US11533309B2 · US · B2
Also listed on this page, under a different publication number: Method for remotely acquiring secret key, pos terminal and storage medium (US-2019312720-A1 · Oct 10, 2019 · US). The abstract, claims and classification below belong to US11533309B2, not to that publication.
| Field | Value |
|---|---|
| Publication number | US-11533309-B2 |
| Application number | US-202017134540-A |
| Country | US |
| Kind code | B2 |
| Filing date | Dec 28, 2020 |
| Priority date | Dec 28, 2020 |
| Publication date | Dec 20, 2022 |
| Grant date | Dec 20, 2022 |
Official abstract text for this publication.
A process running on client devices intercepts requests destined for an identity provider (“IdP”) system and injects a digital signature corresponding to a user associated with the request. In order to reduce or eliminate the burden on providers of the applications or other resources used by the users, the organization providing the IdP system may also provide components that run locally on the client devices of users and integrate with the users' applications. For example, in one embodiment code of the IdP system is run within a container of an application to handle communication with the IdP system. Additionally, code of the IdP system is run as a local process that handles request interception and digital signature injection. For client devices not supporting the use of the local process, a separate verifier application of the IdP can be run locally and allow interactively performing authentication via a user interface.
Opening claim text (preview).
What is claimed is:

1. A computer-implemented method for providing federated identity services for a client device of a user, the computer-implemented method comprising: enrolling the user on the client device, the enrollment comprising: generating a public key and a private key for the user; and registering the public key with a remote identity provider (IdP) system in association with the user and the client device; receiving, at the client device, an indication of an access of the user to a third-party application; sending, by the client device, an authentication challenge request to the IdP system; intercepting, by a proxy server signature injection module executing on the client device, the authentication challenge request; generating, by the proxy server signature injection module, using the private key for the user, a signature corresponding to the user; injecting, by the proxy server signature injection module, the signature into the authentication challenge request; forwarding, by the proxy server signature injection module, the authentication challenge request with the injected signature to the IdP system, wherein the IdP system authenticates the user, based at least in part on the injected signature and the registered public key for the user, in response to the forwarded authentication challenge request.

2. The computer-implemented method of claim 1, further comprising: executing scripting code within a container of the application to redirect an authentication request to the IdP system; and responsive to the redirecting, obtaining a sign-in widget from the IdP system.

3. The computer-implemented method of claim 2, further comprising: displaying the sign-in widget; and receiving a user selection of the sign-in widget; wherein the sign-in widget sends the authentication challenge request to the IdP system responsive to the user selection of the sign-in widget.

4. The computer-implemented method of claim 1, further comprising: receiving, from the IdP system, session information for a session of the user with the third-party application; and sending the received session information to a third-party application server of the third-party application along with a request to perform an action for the user within the third-party application.

5. A non-transitory computer-readable storage medium storing instructions for providing federated identity services for a client device of a user, the instructions when executed by a computer processor performing actions comprising: enrolling the user on the client device, the enrollment comprising: generating a public key and a private key for the user; and registering the public key with a remote identity provider (IdP) system in association with the user and the client device; sending, by the client device responsive to the user accessing a third-party application, an authentication challenge request to the IdP system; intercepting, by a proxy server signature injection module executing on the client device, the authentication challenge request; generating, by the proxy server signature injection module, using the private key for the user, a signature corresponding to the user; injecting, by the proxy server signature injection module, the signature into the authentication challenge request; forwarding, by the proxy server signature injection module, the authentication challenge request with the injected signature to the IdP system, wherein the IdP system authenticates the user, based at least in part on the injected signature and the registered public key for the user, in response to the forwarded authentication challenge request.

6. The non-transitory computer-readable storage medium of claim 5, the actions further comprising: executing scripting code within a container of the application to redirect an authentication request to the IdP system; and responsive to the redirecting, obtaining a sign-in widget from the IdP system.

7. The non-transitory computer-readable storage medium of claim 6, the actions further comprising: displaying the sign-in widget; and receiving a user selection of the sign-in widget; wherein the sign-in widget sends the authentication challenge request to the IdP system responsive to the user selection of the sign-in widget.

8. The non-transitory computer-readable storage medium of claim 5, the actions further comprising: receiving, from the IdP system, session information for a session of the user with the third-party application; and sending the received session information to a third-party application server of the third-party application along with a request to perform an action for the user within the third-party application.

9. A computer system providing federated identity services for a client device of a user, the computer system comprising: a computer processor; and a non-transitory computer-readable storage medium storing instructions, the instructions when executed by the computer processor performing actions comprising: enrolling the user on the client device, the enrollment comprising: generating a public key and a private key for the user; and registering the public key with a remote identity provider (IdP) system in association with the user and the client device; sending, by the client device responsive to the user accessing a third-party application, an authentication challenge request to the IdP system; intercepting, by a proxy server signature injection module executing on the client device, the authentication challenge request; generating, by the proxy server signature injection module, using the private key for the user, a signature corresponding to the user; injecting, by the proxy server signature injection module, the signature into the authentication challenge request; forwarding, by the proxy server signature injection module, the authentication challenge request with the injected signature to the IdP system, wherein the IdP system authenticates the user, based at least in part on the injected signature and the registered public key for the user, in response to the forwarded authentication challenge request.

10. The computer system of claim 9, the actions further comprising: executing scripting code within a container of the application to redirect an authentication request to the IdP system; and responsive to the redirecting, obtaining a sign-in widget from the IdP system.

11. The computer system of claim 10, the actions further comprising: displaying the sign-in widget; and receiving a user selection of the sign-in widget; wherein the sign-in widget sends the authentication challenge request to the IdP system responsive to the user selection of the sign-in widget.

12. The computer system of claim 9, the actions further comprising: receiving, from the IdP system, session information for a session of the user with the third-party application; and sending the received session information to a third-party application server of the third-party application along with a request to perform an action for the user within the third-party application.
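The enrollment and signature-injection flow that the abstract and independent claims 1, 5 and 9 describe, as an added example in Go that is not code from the patent or its assignee. It assumes an Ed25519 key pair (the patent names no algorithm), that the injected signature covers the user, device, target application, a client-generated nonce and a timestamp (my choice, so that one signature is bound to one request and replays are detectable; the claims only say a signature "corresponding to the user" is injected), and in-memory stand-ins for the IdP registry and the local proxy server signature injection module. The field names, the two-minute clock window and the sample user, device and application are all constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
	"time"
)

// ChallengeRequest is the sign-in widget's authentication challenge request (field layout assumed).
type ChallengeRequest struct {
	User, Device, App string // App: third-party application being accessed
	Nonce             string // client-generated freshness value (assumption)
	IssuedAt          int64  // Unix seconds
	Signature         []byte // empty until the local proxy injects it
}

// signingInput canonicalises what the signature covers; binding App, Nonce and IssuedAt is assumed.
func signingInput(r ChallengeRequest) []byte {
	return []byte(strings.Join([]string{r.User, r.Device, r.App, r.Nonce, fmt.Sprint(r.IssuedAt)}, "\n"))
}

// IdP stands in for the remote identity provider system.
type IdP struct {
	registry  map[string]ed25519.PublicKey // "user|device" -> public key registered at enrollment
	seenNonce map[string]bool              // nonces already accepted (replay detection)
	maxSkew   time.Duration                // tolerated clock difference
}

func NewIdP() *IdP {
	return &IdP{registry: map[string]ed25519.PublicKey{}, seenNonce: map[string]bool{}, maxSkew: 2 * time.Minute}
}

// Authenticate is the IdP-side check: signature valid under the registered key, request fresh and unseen.
func (i *IdP) Authenticate(r ChallengeRequest, now time.Time) error {
	pub, ok := i.registry[r.User+"|"+r.Device]
	if !ok {
		return errors.New("no public key registered for this user and device")
	}
	if age := now.Sub(time.Unix(r.IssuedAt, 0)); age < -i.maxSkew || age > i.maxSkew {
		return errors.New("request timestamp outside the accepted window")
	}
	if i.seenNonce[r.Nonce] {
		return errors.New("nonce already used: replayed request")
	}
	if len(r.Signature) != ed25519.SignatureSize || !ed25519.Verify(pub, signingInput(r), r.Signature) {
		return errors.New("missing or invalid signature for the registered key")
	}
	i.seenNonce[r.Nonce] = true // recorded only after successful verification
	return nil
}

// ClientDevice models the enrolled client.
type ClientDevice struct {
	User, Device string
	priv         ed25519.PrivateKey // in memory here; a real client keeps it in a TPM or Secure Enclave
}

// Enroll generates the key pair on the client and registers the public key with the IdP.
func Enroll(idp *IdP, user, device string) (*ClientDevice, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	idp.registry[user+"|"+device] = pub
	return &ClientDevice{User: user, Device: device, priv: priv}, nil
}

// NewChallengeRequest is what the sign-in widget emits when the user selects it.
func NewChallengeRequest(user, device, app string, now time.Time) ChallengeRequest {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return ChallengeRequest{User: user, Device: device, App: app, Nonce: hex.EncodeToString(b), IssuedAt: now.Unix()}
}

// InjectSignature plays the proxy server signature injection module: it signs only requests for its
// own enrolled user and device (so other local code cannot use it as a signing oracle) and never re-signs.
func (c *ClientDevice) InjectSignature(r ChallengeRequest) (ChallengeRequest, error) {
	if r.User != c.User || r.Device != c.Device {
		return r, errors.New("request is not for the enrolled user and device; refusing to sign")
	}
	if len(r.Signature) != 0 {
		return r, errors.New("request already carries a signature")
	}
	r.Signature = ed25519.Sign(c.priv, signingInput(r))
	return r, nil
}

func main() {
	idp := NewIdP()
	dev, _ := Enroll(idp, "alice", "laptop-1") // constructed sample user and device
	now := time.Now()
	signed, _ := dev.InjectSignature(NewChallengeRequest("alice", "laptop-1", "crm.example", now))
	fmt.Println("first use:", idp.Authenticate(signed, now))
	fmt.Println("replay:   ", idp.Authenticate(signed, now))
}
```

The two checks worth carrying into a real deployment are on opposite sides of the wire. On the IdP, verifying the signature alone would accept any captured request forever; covering a nonce and timestamp in the signed input and recording accepted nonces is what turns "the user's key signed something" into "the user's key authorised this request". On the client, an interception point that signs whatever is handed to it is a signing oracle for any malware on the same host, so the proxy module should refuse requests that are not for its enrolled user and device and should hold the private key somewhere it cannot be exported from.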
CPC classification titles:
- by delegation of authentication, e.g. a proxy authenticates an entity to be authenticated on behalf of this entity vis-à-vis an authentication entity
- for key exchange, e.g. in peer-to-peer networks (cryptographic mechanisms or cryptographic arrangements for key agreement H04L9/0838)
- wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption (cryptographic mechanisms or cryptographic arrangements for public-key encryption H04L9/30)
- providing single-sign-on or federations
- applying self-generating credentials, e.g. instead of receiving credentials from an authority or from another peer, the credentials are generated at the entity itself