Coordinating access authorization across multiple systems at different mutual trust levels

US2018337784A1 · US · A1

Patent metadata
Publication number: US-2018337784-A1
Application number: US-201715650470-A
Country: US
Kind code: A1
Filing date: Jul 14, 2017
Priority date: May 19, 2017
Publication date: Nov 22, 2018
Grant date: none listed (kind code A1 is a pre-grant publication of the application)


Abstract

Official abstract text for this publication.

Embodiments presented herein provide a partner authentication (PA) system that coordinates a network-based authorization process for an application. The PA system exchanges a series of messages with the application seeking an access token for a protected resource, an authorization server associated with the resource, and an agent executing on a device accessed by a user who wants the application to access the resource. The PA system and the agent communicate with the authorization server on behalf of the application throughout the authorization process. At the completion of the authorization process, the PA system receives an access token and a refresh token from the server on behalf of the application and sends a partner authorization (PA) token to the application. When the application seeks access to the resource that is available to authorized parties via the resource server, the application sends the PA token to the PA system and receives the access token in return.

Claims

Claim text as shown on the source page (a preview; it cuts off partway through claim 11).

What is claimed is:

1. A method comprising: receiving, from a beneficiary application via a network, an initiation message requesting the beneficiary application be authorized to access data hosted at a resource server connected to the network; verifying that a valid session for a user exists between the application and an agent executing at a user device; instructing the agent to obtain an authorization code on behalf of the application from an authorization server associated with the resource server; receiving the authorization code from the agent; obtaining an access token and a refresh token from the authorization server based on the authorization code; generating a partner authorization (PA) token associated with the access token and the refresh token; and transmitting the PA token to the beneficiary application to allow the beneficiary application to retrieve the access token when the user is logged in to the application.

2. The method of claim 1, further comprising: receiving the PA token from the beneficiary application in a request for the access token; and sending the access token to the beneficiary application.

3. The method of claim 1, further comprising: receiving the PA token from the beneficiary application in a request for the access token; verifying, via a communication from the agent, that the user is logged in to the application; determining the access token has expired; sending the refresh token to the authorization server to request an updated access token; receiving the updated access token and an updated refresh token from the authorization server; and sending the access token to the beneficiary application.

4. The method of claim 1, wherein verifying that the valid session exists between the beneficiary application and the agent comprises: generating a request token and a state identifier based on the initiation message; sending, to the beneficiary application in a verification-request message via the network, the request token and the state identifier; receiving, from the agent via the network, a verification-confirmation message, wherein the verification-confirmation message includes a first copy of the request token and a first copy of the state identifier; verifying the first copy of the state identifier received in the verification-confirmation message matches the state identifier sent in the verification-request message; and verifying the first copy of the request token received in the verification-confirmation message matches the request token sent in the verification-request message to confirm the agent is in communication with the beneficiary application.

5. The method of claim 4, wherein instructing the agent to obtain the authorization code comprises: sending, to the agent via the network in response to the verification-confirmation message, a redirect-to-issuer message, wherein the redirect-to-issuer message includes the state identifier and specifies a uniform resource identifier (URI) of an authorization server associated with the resource server; receiving, from the agent at the client device via the network, a code-transferal message that includes a second copy of the state identifier and an authorization code associated with the resource server; and verifying the second copy of the state identifier received in the code-transferal message matches the state identifier sent in the verification-request message.

6. The method of claim 5, wherein obtaining an access token from the authorization server based on the authorization code comprises: sending, to the authorization server via the network, a token-request message requesting an access token and a refresh token, wherein the token-request message includes the authorization code and the state identifier; receiving, from the authorization server via the network, a token-grant message that includes the access token and the refresh token; and verifying the third copy of the state identifier received in the token-grant message matches the state identifier sent in the verification-request message.

7. The method of claim 6, further comprising: generating a response token for the agent based on the token-grant message; sending, to the agent via the network, a redirect-to-beneficiary message, wherein the redirect-to-beneficiary message specifies a uniform resource identifier (URI) of the beneficiary server and includes the response token; receiving, via the network from the beneficiary application at the beneficiary server, a response-confirmation message, wherein the response-confirmation message includes a first copy of the response token; verifying the first copy of the response token received in the response-confirmation message matches the response token sent in the redirect-to-beneficiary message to confirm the beneficiary application is in communication with the agent; and sending, via the network to the beneficiary application in response to the response-confirmation message, a PA-grant message, wherein the PA-grant message includes the PA token.

8. A system comprising: one or more processors; and memory storing one or more applications that, when executed on the one or more processors, perform an operation comprising: receiving, from a beneficiary application via a network, an initiation message requesting the beneficiary application be authorized to access data hosted at a resource server connected to the network; verifying that a valid session for a user exists between the application and an agent executing at a user device; instructing the agent to obtain an authorization code on behalf of the application from an authorization server associated with the resource server; receiving the authorization code from the agent; obtaining an access token and a refresh token from the authorization server based on the authorization code; generating a partner authorization (PA) token associated with the access token and the refresh token; and transmitting the PA token to the beneficiary application to allow the beneficiary application to retrieve the access token when the user is logged in to the application.

9. The system of claim 8, wherein the operation further comprises: receiving the PA token from the beneficiary application in a request for the access token; and sending the access token to the beneficiary application.

10. The system of claim 8, wherein the operation further comprises: receiving the PA token from the beneficiary application in a request for the access token; verifying, via a communication from the agent, that the user is logged in to the application; determining the access token has expired; sending the refresh token to the authorization server to request an updated access token; receiving the updated access token and an updated refresh token from the authorization server; and sending the access token to the beneficiary application.

11. The system of claim 8, wherein verifying that the valid session exists between the beneficiary application and the agent comprises: generating a request token and a state identifier based on the initiation message; sending, to the beneficiary application in a verification-request message via the network, the request token and the state identifier; receiving, from the agent via the network, a verification-confirmation message, wherein the verification-confirmation message includes a first copy of the request token and a first copy of the state identifier; verifying the first copy of the state identifier received in the verification-confirmation message matches the state identifier sent in the verification-request message; and verifying the first cop
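The vocabulary of claims 1 to 7 (authorization server, authorization code, access and refresh tokens, a state identifier echoed on every leg) is that of the OAuth 2.0 authorization-code grant, with the PA system inserted as a broker between the beneficiary application, the device agent and the authorization server. The following is an added example, not code from the patent or from Intuit: an in-process Python simulation in which a stand-in authorization server, the PA system, the app and the agent exchange the claimed messages. Class names, message field names, the error conditions and the sample identities ("beneficiary-app", "alice") are assumptions; the redirect URIs of claims 5 and 7 are omitted. It makes the three bindings the claims rely on concrete: the request token and state identifier tie the agent to the app (claim 4), the state identifier is checked again on the code-transferal and token-grant messages (claims 5 and 6), and the response token ties the app back to the agent (claim 7). It also shows that the app only ever holds the PA token, and that an expired access token is refreshed by the PA system without the app seeing the refresh token (claim 3).

```python
# Added illustration of the claimed flow, not the patent's code: every name,
# message field and error string below is an assumption made for the example.
import secrets
import time


class AuthorizationServer:
    """Stand-in authorization server: single-use codes, rotating refresh tokens."""
    def __init__(self, access_lifetime=60):
        self.access_lifetime = access_lifetime
        self._codes, self._refresh = {}, {}   # code -> user, refresh token -> user
    def authorize(self, user, state):         # agent arrives via redirect-to-issuer
        code = secrets.token_urlsafe(16)
        self._codes[code] = user
        return {"code": code, "state": state}
    def token(self, code, state):             # token-request from the PA system
        user = self._codes.pop(code, None)    # a code can be redeemed once
        if user is None:
            raise PermissionError("unknown or already-used authorization code")
        return self._grant(user, state)
    def refresh(self, refresh_token):
        user = self._refresh.pop(refresh_token, None)   # refresh tokens rotate
        if user is None:
            raise PermissionError("unknown or already-used refresh token")
        return self._grant(user, None)
    def _grant(self, user, state):            # token-grant message
        new_refresh = secrets.token_urlsafe(16)
        self._refresh[new_refresh] = user
        return {"access_token": "at-" + secrets.token_hex(8), "refresh_token": new_refresh,
                "expires_at": time.time() + self.access_lifetime, "state": state}


class PartnerAuthSystem:
    """Brokers the code flow for the app, keeps the real tokens, issues a PA token."""
    def __init__(self, auth_server):
        self.auth_server = auth_server
        self._pending = {}   # state identifier -> in-flight authorization
        self._grants = {}    # PA token -> stored tokens and bindings
    def initiate(self, app_id):               # claim 4: verification-request to the app
        state, request_token = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
        self._pending[state] = {"app": app_id, "request_token": request_token}
        return {"state": state, "request_token": request_token}
    def confirm_session(self, msg):           # claims 4-5: verification-confirmation
        p = self._pending.get(msg["state"])
        if p is None or not secrets.compare_digest(p["request_token"], msg["request_token"]):
            raise PermissionError("agent is not in session with the beneficiary app")
        p["user"] = msg["user"]
        return {"state": msg["state"]}        # redirect-to-issuer (URI omitted here)
    def receive_code(self, msg):              # claims 5-7: code-transferal from agent
        p = self._pending.get(msg["state"])
        if p is None:
            raise PermissionError("state identifier matches no pending request")
        grant = self.auth_server.token(msg["code"], msg["state"])
        if grant["state"] != msg["state"]:
            raise PermissionError("state identifier mismatch in token-grant")
        p["grant"], p["response_token"] = grant, secrets.token_urlsafe(16)
        return {"state": msg["state"], "response_token": p["response_token"]}  # redirect-to-beneficiary
    def confirm_response(self, msg):          # claim 7: response-confirmation from app
        p = self._pending.pop(msg["state"], None)
        if p is None or not secrets.compare_digest(p["response_token"], msg["response_token"]):
            raise PermissionError("beneficiary app is not in communication with the agent")
        pa_token = secrets.token_urlsafe(16)
        self._grants[pa_token] = {"app": p["app"], "user": p["user"], **p["grant"]}
        return {"pa_token": pa_token}         # PA-grant: the access token never leaves here
    def access_token(self, pa_token, app_id, agent_logged_in):   # claims 2 and 3
        g = self._grants.get(pa_token)
        if g is None or g["app"] != app_id:
            raise PermissionError("PA token unknown or bound to another app")
        if not agent_logged_in(g["user"]):
            raise PermissionError("user is no longer logged in to the application")
        if g["expires_at"] <= time.time():    # expired: refresh on the app's behalf
            g.update(self.auth_server.refresh(g["refresh_token"]))
        return g["access_token"]


def rejected(call):
    # True if the broker refuses the call with PermissionError, else False.
    try:
        call()
        return False
    except PermissionError:
        return True


def run_flow(access_lifetime=60):
    # Play the app and the device agent in-process through one full authorization.
    authz = AuthorizationServer(access_lifetime)
    pa = PartnerAuthSystem(authz)
    app_id, user = "beneficiary-app", "alice"      # constructed identities
    logged_in = {user: True}                       # what the agent would report
    vr = pa.initiate(app_id)                       # app -> PA: initiation
    rd = pa.confirm_session({**vr, "user": user})  # app relays to agent, agent -> PA
    code_msg = authz.authorize(user, rd["state"])  # agent -> authz server -> agent
    to_app = pa.receive_code(code_msg)             # agent -> PA: code-transferal
    grant = pa.confirm_response(to_app)            # agent -> app -> PA: response-confirmation
    first = pa.access_token(grant["pa_token"], app_id, logged_in.get)
    return {"pa": pa, "pa_token": grant["pa_token"], "app_id": app_id,
            "logged_in": logged_in, "access_token": first}
```

Call run_flow() to drive one authorization; the rejected helper shows what the broker refuses, for example a code-transferal carrying a state identifier it never issued, a PA token presented by a different app, or a request made after the agent reports the user logged out. Two points a practitioner should take from the claims: every binding is a copy-matches-original check, so the PA system has to mint the request, state and response tokens from a CSPRNG and compare them in constant time (secrets.compare_digest above), and by design it becomes the single store of every partner's access and refresh tokens, which concentrates the value of compromising it.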

Assignees

Intuit Inc

Inventors

Not listed on this page.

Classifications

CPC titles as given on the source page; only the primary entry carries its code.

  • H04L9/3213 (primary): using tickets or tokens, e.g. Kerberos (network architectures or network communication protocols for entities authentication using tickets in a packet data network H04L63/0807)

  • User authentication

  • including means for verifying the identity or authority of a user of the system {or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials}

  • Revocation or update of secret information, e.g. encryption key update or rekeying

  • for authentication of entities (cryptographic mechanisms or cryptographic arrangements for entity authentication H04L9/32)

Patent family

Related publications grouped by family.

External sources

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US2018337784A1 cover?
A partner authentication (PA) system that brokers the authorization process for an application: it exchanges messages with the application, with the authorization server for the protected resource, and with an agent on the user's device, obtains the access and refresh tokens on the application's behalf, and gives the application a PA token that it later presents to the PA system to receive the access token. The full abstract appears above.
Who is the assignee on this patent?
Intuit Inc
What technology area does this patent fall under?
Primary CPC classification H04L9/3213. Mapped technology areas include Electricity.
When was this patent published?
Publication date Nov 22, 2018 (kind code A1). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 5 related publications on this page (citations in our corpus or others sharing the same primary CPC).