Computer-implemented systems and methods of device based, internet-centric, authentication
First Claim
1. A system for authorizing respective access by each of a plurality of Internet users to a respective plurality of Internet services, comprising:
a processor at a single identity provider;
a first non-transitory computer readable storage device of the single identity provider, wherein the first non-transitory computer readable storage device is configured to store data, and wherein the stored data comprises:
for each of a plurality of Internet users, a respective public key portion of a respective authentication token, wherein the respective authentication token is specific to a user credential of the Internet user and to an identity provider application of the single identity provider residing on a computing device of one or more devices of the Internet user and that is configured to be used by the Internet user to receive authorized access to each of a plurality of Internet services;
for each one of the respective plurality of Internet services, a respective identifier, and a respective one or more call-back Internet addresses;
a second non-transitory machine-readable storage device of the single identity provider, wherein the second non-transitory computer readable storage device is encoded with program code executable by the processor for:
requiring the respective single identity provider application residing on each of the respective computing devices of the plurality of Internet users to create the respective authentication token, to store a respective private key portion of the respective authentication token on the respective computing device, and to prevent transmission of the respective private key portion of the respective authentication token from the respective computing device;
for each selection by a respective Internet user of a respective one Internet service of the respective plurality of Internet services, receiving, via a respective application programming interface (API) call from a computer server, a respective identifier for the respective selected one Internet service; and
in response to receiving each of the respective identifiers, requiring the respective single identity provider application residing on the respective computing device of each of the selecting Internet users to validate a respective received user credential using the respective stored private key portion of the respective authentication token for the respective selecting Internet user;
receiving a respective approved authentication challenge message from the respective single identity provider application residing on the respective computing device of each of a plurality of the selecting Internet users;
validating a plurality of the received approved authentication challenge messages using the respective stored public key portion of the respective authentication token for each of the plurality of the selecting Internet users; and
in response to validating the plurality of received approved authentication challenge messages, authorizing access by at least one of the respective selecting Internet users to the respective selected one Internet service by re-directing a respective web browser residing on a device of the respective one or more devices of the at least one of the respective selecting Internet users to a respective one of the respective stored one or more call-back Internet addresses for the respective selected one Internet service.
Abstract
Systems and computer-implemented methods for authorizing respective access by each of a plurality of Internet users to a respective one or more Internet services provided by each of a plurality of Internet service providers. A system includes a processor, and non-transient computer readable storage media, at a single identity provider. The storage media is encoded with program code executable by the processor for requiring an identity provider application residing on each of a plurality of devices to create a respective authentication token that is specific to a respective identifier and user credential of a respective Internet user, a respective device identifier, and the respective identity provider application, and for authorizing respective access by the plurality of Internet users to a respective requested one of the Internet services provided by each Internet service provider using the respective created authentication tokens and respective identifiers for each of the respective requested Internet services.
20 Claims
Claim 1 (as set out above; dependent claims 2, 3, 4, 5, 6, 7, 8, 9, 10).
11. A non-transitory computer readable storage device encoded with program code, wherein, when the program code is executed by a processor of a computing device, the processor performs a method comprising:
an identity provider application of a single identity provider residing on the computing device:
creating an authentication token comprising a public key portion and a private key portion, wherein the created authentication token is specific to the single identity provider application;
storing the private key portion of the created authentication token in a memory of the computing device; and
transmitting, via an application programming interface (API) call to a computer server of the single identity provider, only the public key portion of the created authentication token;
in an out-of-band interaction with other than the single identity provider application, a web browser of the computing device receiving a selection of a link on a web page identifying a respective one of a plurality of Internet services, and, in response to receiving the selection of the link on the web page, the web browser transmitting an electronic signal indicative of an Internet user identifier to the computer server of the single identity provider;
in response to receiving an API call from the computer server of the single identity provider, the single identity provider application:
displaying a page to receive an Internet user input;
validating a received Internet user input by attempting to decrypt the stored private key portion of the created authentication token; and
if the received input is validated, transmitting an approved authentication challenge message via an API call to the computer server of the single identity provider; and
in response to receiving another API call from the computer server of the single identity provider indicating successful validation of the transmitted authentication challenge message, the single identity provider application authorizing access by the Internet user to the selected one of the plurality of Internet services by re-directing the web browser to a call-back Internet address of, and displaying content of, another web page for the selected one of the plurality of Internet services.
Dependent claims: 12, 13, 14, 15, 16.
17. A system for authorizing respective access by each of a plurality of Internet users to a respective plurality of Internet services, comprising:
a processor at a single identity provider;
a first non-transitory computer readable storage device of the single identity provider, wherein the first non-transitory computer readable storage device is configured to store data, and wherein the stored data comprises:
for each of a plurality of Internet users, a respective public key portion of a respective authentication token, wherein the respective authentication token is specific to: a credential of the Internet user, and an identity provider application of the single identity provider residing on a computing device of one or more devices of the Internet user and that is configured to be used by the Internet user to receive authorized access to each of a plurality of Internet services;
a second non-transitory machine-readable storage device of the single identity provider, wherein the second non-transitory computer readable storage device is encoded with program code executable by the processor for:
requiring the respective single identity provider application residing on each of the computing devices to create the respective authentication token, to store a respective private key portion of the respective created authentication token on the respective computing device, and to prevent transmission of the respective private key portion of the respective created authentication token from the respective computing device, wherein the respective stored private key portion of each of the created authentication tokens is configured to be decrypted by the credential of the respective Internet user that is received by the respective single identity provider application;
requiring the respective single identity provider application residing on each of the computing devices to create a new respective authentication token at a predetermined periodicity, to delete the respective stored private key portion of the prior respective authentication token, to store a respective private key portion of the new respective created authentication token on the respective computing device, and to prevent transmission of the respective private key portion of the new respective created authentication token from the respective computing device, wherein the respective stored private key portion of each of the new created authentication tokens is configured to be decrypted by the credential of the respective Internet user that is received by the respective single identity provider application;
deleting the respective stored public key portion of the prior respective authentication token for each of the plurality of Internet users from the stored data;
storing the respective public key portion of the new respective created authentication token for each of the plurality of Internet users in the stored data; and
authorizing respective access by two or more of the plurality of Internet users to a respective selected one of the respective plurality of Internet services in response to validating respective approved authentication challenge messages received in a respective API call from the respective single identity provider application residing on the respective computing device of each of the two or more Internet users using the respective stored public key portion of the respective new created authentication token for each of the two or more Internet users, wherein each respective approved authentication challenge message comprises an indication of successful decryption of the respective stored private key portion of the respective new created authentication token for the respective Internet user.
Dependent claims: 18, 19, 20.
Specification