Token exchange with client generated token

US11212101B2 · US · B2

Patent metadata

Publication number: US-11212101-B2
Application number: US-201816155878-A
Country: US
Kind code: B2
Filing date: Oct 9, 2018
Priority date: Oct 9, 2018
Publication date: Dec 28, 2021
Grant date: Dec 28, 2021

Abstract

A client can be authenticated with an identity provider. The identity provider can generate an identity provider token after successful authentication. Prior to issuing a request to a service provider, the client can request a temporary (one time use) token from the identity provider. The request may include a client token to verify the client's identity. The identity provider can validate the client token using details saved in the identity provider token and issue the temporary token to the client. The client can provide the temporary token to a service provider in a request for service. The service provider can validate the temporary token with the identity provider. If the temporary token is valid (i.e., has not already been used), the service provider can respond to the request. The use of a temporary token and not sharing the identity provider token with the client can prevent security breaches.

Claims

What is claimed is:

1. A method for providing identity services, the method comprising: receiving credentials for a first client; in response to verifying the credentials: issuing a code to the first client, and generating an identity provider token, the identity provider token comprising information about the first client, wherein the identity provider token is not shared with the first client; receiving a request for a temporary token from the first client, the request including the code and a client token generated by the first client; generating the temporary token in response to validating the client token and the code, wherein validating the client token and the code comprises comparing information in the identity provider token with information in the client token; and providing the temporary token to the first client.

2. The method of claim 1, wherein the temporary token comprises a one-time use token.

3. The method of claim 1, further comprising: receiving, from a service provider, a request to validate the temporary token; in response to verifying that the temporary token is valid, providing a response to the service provider indicating the temporary token is valid; and invalidating the temporary token.

4. The method of claim 1, wherein validating the client token and the code comprises verifying a signature associated with the request using a public key of the first client.

5. The method of claim 1, wherein validating the client token and the code comprises decrypting the client token using a private key.

6. The method of claim 1, further comprising: receiving, from a second client, a request for a second temporary token, the request including the code and the client token generated by the first client; and in response to verifying that the code and the client token are valid, providing the second temporary token to the second client.

7. The method of claim 6, wherein the client token and the code are received by the second client from the first client.

8. The method of claim 1, further comprising configuring the temporary token to have an expiration time of less than five minutes.

9. The method of claim 1, wherein the temporary token is provided by the first client in a request to a service provider.

10. The method of claim 1, wherein generating the temporary token comprises storing data associated with the first client in the temporary token.

11. An apparatus comprising: a processor circuit; and a machine-readable medium comprising instructions executable by the processor circuit to cause the apparatus to, receive credentials for a client; in response to verification of the credentials: issue a code to the client, and generate an identity provider token, the identity provider token comprising information about the first client, wherein the identity provider token is not shared with the first client; receive the code and a client token generated by the client from the client; generate a temporary token in response to a validating the client token and the code, wherein validating the client token and the code comprises comparing information in the identity provider token with information in the client token; provide the temporary token to the client; receive, from a service provider, a request to validate the temporary token; and in response to verification that the temporary token is valid, provide a response to the service provider to indicate that the temporary token is valid and invalidate the temporary token.

12. The apparatus of claim 11, wherein the code and the client token are encrypted with one of a public or private key of a public/private key pair.

13. The apparatus of claim 11, wherein the instructions executable by the processor circuit further cause the apparatus to verify a signature associated with the request using a public key of the client.

14. The apparatus of claim 11, wherein the instructions executable by the processor circuit further cause the apparatus to: decrypt the client token using a private key; and verify that the code is associated with the client using information from the client token.

15. The apparatus of claim 11, wherein the temporary token is configured with an expiration time of less than five minutes.

16. One or more non-transitory machine-readable media comprising machine executable instructions for managing application risks, the machine executable instructions comprising instructions to cause a processor to: in response to verification of credentials received from a client: issue a code to the client, and generate an identity provider token, the identity provider token comprising information about the first client, wherein the identity provider token is not shared with the first client; receive the code and a client token generated by the client from the client; generate a temporary token in response to validating the code and the temporary token; provide the temporary token to the client, wherein validating the client token and the code comprises comparing information in the identity provider token with information in the client token; receive a request to validate the temporary token; and in response to verification that the temporary token is valid, provide a response to the request indicating that the temporary token is valid, and invalidate the temporary token.

17. The one or more non-transitory machine-readable media of claim 16, wherein the temporary token comprises a one-time use token.

18. The one or more non-transitory machine-readable media of claim 16, wherein the code and the client token are encrypted with one of a public or private key of a public/private key pair.

19. The one or more non-transitory machine-readable media of claim 18, wherein the machine executable instructions to validate the code and the client token comprise instructions to: verify a signature associated with the request using a public key of the client; and decrypt the client token using a private key.
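The token exchange described in the abstract and claims, as an added example that is not the patent's own code: a Python sketch in which the identity provider keeps the identity provider token server-side, checks the client-generated token against it before minting a temporary token with a sub-five-minute expiry, and lets the service provider validate that token exactly once, so a replay of the same token fails. HMAC with a per-client key enrolled at registration is assumed in place of the public-key signature of claim 4, and the client registry, client name and TTL value are constructed.

```python
import hashlib, hmac, json, secrets, time
TEMP_TOKEN_TTL = 300  # seconds; claim 8 asks for under five minutes (assumed value)

class IdentityProvider:
    def __init__(self, registry):
        self.registry = registry   # client_id -> (password, client_key); constructed enrollment data
        self.idp_tokens = {}       # code -> identity provider token, kept server-side only
        self.temp_tokens = {}      # temp token -> (client_id, expiry)

    def authenticate(self, client_id, password):
        """Verify credentials, issue a code, record an IdP token the client never sees."""
        stored_pw, client_key = self.registry[client_id]
        if not hmac.compare_digest(stored_pw, password):
            raise PermissionError("bad credentials")
        code = secrets.token_urlsafe(16)
        self.idp_tokens[code] = {"client_id": client_id, "key": client_key}
        return code

    def issue_temp_token(self, code, client_token, signature):
        """Compare the client token with the stored IdP token; mint a one-time token if they agree."""
        idp_token = self.idp_tokens.get(code)
        if idp_token is None:
            return None
        # HMAC over the client token stands in for the public-key signature check of claim 4
        expected = hmac.new(idp_token["key"], client_token, hashlib.sha256).hexdigest()
        claims = json.loads(client_token)
        if (not hmac.compare_digest(expected, signature)
                or claims.get("client_id") != idp_token["client_id"] or claims.get("code") != code):
            return None
        temp = secrets.token_urlsafe(16)
        self.temp_tokens[temp] = (idp_token["client_id"], time.time() + TEMP_TOKEN_TTL)
        return temp

    def validate_temp_token(self, temp):
        """Service-provider check; valid exactly once and only before expiry."""
        entry = self.temp_tokens.pop(temp, None)  # pop() invalidates on first use (claim 3)
        return entry is not None and time.time() < entry[1]

def make_client_token(client_id, code, client_key):  # client side: build and sign the client token
    token = json.dumps({"client_id": client_id, "code": code}).encode()
    return token, hmac.new(client_key, token, hashlib.sha256).hexdigest()

def run_flow():
    """Returns (first validation, replay of the same token, issuance with a forged signature)."""
    idp = IdentityProvider({"client-a": ("s3cret", b"client-a-key")})  # constructed client
    code = idp.authenticate("client-a", "s3cret")
    token, sig = make_client_token("client-a", code, b"client-a-key")
    temp = idp.issue_temp_token(code, token, sig)
    first, replay = idp.validate_temp_token(temp), idp.validate_temp_token(temp)
    return first, replay, idp.issue_temp_token(code, token, "00" * 32)
```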

Classifications

  • One-time or temporary data, i.e. information which is sent for every authentication or authorization, e.g. one-time-password, one-time-token or one-time-key · CPC title

  • H04L9/3213 (primary): using tickets or tokens, e.g. Kerberos (network architectures or network communication protocols for entities authentication using tickets in a packet data network H04L63/0807) · CPC title

  • using tickets, e.g. Kerberos (cryptographic mechanisms or cryptographic arrangements for entity authentication using tickets or tokens H04L9/3213) · CPC title

  • using one-time-passwords · CPC title

  • using an additional device, e.g. smartcard, SIM or a different communication terminal (cryptographic mechanisms or cryptographic arrangements for entity authentication involving additional secure or trusted devices H04L9/3234) · CPC title

Frequently asked questions

Who is the assignee on this patent?
Ca Inc
What technology area does this patent fall under?
Primary CPC classification H04L9/3213. Mapped technology areas include Electricity.
When was this patent published?
Publication date: Dec 28, 2021 (B2). Legal status and post-grant events are not shown on this page.