SUBSTITUTING CALLBACK URLS WHEN USING OAUTH PROTOCOL EXCHANGES

US 20190334911A1
Filed: 02/21/2018
Published: 10/31/2019
Est. Priority Date: 02/21/2018
Status: Active Grant

First Claim

Patent Images

1. A method for substituting callback uniform resource locators (URLs) when using an OAuth protocol exchange to authenticate an application, the method performed by a computing system and comprising:

establishing a proxy service at a first uniform resource locator to carry out communications between one or more identity access management servers and a plurality of application hosting sites, at least one application hosting site of the plurality of application hosting sites having a second uniform resource locator that is different from the first uniform resource locator;

registering the application and the first uniform resource locator with the one or more identity access management servers;

invoking the application from the at least one application hosting site;

carrying out at least a portion of the OAuth protocol exchange to authenticate the application and to generate an access token;

receiving, by the proxy service, at the first uniform resource locator, an authentication message;

forwarding a redirected authentication message to the at least one application hosting site that has the second uniform resource locator; and

receiving, by the at least one application hosting site at the second uniform resource locator, the redirected authentication message.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems for computer security. A proxy service implements methods for substituting callback uniform resource locators (URLs) when using an OAuth protocol exchange to authenticate an application. A proxy service is established at a first uniform resource locator to carry out communications between one or more identity access management servers and a plurality of application hosting sites. At least one of the plurality of application hosting sites has a second uniform resource locator that is different from the first uniform resource locator. An identity access management server will register the application and the first uniform resource locator. From any hosting site, the application is invoked, upon which invocation, the application carries out at least a portion of the OAuth protocol exchange with the IAM. The proxy service at the first uniform resource locator receives an authentication message from the IAM and then redirects the authentication message to the application hosting site.

Citations

20 Claims

1. A method for substituting callback uniform resource locators (URLs) when using an OAuth protocol exchange to authenticate an application, the method performed by a computing system and comprising:
- establishing a proxy service at a first uniform resource locator to carry out communications between one or more identity access management servers and a plurality of application hosting sites, at least one application hosting site of the plurality of application hosting sites having a second uniform resource locator that is different from the first uniform resource locator;
  
  registering the application and the first uniform resource locator with the one or more identity access management servers;
  
  invoking the application from the at least one application hosting site;
  
  carrying out at least a portion of the OAuth protocol exchange to authenticate the application and to generate an access token;
  
  receiving, by the proxy service, at the first uniform resource locator, an authentication message;
  
  forwarding a redirected authentication message to the at least one application hosting site that has the second uniform resource locator; and
  
  receiving, by the at least one application hosting site at the second uniform resource locator, the redirected authentication message.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, further comprising:
    - receiving, from a user of the application, one or more application commands; and
      
      performing, by the application, at least a portion of the one or more application commands.
  - 3. The method of claim 2, wherein the access token is used when performing the one or more application commands.
  - 4. The method of claim 1, wherein the first uniform resource locator (URL) of the proxy service is a URL that resolves to a publicly-accessible IP address.
  - 5. The method of claim 1, wherein the one or more identity access management servers is hosted by at least one server addressed by at least one of, www.google.com, www.facebook.com, or www.linkedin.com.
  - 6. The method of claim 1, wherein the proxy service performs at least some functions of the one or more identity access management servers.
  - 7. The method of claim 1, wherein the proxy service performs all functions of the one or more identity access management servers.

8. A computer readable medium, embodied in a non-transitory computer readable medium, the non-transitory computer readable medium having stored thereon a sequence of instructions which, when stored in memory and executed by one or more processors causes the one or more processors to perform a set of acts for substituting callback uniform resource locators (URLs) when using an OAuth protocol exchange to authenticate an application, the acts comprising:
- establishing a proxy service at a first uniform resource locator to carry out communications between one or more identity access management servers and a plurality of application hosting sites, at least one application hosting site of the plurality of application hosting sites having a second uniform resource locator that is different from the first uniform resource locator;
  
  registering the application and the first uniform resource locator with the one or more identity access management servers;
  
  invoking the application from the at least one application hosting site;
  
  carrying out at least a portion of the OAuth protocol exchange to authenticate the application and to generate an access token;
  
  receiving, by the proxy service, at the first uniform resource locator, an authentication message;
  
  forwarding a redirected authentication message to the at least one application hosting site that has the second uniform resource locator; and
  
  receiving, by the at least one application hosting site at the second uniform resource locator, the redirected authentication message.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The computer readable medium of claim 8, further comprising instructions which, when stored in memory and executed by the one or more processors causes the one or more processors to perform acts of:
    - receiving, from a user of the application, one or more application commands; and
      
      performing, by the application, at least a portion of the one or more application commands.
  - 10. The computer readable medium of claim 9, wherein the access token is used when performing the one or more application commands.
  - 11. The computer readable medium of claim 8, wherein the first uniform resource locator (URL) of the proxy service is a URL that resolves to a publicly-accessible IP address.
  - 12. The computer readable medium of claim 8, wherein the one or more identity access management servers is hosted by at least one server addressed by at least one of, www.google.com, www.facebook.com, or www.linkedin.com.
  - 13. The computer readable medium of claim 8, wherein the proxy service performs at least some functions of the one or more identity access management servers.
  - 14. The computer readable medium of claim 8, wherein the proxy service performs all functions of the one or more identity access management servers.

15. A system for substituting callback uniform resource locators (URLs) when using an OAuth protocol exchange to authenticate an application, the system performed by a computing system and comprising:
- a storage medium having stored thereon a sequence of instructions; and
  
  one or more processors that execute the instructions to cause the one or more processors to perform a set of acts, the acts comprising,establishing a proxy service at a first uniform resource locator to carry out communications between one or more identity access management servers and a plurality of application hosting sites, at least one application hosting site of the plurality of application hosting sites having a second uniform resource locator that is different from the first uniform resource locator;
  
  registering the application and the first uniform resource locator with the one or more identity access management servers;
  
  invoking the application from the at least one application hosting site;
  
  carrying out at least a portion of the OAuth protocol exchange to authenticate the application and to generate an access token;
  
  receiving, by the proxy service, at the first uniform resource locator, an authentication message;
  
  forwarding a redirected authentication message to the at least one application hosting site that has the second uniform resource locator; and
  
  receiving, by the at least one application hosting site at the second uniform resource locator, the redirected authentication message.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The system of claim 15, wherein the access token is used when performing application commands.
  - 17. The system of claim 15, wherein the first uniform resource locator (URL) of the proxy service is a URL that resolves to a publicly-accessible IP address.
  - 18. The system of claim 15, wherein the one or more identity access management servers is hosted by at least one server addressed by at least one of, www.google.com, www.facebook.com, or www.linkedin.com.
  - 19. The system of claim 15, wherein the proxy service performs at least some functions of the one or more identity access management servers.
  - 20. The system of claim 15, wherein the proxy service performs decryption of at least a portion of the authentication message.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Nutanix Incorporated
Original Assignee
Nutanix Incorporated
Inventors
PARTHASARATHY, Ranjan, GUPTA, Vinod

Granted Patent

US 10,841,313 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/41   where a single sign-on prov...

G06F 21/44   Program or device authentic...

G06F 21/62   Protecting access to data v...

G06F 21/6218   to a system of files or obj...

G06F 2221/2115   Third party

H04L 63/0281   Proxies

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/0884   by delegation of authentica...

H04L 63/102   Entity profiles

H04L 67/10   in which an application is ...

H04L 67/567   Integrating service provisi...

H04L 9/0891   Revocation or update of sec...

H04L 9/3213   using tickets or tokens, e....

SUBSTITUTING CALLBACK URLS WHEN USING OAUTH PROTOCOL EXCHANGES

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

SUBSTITUTING CALLBACK URLS WHEN USING OAUTH PROTOCOL EXCHANGES

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links