Performing a security action with regard to an access token based on clustering of access requests
US-2024406160-A1 · Dec 5, 2024 · US
Maintaining session stickiness across authentication and authorization channels for access management
US2021281560A1 · US · A1
| Field | Value |
|---|---|
| Publication number | US-2021281560-A1 |
| Application number | US-202117325636-A |
| Country | US |
| Kind code | A1 |
| Filing date | May 20, 2021 |
| Priority date | Sep 27, 2017 |
| Publication date | Sep 9, 2021 |
| Grant date | — |
How to read this patent
A practical reading order for non-experts. Skip the full description unless you need deep technical detail.
- Title
What the patent document calls the invention.
- Abstract
A short plain-language summary of the technical disclosure.
- Assignees and inventors
Who owns or filed the patent and who is credited as inventor.
- Key dates
Filing, priority, publication, and grant dates set the timeline.
- First independent claim
The legal scope of protection — read this for what is actually claimed.
- CPC / IPC classifications
Technology tags used to group this patent with similar filings.
- Citations and related patents
Prior art links and similar publications in this corpus.
Abstract
Official abstract text for this publication.
Techniques are described that enable maintaining of session stickiness across authentication and authorization channels in an access management system, through the use an identifier for an access manager from a plurality of access managers. The access manager authenticates a user of a client device based on an authentication request. In response to response to successful authentication of the user, the access manager creates a session. The access manager also generates the identifier and causes the identifier to be stored for the session. The access manager can then receive a second request, which is sent to the access manager based on identifying the access manager using the stored identifier.
First claim
Opening claim text (preview).
1 - 20 . (canceled) 21 . A computer-implemented method comprising: receiving, by an access management agent implemented using a computer system comprising at least one hardware processor and a memory, from a first access manager, a token that includes an identifier that identifies the first access manager, wherein the first access manager created a session and generated the token and in response to successful authentication of a user; storing, by the access management agent, for the session, the identifier that identifies the first access manager, wherein the first access manager is part of a plurality of access managers; receiving, by the access management agent, from the user during the session, a request for authentication or authorization of the user; determining, by the access management agent, based on the identifier that identifies the first access manager being stored for the session, that, from among the plurality of access managers, the first access manager is to be used for processing the request; and in response to the determining, sending, by the access management agent, to the first access manager, the request for authentication or authorization of the user, wherein the first access manager processes the request to authenticate or authorize the user. 22 . The method of claim 21 , wherein the request for authentication or authorization of the user is second request, and further comprising: generating, by the access management agent, a first request that is an authentication request; and sending, by the access management agent, the first request to the first access manager, wherein the first access manager authenticates the user, creates the session, and generates the token based on the first request. 23 . The method of claim 22 , further comprising: receiving, by the access management agent, from the user, a user request for a protected resource; determining, by the access management agent, that authentication is needed; sending, by the access management agent, to the user, a request for credential information; and receiving, by the access management agent, from the user, credential information, wherein the credential information is included in the first request. 24 . The method of claim 21 , wherein the first access manager generates the identifier that identifies the first access manager. 25 . The method of claim 21 , wherein the token is either an authentication token or an authorization token. 26 . The method of claim 21 , wherein the request for authentication or authorization of the user includes the token, and wherein the first access manager processes the request based on the token. 27 . The method of claim 21 , wherein the access managers in the plurality of access managers belong to different server clusters in a data center, and wherein the identifier that identifies the first access manager includes information identifying a server cluster to which the first access manager belongs. 28 . The method of claim 21 , wherein the access managers in the plurality of access managers belong to different data centers, and wherein the request to authenticate or authorize the user is sent to a data center of the first access manager based on the identifier that identifies the first access manager. 29 . The method of claim 21 , wherein the request for authentication or authorization of the user is a request to re-authenticate the user. 30 . The method of claim 21 , wherein the request for authentication or authorization of the user is a request to authorize the user to access a resource. 31 . A system, comprising: an access management agent implemented using a computer system comprising at least one hardware processor and a memory, wherein the access management agent is configured to: receive, from a first access manager, a token that includes an identifier that identifies the first access manager, wherein the first access manager created a session and generated the token and in response to successful authentication of a user; store, for the session, the identifier that identifies the first access manager, wherein the first access manager is part of a plurality of access managers; receive, from the user during the session, a request for authentication or authorization of the user; determine, based on the identifier that identifies the first access manager being stored for the session, that, from among the plurality of access managers, the first access manager is to be used for processing the request; and in response to the determining, send, to the first access manager, the request for authentication or authorization of the user, wherein the first access manager processes the request to authenticate or authorize the user. 32 . The system of claim 31 , further comprising: the first access manager configured to: authenticate the user; create the session in response to the successful authentication of the user; generate the token that includes the identifier that identifies the first access manager; send, to the access management agent for storage, the token including the identifier that identifies the first access manager; receive, from the access management agent, the request for authentication or authorization of the user; and process the request to authenticate or authorize the user. 33 . The system of claim 31 , further comprising: a data center, wherein the access managers in the plurality of access managers belong to different server clusters in the data center, and wherein the identifier that identifies the first access manager includes information identifying a server cluster to which the first access manager belongs. 34 . The system of claim 31 , further comprising: a first data center including the first access manager, wherein at least some of the access managers in the plurality of access managers belong to a second data center, and wherein the request to authenticate or authorize the user is sent to the first data center based on the identifier that identifies the first access manager. 35 . The system of claim 31 , further comprising: a load balancer configured to direct the request to authenticate or authorize the user to the first access manager based on the identifier that identifies the first access manager being included in the request. 36 . The system of claim 31 , wherein the request for authentication or authorization of the user is second request, and wherein the access management agent is further configured to: generate a first request that is an authentication request; and send the first request to the first access manager, wherein the first access manager authenticates the user, creates the session, and generates the token based on the first request. 37 . The system of claim 36 , wherein the second request includes the token, and wherein the token includes session information. 38 . The system of claim 36 , wherein the access management agent is further configured to send the first request over a first channel and the second request over a second channel, and wherein the first channel and the second channel use different communication protocols. 39 . The system of claim 38 , wherein the first channel uses Hypertext Transfer Protocol (HTTP) and the second channel uses Oracle Access Protocol (OAP). 40 . A non-transitory computer-readable storage medium storing a plurality of instructions that, when executed by one or more processors of a computer system, cause the one or more processors to: receive, f
Assignees
Inventors
Classifications
using different networks or channels, e.g. using out of band channels (cryptographic mechanisms or cryptographic arrangements for key distribution involving distinctive intermediate devices or communication paths H04L9/0827; cryptographic mechanisms or cryptographic arrangements for authentication using a plurality of channels H04L9/3215) · CPC title
- H04L63/0815Primary
providing single-sign-on or federations · CPC title
above the transport layer · CPC title
Entity profiles · CPC title
Patent family
Related publications grouped by family.
External sources
Frequently asked questions
Answers are generated from the same data shown on this page.
- What does patent US2021281560A1 cover?
- Techniques are described that enable maintaining of session stickiness across authentication and authorization channels in an access management system, through the use an identifier for an access manager from a plurality of access managers. The access manager authenticates a user of a client device based on an authentication request. In response to response to successful authentication of the u…
- Who is the assignee on this patent?
- Oracle Int Corp
- What technology area does this patent fall under?
- Primary CPC classification H04L63/0815. Mapped technology areas include Electricity.
- When was this patent published?
- Publication date Thu Sep 09 2021 00:00:00 GMT+0000 (Coordinated Universal Time) (A1). Legal status and post-grant events are not shown on this page.
- What related patents are in patentsdb?
- We list 8 related publications on this page (citations in our corpus or others sharing the same primary CPC).