Pre-authorizing a client application to access a user account on a content management system

US 9,973,504 B2
Filed: 12/30/2015
Issued: 05/15/2018
Est. Priority Date: 12/19/2013
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving, at a content management system from a first application on a client device, an installation request to install a second application on the client device;

determining whether the installation request is associated with an authenticated user account at the content management system;

when the installation request is associated with the authenticated user account, tagging an installer of the second application with an identification tag associated with the authenticated user account;

transmitting, to the client device, the installer tagged with the identification tag;

receiving, from the client device, a pre-authorization request associated with the second application, the pre-authorization request including the identification tag;

based on the identification tag in the pre-authorization request, determining that the second application is pre-authorized to access the authenticated user account; and

logging the second application into the authenticated user account at least partly in response to determining that the second application is pre-authorized to access the authenticated user account.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A content management system can tag a client installer with an information tag linking the client installer to a user account. The client installer can be configured to install the client-side application on the client device and pass the identification tag to the installed client-side application. The client-side application can transmit the identification tag to the content management system, which can use the identification tag to identify the linked user account and log the client-side application into the user account. The content management system can implement several verification measures such as limiting the number of times and when an identification tag can be used, as well as IP addresses that can use the identification tag. The content management system can also use data cached by the web-browser application to determine if the web-browser application was used to access the user account in the past.

5 Citations

21 Claims

1. A method comprising:
- receiving, at a content management system from a first application on a client device, an installation request to install a second application on the client device;
  
  determining whether the installation request is associated with an authenticated user account at the content management system;
  
  when the installation request is associated with the authenticated user account, tagging an installer of the second application with an identification tag associated with the authenticated user account;
  
  transmitting, to the client device, the installer tagged with the identification tag;
  
  receiving, from the client device, a pre-authorization request associated with the second application, the pre-authorization request including the identification tag;
  
  based on the identification tag in the pre-authorization request, determining that the second application is pre-authorized to access the authenticated user account; and
  
  logging the second application into the authenticated user account at least partly in response to determining that the second application is pre-authorized to access the authenticated user account.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, further comprising:
    - prior to receiving the installation request from the first application, receiving, from the first application running on the client device, login credentials associated with the authenticated user account;
      
      based on the login credentials;
      
      authenticating a user account associated with the login credentials to yield the authenticated user account; and
      
      logging the first application into the content management system via the authenticated user account;
      
      prior to sending the installer to the client device, verifying that the first application associated with the installation request is logged in via the authenticated user account; and
      
      upon verifying that the first application associated with the installation request is logged in via the authenticated user account, determining that the installation request is associated with the authenticated user account.
  - 3. The method of claim 1, further comprising:
    - creating an entry in a pre-authorization index, the entry including;
      
      the identification tag,a creation time of the identification tag,an account identifier identifying the authenticated user account, andan IP address.
  - 4. The method of claim 3, wherein the first application comprises a web-browser application and the second application comprises a client-side application, the method further comprising:
    - receiving the preauthorization request indicating installation of the client-side application on the client device prior to an expiration of a predetermined period of time associated with the identification tag;
      
      generating an authentication key;
      
      in response to the client-side application being installed on the client device, causing the web-browser application to transmit an authorization message comprising the authentication key to the content management system;
      
      receiving the authorization message and authentication key; and
      
      in response to the authentication key matching a respective authentication key associated with the identification tag, logging the client-side application on the content management system via the authenticated user account.
  - 5. The method of claim 3, further comprising:
    - identifying a requesting IP address that the pre-authorization request was received from; and
      
      determining that the identification tag was received from an authorized IP address when the requesting IP address matches the IP address in the entry in the pre-authorization index.
  - 6. The method of claim 3, further comprising:
    - determining whether the identification tag has been previously used to pre-authorize the second application, to yield a previous-usage determination; and
      
      based on the previous-usage determination, determining that use of the identification tag to pre-authorize the second application does not exceed a previous use restriction, wherein the previous use restriction defines a maximum number of times that the identification tag can be used to pre-authorize the second application.
  - 7. The method of claim 6, further comprising:
    - upon logging the second application via the authenticated user account on the content management system, flagging the entry in the pre-authorization index to indicate that the identification tag has been used to pre-authorize the second application.

8. A content management system comprising:
- one or more processors; and
  
  at least one memory containing instructions that, when executed by the one or more processors, cause the content management system to;
  
  receive, from a first application on a client device, an installation request to install a second application on the client device;
  
  determine whether the installation request is associated with an authenticated user account at the content management system;
  
  when the installation request is associated with the authenticated user account, tag an installer of the second application with an identification tag associated with the authenticated user account;
  
  transmit, to the client device, the installer tagged with the identification tag;
  
  receive, from the client device, a pre-authorization request associated with the second application, the pre-authorization request including the identification tag;
  
  based on the identification tag in the pre-authorization request, determine that the second application is pre-authorized to access the authenticated user account; and
  
  log the second application into the authenticated user account at least partly in response to determining that the second application is pre-authorized to access the authenticated user account.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The content management system of claim 8, the at least one memory containing additional instructions which, when executed by the one or more processors, cause the content management system to:
    - prior to receiving the installation request from the first application, receive, from the first application running on the client device, login credentials associated with the authenticated user account;
      
      based on the login credentials;
      
      authenticate a user account associated with the login credentials to yield the authenticated user account; and
      
      log the first application into the content management system via the authenticated user account;
      
      prior to sending the installer to the client device, verify that the first application associated with the installation request is logged in via the authenticated user account; and
      
      upon verifying that the first application associated with the installation request is logged in via the authenticated user account, determine that the installation request is associated with the authenticated user account.
  - 10. The content management system of claim 8, the at least one memory containing additional instructions which, when executed by the one or more processors, further cause the content management system to:
    - create an entry in a pre-authorization index, the entry including;
      
      the identification tag,an account identifier identifying the authenticated user account,a creation time for the identification tag, andan IP address.
  - 11. The content management system of claim 10, wherein the first application comprises a web-browser application and the second application comprises a client-side application, the at least one memory containing additional instructions which, when executed by the one or more processors, further cause the content management system to:
    - receive the preauthorization request indicating installation of the client-side application on the client device prior to an expiration of a predetermined period of time associated with the identification tag;
      
      generate an authentication key;
      
      in response to the client-side application being installed on the client device, cause the web-browser application to transmit an authorization message comprising the authentication key to the content management system;
      
      receive the authorization message and authentication key; and
      
      in response to the authentication key matching a respective authentication key associated with the identification tag, log the client-side application on the content management system via the authenticated user account.
  - 12. The content management system of claim 10, the at least one memory containing additional instructions which, when executed by the one or more processors, further cause the content management system to:
    - identify a requesting IP address that the pre-authorization request was received from; and
      
      determine that the identification tag was received from an authorized IP address when the requesting IP address matches the IP address in the entry in the pre-authorization index.
  - 13. The content management system of claim 10, the at least one memory containing additional instructions which, when executed by the one or more processors, further cause the content management system to:
    - determine whether the identification tag has been previously used to pre-authorize the second application, to yield a previous usage determination; and
      
      based on the previous usage determination, determine that use of the identification tag to pre-authorize the second application does not exceed a previous use restriction, wherein the previous use restriction defines a maximum number of times that the identification tag can be used to pre-authorize the second application.
  - 14. The content management system of claim 13, the at least one memory containing additional instructions which, when executed by the one or more processors, further cause the content management system to:
    - upon pre-authorizing the second application to access the authenticated user account, mark the entry in the pre-authorization index to indicate that the identification tag has been used to pre-authorize the second application.

15. A non-transitory computer-readable medium containing instructions that, when executed by one or more processors, cause the one or more processors to:
- receive, at a content management system, from a first application on a client device, an installation request to install a second application on the client device;
  
  determine whether the installation request is associated with an authenticated user account at the content management system;
  
  when the installation request is associated with the authenticated user account, tagging an installer of the second application with an identification tag associated with the authenticated user account;
  
  transmit, to the client device, the installer tagged with the identification tag;
  
  receive a pre-authorization request associated with the second application, the pre-authorization request including the identification tag;
  
  based on the identification tag in the pre-authorization request, determine that the second application is pre-authorized to access the authenticated user account; and
  
  authorize the second application to access the authenticated user account on the content management system at least partly in response to determining that the second application is pre-authorized to access the authenticated user account.
- View Dependent Claims (16, 17, 18, 19, 20, 21)
- - 16. The non-transitory computer-readable medium of claim 15, storing additional instructions which, when executed by the one or more processors, further cause the one or more processors to:
    - prior to receiving the installation request from the first application, receive, from the first application running on the client device, login credentials associated with the authenticated user account;
      
      based on the login credentials;
      
      authenticate a user account associated with the login credentials to yield the authenticated user account; and
      
      log the first application into the content management system via the authenticated user account;
      
      prior to sending the installer to the client device, verify that the first application associated with the installation request is logged in via the authenticated user account; and
      
      upon verifying that the first application associated with the installation request is logged in via the authenticated user account, determine that the installation request is associated with the authenticated user account.
  - 17. The non-transitory computer-readable medium of claim 15, storing additional instructions which, when executed by the one or more processors, further cause the one or more processors to:
    - create an entry in a pre-authorization index, the entry including;
      
      the identification tag,an account identifier identifying the authenticated user account,a creation time for the identification tag, andan IP address.
  - 18. The non-transitory computer-readable medium of claim 17, wherein the first application comprises a web-browser application and the second application comprises a client-side application, the non-transitory computer-readable medium including additional instructions which, when executed by the one or more processors, further cause the one or more processors to:
    - receive the preauthorization request indicating installation of the client-side application on the client device prior to an expiration of a predetermined period of time associated with the identification tag;
      
      generate an authentication key;
      
      in response to the client-side application being installed on the client device, cause the web-browser application to transmit an authorization message to the content management system, the authorization message including the authentication key;
      
      receive the authorization message and authentication key; and
      
      in response to the authentication key matching a respective authentication key associated with the identification tag, log the client-side application into the content management system via the authenticated user account.
  - 19. The non-transitory computer-readable medium of claim 17, storing additional instructions which, when executed by the one or more processors, further cause the one or more processors to:
    - identify a requesting IP address that the pre-authorization request was received from; and
      
      determine that the identification tag was received from an authorized IP address when the requesting IP address matches the IP address in the entry in the pre-authorization index.
  - 20. The non-transitory computer-readable medium of claim 17, storing additional instructions which, when executed by the one or more processors, further cause the one or more processors to:
    - determine whether the identification tag has been previously used to pre-authorize the second application, to yield a previous usage determination;
      
      based on the previous usage determination, determine that use of the identification tag to pre-authorize the second application does not exceed a previous use restriction, wherein the previous use restriction defines a maximum number of times that the identification tag can be used to pre-authorize the second application; and
      
      upon authorizing the second application to access the authenticated user account, mark an index in the pre-authorization index to indicate that the identification tag has been used to pre-authorize the second application.
  - 21. The non-transitory computer-readable medium of claim 20, wherein logging the second application into the authenticated user account comprises:
    - authenticating the second application to access the authenticated user account on the content management system without receiving, from the second application, login credentials associated with the second application.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Dropbox, Inc.
Original Assignee
Dropbox, Inc.
Inventors
Nguyen, Huy, Kaplan, Josh, Mody, Viraj, Vincent, Ritu, Bortz, Andrew, Euresti, David
Primary Examiner(s)
Hoffman, Brandon S

Application Number

US14/984,255
Publication Number

US 20160112426A1
Time in Patent Office

867 Days
Field of Search

None
US Class Current
CPC Class Codes

G06F 21/335   for accessing specific reso...

G06F 21/41   where a single sign-on prov...

G06F 21/6218   to a system of files or obj...

G06F 2221/2117   User registration

G06F 2221/2137   Time limited access, e.g. t...

G06F 8/61   Installation

H04L 63/08   for authentication of entit...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/10   for controlling access to d...

H04L 63/102   Entity profiles

H04L 63/108   when the policy decisions a...

H04L 67/02   based on web technology, e....

H04L 67/34   involving the movement of s...

Pre-authorizing a client application to access a user account on a content management system

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

5 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Pre-authorizing a client application to access a user account on a content management system

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

5 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links