Systems, methods, and computing platforms for executing credential-less network-based communication exchanges
US-12184638-B2 · Dec 31, 2024 · US
US9819665B1 · US · B1
| Field | Value |
|---|---|
| Publication number | US-9819665-B1 |
| Application number | US-201514752530-A |
| Country | US |
| Kind code | B1 |
| Filing date | Jun 26, 2015 |
| Priority date | Jun 26, 2015 |
| Publication date | Nov 14, 2017 |
| Grant date | Nov 14, 2017 |
Official abstract text for this publication.
An access token is synchronized across multiple trusted devices when one of the trusted devices obtains an authorization grant from a resource owner, and uses the authorization grant to obtain the access token. The access token is synchronized with other trusted devices indicated in a trusted device list, by securely transmitting the access token to each of the trusted devices indicated in the trusted device list other than the first device. A second trusted device may then access the protected resource, using the access token originally obtained by the first device, without having to request the authorization grant from the resource owner to obtain a new access token.
Opening claim text (preview).
What is claimed is:

1. A computer-implemented method of synchronizing an access token across multiple devices, the method comprising the steps of: generating a trusted device list for a resource owner, the trusted device list storing indications of devices trusted by the resource owner, the trusted device list indicating at least a first device trusted by the resource owner and a second device trusted by the resource owner, wherein generating the trusted device list for the resource owner includes adding a device to the trusted device list by i) receiving a request from a new device, the new device not indicated in the trusted device list, wherein the request includes passphrase data from the new device, ii) in response to the request from the new device, transmitting a confirmation request to each of the devices indicated in the trusted device list, the confirmation request causing one of the devices indicated in the trusted device list to input passphrase data, iii) comparing the passphrase data received from the new device to the passphrase data input to one of the devices indicated in the trusted device list, and iv) adding the new device to the trusted device list in response to the passphrase data received from the new device matching the passphrase data input to one of the devices indicated in the trusted device list; inputting, by the first device trusted by the resource owner, an authorization grant from the resource owner; obtaining, by the first device using the authorization grant, an access token for a protected resource, wherein the access token includes credentials for accessing the protected resource; synchronizing the access token with the devices indicated in the trusted device list other than the first device by securely transmitting a copy of the access token to each of the trusted devices indicated in the trusted device list other than the first device, wherein securely transmitting a copy of the access token to each of the trusted devices indicated in the trusted device list other than the first device includes i) generating an encrypted version of the access token by encrypting the access token using a random data encryption key, ii) generating an encrypted version of the random data encryption key for each one of the devices indicated in the trusted device list other than the first device by encrypting the random data encryption key with a public key associated with the device, iii) creating an enveloped data package for each of the devices indicated in the trusted device list other than the first device, the package for each device containing the copy of the encrypted version of the access token and the encrypted version of the random data encryption key, iv) transmitting the enveloped data packages to a remote server, v) transmitting a notification to each device indicated in the trusted device list other than the first device, the notification indicating to the device that the device is to retrieve the enveloped data package for the device from the remote server, vi) receiving, at the remote server, requests for enveloped data packages from each device indicated in the trusted device list other than the first device, and vii) transmitting one of the enveloped data packages from the remote server in response to each of the requests, by identifying a requesting device from which the request was received, and transmitting, to the requesting device, the one of the enveloped data packages containing the encrypted version of the random key generated using the public key of the requesting device; and accessing the protected resource by the second device, using a decrypted version of the access token.

2. The method of claim 1, further comprising: wherein the confirmation request includes the passphrase data from the new device; and wherein comparing the passphrase data received from the new device to the passphrase data input to one of the devices indicated in the trusted device list is performed at the one of the devices indicated in the trusted device list at which the passphrase data was input.

3. The method of claim 1, wherein the passphrase data from the new device is represented in the request by a message authentication code based on passphrase data input to the new device, and further comprising: generating, by the one of the devices indicated in the trusted device list that input passphrase data, a message authentication code based on the passphrase data input to the one of the devices indicated in the trusted device list; and wherein comparing the passphrase data received from the new device to the passphrase data input to one of the devices indicated in the trusted device list includes comparing the message authentication code based on passphrase data input to the new device with the message authentication code based on the passphrase data input to the one of the devices indicated in the trusted device list.

4. The method of claim 1, wherein the protected resource comprises a secure application, and further comprising: wherein obtaining the access token by the first device is part of establishing an authenticated session with the secure application for the resource owner; wherein accessing the protected resource by the second device includes i) detecting that the resource owner is requesting a connection with the secure application from the second device, ii) locating, in response to the resource owner requesting a connection with the secure application from the second device, a copy of the access token obtained by the first device and stored in the second device, and iii) using the copy of the access token stored in the second device to access the secure application from the second device.

5. The method of claim 1, further comprising: detecting, in response to receipt of one of the requests for the access token from one of the devices indicated in the trusted device list other than the first device, that the access token has expired; and in response to detecting that the access token has expired, returning an error code to the device from which the request was received.

6. The method of claim 1, wherein obtaining the access token for the protected resource includes obtaining a refresh token operable to obtain a new access token for the protected resource; and wherein synchronizing the access token with the devices indicated in the trusted device list other than the first device includes securely transmitting a copy of the refresh token to each of the trusted devices indicated in the trusted device list other than the first device.

7. A computer program product having a non-transitory computer readable medium which stores a set of instructions operable to synchronize an access token across multiple devices, the set of instructions, when executed, performing the steps of: generating a trusted device list for a resource owner, the trusted device list storing indications of devices trusted by the resource owner, the trusted device list indicating at least a first device trusted by the resource owner and a second device trusted by the resource owner, wherein the trusted device list for the resource owner is generated at least in part by adding a device to the trusted device list by i) receiving a request from a new device, the new device not indicated in the trusted device list, wherein the request includes passphrase data from the new device, ii) in response to the request from the new device, transmitting a confirmation request to each of the devices indicated in the trusted device list, the confirmation request causing one of the devices indicated in the trusted device list to input passphrase data, iii) comparing the passphrase data received from the new device to the passphrase data input to one of the devices indicated in the trusted
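The enveloped data package of claim 1, steps i) to iii) and vii), as an added illustration that is not code from the patent or its assignee: the access token is encrypted once under a random data encryption key (DEK), the DEK is wrapped separately under each trusted device's public key, and a device can only open the package addressed to it. The concrete primitives (AES-256-GCM for the token, RSA-OAEP for the DEK, the device ID used as the OAEP label, and a server-side lookup keyed on the requesting device's ID) are assumptions; the claim names none of them.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// Envelope is one device's package from claim 1(iii): the shared ciphertext plus the DEK wrapped for that device.
type Envelope struct {
	DeviceID                 string
	Nonce, Token, WrappedDEK []byte
}

// NewDeviceKey makes a device keypair for the demo; in practice each device keeps its own private key.
func NewDeviceKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// Wrap encrypts the token once under a fresh random DEK, then wraps that DEK for each peer (the trusted device list other than the first device).
func Wrap(token []byte, peers map[string]*rsa.PublicKey) ([]Envelope, error) {
	buf := make([]byte, 32+12) // 256-bit DEK followed by a 96-bit AES-GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	block, _ := aes.NewCipher(buf[:32]) // cannot fail for a 32-byte key
	gcm, _ := cipher.NewGCM(block)
	ct := gcm.Seal(nil, buf[32:], token, nil)
	var out []Envelope
	for id, pub := range peers {
		// OAEP label = device ID (an assumed binding), so a package served to the wrong device fails to unwrap.
		w, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, buf[:32], []byte(id))
		if err != nil {
			return nil, err
		}
		out = append(out, Envelope{id, buf[32:], ct, w})
	}
	return out, nil
}

// Unwrap is the receiving device's step after the server returns the package addressed to it (claim 1(vii)).
func Unwrap(e Envelope, priv *rsa.PrivateKey) ([]byte, error) {
	dek, err := rsa.DecryptOAEP(sha256.New(), nil, priv, e.WrappedDEK, []byte(e.DeviceID))
	if err != nil {
		return nil, err
	}
	block, _ := aes.NewCipher(dek)
	gcm, _ := cipher.NewGCM(block)
	return gcm.Open(nil, e.Nonce, e.Token, nil)
}
```

The remote server of steps iv) to vii) holds only wrapped DEKs and a GCM ciphertext, so the server learns nothing about the token, and a package delivered to a device other than its addressee is rejected at the OAEP step.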
for authentication of entities (cryptographic mechanisms or cryptographic arrangements for entity authentication H04L9/32) · CPC title
Key distribution {or management, e.g. generation, sharing or updating, of cryptographic keys or passwords (network architectures or network communication protocols for supporting key management in a packet data network H04L63/06)} · CPC title
involving additional secure or trusted devices, e.g. TPM, smartcard, USB or software token (network architectures or network communication protocols for supporting authentication of entities using an additional device in a packet data network H04L63/0853) · CPC title
Entity profiles · CPC title
Transmitting and receiving encryption devices synchronised or initially set up in a particular manner · CPC title