Title: COMPUTER-IMPLEMENTED SYSTEMS AND METHODS OF DEVICE BASED, INTERNET-CENTRIC, AUTHENTICATION
Abstract: Systems and computer-implemented methods for authorizing respective access by each of a plurality of Internet users to a respective one or more Internet services provided by each of a plurality of Internet service providers. A system includes a processor, and non-transient computer readable storage media, at a single identity provider. The storage media is encoded with program code executable by the processor for requiring an identity provider application residing on each of a plurality of devices to create a respective authentication token that is specific to a respective identifier and user credential of a respective Internet user, a respective device identifier, and the respective identity provider application, and for authorizing respective access by the plurality of Internet users to a respective requested one of the Internet services provided by each Internet service provider using the respective created authentication tokens and respective identifiers for each of the respective requested Internet services.
Publication number: US2016134599(A1)    Publication date: 2016.05.12
Application number: US201514858087    Filing date: 2015.09.18
Applicants: Ross Brian G.; Hollin Benjamin P.; Durkin Charles J.; Anuszewski Harry D.; Fischetti Joseph A.    Inventors: Ross Brian G.; Hollin Benjamin P.; Durkin Charles J.; Anuszewski Harry D.; Fischetti Joseph A.
Classification: H04L29/06    Main classification: H04L29/06
Agency: (none listed)    Agent: (none listed)
Main claim: 1. A system for authorizing respective access by each of a plurality of Internet users to a respective one or more Internet services provided by each of a plurality of Internet service providers, comprising:
  a processor at a single identity provider;
  a first non-transient computer readable storage medium of the single identity provider, wherein the first non-transient computer readable storage medium is configured to store data, and wherein the stored data comprises:
    for each of a plurality of Internet users, a respective public key portion of a respective authentication token, wherein the respective authentication token is specific to: an electronic mail address, or anonymous identifier, of the Internet user; a user credential of the Internet user; a device identifier for each of one or more devices; an identity provider application residing on a mobile device of the one or more devices and that is usable by the Internet user to access a respective one or more Internet services provided by each of a plurality of Internet service providers;
    for each of the plurality of Internet service providers, a respective identifier that is visually perceptible when displayed on a page of the identity provider application and when displayed on a web page belonging to the Internet service provider; and
    for each of a respective one or more Internet services provided by each of the plurality of Internet service providers, a respective identifier, and a respective one or more call-back Internet addresses;
  a second non-transient machine-readable storage medium of the single identity provider, wherein the second non-transient computer readable storage medium is encoded with program code executable by the processor for:
    requiring the respective identity provider application residing on each of the respective mobile devices to create the respective authentication token and to store a respective private key portion of the respective authentication token on the respective mobile device;
    receiving, via a respective application programming interface (API) call from a respective computer server of each of the plurality of Internet service providers, a respective identifier for a respective requested one of the respective one or more Internet services provided by the respective Internet service provider, wherein each respective identifier is received in response to a respective Internet user selection of a respective link on the respective web page belonging to the respective Internet service provider and displayed on a respective web browser to request access to the respective requested one Internet service;
    automatically generating, and transmitting to the respective web browser, a respective web page that displays: the respective visually perceptible identifier of the respective Internet service provider; and a respective Internet address of the respective web page belonging to the respective Internet service provider;
    requiring the respective identity provider application residing on each of the respective mobile devices to display a respective page to input the respective user credential of the respective Internet user, wherein each input user credential is usable to decrypt the respective stored private key portion of the respective authentication token;
    receiving, via a respective API call from the respective identity provider application residing on each of the respective mobile devices, a respective approved authentication challenge message;
    validating each of a plurality of the received respective approved authentication challenge messages using the respective stored public key portion of the respective authentication token;
    in response to validating the plurality of received approved authentication challenge messages, authorizing access by the respective Internet user to the respective requested one Internet service by re-directing the respective web browser to a respective one of the respective one or more call-back Internet addresses for the respective requested one Internet service.
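The identity-provider side of the claimed flow (a challenge issued on the provider's API call, the approved challenge message validated against the stored token, and the browser redirected only to a call-back address registered for the requested service), as an added Python example that is not part of the patent. HMAC-SHA256 stands in for the public-key verification so the code runs with the standard library alone; the service and user names, URLs and the 120-second challenge lifetime are constructed values.

```python
import hmac, hashlib, json, secrets

# HMAC-SHA256 stands in for the token's public-key check (stdlib only); in the
# claimed design the IdP stores only the public key portion and the device keeps
# the private key portion, decryptable with the user's credential.
def sign(key: bytes, msg: dict) -> str:
    return hmac.new(key, json.dumps(msg, sort_keys=True).encode(), hashlib.sha256).hexdigest()

class IdentityProvider:
    CHALLENGE_TTL = 120  # seconds an un-approved challenge stays valid (assumed value)
    def __init__(self):
        self.tokens = {}    # (user id, device id) -> verification key
        self.services = {}  # service id -> (provider label, registered call-back URLs)
        self.pending = {}   # challenge id -> {"service": ..., "issued": ...}
    def register_service(self, service_id, provider_label, callbacks):
        self.services[service_id] = (provider_label, tuple(callbacks))
    def register_token(self, user, device, key):
        self.tokens[(user, device)] = key
    def start_login(self, service_id, provider_page_url, now):
        # API call from the provider's server: issue a fresh challenge and return
        # what the browser page must show (provider label and the provider page URL).
        label, _ = self.services[service_id]
        cid = secrets.token_hex(16)
        self.pending[cid] = {"service": service_id, "issued": now}
        return {"challenge": cid, "page": f"{label} | {provider_page_url}"}
    def approve(self, msg, sig, callback, now):
        # API call from the phone app: validate the approved challenge message and
        # return the call-back URL the browser is redirected to, or None to refuse.
        pending = self.pending.pop(msg.get("challenge"), None)  # single use
        if pending is None or now - pending["issued"] > self.CHALLENGE_TTL:
            return None
        key = self.tokens.get((msg.get("user"), msg.get("device")))
        if key is None or not hmac.compare_digest(sig, sign(key, msg)):
            return None
        if msg.get("service") != pending["service"]:
            return None   # approval must name the service that was actually requested
        if callback not in self.services[pending["service"]][1]:
            return None   # redirect only to a call-back address registered for it
        return callback

def demo(callback="https://bank.example/cb", tamper=False):
    idp = IdentityProvider()
    idp.register_service("svc-1", "Example Bank", ["https://bank.example/cb"])
    key = secrets.token_bytes(32)  # constructed stand-in for the device's token key
    idp.register_token("alice@example.com", "dev-1", key)
    step = idp.start_login("svc-1", "https://bank.example/login", now=1000.0)
    msg = {"challenge": step["challenge"], "user": "alice@example.com",
           "device": "dev-1", "service": "svc-1"}
    sig = sign(key, msg)
    if tamper:
        msg["service"] = "svc-2"  # message altered after signing; must be rejected
    return idp.approve(msg, sig, callback, now=1010.0)
```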
Address: Haddon Heights NJ US