Title: Secure authentication for client application access to protected resources
Abstract: An authorization server receives a request for an access token, for accessing a protected resource, from a client application executing on a device, wherein the request includes a client identifier that uniquely identifies the client application and a device identifier that uniquely identifies the device. The authorization server performs authentication of the client identifier and the device identifier. The authorization server returns a valid access token to the client application, based on the authentication of the client identifier and the device identifier, to enable the client application access to the protected resource.
Publication number: US8868915 (B2) Publication date: 2014.10.21
Application number: US201012960956 Filing date: 2010.12.06
Applicant: Verizon Patent and Licensing Inc. Inventor: Counterman Raymond C.
Classification: H04L9/32; H04L29/06; G06F21/62; G06F21/44; G06F21/33 Main classification: H04L9/32
Agency: (not listed) Agent: (not listed)
Main claim: 1. A method, comprising:
receiving, from a first device at a network device, a first client identifier that uniquely identifies a first client application installed at the first device, and a first device identifier that uniquely identifies the first device;
generating, at the network device, a first client application secret key based on the first client identifier;
sending, from the network device, the first client application secret key to the first client application at the first device;
receiving a request for an access token, for accessing a protected resource, from the first client application executing on the first device, wherein the request includes the first client identifier, the first device identifier, and a first signature generated at the first device using the first client application secret key;
performing authentication of the first client application and the first device, wherein performing authentication of the first device comprises:
  sending a first query, that includes the first device identifier, to a database to retrieve Authentication and Key Agreement (AKA) parameters, that correspond to the first device identifier, for use in authenticating the first device;
  receiving the AKA parameters from the database; and
  using the AKA parameters to authenticate the first device;
wherein performing authentication of the first client application comprises:
  sending a second query, that includes the first client identifier, to the database to retrieve the first client application secret key,
  receiving the first client application secret key from the database, and
  attempting to validate the first signature using the first client application secret key to authenticate the first client application;
directing a user associated with the first device to an authorization page;
receiving the user's log-in and a denial or a grant of access to the protected resource via the authorization page; and
returning a valid access token to the first client application, based on a successful authentication of the first client application and the first device and based on whether the grant of access to the protected resource is received via the authorization page, to enable the first client application access to the protected resource.
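The following Python sketch is an added illustration of the token-issuance flow in claim 1; it is not code from the patent or from Verizon. Everything concrete in it is an assumption made for the example: an in-memory dictionary stands in for the database, HMAC-SHA256 stands in for both the request signature and the AKA response function (real AKA uses the 3GPP f-functions and a challenge/response with RAND/AUTN/RES), the client secret is derived from the client identifier with a server-side master key, and the user's decision on the authorization page is recorded in a lookup table. The nonce check is an addition beyond the claim, included because a signed request with no freshness can be replayed.

```python
import hashlib
import hmac
import os
import secrets

# Constructed in-memory stand-ins for the database referenced in claim 1.
DB_DEVICES = {}          # device_id -> AKA subscriber key K (assumed pre-provisioned)
DB_CLIENTS = {}          # client_id -> client application secret key
ACCESS_GRANTS = {}       # (client_id, device_id) -> True if the user granted access
PENDING_CHALLENGES = {}  # device_id -> RAND issued for the current AKA run
USED_NONCES = set()      # request nonces already accepted (replay defence, an addition)
ISSUED_TOKENS = {}       # token -> (client_id, device_id)

# Server-side key used to derive per-client secrets (assumption, not from the patent).
MASTER_KEY = secrets.token_bytes(32)


def provision_device(device_id: str) -> bytes:
    """Simulate the operator placing an AKA key K for the device in the database."""
    k = secrets.token_bytes(16)
    DB_DEVICES[device_id] = k
    return k


def register_client(client_id: str, device_id: str) -> bytes:
    """Claim steps 1-3: given client id and device id, derive and return the client secret key."""
    if device_id not in DB_DEVICES:
        raise KeyError("unknown device")
    secret = hmac.new(MASTER_KEY, client_id.encode(), hashlib.sha256).digest()
    DB_CLIENTS[client_id] = secret
    return secret


def sign_request(secret: bytes, client_id: str, device_id: str, nonce: str) -> str:
    """Client-side signature over the token request (HMAC-SHA256 is an assumption)."""
    msg = f"{client_id}|{device_id}|{nonce}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def issue_aka_challenge(device_id: str) -> bytes:
    """Server side of a simplified AKA run: a fresh RAND for this device."""
    rand = os.urandom(16)
    PENDING_CHALLENGES[device_id] = rand
    return rand


def aka_response(k: bytes, rand: bytes) -> bytes:
    """RES computed from K and RAND (HMAC stands in for the real AKA functions)."""
    return hmac.new(k, rand, hashlib.sha256).digest()


def request_access_token(client_id, device_id, nonce, signature, res):
    """Token endpoint modelled on claim 1. Returns (token or None, reason)."""
    # Device authentication: the first query retrieves the AKA parameters for device_id.
    k = DB_DEVICES.get(device_id)
    rand = PENDING_CHALLENGES.pop(device_id, None)
    if k is None or rand is None or not hmac.compare_digest(aka_response(k, rand), res):
        return None, "device authentication failed"
    # Client authentication: the second query retrieves the client secret key,
    # and the signature is validated with it.
    secret = DB_CLIENTS.get(client_id)
    if secret is None or nonce in USED_NONCES:
        return None, "client authentication failed"
    if not hmac.compare_digest(sign_request(secret, client_id, device_id, nonce), signature):
        return None, "client authentication failed"
    USED_NONCES.add(nonce)
    # Authorization page: the user's log-in and grant/denial decide whether a token is returned.
    if not ACCESS_GRANTS.get((client_id, device_id)):
        return None, "access denied by user"
    token = secrets.token_urlsafe(32)
    ISSUED_TOKENS[token] = (client_id, device_id)
    return token, "ok"


def demo() -> dict:
    """Walk through one successful flow and two failures; returns the outcomes for checking."""
    cid, did = "com.example.app", "IMSI-000000000000001"   # constructed identifiers
    k = provision_device(did)
    secret = register_client(cid, did)
    ACCESS_GRANTS[(cid, did)] = True                        # user clicked "allow"

    # Success: device answers the AKA challenge and the request carries a valid signature.
    rand = issue_aka_challenge(did)
    nonce = secrets.token_hex(8)
    sig = sign_request(secret, cid, did, nonce)
    token, ok_reason = request_access_token(cid, did, nonce, sig, aka_response(k, rand))

    # Wrong client secret: the device passes AKA, but the signature does not validate.
    rand = issue_aka_challenge(did)
    bad_sig = sign_request(b"not-the-secret", cid, did, secrets.token_hex(8))
    _, bad_sig_reason = request_access_token(cid, did, "x", bad_sig, aka_response(k, rand))

    # Wrong AKA key: the device cannot produce the expected RES, so it is rejected first.
    rand = issue_aka_challenge(did)
    nonce = secrets.token_hex(8)
    good_sig = sign_request(secret, cid, did, nonce)
    _, bad_dev_reason = request_access_token(cid, did, nonce, good_sig, aka_response(b"wrong-k", rand))

    return {"token_issued": token is not None and ISSUED_TOKENS[token] == (cid, did),
            "ok_reason": ok_reason, "bad_sig_reason": bad_sig_reason,
            "bad_device_reason": bad_dev_reason}


if __name__ == "__main__":
    print(demo())
```

The order of checks follows the claim: the device is authenticated against its AKA parameters before the client signature is examined, and the user's grant on the authorization page is the final gate, so a correctly signed request from an authenticated device still yields no token when the user denied access.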
Address: Basking Ridge NJ US