Methods and systems for enabling access control based on credential properties

US 9,923,927 B1
Filed: 09/29/2015
Issued: 03/20/2018
Est. Priority Date: 09/29/2015
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method, comprising:

receiving, from a client device, an authentication request message for accessing a server resource, the authentication request message including a credential;

authenticating the credential to generate an authentication result;

determining a credential property associated with the credential, the credential property operable for determining an access right with an access right level of a plurality of different access right levels with respect to the resource, the credential property comprising information identifying a strength of the credential that is based at least in part on a complexity of an algorithm utilized to generate the credential, a requestor property associated with the client device for a credential update frequency of the credential, and a resource property associated with the server resource that includes a level of security for the server resource;

generating an authorization code comprising the authentication result and the credential property associated with the credential;

providing an authentication response message corresponding to the authentication request, the authentication response message comprising the authorization code;

receiving an authorization request message with respect to the server resource, the authorization request message comprising the authorization code;

extracting the credential property from the authorization code;

determining the access right with respect to the server resource based at least in part on the credential property; and

providing an authorization response message corresponding to the authorization request message comprising an access token configured to grant access to the server resource.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and systems are provided to enable access control based on credential properties. Besides authenticating a credential, an authentication service can provide additional credential-related information with respect to a credential such as last updated time. An entity receiving such additional credential-related information can implement access control policies based on the credential-related information. For instance, a user'"'"'s access rights may be gradually restricted after an initial expiration time and towards a final expiration time. In an example, such access control may be implemented by a client application or client website of the authentication service. Alternatively or additionally, such access control may be implemented by an authorization service used by the client application or client website.

Citations

18 Claims

1. A computer-implemented method, comprising:
- receiving, from a client device, an authentication request message for accessing a server resource, the authentication request message including a credential;
  
  authenticating the credential to generate an authentication result;
  
  determining a credential property associated with the credential, the credential property operable for determining an access right with an access right level of a plurality of different access right levels with respect to the resource, the credential property comprising information identifying a strength of the credential that is based at least in part on a complexity of an algorithm utilized to generate the credential, a requestor property associated with the client device for a credential update frequency of the credential, and a resource property associated with the server resource that includes a level of security for the server resource;
  
  generating an authorization code comprising the authentication result and the credential property associated with the credential;
  
  providing an authentication response message corresponding to the authentication request, the authentication response message comprising the authorization code;
  
  receiving an authorization request message with respect to the server resource, the authorization request message comprising the authorization code;
  
  extracting the credential property from the authorization code;
  
  determining the access right with respect to the server resource based at least in part on the credential property; and
  
  providing an authorization response message corresponding to the authorization request message comprising an access token configured to grant access to the server resource.
- View Dependent Claims (2, 3)
- - 2. The computer-implemented method of claim 1, wherein the credential property further comprises a last updated time of the credential.
  - 3. The computer-implemented method of claim 1, wherein determining the access right comprises:
    - determining a duration between a request time and an initial expiration time for the credential based at least in part on the credential property; and
      
      determining the access right with the access right level of the plurality of different access right levels with respect to the server resource based at least in part on the duration, the different access right levels respectively corresponding to different durations between the request time and the initial expiration time for the credential.

4. One or more non-transitory computer-readable storage media storing computer-executable instructions that, when executed by a computing system, configure the computing system to perform operations comprising:
- receiving, from a client device, an authentication request message for accessing a server resource, the authentication request message including a credential;
  
  determining one or more credential properties operable for determining an access right with an access right level of a plurality of different access right levels with respect to the server resource, the one or more credential properties comprising information identifying a strength of the credential that is based at least in part on a complexity of an algorithm utilized to generate the credential and a resource property associated with the server resource that includes a level of security for the server resource; and
  
  transmitting an authentication response message corresponding to the authentication request message, the authentication response message including the credential and the one or more credential properties.
- View Dependent Claims (5, 6, 7, 8, 9, 10)
- - 5. The computer-readable storage media of claim 4, wherein the one or more credential properties further comprise a last updated time, an initial expiration time, or a final expiration time of the credential.
  - 6. The computer-readable storage media of claim 4, wherein determining the one or more credential properties is based at least in part on one or more instructions from the client device.
  - 7. The computer-readable storage media of claim 4, wherein the determining the access right comprises:
    - determining a duration between a request time and an initial expiration time of the credential based at least in part on the one or more credential properties;
      
      comparing the determined duration and one or more intermediate durations relative to the initial expiration time, each of the one or more intermediate durations associated with a set of one or more access rules;
      
      selecting one of the one or more intermediate durations based on the comparison; and
      
      determining the access right based at least in part on the set of access rules associated with the selected intermediate duration.
  - 8. The computer-readable storage media of claim 7, wherein the one or more intermediate durations includes a first intermediate duration with a first set of access rules and a second intermediate duration with a second set of access rules, the second intermediate duration being longer than the first intermediate duration and the second set of access rules being more restrictive than the first set of access rules.
  - 9. The computer-readable storage media of claim 8, wherein the first set of access rules are configured to allow access to the resource and the second set of access rules are configured to deny access to the server resource.
  - 10. The computer-readable storage media of claim 8, wherein the first set of access rules are configured to allow read/write access to the server resource and the second set of access rules are configured to allow read-only access to the server resource.

11. A computer system, comprising:
- a memory that stores computer-executable instructions; and
  
  a processor configured to access the memory and execute the computer-executable instructions to at least;
  
  receive, from a client device, an authorization request message for accessing a resource, the authorization request message comprising an authorization code indicating an authentication of a credential;
  
  generate an access token for accessing the resource based at least in part on the authentication code and one or more credential properties associated with the credential, the access token indicating an access right with an access right level of a plurality of different access right levels with respect to the resource, the one or more credential properties comprising information identifying a strength of the credential that is based at least in part on a complexity of an algorithm utilized to generate the credential and a requestor property associated with the client device for a credential update frequency;
  
  determine the access right with respect to the resource based at least in part on the one or more credential properties; and
  
  provide an authorization response message to the client device comprising the access token configured to enable access to the resource.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18)
- - 12. The computer system of claim 11, wherein the one or more credential properties are obtained from the authorization request message.
  - 13. The computer system of claim 12, wherein the one or more credential properties are included in the authorization code.
  - 14. The computer system of claim 11, wherein the one or more credential properties are obtained from an authentication service that generates the authorization code.
  - 15. The computer system of claim 11, wherein generating the access token comprises:
    - determining a duration between a request time and an initial expiration time for the credential based at least in part on the one or more credential properties; and
      
      determining an access right with an access right level of a plurality of different access right levels with respect to the resource based at least in part on the duration, the different access right levels respectively corresponding to different durations between the request time and the initial expiration time for the credential.
  - 16. The computer system of claim 15, wherein generating the access token comprises:
    - determining a duration between a request time and an initial expiration time for the credential based at least in part on the one or more credential properties;
      
      comparing the duration and one or more intermediate durations relative to the initial expiration time, each of the one or more intermediate durations associated with a set of one or more access rules;
      
      selecting one of the one or more intermediate durations based on the comparison; and
      
      determining the access right based at least in part on the set of access rules associated with the selected intermediate duration.
  - 17. The computer system of claim 11, wherein the one or more intermediate durations includes a first intermediate duration with a first set of access rules and a second intermediate duration with a second set of access rules, the second intermediate duration being longer than the first intermediate duration and the second set of access rules being more restrictive than the first set of access rules.
  - 18. The computer system of claim 11, wherein the credential property further comprises a last updated time of the credential.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
McClintock, Jon Arron, Golwalkar, Yogesh Vilas, Bhimanaik, Bharath Kumar, McAdams, Darin Keith, Sethi, Tushaar
Primary Examiner(s)
Shaw, Brian F

Application Number

US14/869,344
Time in Patent Office

903 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/0846   using time-dependent-passwo...

H04L 63/105   Multiple levels of security

H04L 63/108   when the policy decisions a...

H04L 63/20   for managing network securi...

Methods and systems for enabling access control based on credential properties

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Methods and systems for enabling access control based on credential properties

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links