US2018367306A1 · US · A1
| Field | Value |
|---|---|
| Publication number | US-2018367306-A1 |
| Application number | US-201715622834-A |
| Country | US |
| Kind code | A1 |
| Filing date | Jun 14, 2017 |
| Priority date | Jun 14, 2017 |
| Publication date | Dec 20, 2018 |
| Grant date | — |
Official abstract text for this publication.
A system, method, and computer program product are provided for securing authorization tokens using client instance specific secrets. Tokens are valid for service requests only if time constraints and additional security constraints are met by additional information stored in the token in hashed form. A required comparison of a timestamp in a client service request header to the current server time limits the useful token life, e.g., to a few minutes. The service request header also includes data generated based on a secret previously assigned to a specific client instance. The secret may be generated by the server according to a public/private key scheme and sent to a particular client instance only once, e.g., during initial device registration. The secret may be omitted from service requests for public information. Service request headers may include device identifiers, so that service requests from known rogue clients may be ignored.
Opening claim text (preview).
1. A computer-implemented method for validating an authorization token, the method comprising: receiving an initial client registration event from a client; in response to the initial client registration event, transmitting a hashing key and a hashing algorithm to the client; receiving a service request from the client, the service request comprising the authorization token, wherein the authorization token is based on the hashing key and the hashing algorithm, a secret associated with the client, and a current client timestamp; validating the authorization token at the server by comparing the authorization token with a token calculated by the server from the secret, the hashing key, and the hashing algorithm; and granting the service request if the authorization token is successfully validated.

2. The method of claim 1, further comprising, in response to the initial client registration event, sending the secret associated with the client to the client.

3. The method of claim 1, wherein the secret associated with the client is generated as a private key by the client, the method further comprising receiving a public key corresponding to the private key from the client.

4. The method of claim 1, further comprising sending to the client at least one of a device identifier and an application version number.

5. The method of claim 4, wherein the service request further comprises authentication token attributes, and wherein the authentication token attributes comprise the hashing key, the hashing algorithm, the timestamp, the device identifier, and the application version number, in hashed form.

6. The method of claim 5, further comprising selectively invalidating service requests having a device identifier associated with a fraudulent client.

7. The method of claim 5, wherein the validating further comprises comparing the timestamp to the current server time and determining if the timestamp matches the current server time to within a predetermined time span.

8. The method of claim 7, wherein the predetermined time span comprises five minutes.

9. The method of claim 1, further comprising referring to authorization token attributes by an index instead of sending copies of attribute values.

10. The method of claim 1, further comprising omitting the validating if the service request is for public information.

11. The method of claim 1, wherein the service request is for access to an online resource.

12. A non-transitory computer-readable storage medium having embedded therein a set of instructions which, when executed by at least one hardware-implemented processor of a computer, cause the computer to execute operations for validating authorization tokens, the operations comprising: receiving an initial client registration event from a client; in response to the initial client registration event, transmitting a hashing key and a hashing algorithm to the client; receiving a service request from the client, the service request comprising the authorization token, wherein the authorization token is based on the hashing key and the hashing algorithm, a secret associated with the client, and a current client timestamp; validating the authorization token at the server by comparing the authorization token with a token calculated by the server from the secret, the hashing key, and the hashing algorithm; and granting the service request if the authorization token is successfully validated.

13. The medium of claim 12, wherein the operations further comprise sending, in response to the initial client registration event, the secret associated with the client to the client.

14. The medium of claim 12, wherein the secret associated with the client is generated as a private key by the client, the operations further comprising receiving a public key corresponding to the private key from the client.

15. The medium of claim 12, wherein the operations further comprise sending to the client at least one of a device identifier and an application version number.

16. The medium of claim 15, wherein the service request further comprises authentication token attributes, and wherein the authentication token attributes comprise the hashing key, the hashing algorithm, the timestamp, the device identifier, and the application version number, in hashed form.

17.-19. (canceled)

20. A system for generating and validating authorization tokens, the system comprising: a hardware-implemented processor and a memory that are configured to execute stored instructions to: receive an initial client registration event from a client; in response to the initial client registration event, transmit a hashing key and a hashing algorithm to the client; receive a service request from the client, the service request comprising the authorization token, wherein the authorization token is based on the hashing key and the hashing algorithm, a secret associated with the client, and a current client timestamp; validate the authorization token at the server by comparing the authorization token with a token calculated by the server from the secret, the hashing key, and the hashing algorithm; and grant the service request if the authorization token is successfully validated.

21. The system of claim 20, further comprising, in response to the initial client registration event, sending the secret associated with the client to the client.

22. The system of claim 20, further comprising sending to the client at least one of a device identifier and an application version number.

23. The system of claim 22, wherein the service request further comprises authentication token attributes, and wherein the authentication token attributes comprise the hashing key, the hashing algorithm, the timestamp, the device identifier, and the application version number, in hashed form.
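
The scheme in the abstract and claims 1, 2, 6, 7, 8 and 10, sketched as an added example; it is not code from the patent or its applicant. Assumptions: HMAC-SHA256 stands in for the "hashing algorithm", the header field names (`device_id`, `timestamp`, `token`), the in-memory `REGISTRY` and the length-prefixed field encoding are hypothetical, and only the server-issued-secret variant is shown (not the public/private key variant of claim 3).

```python
import hmac
import secrets
import time

MAX_SKEW_SECONDS = 5 * 60   # the "predetermined time span" of claim 8
REGISTRY = {}               # device_id -> values issued at registration (hypothetical store)
REVOKED_DEVICES = set()     # device identifiers of known rogue clients

def register(device_id, app_version):
    """Initial registration: issue hashing key, algorithm and the per-instance secret once."""
    rec = {"hashing_key": secrets.token_bytes(32), "algorithm": "sha256",
           "secret": secrets.token_bytes(32), "app_version": app_version}
    REGISTRY[device_id] = rec
    return dict(rec)        # the copy the client instance stores

def make_token(rec, device_id, timestamp):
    """Keyed hash over secret, device id, app version and timestamp.
    Fields are length-prefixed so two different field sets cannot collide."""
    fields = [rec["secret"], device_id.encode(), rec["app_version"].encode(),
              str(int(timestamp)).encode()]
    msg = b"".join(len(f).to_bytes(4, "big") + f for f in fields)
    return hmac.new(rec["hashing_key"], msg, rec["algorithm"]).hexdigest()

def validate(headers, now=None, public=False):
    """Server side: recompute the token and compare; the secret is never sent."""
    if public:                              # public information needs no token
        return True
    now = time.time() if now is None else now
    device_id = headers.get("device_id")
    rec = REGISTRY.get(device_id)
    if rec is None or device_id in REVOKED_DEVICES:
        return False                        # unknown or rogue client instance
    try:
        ts = int(headers["timestamp"])
    except (KeyError, TypeError, ValueError):
        return False
    if abs(now - ts) > MAX_SKEW_SECONDS:    # stale or future-dated request
        return False
    expected = make_token(rec, device_id, ts)
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(expected.encode(), str(headers.get("token", "")).encode())
```

The timestamp check only bounds how long a captured header stays valid; the token is not single-use within that window unless the server also records tokens it has already accepted.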
Generation of secret information including derivation or calculation of cryptographic keys or passwords · CPC title
involving keyed hash functions, e.g. message authentication codes [MACs], CBC-MAC or HMAC · CPC title
by delegation of authentication, e.g. a proxy authenticates an entity to be authenticated on behalf of this entity vis-à-vis an authentication entity · CPC title
using tickets or tokens, e.g. Kerberos (network architectures or network communication protocols for entities authentication using tickets in a packet data network H04L63/0807) · CPC title
Electronic shopping [e-shopping] · CPC title