Methods and systems for enabling access control based on credential properties
First Claim
1. A computer-implemented method, comprising:
- receiving, from a client device, an authentication request message for accessing a server resource, the authentication request message including a credential;
- authenticating the credential to generate an authentication result;
- determining a credential property associated with the credential, the credential property operable for determining an access right with an access right level of a plurality of different access right levels with respect to the resource, the credential property comprising information identifying a strength of the credential that is based at least in part on a complexity of an algorithm utilized to generate the credential, a requestor property associated with the client device for a credential update frequency of the credential, and a resource property associated with the server resource that includes a level of security for the server resource;
- generating an authorization code comprising the authentication result and the credential property associated with the credential;
- providing an authentication response message corresponding to the authentication request, the authentication response message comprising the authorization code;
- receiving an authorization request message with respect to the server resource, the authorization request message comprising the authorization code;
- extracting the credential property from the authorization code;
- determining the access right with respect to the server resource based at least in part on the credential property; and
- providing an authorization response message corresponding to the authorization request message comprising an access token configured to grant access to the server resource.
Abstract
Methods and systems are provided to enable access control based on credential properties. Besides authenticating a credential, an authentication service can provide additional credential-related information with respect to a credential, such as its last updated time. An entity receiving such additional credential-related information can implement access control policies based on the credential-related information. For instance, a user's access rights may be gradually restricted after an initial expiration time and towards a final expiration time. In an example, such access control may be implemented by a client application or client website of the authentication service. Alternatively or additionally, such access control may be implemented by an authorization service used by the client application or client website.
18 Claims
4. One or more non-transitory computer-readable storage media storing computer-executable instructions that, when executed by a computing system, configure the computing system to perform operations comprising:
- receiving, from a client device, an authentication request message for accessing a server resource, the authentication request message including a credential;
- determining one or more credential properties operable for determining an access right with an access right level of a plurality of different access right levels with respect to the server resource, the one or more credential properties comprising information identifying a strength of the credential that is based at least in part on a complexity of an algorithm utilized to generate the credential and a resource property associated with the server resource that includes a level of security for the server resource; and
- transmitting an authentication response message corresponding to the authentication request message, the authentication response message including the credential and the one or more credential properties.
Dependent claims: 5, 6, 7, 8, 9, 10.
11. A computer system, comprising:
- a memory that stores computer-executable instructions; and
- a processor configured to access the memory and execute the computer-executable instructions to at least:
  - receive, from a client device, an authorization request message for accessing a resource, the authorization request message comprising an authorization code indicating an authentication of a credential;
  - generate an access token for accessing the resource based at least in part on the authentication code and one or more credential properties associated with the credential, the access token indicating an access right with an access right level of a plurality of different access right levels with respect to the resource, the one or more credential properties comprising information identifying a strength of the credential that is based at least in part on a complexity of an algorithm utilized to generate the credential and a requestor property associated with the client device for a credential update frequency;
  - determine the access right with respect to the resource based at least in part on the one or more credential properties; and
  - provide an authorization response message to the client device comprising the access token configured to enable access to the resource.
Dependent claims: 12, 13, 14, 15, 16, 17, 18.
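The exchange described by claims 1, 4 and 11 (authentication service issues a signed authorization code carrying credential properties; authorization service extracts them and picks one of several access right levels before issuing an access token), together with the abstract's gradual restriction between an initial and a final expiration time, as an added example that is not part of the patent or of any product. Every name, key, policy table and credential record below is constructed for this illustration: the strength scale per algorithm, the per-client-device update interval and grace window (the "requestor property"), the per-resource minimum strength (the "resource property"), and the access level names are all assumptions.

```python
"""Access control driven by credential properties (added example, not from the patent)."""
import base64
import hashlib
import hmac
import json

DAY = 86_400

# Assumed shared HMAC key so the authorization service can verify codes issued by
# the authentication service; a real deployment would use per-service keys.
SHARED_KEY = b"example-only-shared-key"

# Access right levels from most to least permissive (names chosen for this example).
ACCESS_LEVELS = ("full", "read_only", "none")

# Credential property: strength inferred from the algorithm that produced the stored
# verifier ("complexity of an algorithm"). The scale is this example's own.
ALGORITHM_STRENGTH = {"argon2id": 3, "pbkdf2_sha256": 2, "sha1": 1}

# Requestor property: how often a client-device class must rotate its credential,
# plus a grace window after the initial expiry during which access is only reduced.
CLIENT_POLICY = {
    "managed-laptop": {"update_interval": 90 * DAY, "grace": 14 * DAY},
    "shared-kiosk": {"update_interval": 30 * DAY, "grace": 7 * DAY},
}

# Resource property: minimum credential strength the resource demands (assumed values).
RESOURCE_SECURITY_LEVEL = {"/wiki": 1, "/payroll": 3}

_SALT = b"constructed-salt"


def _verifier(password):
    """PBKDF2 stands in for every hashing scheme so the example runs offline."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 50_000).hex()


# Constructed credential store: the 'algorithm' label feeds the strength property;
# the verifier itself is PBKDF2 for every record to keep the example self-contained.
CREDENTIAL_STORE = {
    "alice": {"algorithm": "pbkdf2_sha256", "verifier": _verifier("correct horse"),
              "last_updated": 1_000_000},
    "bob": {"algorithm": "sha1", "verifier": _verifier("hunter2"),
            "last_updated": 1_000_000},
}


def _sign(payload):
    """Encode a payload as base64url(JSON).hex(HMAC-SHA256); sort keys for determinism."""
    body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()
    tag = hmac.new(SHARED_KEY, body.encode(), "sha256").hexdigest()
    return f"{body}.{tag}"


def _verify(token):
    """Return the payload if the HMAC tag checks out, else None."""
    body, _, tag = token.partition(".")
    expected = hmac.new(SHARED_KEY, body.encode(), "sha256").hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    return json.loads(base64.urlsafe_b64decode(body))


def authenticate(request):
    """Authentication service: check the credential and bind its properties into a code."""
    record = CREDENTIAL_STORE.get(request["user"])
    policy = CLIENT_POLICY.get(request["client_id"])
    if record is None or policy is None or not hmac.compare_digest(
            record["verifier"], _verifier(request["credential"])):
        return {"error": "invalid_credential"}
    initial_expiry = record["last_updated"] + policy["update_interval"]
    code = _sign({
        "authenticated": True,                       # the authentication result
        "user": request["user"],
        "client_id": request["client_id"],
        "strength": ALGORITHM_STRENGTH[record["algorithm"]],
        "initial_expiry": initial_expiry,            # derived from requestor property
        "final_expiry": initial_expiry + policy["grace"],
    })
    return {"authorization_code": code}


def determine_access_level(props, resource, now):
    """Map credential properties plus the resource's security level to an access level."""
    required = RESOURCE_SECURITY_LEVEL.get(resource)
    if required is None or not props.get("authenticated"):
        return "none"
    if props["strength"] < required:
        return "none"                # credential too weak for this resource
    if now < props["initial_expiry"]:
        return "full"
    if now < props["final_expiry"]:
        return "read_only"           # gradual restriction inside the grace window
    return "none"                    # past the final expiration time


def authorize(request, now):
    """Authorization service: verify the code, extract properties, issue an access token."""
    props = _verify(request["authorization_code"])
    if props is None:
        return {"error": "invalid_code"}
    level = determine_access_level(props, request["resource"], now)
    if level == "none":
        return {"error": "access_denied"}
    token = _sign({"sub": props["user"], "resource": request["resource"],
                   "access_level": level, "exp": min(now + DAY, props["final_expiry"])})
    return {"access_token": token, "access_level": level}
```

The properties travel inside the signed authorization code rather than as separate request parameters, so the client cannot upgrade its own strength or push back its expiry; the authorization service trusts only what it can verify under the shared key. The `now` argument is explicit so the expiry ladder can be exercised deterministically; a deployment would pass the current time.
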
Specification