Title of invention: Request-specific authentication for accessing Web service resources
Abstract: Requests for access to Web service resources are evaluated based on the type of request that is received. Requests are not granted unless sufficient proof of authentication is provided to grant that request. An authentication service evaluates one or more factors to determine whether or not to authenticate the client. After being authenticated by the authentication service, proof of authentication is provided to the Web service, which grants access to the Web service resource.
Publication number: US9183366(B2) Publication date: 2015.11.10
Application number: US201414165133 Filing date: 2014.01.27
Applicant: Microsoft Technology Licensing, LLC Inventors: McMurtry Craig V.; Weinert Alexander T.; Meleshuk Vadim; Gabarra Mark E.
Classification: G06F21/32;G06F21/33;G06F21/40;H04L29/06;G06F21/60 Main classification: G06F21/32
Agency: Merchant & Gould P.C. Agent: Merchant & Gould P.C.
Main claim: 1. A computing system for controlling access to a protected Web service resource, the computing system comprising: a computer communication device for communicating across a communication network; a processor communicatively connected to the communication device; and memory storing program instructions, which when executed by the processor cause the computing system to: receive a first request from a client to access the protected Web service resource from the communication network, the first request including an identification of the protected Web service resource and an identification of an operation to be performed on the protected Web service resource; determine a level of the operation to be performed on the protected Web service resource identified in the first request; determine that the client has been authenticated by an authentication service according to a first factor using a first authentication token offered by the client; determine whether the first factor is of at least a first authentication level to grant the first request for the client to perform the operation, based on, at least in part, the level of the operation; grant the first request to access the protected Web service resource after determining that the client has been authenticated according to the first factor, and that authentication according to the first factor is of at least the first authentication level; receive a second request from the client to access the protected Web service resource from the communication network, the second request including the identification of the protected Web service resource and an identification of a second operation to be performed on the protected Web service resource; determine a level of the second operation to be performed on the protected Web service resource identified in the second request; send, to the client, a message to deny the second request to access the protected Web service resource based on, at least in part, the level of the second operation and on the authentication according to the first factor not being of at least a second authentication level to grant the second request, the message further comprising an address of the authentication service; determine that the client has been authenticated by the authentication service according to a second factor using a second authentication token offered by the client; determine whether the second factor is of at least the second authentication level to grant the second request for the client to perform the second operation, based on, at least in part, the level of the second operation; and grant the second request to access the protected Web service resource after determining that the client has been authenticated according to the second factor and that the authentication according to the second factor is of at least the second authentication level.
Address: Redmond WA US
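The request flow described in the main claim, as an added Python example that is not code from the patent or from Microsoft: a Web service maps each operation to a required level, checks the factor proven by the client's token, and on an insufficient level returns a denial carrying the authentication service's address. The HMAC token format, the shared key, the URL, and the operation and factor names and levels are all assumptions made for illustration.

```python
import hashlib
import hmac
import json

# All values below are constructed for this example, not taken from the patent.
SHARED_KEY = b"constructed-demo-key"               # trust between auth service and Web service
AUTH_SERVICE_URL = "https://auth.example/stepup"   # hypothetical address sent with a denial
OPERATION_LEVEL = {"read": 1, "delete": 2}         # level of each operation
FACTOR_LEVEL = {"password": 1, "smartcard": 2}     # level each factor can satisfy

def issue_token(client, factor):
    """Authentication service: sign proof that `client` passed `factor`.
    Expiry and audience fields are omitted here for brevity."""
    body = json.dumps({"sub": client, "factor": factor}, sort_keys=True)
    sig = hmac.new(SHARED_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"

def verify_token(token):
    """Web service: return the signed claims, or None if the signature is invalid."""
    body, _, sig = token.rpartition(".")
    expected = hmac.new(SHARED_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return None
    return json.loads(body)

def handle_request(resource, operation, token):
    """Web service: grant only if the proven factor meets the operation's level."""
    required = OPERATION_LEVEL.get(operation)
    if required is None:
        return {"status": "denied", "reason": "unknown operation"}
    claims = verify_token(token) if token else None
    # The level comes from the service's own table, never from the token itself.
    have = FACTOR_LEVEL.get(claims["factor"], 0) if claims else 0
    if have >= required:
        return {"status": "granted", "resource": resource, "operation": operation}
    return {"status": "denied", "required_level": required,
            "authentication_service": AUTH_SERVICE_URL}

def demo():
    """First request granted, second denied with a step-up address, then granted."""
    t1 = issue_token("alice", "password")
    first = handle_request("/docs/42", "read", t1)
    denied = handle_request("/docs/42", "delete", t1)
    t2 = issue_token("alice", "smartcard")
    second = handle_request("/docs/42", "delete", t2)
    return first, denied, second

if __name__ == "__main__":
    for result in demo():
        print(result)
```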