Credential-free user login to remotely executed applications

US 9,866,545 B2
Filed: 08/11/2017
Issued: 01/09/2018
Est. Priority Date: 06/02/2015
Status: Active Grant

First Claim

Patent Images

1. A tangible, non-transitory, machine-readable medium storing instructions that when executed by one or more processors effectuate operations comprising:

receiving, via a first network, with an intermediary server, a request to access web content at a web content server, wherein;

the request is received from a client web browser executing on a client computing device, the client computing device being a different computing device from the intermediary server;

at least some communications between the client web browser and at least some remote websites accessed by the client web browser are relayed by the intermediary server; and

the intermediary server comprises an intermediary web browser configured to cooperate with the client web browser to form a distributed web browser in which a first subset of webpage state of remotely hosted webpages is mirrored on both the client web browser and the intermediary server and a second subset of webpage state of the remotely hosted webpages is formed on the intermediary server but not on the client web browser;

determining, at the intermediary server, that the user needs to be authenticated before accessing at least some content reachable via the web content server, wherein an access credential by which the user is authenticated is accessible to the intermediary server but not to the user of the client computing device;

submitting, from the intermediary server, to a remote server configured to authenticate the user, via a network socket by which the intermediary web browser is connected to a second network, a value by which possession of the access credential is demonstrated, wherein the value is part of the second subset of webpage state and is withheld from the client web browser;

receiving, by the intermediary web browser, via the network socket by which the intermediary web browser is connected to the second network, instructions to store in web browser memory an access token, poof of possession of which is to be sent with subsequent messages to one or more severs hosting the at least some content to demonstrate the respective message is from an authenticated user; and

sending, from the intermediary server, to the client web browser executing on the client computing device, via the first network, instructions to store the access token in browser memory of the client web browser, wherein;

the instructions cause the client web browser to send messages with a value that demonstrates possession of the access token, thereby authenticating the client web browser without the client web browser having access to the value by which possession of the access credential is demonstrated.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Provided is a process including: receiving, with an intermediary server, a request to access web content at a web server; submitting, from the intermediary server a value by which possession of an access credential is demonstrated, wherein the value is withheld from the client web browser; receiving, by the intermediary web browser, instructions to store in web browser memory an access token; and sending, from the intermediary server, to the client web browser executing on the client computing device, instructions to store the access token in browser memory of the client web browser, thereby authenticating the client web browser without the client web browser having access to the value by which possession of the access credential is demonstrated.

Citations

20 Claims

1. A tangible, non-transitory, machine-readable medium storing instructions that when executed by one or more processors effectuate operations comprising:
- receiving, via a first network, with an intermediary server, a request to access web content at a web content server, wherein;
  
  the request is received from a client web browser executing on a client computing device, the client computing device being a different computing device from the intermediary server;
  
  at least some communications between the client web browser and at least some remote websites accessed by the client web browser are relayed by the intermediary server; and
  
  the intermediary server comprises an intermediary web browser configured to cooperate with the client web browser to form a distributed web browser in which a first subset of webpage state of remotely hosted webpages is mirrored on both the client web browser and the intermediary server and a second subset of webpage state of the remotely hosted webpages is formed on the intermediary server but not on the client web browser;
  
  determining, at the intermediary server, that the user needs to be authenticated before accessing at least some content reachable via the web content server, wherein an access credential by which the user is authenticated is accessible to the intermediary server but not to the user of the client computing device;
  
  submitting, from the intermediary server, to a remote server configured to authenticate the user, via a network socket by which the intermediary web browser is connected to a second network, a value by which possession of the access credential is demonstrated, wherein the value is part of the second subset of webpage state and is withheld from the client web browser;
  
  receiving, by the intermediary web browser, via the network socket by which the intermediary web browser is connected to the second network, instructions to store in web browser memory an access token, poof of possession of which is to be sent with subsequent messages to one or more severs hosting the at least some content to demonstrate the respective message is from an authenticated user; and
  
  sending, from the intermediary server, to the client web browser executing on the client computing device, via the first network, instructions to store the access token in browser memory of the client web browser, wherein;
  
  the instructions cause the client web browser to send messages with a value that demonstrates possession of the access token, thereby authenticating the client web browser without the client web browser having access to the value by which possession of the access credential is demonstrated.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19)
- - 2. The medium of claim 1, wherein:
    - the value by which possession of the access credential is demonstrated is the access credential, a cryptographic hash value based on the access credential, or a digital signature signed with the access credential;
      
      the remote server configured to authenticate the user is the web content server, an authorization server in a OAuth protocol, or an authorization server in an OAuth 2 protocol;
      
      the access token is received from the remote server configured to authenticate the user or a different remote server;
      
      the web browser memory is a cookie, a local Storage object, or a web browser SQLite database; and
      
      all communications between the client web browser and the web content server are relayed by the intermediary server.
  - 3. The medium of claim 1, wherein:
    - the intermediary web browser is a headless web browser configured to render web content requested by the client computing device, such that at least some web content responsive to a single request is rendered twice, once by the intermediary web browser and once by the client web browser.
  - 4. The medium of claim 3, wherein:
    - the headless web browser is configured to execute JavaScript and WebAssembly by which a document object model or virtual document object model is modified.
  - 5. The medium of claim 1, wherein:
    - the value by which possession of the access credential is demonstrated is a password to a software-as-a-service application that includes the at least some content.
  - 6. The medium of claim 1, wherein the operations comprise:
    - obtaining, at the intermediary server, with the intermediary web browser, a login interface for users to enter access credentials to access the at least some content;
      
      rendering, at the intermediary server, with the intermediary web browser, the interface;
      
      programmatically identifying, at the intermediary server, with the intermediary web browser, a text box input in a document object model or virtual document object model of the interface;
      
      programmatically entering, at the intermediary server, with the intermediary web browser, the access credential in the identified textbox input of the rendered interface; and
      
      programmatically creating, at the intermediary server, with the intermediary web browser, a user-interface event that causes the rendered interface to submit the value by which possession of the access credential is demonstrated.
  - 7. The medium of claim 6, wherein the operations comprise:
    - classifying a subset of a document object model or virtual document object model of the rendered interface as pertaining to captcha; and
      
      in response to the classifying, sending web content that renders to form at least the subset of the document object model or the virtual document object model to the client web browser for human input.
  - 8. The medium of claim 1, wherein:
    - the first network is a virtual private network or a private subnet directly connecting the client computing device and the intermediary server; and
      
      the second network is the Internet.
  - 9. The medium of claim 1, wherein the operations comprise:
    - obtaining, at the intermediary server, a browser fingerprint of the client device browser, the browser fingerprint including at least some user-agent fields from a user-agent string parsed from an application-layer transport protocol message from the client web browser; and
      
      configuring the intermediary web browser to have at least some attributes of the client web browser based on the obtained browser fingerprint.
  - 10. The medium of claim 9, wherein:
    - configuring the intermediary web browser to have at least some attributes comprises configuring the intermediary web browser to have an identical user-agent string to the client web browser.
  - 11. The medium of claim 1, wherein:
    - the intermediary web browser mimics the client web browser for at least a subset of exchanges with one or more remote servers.
  - 12. The medium of claim 1, wherein:
    - the client computing device is configured to access a private domain name service or hosts file that causes the client computing device to send requests to an Internet Protocol address of the intermediary server rather than an Internet Protocol address of the web content server; and
      
      the intermediary web browser is configured to access a public domain name service to advance messages to the Internet Protocol address of the web content server.
  - 13. The medium of claim 1, wherein:
    - a third subset of webpage state is formed in the client web browser but is not mirrored at the intermediary web browser.
  - 14. The medium of claim 1, wherein:
    - transport-layer security (TLS) encryption between the intermediary web browser and the web content server is maintained while mirroring content on the client web browser.
  - 15. The medium of claim 1, wherein the operations comprise:
    - executing a helper application on a client computing device having a native application configured to be authenticated via a remote server; and
      
      authenticating, with the helper application, the user to access the native application with another access credential stored in a sandboxed area of memory by submitting the access credential without providing the user access to the other access credential.
  - 16. The medium of claim 1, wherein the operations comprise:
    - causing the access credential to be segmented onto a plurality of segments; and
      
      causing different subsets of the plurality of segments to be stored in different tamper-evident, immutable directed acyclic graph having edges defined by cryptographic hash pointers based on respective subsets of the segments.
  - 17. The medium of claim 1, wherein the operations comprise:
    - logging the access request to a tamper-evident, immutable directed acyclic graph having edges defined by cryptographic hash pointers based on log entries.
  - 18. The medium of claim 1, wherein the operations comprise:
    - steps for logging a user into a web-service without an access credential being made available to the user'"'"'s web browser.
  - 19. The medium of claim 1, wherein the operations comprise:
    - accessing plurality of software-as-a-service enterprise applications by authenticating the user to the software-as-a-service enterprise applications without the user having access to access credentials for the software-as-a-service enterprise applications.

20. A method, comprising:
- receiving, via a first network, with an intermediary server, a request to access web content at a web content server, wherein;
  
  the request is received from a client web browser executing on a client computing device, the client computing device being a different computing device from the intermediary server;
  
  at least some communications between the client web browser and at least some remote websites accessed by the client web browser are relayed by the intermediary server; and
  
  the intermediary server comprises an intermediary web browser configured to cooperate with the client web browser to form a distributed web browser in which a first subset of webpage state of remotely hosted webpages is mirrored on both the client web browser and the intermediary server and a second subset of webpage state of the remotely hosted webpages is formed on the intermediary server but not on the client web browser;
  
  determining, at the intermediary server, that the user needs to be authenticated before accessing at least some content reachable via the web content server, wherein an access credential by which the user is authenticated is accessible to the intermediary server but not to the user of the client computing device;
  
  submitting, from the intermediary server, to a remote server configured to authenticate the user, via a network socket by which the intermediary web browser is connected to a second network, a value by which possession of the access credential is demonstrated, wherein the value is part of the second subset of webpage state and is withheld from the client web browser;
  
  receiving, by the intermediary web browser, via the network socket by which the intermediary web browser is connected to the second network, instructions to store in web browser memory an access token, poof of possession of which is to be sent with subsequent messages to one or more severs hosting the at least some content to demonstrate the respective message is from an authenticated user; and
  
  sending, from the intermediary server, to the client web browser executing on the client computing device, via the first network, instructions to store the access token in browser memory of the client web browser, wherein;
  
  the instructions cause the client web browser to send messages with a value that demonstrates possession of the access token, thereby authenticating the client web browser without the client web browser having access to the value by which possession of the access credential is demonstrated.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Altr Solutions, Inc.
Original Assignee
Altr Solutions, Inc.
Inventors
Beecham, James Douglas
Primary Examiner(s)
Lim, Krisna

Application Number

US15/675,434
Publication Number

US 20170346804A1
Time in Patent Office

151 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/0272   Virtual private networks

H04L 63/0281   Proxies

H04L 63/08   for authentication of entit...

H04L 63/083   using passwords cryptograph...

H04L 63/0884   by delegation of authentica...

H04L 63/102   Entity profiles

H04L 63/123   received data contents, e.g...

H04L 63/166   at the transport layer

H04L 63/168   above the transport layer

H04L 67/01   Protocols

H04L 67/02   based on web technology, e....

H04L 67/025   for remote control or remot...

H04L 67/53   using third party service p...

H04L 67/56   Provisioning of proxy servi...

H04L 9/3236   using cryptographic hash fu...

H04L 9/3247   involving digital signatures

Credential-free user login to remotely executed applications

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Credential-free user login to remotely executed applications

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links