - grant the second request to access the protected Web service resource based on authentication according to the second factor including an evaluation of an authentication token.

Dependent claims: 2, 3, 4, 5, 6.

7. A method of controlling access to a protected Web service resource, the method comprising:
- receiving at a processing device a first request from a client to access the protected Web service resource from the communication network;
- determining, using the processing device, that the client has been authenticated according to a first factor;
- granting the first request to access the protected Web service resource, using the processing device, based on authentication according to the first factor;
- receiving a second request from the client to access the protected Web service resource from the communication network;
- denying the second request to access the protected Web service resource, using the processing device, based on the authentication according to the first factor being insufficient to grant the second request, wherein denying the second request further comprises sending a message to the client directing the client to an authentication service to be authenticated according to a second factor;
- determining that the client has been authenticated according to the second factor; and
- granting the second request to access the protected Web service resource based on authentication according to the second factor including an evaluation of an authentication token.

Dependent claims: 8, 9, 10, 11, 12.

13. A computing system for controlling access to a protected Web service resource, the computing system comprising:
- a communication device for communicating across a communication network;
- a processor communicatively connected to the communication device; and
- memory storing program instructions, which when executed by the processor cause the computing system to:
  - receive a first request from a client to access the protected Web service resource from the communication network;
  - receive a first authentication token from the client after the client has been authenticated by an authentication service according to the first factor;
  - determine that the client has been authenticated according to a first factor using the first authentication token, wherein the program instructions that determine that the client has been authenticated according to the first factor further causes the computing system to:
    - decrypt the first authentication token with a public key of the authentication service; and
    - determine that a claim made by the authentication service in the first authentication token satisfies a condition for access;
  - grant the first request to access the protected Web service resource based on authentication according to the first factor;
  - receive a second request from the client to access the protected Web service resource from the communication network;
  - deny the second request to access the protected Web service resource based on the authentication according to the first factor being insufficient to grant the second request;
  - determine that the client has been authenticated according to the second factor; and
  - grant the second request to access the protected Web service resource based on authentication according to the second factor.

Dependent claims: 14, 15, 16, 17, 18.

19. A method of controlling access to a protected Web service resource, the method comprising:
- receiving at a processing device a first request from a client to access the protected Web service resource from the communication network;
- receiving at the processing device a first authentication token from the client after the client has been authenticated by an authentication service according to the first factor;
- determining, using the processing device, that the client has been authenticated according to a first factor using the first authentication token, by:
  - decrypting the first authentication token with a public key of the authentication service; and
  - determining that a claim made by the authentication service in the first authentication token satisfies a condition for access;
- granting the first request to access the protected Web service resource, using the processing device, based on authentication according to the first factor;
- receiving a second request from the client to access the protected Web service resource from the communication network;
- denying the second request to access the protected Web service resource, using the processing device, based on the authentication according to the first factor being insufficient to grant the second request;
- determining that the client has been authenticated according to a second factor; and
- granting the second request to access the protected Web service resource based on authentication according to the second factor.

Dependent claims: 20, 21, 22.

Specification