Identity management and device enrollment in a cloud service

US 10,444,743 B2
Filed: 11/13/2018
Issued: 10/15/2019
Est. Priority Date: 12/31/2015
Status: Active Grant

First Claim

Patent Images

1. A method for enabling data communication between a machine and a remote service application via a network and using an authorization service, the method comprising:

receiving from a first machine, user-based credential data at an authorization service application via a first network;

providing via the first network an authorization code from the authorization service application to the machine when the user-based credential data is valid;

receiving from the first machine and via the first network, the authorization code and a request for a first access token, and in response, sending the first access token from the authorization service application to the first machine via the first network;

wherein the first machine responsively sends the first access token and an enrollment request to an enrollment service application via a second network, the enrollment request including a request for data access to a cloud-based application, and the enrollment service application sends machine credential data selected by the enrollment service application to the first machine via the second network to permit the first machine later access to the cloud-based application.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Data communications are enabled between a machine and a remote service application. When user-based credential data is valid, an authorization code is provided from an authorization service application to the machine. The authorization code and a request for a first access token are received and in response, the first access token is sent from the authorization service application to the first machine. The first machine responsively sends the first access token and an enrollment request to an enrollment service application. The enrollment service application sends machine credential data to the first machine to permit the first machine later access to cloud-based applications.

380 Citations

14 Claims

1. A method for enabling data communication between a machine and a remote service application via a network and using an authorization service, the method comprising:
- receiving from a first machine, user-based credential data at an authorization service application via a first network;
  
  providing via the first network an authorization code from the authorization service application to the machine when the user-based credential data is valid;
  
  receiving from the first machine and via the first network, the authorization code and a request for a first access token, and in response, sending the first access token from the authorization service application to the first machine via the first network;
  
  wherein the first machine responsively sends the first access token and an enrollment request to an enrollment service application via a second network, the enrollment request including a request for data access to a cloud-based application, and the enrollment service application sends machine credential data selected by the enrollment service application to the first machine via the second network to permit the first machine later access to the cloud-based application.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein the authorization service application subsequently receives the first access token from the enrollment services application.
  - 3. The method of claim 2, wherein the authorization service determines whether the first access token is valid, and when the first access token is valid, sends one or more scopes associated with the first access token to the enrollment services application.
  - 4. The method of claim 3 wherein the scopes define whether the first machine is permitted access to a specified other service, module, data, or other feature available in or via the cloud.
  - 5. The method of claim 3, further comprising receiving from the enrollment service application at the authorization service application a request for a second access token and wherein the authorization service application responsively sends the second access token and device credentials data to the enrollment service application.
  - 6. The method of claim 5, receiving from the enrollment service application the second access token together with a client or device identifier.
  - 7. The method of claim 6, further comprising sending the client or device identifier to the enrollment service application from the authorization service application when enrollment of the first machine is successful.

8. An apparatus that is configured to enabling data communication between a machine and a remote service application via a network, the apparatus comprising:
- a network interface device;
  
  a processor, the processor coupled to the network interface device;
  
  an authorization service application that is executed on the processor, the authorization service application being configured to;
  
  receive from a first machine, user-based credential data via the network interface device;
  
  provide to the first machine via the network interface device an authorization code when the user-based credential data is valid;
  
  receive from the first machine and via the network interface device, the authorization code and a request for a first access token, and in response, send the first access token to the first machine via the network interface device;
  
  wherein the first machine responsively sends the first access token and an enrollment request to an enrollment service application via a second network, the enrollment request including a request for data access to a cloud-based application, and the enrollment service application sends machine credential data selected by the enrollment service application to the first machine via the second network to permit the first machine later access to the cloud-based application.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The apparatus of claim 8, wherein the authorization service application subsequently receives the first access token from the enrollment services application via the network interface device.
  - 10. The apparatus of claim 9, wherein the authorization service determines whether the first access token is valid, and when the first access token is valid sends one or more scopes associated with the first access token to the enrollment services application.
  - 11. The apparatus of claim 10 wherein the scopes define whether the first machine is permitted access to a specified other service, module, data, or other feature available in or via the cloud.
  - 12. The apparatus of claim 10, wherein the authorization service application receives from the enrollment service application via the network interface device a request for a second access token and wherein the authorization service application responsively sends the second access token and device credentials data to the enrollment service application.
  - 13. The apparatus of claim 12, wherein the authorization service application receives from the enrollment service application the second access token together with a client or device identifier.
  - 14. The apparatus of claim 13, wherein the authorization service application sends the client or device identifier to the enrollment service application when enrollment of the first machine is successful.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
GE Digital Holdings LLC (GE Aerospace)
Original Assignee
General Electric Company
Inventors
Wu, Jiaqi, Lammers, Greg
Primary Examiner(s)
Zaidi, Syed A

Application Number

US16/189,680
Publication Number

US 20190079504A1
Time in Patent Office

336 Days
Field of Search

726 4
US Class Current
CPC Class Codes

G05B 19/41885   characterised by modeling, ...

G05B 2219/23005   Expert design system, uses ...

G05B 2219/33139   Design of industrial commun...

G06F 2203/04806   Zoom, i.e. interaction tech...

G06F 3/0482   Interaction with lists of s...

G06F 3/04842   Selection of displayed obje...

G06F 3/04845   for image manipulation, e.g...

G06F 3/04847   Interaction techniques to c...

G06F 3/04883   for inputting data by handw...

G06Q 10/04   Forecasting or optimisation...

G06Q 10/06   Resources, workflows, human...

H04L 41/12   Discovery or management of ...

H04L 43/045   for graphical visualisation...

H04L 63/0823   using certificates cryptogr...

H04L 63/0876   based on the identity of th...

H04L 63/10   for controlling access to d...

H04L 63/18   using different networks or...

H04L 67/10   in which an application is ...

Y02P 90/80   Management or planning

Identity management and device enrollment in a cloud service

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

380 Citations

14 Claims

Specification

Solutions

Use Cases

Quick Links

Identity management and device enrollment in a cloud service

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

380 Citations

14 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links