Method and system for propagating a client identity
First Claim
1. A computer system for securely propagating an identity included in a service call request message for an open Application Programming Interface (API) service application from a first service system to a target service system in a service provider (SP) computer system, the service application stored within a service owner (SO) computer device, the SO computer device associated with a SO, the computer system comprising:
a memory device for storing data; and
a service provider (SP) computer system comprising a processor and an open application programming interface (API) platform, the SP computer system in communication with the memory device and the SO computer device, said SP computer system programmed to:
receive a first request message from an entity outside of the SP computer system, at the first service system, the first request message defining an API service request comprising a header portion and a payload portion;
determine, by the first service system, identity information to be transmitted to the target service system, the target system within the SP computer system, the identity information identifying a source outside of the SP computer system of the received message;
construct a data structure that contains the identity information and is able to be digitally signed;
receive, from the target service system, signature information for creating a digital signature;
digitally sign the identity information wherein the signature information used in the creation of the digital signature is pre-established with the target service system;
pair the identity information and the corresponding digital signature in a header of a second request message to be transmitted from the first service system to the target service system;
receive by the target service system the second request message and extract the identity information and corresponding digital signature from the header;
validate by the target service system the corresponding digital signature; and
for signatures that are successfully validated, construct using the corresponding identity information a data structure that represents the original identity established in the first service system.
Abstract
A method and system for securely propagating client identities in a service call from a first system to a target service system are provided. The system includes a memory device for storing data and a service provider (SP) computer system. The SP computer system is programmed to determine identities to transmit to the target system in association with a request, construct a data structure to represent each identity and additional information related to the identity, digitally sign the identity information, pair the identity information and the corresponding digital signature in a header of a request message from the first system to the target service system, receive the request message and extract the identity information and corresponding digital signatures from the header, validate the corresponding digital signatures, and construct using the corresponding identity information a data structure that represents each of the original identities established in the first system.
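The claims and abstract describe one procedure: a gateway (the first service system) establishes who the external caller is, signs that identity with signature information pre-established with the target service, carries identity and signature as a header pair on the forwarded request, and the target rebuilds the identity only after the signature verifies. The following is an added worked example of that exchange, not code from the patent or its assignee. It assumes an HMAC-SHA256 shared secret as the "signature information" (the patent does not fix a signature scheme), hypothetical header names `X-Propagated-Identity` and `X-Propagated-Identity-Signature`, and a constructed inbound request whose `X-Client-Id` / `X-App-Id` values the gateway has already authenticated. It also adds a freshness window on the signed identity, which the claims do not require, because a signature alone does not stop a captured header pair from being replayed later.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed values for the demonstration only. The secret stands in for the
# "signature information" the target service hands to the gateway out of band;
# the header names are hypothetical and are not taken from the patent.
TARGET_SIGNING_SECRET = b"placeholder-secret-provisioned-by-target-service"
IDENTITY_HEADER = "X-Propagated-Identity"
SIGNATURE_HEADER = "X-Propagated-Identity-Signature"


def canonical_bytes(identity: dict) -> bytes:
    """Serialise the identity structure deterministically so both sides sign identical bytes."""
    return json.dumps(identity, sort_keys=True, separators=(",", ":")).encode("utf-8")


def build_identity(external_request: dict, now: Optional[int] = None) -> dict:
    """Gateway side: derive the caller identity from the inbound request.

    The X-Client-Id / X-App-Id values are assumed to have been established by
    the gateway's own client authentication before this point; nothing here
    re-authenticates them.
    """
    headers = external_request["headers"]
    return {
        "client_id": headers["X-Client-Id"],
        "app_id": headers["X-App-Id"],
        "issued_at": now if now is not None else int(time.time()),
        "issuer": "gateway",
    }


def sign_identity(identity: dict, secret: bytes) -> str:
    """HMAC-SHA256 over the canonical identity bytes, base64-encoded for header transport."""
    mac = hmac.new(secret, canonical_bytes(identity), hashlib.sha256).digest()
    return base64.b64encode(mac).decode("ascii")


def gateway_forward(external_request: dict, secret: bytes, now: Optional[int] = None) -> dict:
    """Build the second request message: the original payload plus the identity/signature header pair."""
    identity = build_identity(external_request, now)
    headers = dict(external_request["headers"])
    headers[IDENTITY_HEADER] = base64.b64encode(canonical_bytes(identity)).decode("ascii")
    headers[SIGNATURE_HEADER] = sign_identity(identity, secret)
    return {"headers": headers, "payload": external_request["payload"]}


def target_extract_identity(request: dict, secret: bytes, now: Optional[int] = None,
                            max_age: int = 300) -> Optional[dict]:
    """Target side: reconstruct the identity only after the signature verifies.

    Returns the identity structure, or None when the header pair is missing,
    malformed, altered, signed under a different secret, or stale.
    """
    headers = request["headers"]
    try:
        identity = json.loads(base64.b64decode(headers[IDENTITY_HEADER], validate=True))
        presented_sig = headers[SIGNATURE_HEADER]
    except (KeyError, ValueError):
        return None
    if not isinstance(identity, dict) or not isinstance(presented_sig, str):
        return None
    # Recompute over the canonical form of what was actually received and compare in constant time.
    expected_sig = sign_identity(identity, secret)
    if not hmac.compare_digest(expected_sig.encode("utf-8"), presented_sig.encode("utf-8")):
        return None
    # Freshness window (not required by the claims): without it a captured
    # header pair could be presented again at any later time.
    current = now if now is not None else int(time.time())
    issued = identity.get("issued_at")
    if not isinstance(issued, int) or not (0 <= current - issued <= max_age):
        return None
    return {k: identity[k] for k in ("client_id", "app_id", "issuer") if k in identity}


def tamper_identity_header(request: dict, field: str, value) -> dict:
    """Return a copy of a forwarded request with one identity field altered and the
    original signature left in place, to show the target rejects a modified identity."""
    identity = json.loads(base64.b64decode(request["headers"][IDENTITY_HEADER]))
    identity[field] = value
    headers = dict(request["headers"])
    headers[IDENTITY_HEADER] = base64.b64encode(canonical_bytes(identity)).decode("ascii")
    return {"headers": headers, "payload": request["payload"]}


if __name__ == "__main__":
    # Constructed inbound request as it would arrive at the gateway.
    inbound = {"headers": {"X-Client-Id": "client-123", "X-App-Id": "app-7"},
               "payload": {"action": "lookup"}}
    forwarded = gateway_forward(inbound, TARGET_SIGNING_SECRET, now=1_000)
    print("accepted:", target_extract_identity(forwarded, TARGET_SIGNING_SECRET, now=1_010))
    altered = tamper_identity_header(forwarded, "client_id", "client-999")
    print("tampered:", target_extract_identity(altered, TARGET_SIGNING_SECRET, now=1_010))
```

The canonical serialisation is the part that most often goes wrong in real deployments: if the gateway signs one byte sequence and the target recomputes over a differently ordered or differently whitespaced encoding of the same fields, every signature fails. Signing a canonical form and re-canonicalising what was received, as above, keeps the two sides in agreement, and the constant-time comparison avoids leaking how much of a forged signature matched.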
116 Citations
32 Claims
1. Independent claim, reproduced in full above under First Claim. Dependent claims: 2 to 18.
19. A computer-implemented method of propagating a client identity included in a service call from a gateway system to a target service system in a service provider (SP) computer system, said method comprising:
receiving, at the gateway system from an entity outside of the SP computer system, a message defining an Application Programming Interface (API) service request comprising at least a header portion and a payload portion;
determining at the gateway system an identity of an application outside of the SP computer system transmitting the received message using identity information contained in the header portion that has already been established within the gateway system;
receiving, from the target service system, signature information configured to be used in the creation of a digital signature, the target system within the SP computer system;
digitally signing the identity information wherein signature information used in the digital signature is pre-established with the target service system;
pairing the identity information and the corresponding digital signature in a header of a request message to be transmitted from the gateway system to the target service system;
receiving by the target service system the request message and extracting the identity information and corresponding digital signature from the header;
validating by the target service system the corresponding digital signature; and
for signatures that are successfully validated, constructing using the corresponding identity information a data structure that represents the original identity established in the gateway system.
Dependent claims: 20 to 22.

23. One or more computer-readable non-transitory media comprising a computer-executable program that instructs at least one processor to propagate a client identity included in a service call from a first service system to a target service system for an Application Programming Interface (API) service application stored within a service provider (SP) computer system through an open API platform, said computer-executable program comprising at least one code segment that instructs the at least one processor to:
receive, from the first service system from an entity outside of the SP computer system, a message defining an API service request comprising at least a header portion and a payload portion;
determine at the first service system an identity of an application outside of the SP computer system transmitting the received API service request message using identity information contained in the header portion that has already been established within the first service system;
receive, from the target service system, signature information configured to be used in the creation of a digital signature, the target system within the SP computer system;
digitally sign the identity information wherein signature information used in the digital signature is pre-established with the target service system;
pair the identity information and the corresponding digital signature in a header of a request message to be transmitted from the first service system to the target service system;
receive by the target service system the API service request message and extract the identity information and corresponding digital signature from the header;
validate by the target service system the corresponding digital signature; and
for signatures that are successfully validated, construct using the corresponding identity information a data structure that represents the original identity established in the first service system.
Dependent claims: 24 to 32.
Specification