Adaptive authorization using access token

US11245682B2 · US · B2

Patent metadata

Publication number: US-11245682-B2
Application number: US-201916286366-A
Country: US
Kind code: B2
Filing date: Feb 26, 2019
Priority date: Oct 18, 2018
Publication date: Feb 8, 2022
Grant date: Feb 8, 2022


Abstract

Official abstract text for this publication.

Techniques are described for generating and using rule-enhanced access tokens in connection with authorization for access to resources. An access token is generated in response to determining that a user is authorized to access a protected resource. The access token contains rule information including one or more constraints, each constraint corresponding to a condition for granting or denying access to the protected resource. Upon receiving the access token, a client application can present the access token for accessing the protected resource. The client application can be configured to enforce one or more rules represented in the rule information. The client application can, for example, determine based on the one or more constraints that a condition for granting access is unmet and, in response, cancel a pending access request for the protected resource.

First claim

Opening claim text (preview).

What is claimed is:

1. A method, comprising: receiving, by an access management system (AMS), an access token request from a client application at a client device, the access token request identifying a user of the client device and a resource to be accessed; authenticating, by the AMS, the user based on one or more user-supplied credentials prior to generating a first access token; determining, by the AMS, that the user of the client device is authorized to access the resource; generating, by the AMS, the first access token in response to the determining that the user of the client device is authorized to access the resource, wherein the first access token includes one or more constraints, each constraint corresponding to a condition for granting or denying user access to the resource, wherein the one or more constraints correspond to at least one of the following conditions: a time during which access is allowed, a time during which access is denied, a user or user group that is allowed access, a user or user group that is denied access, an Internet Protocol (IP) address that is allowed access, an IP address that is denied access, a geographic location that is allowed access, or a geographic location that is denied access; and sending, by the AMS, the first access token to the client application at the client device, wherein the first access token is presentable by the client application at the client device in an access request for obtaining access to the resource by the client application at the client device, and wherein the client application at the client device reads the one or more constraints from the first access token, the client application at the client device determines whether each condition for granting or denying user access to the resource is met according to the one or more constraints, the client application at the client device determines whether to proceed with the access request based on whether each condition for granting or denying user access to the resource is met, and, when the determination is to proceed with the access request, the client application at the client device presents the first access token in the access request to a resource host that hosts the resource, and the client application at the client device thereby obtains access to the resource.

2. The method of claim 1, wherein generating the first access token further comprises adding to the first access token information indicating an expiration time for a rule represented by the one or more constraints.

3. The method of claim 2, wherein generating the first access token further comprises adding to the first access token information indicating an expiration time for the first access token.

4. The method of claim 3, wherein the expiration time for the rule is different from the expiration time for the first access token.

5. The method of claim 1, further comprising: receiving, by the AMS, a request from the client application for a new access token presentable for obtaining access to the resource; and generating, by the AMS, a second access token in response to the request for a new access token, wherein the second access token includes at least one of an additional constraint not included in the first access token, a removal of a constraint included in the first access token, or a replacement for a constraint included in the first access token.

6. The method of claim 1, wherein the AMS determines that the user is authorized to access the resource based on an Open Authorization (OAuth) protocol.

7. The method of claim 1, wherein the client application at the client device generates the access request that includes the first access token in a header of the access request.

8. The method of claim 1, wherein the client application at the client device determines to proceed with the access request when each condition for granting user access to the resource is met, and wherein the client application at the client device enforces the conditions without a backchannel request to the AMS in connection with the access request.

9. A non-transitory computer-readable storage medium containing instructions that, when executed by one or more processors of an access management system (AMS), cause the one or more processors to perform processing comprising: receiving an access token request from a client application at a client device, the access token request identifying a user of the client device and a resource to be accessed; authenticating the user based on one or more user-supplied credentials prior to generating a first access token; determining that the user of the client device is authorized to access the resource; generating the first access token in response to the determining that the user of the client device is authorized to access the resource, wherein the first access token includes one or more constraints, each constraint corresponding to a condition for granting or denying user access to the resource, wherein the one or more constraints correspond to at least one of the following conditions: a time during which access is allowed, a time during which access is denied, a user or user group that is allowed access, a user or user group that is denied access, an Internet Protocol (IP) address that is allowed access, an IP address that is denied access, a geographic location that is allowed access, or a geographic location that is denied access; and sending the first access token to the client application at the client device, wherein the first access token is presentable by the client application at the client device in an access request for obtaining access to the resource by the client application at the client device, and wherein the client application at the client device reads the one or more constraints from the first access token, the client application at the client device determines whether each condition for granting or denying user access to the resource is met according to the one or more constraints, the client application at the client device determines whether to proceed with the access request based on whether each condition for granting or denying user access to the resource is met, and, when the determination is to proceed with the access request, the client application at the client device presents the first access token in the access request to a resource host that hosts the resource, and the client application at the client device thereby obtains access to the resource.

10. The non-transitory computer-readable storage medium of claim 9, wherein generating the first access token further comprises adding to the first access token information indicating an expiration time for a rule represented by the one or more constraints.

11. The non-transitory computer-readable storage medium of claim 10, wherein generating the first access token further comprises adding to the first access token information indicating an expiration time for the first access token.

12. The non-transitory computer-readable storage medium of claim 11, wherein the expiration time for the rule is different from the expiration time for the first access token.

13. The non-transitory computer-readable storage medium of claim 9, wherein the instructions further cause the one or more processors to perform processing comprising: receiving a request from the client application for a new access token presentable for obtaining access to the resource; and generating a second access token in response to the request for a new access token, wherein the second access token includes at least one of an additional constraint not included in the first access token, a removal of a constraint inc
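An added illustration of the flow the claims describe, written for this page rather than taken from the patent or from any Oracle product: a hypothetical AMS issues a signed token carrying allow/deny constraints of the four kinds named in claim 1 plus separate rule and token expirations (claims 2-4), the client reads the constraints and decides locally whether to proceed or cancel the request (claim 8), and the resource host verifies the signature. The token format, the HMAC signing and the constraint encoding are assumptions; the shared key, rules and contexts are constructed sample data.

```python
import hmac, hashlib, json, base64, ipaddress

AMS_KEY = b"constructed-demo-key"  # AMS/resource-host shared secret (constructed)
SAMPLE_RULES = [  # constructed constraints, one per condition type named in claim 1
    {"type": "time", "mode": "allow", "value": [9, 17]},        # hours access is allowed
    {"type": "group", "mode": "allow", "value": ["finance"]},   # group allowed access
    {"type": "ip", "mode": "deny", "value": "203.0.113.0/24"},  # IP range denied access
    {"type": "geo", "mode": "allow", "value": ["US", "CA"]},    # countries allowed access
]

def issue_token(user, groups, resource, rules, token_exp, rule_exp):
    """AMS side: embed constraints plus separate rule/token expirations, then sign."""
    payload = {"sub": user, "groups": groups, "res": resource,
               "rules": rules, "exp": token_exp, "rule_exp": rule_exp}
    body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode())
    return body.decode() + "." + hmac.new(AMS_KEY, body, hashlib.sha256).hexdigest()

def read_claims(token):  # client side: decode constraints; the client holds no AMS key
    return json.loads(base64.urlsafe_b64decode(token.split(".")[0]))

def host_verify(token):  # resource host side: check the AMS signature before honoring
    body, sig = token.split(".")
    expected = hmac.new(AMS_KEY, body.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(sig, expected)

def constraint_met(rule, ctx, claims):
    """Evaluate one allow/deny constraint against the client's current context."""
    kind, mode, value = rule["type"], rule["mode"], rule["value"]
    if kind == "time":
        hit = value[0] <= ctx["hour"] < value[1]
    elif kind == "group":
        hit = bool(set(value) & set(claims["groups"]))
    elif kind == "ip":
        hit = ipaddress.ip_address(ctx["ip"]) in ipaddress.ip_network(value)
    elif kind == "geo":
        hit = ctx["country"] in value
    else:
        return False  # unknown constraint type: fail closed
    return hit if mode == "allow" else not hit

def client_decide(token, ctx):
    """Client side: proceed with the access request or cancel it, no AMS backchannel."""
    claims = read_claims(token)
    if ctx["now"] >= claims["exp"]:
        return False, "token expired"
    if ctx["now"] >= claims["rule_exp"]:
        return False, "rule expired: request a new token"
    for rule in claims["rules"]:
        if not constraint_met(rule, ctx, claims):
            return False, "constraint unmet: " + rule["type"] + "/" + rule["mode"]
    return True, "present token to resource host"
```

The client-side check saves a doomed round trip, but a modified client can skip it, so the resource host should verify the signature and apply the same constraints itself.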

Assignees

Oracle Int Corp

Inventors

Classifications

  • G06F21/335 (primary CPC): for accessing specific resources, e.g. using Kerberos tickets

  • CPC title: User authentication

  • CPC title: using tickets, e.g. Kerberos (cryptographic mechanisms or cryptographic arrangements for entity authentication using tickets or tokens H04L9/3213)

  • CPC title: Location-sensitive, e.g. geographical location, GPS

  • CPC title: Time limited access, e.g. to a computer or data

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US11245682B2 cover?
Techniques are described for generating and using rule-enhanced access tokens in connection with authorization for access to resources. An access token is generated in response to determining that a user is authorized to access a protected resource. The access token contains rule information including one or more constraints, each constraint corresponding to a condition for granting or denying …
Who is the assignee on this patent?
Oracle Int Corp
What technology area does this patent fall under?
Primary CPC classification G06F21/335. Mapped technology areas include Physics.
When was this patent published?
Publication date Feb 8, 2022 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 9 related publications on this page (citations in our corpus or others sharing the same primary CPC).