Inter-application delegated authentication

US11539698B2 · US · B2

Patent metadata

Publication number: US-11539698-B2
Application number: US-202117306873-A
Country: US
Kind code: B2
Filing date: May 3, 2021
Priority date: Apr 29, 2014
Publication date: Dec 27, 2022
Grant date: Dec 27, 2022

Abstract

Official abstract text for this publication.

Disclosed is a system for delegating authentication of an untrusted application executing on a client device. For delegated authentication, an untrusted application relies on a trusted application executing in the same environment for authentication purposes. The delegated authentication process avoids requiring the user of the untrusted application to provide authentication credentials. The disclosed system for delegating authentication enables any trusted application executing in the same computing environment to authenticate the untrusted application.

First claim

Opening claim text (preview).

What is claimed is:

1. A system comprising: one or more computers and one or more storage devices storing instructions that when executed by one or more computers cause the one or more computers to perform respective operations, the operations comprising: receiving a first authentication request from a first application installed on a first client device, the first authentication request comprising a first application identifier for the first application and a first device identifier for the first client device; receiving data representing one or more device profiles, each of the one or more device profiles including a device identifier for a client device and a list of applications, wherein each application of the list of applications includes a corresponding application identifier for the application; using the first device identifier to determine, from the one or more device profiles, a first device profile for first client device; determining, from a list of applications in the first device profile, whether the first application identifier is included in the list of applications; in response to determining that the first application identifier is not included in the list of applications, authenticating the first application using at least one application in the list of applications in the first device profile; and updating the first device profile by adding the first application to the list of applications in the first device profile.

2. The system of claim 1, wherein each application in the list of applications is associated with one or more authentication tokens generated for the application and a usage history of the application.

3. The system of claim 1, wherein authenticating the first application using the at least one application comprises: transmitting, to the first application, a first nonce and a first instruction to continue the authentication process using the at least one application; wherein the first nonce is an arbitrary number used for secured communication between the first application and the at least one application.

4. The system of claim 3, wherein authenticating the first application using the at least one application further comprises: receiving, after the first application transmits an inter-application authentication request to the at least one application, a first verification request from the at least one application on behalf of authenticating the first application; in response, determining whether the first verification request is received within a particular time window; in response to determining the first verification request is received within the particular time window, authorizing the first verification request; and transmitting, to the at least one application, a second nonce and a second instruction to authorize the first application.

5. The system of claim 4, wherein authenticating the first application using the at least one application further comprises: receiving a second authentication request, from the first application, wherein the second authentication request includes a hash of the first application identifier and the second nonce, wherein the hash is generated, by the first application, based on the second instruction and second nonce received from the at least one application; and in response, generating a respective access token and a respective key for the first application.

6. The system of claim 5, wherein updating the first device profile by adding the first application to the list of applications in the first device profile further comprises: transmitting, to the first application, the respective token and the respective key generated for the first application; and adding, to the list of applications, the first application, the respective token, and the respective key so that the first application is an authorized application.

7. The system of claim 1, wherein authenticating the first application using the at least one application further comprises: selecting an application, as the at least one application, from the list of applications in the first device profile; wherein the selecting is based on a likelihood of each application in the list of applications being currently installed on the first client device.

8. A method comprising: receiving a first authentication request from a first application installed on a first client device, the first authentication request comprising a first application identifier for the first application and a first device identifier for the first client device; receiving data representing one or more device profiles, each of the one or more device profiles including a device identifier for a client device and a list of applications, wherein each application of the list of applications includes a corresponding application identifier for the application; using the first device identifier to determine, from the one or more device profiles, a first device profile for first client device; determining, from a list of applications in the first device profile, whether the first application identifier is included in the list of applications; in response to determining that the first application identifier is not included in the list of applications, authenticating the first application using at least one application in the list of applications in the first device profile; and updating the first device profile by adding the first application to the list of applications in the first device profile.

9. The method of claim 8, wherein each application in the list of applications is associated with one or more authentication tokens generated for the application and a usage history of the application.

10. The method of claim 8, wherein authenticating the first application using the at least one application comprises: transmitting, to the first application, a first nonce and a first instruction to continue the authentication process using the at least one application; wherein the first nonce is an arbitrary number used for secured communication between the first application and the at least one application.

11. The method of claim 10, wherein authenticating the first application using the at least one application further comprises: receiving, after the first application transmits an inter-application authentication request to the at least one application, a first verification request from the at least one application on behalf of authenticating the first application; in response, determining whether the first verification request is received within a particular time window; in response to determining the first verification request is received within the particular time window, authorizing the first verification request; and transmitting, to the at least one application, a second nonce and a second instruction to authorize the first application.

12. The method of claim 11, wherein authenticating the first application using the at least one application further comprises: receiving a second authentication request, from the first application, wherein the second authentication request includes a hash of the first application identifier and the second nonce, wherein the hash is generated, by the first application, based on the second instruction and second nonce received from the at least one application; and in response, generating a respective access token and a respective key for the first application.

13. The method of claim 12, wherein updating the first device profile by adding the first application to the list of applications in the first device profile further comprises: transmitting, to the first application, the respective tok
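
The server-side sequence recited in claims 1 and 3 to 6, sketched as an added example that is not taken from the patent or from any implementation by its assignee. The class and function names, SHA-256 as the hash, the 30-second window, and the assumption that the verification request carries the trusted application's existing token and the first nonce are all illustrative choices the claims leave open.

```python
import hashlib, hmac, secrets, time

WINDOW_SECONDS = 30  # assumed value for the claims' "particular time window"

def app_hash(app_id, nonce2):
    # Claim 5 only says "a hash of the application identifier and the second nonce"; SHA-256 is assumed.
    return hashlib.sha256(f"{app_id}:{nonce2}".encode()).hexdigest()

class AuthServer:  # hypothetical name
    def __init__(self, profiles):
        self.profiles = profiles  # device_id -> {app_id: {"token": ..., "key": ...}}
        self.pending = {}         # (device_id, app_id) -> in-flight delegation state

    def first_request(self, app_id, device_id, now=None):
        apps = self.profiles[device_id]
        if app_id in apps:
            return {"status": "known"}
        state = {"nonce1": secrets.token_hex(16), "nonce2": None,
                 "issued": time.time() if now is None else now}
        self.pending[(device_id, app_id)] = state
        return {"status": "delegate", "nonce1": state["nonce1"], "via": sorted(apps)}

    def verification_request(self, device_id, trusted_app, trusted_token, app_id, nonce1, now=None):
        state = self.pending.get((device_id, app_id))
        entry = self.profiles[device_id].get(trusted_app)
        if state is None or entry is None:
            return None
        if not (hmac.compare_digest(entry["token"], trusted_token)
                and hmac.compare_digest(state["nonce1"], nonce1)):
            return None
        if (time.time() if now is None else now) - state["issued"] > WINDOW_SECONDS:
            del self.pending[(device_id, app_id)]  # stale delegation: force a restart
            return None
        state["nonce2"] = secrets.token_hex(16)
        return state["nonce2"]

    def second_request(self, app_id, device_id, digest):
        state = self.pending.get((device_id, app_id))
        if state is None or state["nonce2"] is None:
            return None
        if not hmac.compare_digest(digest, app_hash(app_id, state["nonce2"])):
            return None
        del self.pending[(device_id, app_id)]  # nonces are single use
        cred = {"token": secrets.token_hex(16), "key": secrets.token_hex(32)}
        self.profiles[device_id][app_id] = cred  # app is now on the authorized list
        return cred
```

Deleting the pending state on success and on a missed window is what keeps a captured second nonce or hash from being replayed later.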

Classifications

  • Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) (network architectures or network communication protocols for key distribution in a packet data network H04L63/062)

  • using tickets, e.g. Kerberos (cryptographic mechanisms or cryptographic arrangements for entity authentication using tickets or tokens H04L9/3213)

  • using shared identity modules, e.g. SIM sharing

  • using cryptographic hash functions

  • G06F21/44 (Primary): Program or device authentication

Frequently asked questions

Answers are generated from the same data shown on this page.

Who is the assignee on this patent?
Twitter Inc
What technology area does this patent fall under?
Primary CPC classification G06F21/44. Mapped technology areas include Physics.
When was this patent published?
Publication date Dec 27, 2022 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 5 related publications on this page (citations in our corpus or others sharing the same primary CPC).