Title: Authored injections of context that are resolved at authentication time
Abstract: Techniques are described for enabling principals to inject context information into a credential (e.g., a session credential). Once the credential has been issued, any arbitrary principal is allowed to inject context information into the existing credential. The injected context is scoped to the principal that made the injection. Subsequently, at authentication time, when the credential is used to request access to a particular resource, the system can verify whether the principal that made the injection is trusted; if that principal is deemed trusted, the context information can be applied to a policy that controls access to one or more resources, or can alternatively be translated into context residing in a different namespace, which is then applied to the policy. In addition, the system enables arbitrary users to insert additional deny statements into an existing credential, which further restrict the scope of permissions granted by the credential.
Publication number: US9479492 (B1); Publication date: 2016.10.25
Application number: US201314145654; Filing date: 2013.12.31
Applicant: Amazon Technologies, Inc.; Inventors: Roth, Gregory Branchek; O'Neill, Kevin Ross
Classification: H04L29/06; G06F21/10; G06F21/31; Main classification: H04L29/06
Agent: Hogan Lovells US LLP; Attorney: Hogan Lovells US LLP
Independent claim 1: A computer-implemented method, the method comprising: receiving context information from a first principal, the context information relating to access rights for a second principal to perform at least one action; scoping the context information to a namespace associated with the first principal; inserting the context information in a credential, the credential having been issued to the second principal prior to the receiving of the context information; receiving, by a server, an authentication request from the second principal; determining a trusted status of the first principal based at least in part on a determination that the first principal was authorized to insert the context information into the credential; and sending, from the server to a client associated with the second principal, an authentication response that includes the credential having the context information inserted therein, the context information evaluated for the second principal to perform the at least one action based at least on the trusted status of the first principal.
Address: Reno, NV, US
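The mechanism described in the abstract and claim 1, as an added toy model that is not the patent's or Amazon's code: context injected after issuance is scoped to the injector's namespace, only trusted injectors' context reaches the policy at authentication time, and injected deny statements can only narrow the credential. The principal names, the policy and the credential layout are assumptions.

```python
# Added illustration (not the patent's code): a toy model of the mechanism
# in the abstract and claim 1. Names and the policy below are assumptions.
from dataclasses import dataclass, field

@dataclass
class Credential:
    subject: str                                   # second principal (holder)
    allow: set                                     # actions granted at issuance
    context: dict = field(default_factory=dict)    # injector namespace -> {key: value}
    denies: set = field(default_factory=set)       # (injector, action) deny statements

def inject_context(cred, injector, key, value):
    """Any principal may inject after issuance; the context is scoped
    to the injecting principal's own namespace, never to another's."""
    cred.context.setdefault(injector, {})[key] = value

def inject_deny(cred, injector, action):
    """Deny statements only narrow the credential, so any principal may add one."""
    cred.denies.add((injector, action))

def sample_policy(action, applied_context):
    """Assumed policy: 'write' requires the security team's namespace to assert mfa=True."""
    if action == "write":
        return applied_context.get("security-team", {}).get("mfa") is True
    return True

def authorize(cred, action, trusted_injectors, policy=sample_policy):
    """Authentication-time evaluation: drop context from untrusted injectors,
    apply the rest to the policy, and let injected denies always win."""
    if action not in cred.allow:
        return False
    if any(denied == action for _, denied in cred.denies):
        return False
    applied = {ns: ctx for ns, ctx in cred.context.items() if ns in trusted_injectors}
    return policy(action, applied)

def demo():
    """Constructed scenario; returns the per-action decisions."""
    cred = Credential("app-server", {"read", "write", "delete"})
    inject_context(cred, "security-team", "mfa", True)   # applied only if trusted
    inject_context(cred, "rogue-svc", "mfa", True)        # same key, its own namespace
    inject_deny(cred, "ops", "delete")                    # narrows the credential
    trusted = {"security-team"}
    return {
        "read": authorize(cred, "read", trusted),
        "write": authorize(cred, "write", trusted),
        "delete": authorize(cred, "delete", trusted),
        "write_if_injector_untrusted": authorize(cred, "write", {"rogue-svc"}),
    }
```

The last entry shows why scoping matters: "rogue-svc" asserting mfa=True lands in its own namespace and never satisfies a policy keyed on the security team's namespace.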