Authentication and authorization of a privilege-constrained application
First Claim
1. A non-transitory computer-readable storage medium having stored thereon executable instructions that, as a result of execution by one or more processors, cause the one or more processors to:
- assign an application key to a privilege-constrained application that is configured to load onto a client computing device, the privilege-constrained application loaded onto the client computing device with limited privileges, wherein the privilege-constrained application is authorized to perform at least one permitted action and lacks permission to perform at least one blocked action in connection with a client account;
- receive a request for privileged access to the client account through an online resource, the request including a user identifier associated with the client account and the application key;
- determine that the application key matches a stored application key associated with the privilege-constrained application and associated with the user identifier;
- provide a single use authorization (SUA) code allocated for the privilege-constrained application and associated with the user identifier upon the successful determination;
- receive a candidate authorization code and user identifier;
- validate the candidate authorization code based on the SUA code provided; and
- provide a permitted action token based on the validate operation, the permitted action token is presented by the privilege-constrained application to an access service, and the permitted action token indicates that the privilege-constrained application is authorized to perform the at least one permitted action and lacks permission to perform the at least one blocked action in connection with the online resource.
Abstract
Methods and systems are provided for managing access to a client account related (CAR) resource. When a privilege-constrained (PC) application requests access to an individual client account, a single use authorization (SUA) code is created that is associated with the individual client account. The SUA code is routed to, and returned from, the privilege-constrained (PC) application to authenticate the PC application. The PC application, once authenticated, receives a permitted action token that identifies a limited set of privileges that the PC application is authorized to perform in connection with the CAR resource. The PC application provides the permitted action token to an access service. The access service limits access, by the PC application, to the CAR resource based on the permitted action token.
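The flow in the abstract, as an added Python example that is not code from the patent: the application key is checked, an SUA code is issued and consumed on first use, and the access service enforces the actions named in the token. The HMAC-signed token format, the in-memory stores, the 120-second code lifetime and the action names are assumptions made for illustration.

```python
import base64, hashlib, hmac, json, secrets, time

SIGNING_KEY = secrets.token_bytes(32)  # assumed: shared by issuer and access service
APP_KEYS = {}                          # (app_id, user_id) -> stored application key
PENDING_SUA = {}                       # user_id -> (sua_code, app_id, expiry)
PERMITTED = ["read_balance"]           # constructed action name; all others are blocked
SUA_TTL = 120                          # assumed lifetime of an SUA code, in seconds

def _same(a, b):
    return hmac.compare_digest(a.encode(), b.encode())  # constant-time comparison

def assign_app_key(app_id, user_id):
    APP_KEYS[(app_id, user_id)] = secrets.token_urlsafe(32)
    return APP_KEYS[(app_id, user_id)]

def request_access(app_id, user_id, app_key):
    """Issue an SUA code only if the key matches the one stored for this app and user."""
    stored = APP_KEYS.get((app_id, user_id))
    if stored is None or not _same(stored, app_key):
        return None
    code = secrets.token_urlsafe(16)
    PENDING_SUA[user_id] = (code, app_id, time.time() + SUA_TTL)
    return code

def redeem(user_id, candidate):
    """Validate the candidate code; pop() makes any attempt, good or bad, consume it."""
    entry = PENDING_SUA.pop(user_id, None)
    if entry is None:
        return None
    code, app_id, expiry = entry
    if time.time() > expiry or not _same(code, candidate):
        return None
    body = json.dumps({"app": app_id, "user": user_id, "actions": PERMITTED}).encode()
    sig = hmac.new(SIGNING_KEY, body, hashlib.sha256).digest()
    return ".".join(base64.urlsafe_b64encode(p).decode() for p in (body, sig))

def access_service(token, user_id, action):
    """Allow an action only if a validly signed token for this user lists it."""
    try:
        body, sig = (base64.urlsafe_b64decode(p) for p in token.split("."))
    except ValueError:
        return False
    expected = hmac.new(SIGNING_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return False
    claims = json.loads(body)
    return claims["user"] == user_id and action in claims["actions"]
```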
15 Claims
1. A non-transitory computer-readable storage medium having stored thereon executable instructions that, as a result of execution by one or more processors, cause the one or more processors to:
- assign an application key to a privilege-constrained application that is configured to load onto a client computing device, the privilege-constrained application loaded onto the client computing device with limited privileges, wherein the privilege-constrained application is authorized to perform at least one permitted action and lacks permission to perform at least one blocked action in connection with a client account;
- receive a request for privileged access to the client account through an online resource, the request including a user identifier associated with the client account and the application key;
- determine that the application key matches a stored application key associated with the privilege-constrained application and associated with the user identifier;
- provide a single use authorization (SUA) code allocated for the privilege-constrained application and associated with the user identifier upon the successful determination;
- receive a candidate authorization code and user identifier;
- validate the candidate authorization code based on the SUA code provided; and
- provide a permitted action token based on the validate operation, the permitted action token is presented by the privilege-constrained application to an access service, and the permitted action token indicates that the privilege-constrained application is authorized to perform the at least one permitted action and lacks permission to perform the at least one blocked action in connection with the online resource.
Dependent claims: 2, 3
4. A computer implemented method for managing access to a client account utilizing a remote resource, comprising:
- assigning an application key to a privilege-constrained application that is configured to load onto a client computing device, the privilege-constrained application loaded onto the client computing device with limited privileges, wherein the privilege-constrained application is authorized to perform at least one permitted action and lacks permission to perform at least one blocked action in connection with a client account;
- receiving a request for privileged access to the client account through an online resource, the request including a user identifier associated with the client account and the application key;
- determining that the application key matches a stored application key associated with the privilege-constrained application and associated with the user identifier;
- providing a single use authorization (SUA) code allocated for the privilege-constrained application and associated with the user identifier upon the successful determination;
- receiving a candidate authorization code and user identifier;
- validating the candidate authorization code based on the SUA code provided; and
- providing a permitted action token based on the validate operation, the permitted action token is presented by the privilege-constrained application to an access service, and the permitted action token indicates that the privilege-constrained application is authorized to perform the at least one permitted action and lacks permission to perform the at least one blocked action in connection with the online resource.
Dependent claims: 5, 6, 7, 8, 9, 10
11. A system for managing access to a client account utilizing a remote resource, comprising:
- at least one processor; and
- a memory, coupled to the at least one processor, storing program instructions when executed configures the at least one processor to;
  - assign an application key to a privilege-constrained application that is configured to load onto a client computing device, the privilege-constrained application loaded onto the client computing device with limited privileges, wherein the privilege-constrained application is authorized to perform at least one permitted action and lacks permission to perform at least one blocked action in connection with a client account;
  - receive a request for privileged access to the client account through an online resource, the request including a user identifier associated with the client account and the application key;
  - determine that the application key matches a stored application key associated with the privilege-constrained application and associated with the user identifier;
  - provide a single use authorization (SUA) code allocated for the privilege-constrained application and associated with the user identifier upon the successful determination;
  - receive a candidate authorization code and user identifier;
  - validate the candidate authorization code based on the SUA code provided; and
  - provide a permitted action token based on the validate operation, the permitted action token is presented by the privilege-constrained application to an access service, and the permitted action token indicates that the privilege-constrained application is authorized to perform the at least one permitted action and lacks permission to perform the at least one blocked action in connection with the online resource.
Dependent claims: 12, 13, 14, 15
Specification