Authentication and authorization of a privilege-constrained application

US9819673B1 · US · B1

Patent metadata
Publication number: US-9819673-B1
Application number: US-201514748312-A
Country: US
Kind code: B1
Filing date: Jun 24, 2015
Priority date: Jun 24, 2015
Publication date: Nov 14, 2017
Grant date: Nov 14, 2017

Abstract

Official abstract text for this publication.

Methods and systems are provided for managing access to a client account related (CAR) resource. When a privilege-constrained (PC) application requests access to an individual client account, a single use authorization (SUA) code is created that is associated with the individual client account. The SUA code is routed to, and returned from, the privilege-constrained (PC) application to authenticate the PC application. The PC application, once authenticated, receives a permitted action token that identifies a limited set of privileges that the PC application is authorized to perform in connection with the CAR resource. The PC application provides the permitted action token to an access service. The access service limits access, by the PC application, to the CAR resource based on the permitted action token.
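
The flow in the abstract, as an added sketch that is not taken from the patent: an authorization service checks the application key, allocates a single use authorization code, validates the returned candidate once, and issues a permitted action token that an access service enforces. The HMAC-signed JSON token format, the in-memory stores, and all names and sample values are assumptions made for illustration.

```python
import hashlib
import hmac
import json
import secrets

TOKEN_KEY = secrets.token_bytes(32)  # assumption: signing key shared by both services
APP_KEYS = {("photo-app", "alice"): "ak-constructed-123"}  # constructed sample registry
APP_ACTIONS = {"photo-app": ["read_photos"]}  # permitted actions; anything else is blocked
PENDING = {}  # (app, user) -> outstanding SUA code

def request_access(app, user, app_key):
    """Match the application key for (app, user), then allocate an SUA code."""
    stored = APP_KEYS.get((app, user))
    if stored is None or not hmac.compare_digest(stored.encode(), app_key.encode()):
        return None
    PENDING[(app, user)] = secrets.token_hex(4)
    return PENDING[(app, user)]  # sent to the client over a separate channel

def redeem_code(app, user, candidate):
    """Validate the candidate code once and issue a permitted action token."""
    code = PENDING.pop((app, user), None)  # consumed on first attempt, right or wrong
    if code is None or not hmac.compare_digest(code.encode(), candidate.encode()):
        return None
    body = json.dumps({"app": app, "user": user, "actions": APP_ACTIONS[app]})
    sig = hmac.new(TOKEN_KEY, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + sig

def access_service(token, action):
    """Pass a request through only if the token is genuine and lists the action."""
    if not token or "." not in token:
        return False
    body, sig = token.rsplit(".", 1)
    expected = hmac.new(TOKEN_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected.encode(), sig.encode()):
        return False  # forged or modified token
    return action in json.loads(body)["actions"]
```

Because the access service decides from the signed action list alone, editing the list inside a token invalidates its signature and the request is denied.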

First claim

Opening claim text (preview).

What is claimed is:

1. A non-transitory computer-readable storage medium having stored thereon executable instructions that, as a result of execution by one or more processors, cause the one or more processors to: assign an application key to a privilege-constrained application that is configured to load onto a client computing device, the privilege-constrained application loaded onto the client computing device with limited privileges, wherein the privilege-constrained application is authorized to perform at least one permitted action and lacks permission to perform at least one blocked action in connection with a client account; receive a request for privileged access to the client account through an online resource, the request including a user identifier associated with the client account and the application key; determine that the application key matches a stored application key associated with the privilege-constrained application and associated with the user identifier; provide a single use authorization (SUA) code allocated for the privilege-constrained application and associated with the user identifier upon the successful determination; receive a candidate authorization code and user identifier; validate the candidate authorization code based on the SUA code provided; and provide a permitted action token based on the validate operation, the permitted action token is presented by the privilege-constrained application to an access service, and the permitted action token indicates that the privilege-constrained application is authorized to perform the at least one permitted action and lacks permission to perform the at least one blocked action in connection with the online resource.

2. The non-transitory computer-readable storage medium of claim 1, further comprising receiving a request from an application developer to develop the privilege-constrained application, assigning an application key to the privilege-constrained application, along with the at least one permitted action and the at least one blocked action.

3. The non-transitory computer readable storage medium of claim 1, wherein the authorization code is provided from an authorization service to a client computing device over a first channel the candidate authorization code is received by the authorization service over a second channel.

4. A computer implemented method for managing access to a client account utilizing a remote resource, comprising: assigning an application key to a privilege-constrained application that is configured to load onto a client computing device, the privilege-constrained application loaded onto the client computing device with limited privileges, wherein the privilege-constrained application is authorized to perform at least one permitted action and lacks permission to perform at least one blocked action in connection with a client account; receiving a request for privileged access to the client account through an online resource, the request including a user identifier associated with the client account and the application key; determining that the application key matches a stored application key associated with the privilege-constrained application and associated with the user identifier; providing a single use authorization (SUA) code allocated for the privilege-constrained application and associated with the user identifier upon the successful determination; receiving a candidate authorization code and user identifier; validating the candidate authorization code based on the SUA code provided; and providing a permitted action token based on the validate operation, the permitted action token is presented by the privilege-constrained application to an access service, and the permitted action token indicates that the privilege-constrained application is authorized to perform the at least one permitted action and lacks permission to perform the at least one blocked action in connection with the online resource.

5. The method of claim 4, wherein the authorization code is provided to a client computing device over a first channel and the candidate authorization code is received over a different second channel.

6. The method of claim 5, wherein the second channel represents one of a short messaging service (SMS) messaging channel, an email channel, or a telecommunications channel.

7. The method of claim 5, wherein the remote resource represents an online resource.

8. The method of claim 4, further comprising: receiving the permitted action token and a client request from the privilege-constrained application, and managing client requests based on the permitted action token.

9. The method of claim 8, wherein the client request directs remote resource to perform an action of interest, the method further comprising passing the client request to the remote resource when the action of interest falling within the limited set of privileges identified by the permitted action token.

10. The method of claim 8, further comprising denying the client request, access to the remote resource when the action of interest falls outside the limited set of privileges.

11. A system for managing access to a client account utilizing a remote resource, comprising: at least one processor; and a memory, coupled to the at least one processor, storing program instructions when executed configures the at least one processor to: assign an application key to a privilege-constrained application that is configured to load onto a client computing device, the privilege-constrained application loaded onto the client computing device with limited privileges, wherein the privilege-constrained application is authorized to perform at least one permitted action and lacks permission to perform at least one blocked action in connection with a client account; receive a request for privileged access to the client account through an online resource, the request including a user identifier associated with the client account and the application key; determine that the application key matches a stored application key associated with the privilege-constrained application and associated with the user identifier; provide a single use authorization (SUA) code allocated for the privilege-constrained application and associated with the user identifier upon the successful determination; receive a candidate authorization code and user identifier; validate the candidate authorization code based on the SUA code provided; and provide a permitted action token based on the validate operation, the permitted action token is presented by the privilege-constrained application to an access service, and the permitted action token indicates that the privilege-constrained application is authorized to perform the at least one permitted action and lacks permission to perform the at least one blocked action in connection with the online resource.

12. The system of claim 11, wherein the memory includes a data store that stores client account records that include a listing of accounts and remote resources to which the accounts correspond, the client account records including information identifying clients that have registered for a corresponding remote resource.

13. The system of claim 11, wherein the program instructions are further executable by the at least one processor to generate a second permitted action token that at least one of adds, removes or changes a limited set of privileges associated with the privilege-constrained application.

14. The system of claim 11, wherein the permitted action token identifies a limited set of privileges that the privilege-constrained application i

Classifications

  • using one-time-passwords · CPC title

  • Entity profiles · CPC title

  • wherein the sending and receiving network entities apply hybrid encryption, i.e. combination of symmetric and asymmetric encryption (cryptographic mechanisms or cryptographic arrangements using a plurality of keys or algorithms H04L9/14) · CPC title

  • using different networks or channels, e.g. using out of band channels (cryptographic mechanisms or cryptographic arrangements for key distribution involving distinctive intermediate devices or communication paths H04L9/0827; cryptographic mechanisms or cryptographic arrangements for authentication using a plurality of channels H04L9/3215) · CPC title

  • Admission control; Resource allocation · CPC title

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US9819673B1 cover?
Methods and systems are provided for managing access to a client account related (CAR) resource. When a privilege-constrained (PC) application requests access to an individual client account, a single use authorization (SUA) code is created that is associated with the individual client account. The SUA code is routed to, and returned from, the privilege-constrained (PC) application to authentic…
Who is the assignee on this patent?
Amazon Tech Inc
What technology area does this patent fall under?
Primary CPC classification H04L63/0838. Mapped technology areas include Electricity.
When was this patent published?
Publication date Nov 14, 2017 (B1). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 4 related publications on this page (citations in our corpus or others sharing the same primary CPC).