Title: Bifurcated authentication token techniques
Abstract: Bifurcated authentication token techniques are described in which sign-on credentials are separated from corresponding privilege data for resources. During client authentication, a determination is made regarding whether a service provider is configured to support bifurcated authentication token techniques. If the techniques are supported, a lightweight token is issued to the client and corresponding privilege data is stored separately from the token in a centralized authentication database. If a service provider does not support bifurcated authentication token techniques, a traditional, combined authentication token that includes privilege data is issued to the client. The lightweight token contains identity information and a reference to the privilege data, but does not contain the actual privilege data. Therefore, the lightweight cookie token alone is not sufficient to gain access to corresponding resources. Moreover, privileges associated with a lightweight token may be revoked or altered without having to change or invalidate the lightweight token itself.
Publication number: US9350729 (B2)    Publication date: 2016.05.24
Application number: US201414284221    Filing date: 2014.05.21
Applicant: Microsoft Technology Licensing, LLC    Inventor: Novak Mark F.
Classification: H04L29/06    Main classification: H04L29/06
Agency:    Attorneys: Churna Timothy; Yee Judy; Minhas Micky
Main claim: 1. A method implemented by a computing device comprising: authenticating a client to access resources from a service provider; in connection with authentication of the client, determining whether the service provider is configured to support bifurcated authentication token techniques; and based on the determination: issuing a combined authentication token to the client that includes privilege data associated with the client when the service provider is not configured to support bifurcated authentication token techniques, the combined authentication token containing information sufficient to provide indications to service providers regarding access privileges of clients without reliance upon external information; or issuing a lightweight token to the client and communicating the privilege data associated with the client for storage in a centralized authentication database separate from the service provider when the service provider is configured to support bifurcated authentication token techniques, the lightweight token configured to contain identity information and a reference to enable look-up of the privilege data from the centralized authentication database instead of containing the privilege data itself.
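The following is an added illustration of the claimed flow, written for this record; it is not code from the patent or from Microsoft. It models the two branches of claim 1 in a single issuer: a combined token that carries its privilege list, and a lightweight token that carries only the subject and an opaque reference into a central privilege store. The HMAC signing scheme, the `CentralAuthDatabase` class and the `issue_token`/`authorize` function names are assumptions chosen for the example; the signing key and client data are constructed sample values.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed signing key for the example; a real issuer would load this from a key store.
SIGNING_KEY = b"constructed-demo-signing-key"


class CentralAuthDatabase:
    """Assumed model of the 'centralized authentication database' that holds
    privilege data separately from the lightweight token."""

    def __init__(self):
        self._privileges = {}

    def store(self, privileges):
        # Issue an opaque reference; the token will carry only this reference.
        ref = secrets.token_hex(8)
        self._privileges[ref] = set(privileges)
        return ref

    def lookup(self, ref):
        return self._privileges.get(ref)

    def update(self, ref, privileges):
        # Alter privileges without touching the token that points at them.
        self._privileges[ref] = set(privileges)

    def revoke_all(self, ref):
        self.update(ref, ())


def _sign(claims):
    """Encode claims and append an HMAC so tampering is detectable."""
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    mac = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{mac}"


def _verify(token):
    """Return the claims if the HMAC checks out, otherwise None."""
    body, _, mac = token.rpartition(".")
    expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    return json.loads(base64.urlsafe_b64decode(body))


def issue_token(client_id, privileges, provider_supports_bifurcation, db):
    """Branch of claim 1: lightweight token if the provider supports the
    technique, combined token (privileges embedded) otherwise."""
    if provider_supports_bifurcation:
        ref = db.store(privileges)
        return _sign({"type": "lightweight", "sub": client_id, "priv_ref": ref})
    return _sign({"type": "combined", "sub": client_id, "privileges": sorted(privileges)})


def authorize(token, required_privilege, db):
    """Service-provider side check. A combined token is self-contained; a
    lightweight token is useless without a successful look-up in the store."""
    claims = _verify(token)
    if claims is None:
        return False
    if claims["type"] == "combined":
        return required_privilege in claims["privileges"]
    privs = db.lookup(claims["priv_ref"])
    return privs is not None and required_privilege in privs


if __name__ == "__main__":
    db = CentralAuthDatabase()
    token = issue_token("alice", {"read", "write"}, True, db)
    print("write allowed:", authorize(token, "write", db))
    db.update(_verify(token)["priv_ref"], {"read"})
    print("write allowed after privilege change:", authorize(token, "write", db))
```

The two properties the abstract emphasizes fall out directly: a lightweight token presented to a provider that has no access to the store (or whose store entry has been revoked) authorizes nothing, and changing the entry behind `priv_ref` changes the client's effective privileges while the token string itself stays valid and unchanged.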
Address: Redmond WA US