Method and system for propagating a client identity

US 9,083,534 B2
Filed: 12/22/2011
Issued: 07/14/2015
Est. Priority Date: 01/07/2011
Status: Active Grant

First Claim

Patent Images

1. A computer system for securely propagating an identity included in a service call request message for an open Application Programming Interface (API) service application from a first service system to a target service system in a service provider (SP) computer system, the service application stored within a service owner (SO) computer device, the SO computer device associated with a SO, the computer system comprising:

a memory device for storing data; and

a service provider (SP) computer system comprising a processor and an open application programming interface (API) platform, the SP computer system in communication with the memory device and the SO computer device, said SP computer system programmed to;

receive a first request message from an entity outside of the SP computer system, at the first service system, the first request message defining an API service request comprising a header portion and a payload portion;

determine, by the first service system, identity information to be transmitted to the target service system, the target system within the SP computer system, the identity information identifying a source outside of the SP computer system of the received message;

construct a data structure that contains the identity information and is able to be digitally signed;

receive, from the target service system, signature information for creating a digital signature;

digitally sign the identity information wherein the signature information used in the creation of the digital signature is pre-established with the target service system;

pair the identity information and the corresponding digital signature in a header of a second request message to be transmitted from the first service system to the target service system;

receive by the target service system the second request message and extract the identity information and corresponding digital signature from the header;

validate by the target service system the corresponding digital signature; and

for signatures that are successfully validated, construct using the corresponding identity information a data structure that represents the original identity established in the first service system.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system for securely propagating client identities in a service call from a first system to a target service system are provided. The system includes a memory device for storing data and a service provider (SP) computer system. The SP computer system is programmed to determine identities to transmit to the target system in association with a request, construct a data structure to represent each identity and additional information related to the identity, digitally sign the identity information, pair the identity information and the corresponding digital signature in a header of a request message from the first system to the target service system, receive the request message and extract the identity information and corresponding digital signatures from the header, validate the corresponding digital signatures, and construct using the corresponding identity information a data structure that represents each of the original identities established in the first system.

116 Citations

32 Claims

1. A computer system for securely propagating an identity included in a service call request message for an open Application Programming Interface (API) service application from a first service system to a target service system in a service provider (SP) computer system, the service application stored within a service owner (SO) computer device, the SO computer device associated with a SO, the computer system comprising:
- a memory device for storing data; and
  
  a service provider (SP) computer system comprising a processor and an open application programming interface (API) platform, the SP computer system in communication with the memory device and the SO computer device, said SP computer system programmed to;
  
  receive a first request message from an entity outside of the SP computer system, at the first service system, the first request message defining an API service request comprising a header portion and a payload portion;
  
  determine, by the first service system, identity information to be transmitted to the target service system, the target system within the SP computer system, the identity information identifying a source outside of the SP computer system of the received message;
  
  construct a data structure that contains the identity information and is able to be digitally signed;
  
  receive, from the target service system, signature information for creating a digital signature;
  
  digitally sign the identity information wherein the signature information used in the creation of the digital signature is pre-established with the target service system;
  
  pair the identity information and the corresponding digital signature in a header of a second request message to be transmitted from the first service system to the target service system;
  
  receive by the target service system the second request message and extract the identity information and corresponding digital signature from the header;
  
  validate by the target service system the corresponding digital signature; and
  
  for signatures that are successfully validated, construct using the corresponding identity information a data structure that represents the original identity established in the first service system.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18)
- - 2. A computer system in accordance with claim 1, wherein the received first request message comprises an HTTP message defining the API service request.
  - 3. A computer system in accordance with claim 1, wherein the identity information represents at least one of a message source computer system, an application, an organization and a user.
  - 4. A computer system in accordance with claim 1, wherein the data structure used to represent the identity information takes the form of a string of text, XML or SAML.
  - 5. A computer system in accordance with claim 1, wherein the first service system is programmed to pair the identity information and the corresponding signature in an HTTP header of the request message to the target service system wherein a name of the HTTP request message header is pre-established with the target service system.
  - 6. A computer system in accordance with claim 1, wherein the service provider computer system is programmed to determine that the received first request message has not been tampered with.
  - 7. A computer system in accordance with claim 1, wherein signature information used in the construction of the digital signature comprises a public/private key certificate pre-established with the target service system.
  - 8. A computer system in accordance with claim 1, wherein the identity information that is digitally signed comprises profile information related to an identified entity.
  - 9. A computer system in accordance with claim 8, wherein the profile information related to the identified entity comprises application user profile information.
  - 10. A computer system in accordance with claim 8, wherein the profile information related to the identified entity comprises application developer profile information.
  - 11. A computer system in accordance with claim 8, wherein the profile information related to the identified entity comprises merchant profile information.
  - 12. A computer system in accordance with claim 8, wherein the profile information related to the identified entity comprises security authorization information, including security roles or groups.
  - 13. A computer system in accordance with claim 1, wherein the target service system provides access to data or logic as a service.
  - 14. A computer system in accordance with claim 1, wherein the identity information and corresponding digital signature are stored in separate HTTP headers within an HTTP request message.
  - 15. A computer system in accordance with claim 14, wherein the first service system is programmed to store the identity information and the corresponding signature in separate HTTP headers of the HTTP request message to the target service system wherein the names of the HTTP request message headers are pre-established with the target service system.
  - 16. A computer system in accordance with claim 1, wherein the first service system communicates more than one identity to the target service system within a single second request message.
  - 17. A computer system in accordance with claim 16, wherein the first service system uses separate HTTP headers for communication of each pair of identity information and corresponding digital signature.
  - 18. A computer system in accordance with claim 17 wherein the first service system uses separate public/private key certificates to digitally sign each set of identity information.

19. A computer-implemented method of propagating a client identity included in a service call from a gateway system to a target service system in a service provider (SP) computer system, said method comprising:
- receiving, at the gateway system from an entity outside of the SP computer system, a message defining an Application Programming Interface (API) service request comprising at least a header portion and a payload portion;
  
  determining at the gateway system an identity of an application outside of the SP computer system transmitting the received message using identity information contained in the header portion that has already been established within the gateway system;
  
  receiving, from the target service system, signature information configured to be used in the creation of a digital signature, the target system within the SP computer system;
  
  digitally signing the identity information wherein signature information used in the digital signature is pre-established with the target service system;
  
  pairing the identity information and the corresponding digital signature in a header of a request message to be transmitted from the gateway system to the target service system;
  
  receiving by the target service system the request message and extracting the identity information and corresponding digital signature from the header;
  
  validating by the target service system the corresponding digital signature; and
  
  for signatures that are successfully validated, constructing using the corresponding identity information a data structure that represents the original identity established in the gateway system.
- View Dependent Claims (20, 21, 22)
- - 20. A method in accordance with claim 19, wherein receiving a message defining an API service request comprises receiving an HTTP message defining an API service request.
  - 21. A method in accordance with claim 19, wherein pairing the identity information and the corresponding signature in a header of a request message to be transmitted from the gateway system to the target service system comprises pairing the identity information and the corresponding signature in a header of a request message wherein a name of the request message header is pre-established with the target service system.
  - 22. A method in accordance with claim 19, further comprising determining that the received message has not been tampered with.

23. One or more computer-readable non-transitory media comprising a computer-executable program that instructs at least one processor to propagate a client identity included in a service call from a first service system to a target service system for an Application Programming Interface (API) service application stored within a service provider (SP) computer system through an open API platform, said computer-executable program comprising at least one code segment that instructs the at least one processor to:
- receive, from the first service system from an entity outside of the SP computer system, a message defining an API service request comprising at least a header portion and a payload portion;
  
  determine at the first service system an identity of an application outside of the SP computer system transmitting the received API service request message using identity information contained in the header portion that has already been established within the first service system;
  
  receive, from the target service system, signature information configured to be used in the creation of a digital signature, the target system within the SP computer system;
  
  digitally sign the identity information wherein signature information used in the digital signature is pre-established with the target service system;
  
  pair the identity information and the corresponding digital signature in a header of a request message to be transmitted from the first service system to the target service system;
  
  receive by the target service system the API service request message and extract the identity information and corresponding digital signature from the header;
  
  validate by the target service system the corresponding digital signature; and
  
  for signatures that are successfully validated, construct using the corresponding identity information a data structure that represents the original identity established in the first service system.
- View Dependent Claims (24, 25, 26, 27, 28, 29, 30, 31, 32)
- - 24. A computer-readable non-transitory media in accordance with claim 23, wherein the received message comprises an HTTP message defining the API service request.
  - 25. A computer-readable non-transitory media in accordance with claim 23, wherein the identity represents at least one of an entity responsible to the SP computer system for the application, a merchant, and an application user.
  - 26. A computer-readable non-transitory media in accordance with claim 23, wherein the at least one code segment instructs the at least one processor to pair the identity information and the corresponding signature in a header of the request message wherein a name of the request message header is pre-established with the target service system.
  - 27. A computer-readable non-transitory media in accordance with claim 23, wherein the at least one code segment instructs the at least one processor to determine that the received message has not been tampered with.
  - 28. A computer-readable non-transitory media in accordance with claim 23, wherein information used in the digital signature comprises a certificate pre-established with the target service system.
  - 29. A computer-readable non-transitory media in accordance with claim 23, wherein information used in the digital signature comprises profile information related to the identified entity.
  - 30. A computer-readable non-transitory media in accordance with claim 29, wherein the profile information related to the identified entity comprises application user profile information.
  - 31. A computer-readable non-transitory media in accordance with claim 29, wherein the profile information related to the identified entity comprises application developer profile information.
  - 32. A computer-readable non-transitory media in accordance with claim 29, wherein the profile information related to the identified entity comprises merchant profile information.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Mastercard International Incorporated (MasterCard Incorporated)
Original Assignee
Mastercard International Incorporated (MasterCard Incorporated)
Inventors
Kirk, Stephen Christopher, Byrd, Nathaniel David, Alger, Eric G.
Primary Examiner(s)
CHOUDHURY, AZIZUL Q

Application Number

US13/335,496
Publication Number

US 20120179913A1
Time in Patent Office

1,300 Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/10   Protecting distributed prog...

H04L 2209/56   Financial cryptography, e.g...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/0823   using certificates cryptogr...

H04L 63/126   the source of the received ...

H04L 63/168   above the transport layer

H04L 63/20   for managing network securi...

H04L 9/3247   involving digital signatures

Method and system for propagating a client identity

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

116 Citations

32 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for propagating a client identity

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

116 Citations

32 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links