What technology area does this patent fall under?

Primary CPC classification G06F21/44. Mapped technology areas include Physics.

When was this patent published?

Publication date Tue Jun 27 2017 00:00:00 GMT+0000 (Coordinated Universal Time) (B1). Legal status and post-grant events are not shown on this page.

What related patents are in patentsdb?

We list 8 related publications on this page (citations in our corpus or others sharing the same primary CPC).

Consumption control of protected cloud resources by open authentication-based applications in end user devices

US9690925B1 · US · B1

Patent metadata
Field	Value
Publication number	US-9690925-B1
Application number	US-201213600009-A
Country	US
Kind code	B1
Filing date	Aug 30, 2012
Priority date	Aug 30, 2012
Publication date	Jun 27, 2017
Grant date	Jun 27, 2017

How to read this patent

A practical reading order for non-experts. Skip the full description unless you need deep technical detail.

Title
What the patent document calls the invention.
Abstract
A short plain-language summary of the technical disclosure.
Assignees and inventors
Who owns or filed the patent and who is credited as inventor.
Key dates
Filing, priority, publication, and grant dates set the timeline.
First independent claim
The legal scope of protection — read this for what is actually claimed.
CPC / IPC classifications
Technology tags used to group this patent with similar filings.
Citations and related patents
Prior art links and similar publications in this corpus.

Abstract

Official abstract text for this publication.

A server computer system identifies a request from an application hosted on a mobile device to consume a protected resource hosted by a cloud. The request is transmitted via a resource authorization protocol. The server computer system identifies a token state of an application on the mobile device. The token state is stored in a policy data store that is separate from expiration data that is stored on an access token on the mobile device. The server computer system determines whether the token state violates a security policy that is associated with a user that is assigned to the mobile device and prevents consumption of the protected resource in response to a determination that the token state violates the security policy. The server computer system allows consumption of the protected resource in response to a determination that the token state does not violate the security policy.

First claim

Opening claim text (preview).

What is claimed is: 1. A method comprising: intercepting, at a proxy server computer system, resource authorization traffic between an application hosted on a mobile device and an authorization server in a cloud, wherein the traffic is associated with a request from the application to consume a protected resource hosted by the cloud, wherein the application is associated with one or more access tokens specific to the application; identifying, by a processing device of the proxy server computer system, a token state associated with the application on the mobile device, wherein the token state is identified using an identifier of the mobile device, wherein the token state is stored independent from expiration data stored on the one or more access tokens associated with the application, and wherein the token state is stored in a first policy data store associated with the proxy server computer system; identifying, by the processing device and using the identifier of the mobile device, at least one security policy stored in the first policy data store and associated with a user assigned to the mobile device, wherein the at least one security policy specifies at least one geographic location at which the protected resource may not be consumed; determining whether the token state or a current geographic location of the mobile device violates the at least one security policy; preventing consumption of the protected resource by the application in response to a determination that the token state or the current geographic location violates the at least one security policy without affecting the consumption of other protected resources by other applications hosted on the mobile device, and allowing consumption of the protected resource in response to a determination that the token state and the current geographic location do not violate the at least one security policy; synchronizing policy data stored in the first policy data store and a second policy data store associated with the authorization server in the cloud; receiving user input indicating a password to access the protected resource has changed; and assigning an expired state as the token state in the first policy data store to one or more mobile devices that are associated with the user in response to the changed password. 2. The method of claim 1 , wherein preventing consumption comprises: determining that the token state is in an expired state, wherein the token state does not match the expiration data that is stored on the one or more access tokens. 3. The method of claim 1 , wherein preventing consumption comprises: sending a message to the mobile device to obtain a new access token. 4. The method of claim 1 , wherein the resource authorization protocol is Open Authentication (OAuth) protocol. 5. A proxy server computer system comprising: a first memory associated with the proxy server computer system configured to store a token state associated with an application of a mobile device and at least one security policy associated with a user assigned to the mobile device, wherein the token state and the at least one security policy are identified using an identifier of the mobile device, wherein the token state is stored independent from expiration data stored on one or more access tokens specific to the application; and a processing device coupled with the first memory to: intercept resource authorization traffic between the application hosted on the mobile device and an authorization server in a cloud, wherein the traffic is associated with a request from the application to consume a protected resource hosted by the cloud, wherein the application is associated with the one or more access tokens specific to the application; identify the token state associated with the application on the mobile device from the first memory; identify, using the identifier of the mobile device, the at least one security policy associated with the user from the first memory, wherein the at least one security policy specifies at least one geographic location at which the protected resource may not be consumed; determine whether the token state or a current geographic location of the mobile device violates the at least one security policy; prevent consumption of the protected resource by the application in response to a determination that the token state or the current geographic location violates the at least one security policy without affecting the consumption of other protected resources by other applications hosted on the mobile device, and allow consumption of the protected resource in response to a determination that the token state and the current geographic location do not violate the at least one security policy; synchronize policy data stored in the first memory and a second memory associated with the authorization server in the cloud; receive user input indicating a password to access the protected resource has changed; and assign an expired state as the token state in the first memory to one or more mobile devices that are associated with the user in response to the changed password. 6. The system of claim 5 , wherein preventing consumption comprises: determining that the token state is in an expired state, wherein the token state does not match the expiration data that is stored on the one or more access tokens. 7. The system of claim 5 , wherein preventing consumption comprises: sending a message to the mobile device to obtain a new access token. 8. The system of claim 5 , wherein the resource authorization protocol is Open Authentication (OAuth) protocol. 9. A non-transitory computer readable storage medium including instructions that, when executed by a processing device at a proxy server computer system, cause the processing device to perform operations comprising: intercepting resource authorization traffic between an application hosted on a mobile device and an authorization server in a cloud, wherein the traffic is associated with a request from the application to consume a protected resource hosted by the cloud, wherein the application is associated with one or more access tokens specific to the application; identifying, by the processing device of the proxy server computer system, a token state associated with the application on the mobile device, wherein the token state is identified using an identifier of the mobile device, wherein the token state is stored independent from expiration data stored on the one or more access tokens, and wherein the token state is stored in a first policy data store associated with the proxy server computer system; identifying, by the processing device and using the identifier of the mobile device, at least one security policy stored in the first policy data store and associated with a user assigned to the mobile device, wherein the at least one security policy specifies at least one geographic location at which the protected resource may not be consumed; determining, by the processing device, whether the token state or a current geographic location of the mobile device violates the at least one security policy; preventing consumption of the protected resource by the application in response to a determination that the token state or the current geographic location violates the at least one security policy without affecting the consumption of other protected resources by other applications hosted on the mobile device, and allowing consumption of the protected resource in response to a determination that the token state and the current geographic location do not violate the at least one security policy; synchronizing policy data stored in the first policy data store and a second policy data store associated with the authorization s

Assignees

Inventors

Banerjee Deb

Classifications

G06F21/88
Detecting or preventing theft or loss · CPC title
G06F21/44Primary
Program or device authentication · CPC title
G06F21/6245Primary
Protecting personal data, e.g. for financial or medical purposes · CPC title
G06F2221/2111
Location-sensitive, e.g. geographical location, GPS · CPC title

Patent family

Related publications grouped by family.

View patent family 59069524

External sources

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US9690925B1 cover?: A server computer system identifies a request from an application hosted on a mobile device to consume a protected resource hosted by a cloud. The request is transmitted via a resource authorization protocol. The server computer system identifies a token state of an application on the mobile device. The token state is stored in a policy data store that is separate from expiration data that is s…
Who is the assignee on this patent?: Banerjee Deb, Symantec Corp
What technology area does this patent fall under?: Primary CPC classification G06F21/44. Mapped technology areas include Physics.
When was this patent published?: Publication date Tue Jun 27 2017 00:00:00 GMT+0000 (Coordinated Universal Time) (B1). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?: We list 8 related publications on this page (citations in our corpus or others sharing the same primary CPC).