[US Patent]
Authenticating and authorizing users with JWT and tokenization
IPC classification information
Country / Type: United States (US) Patent, Registered
International Patent Classification (IPC 7th ed.): G06F-007/04, H04L-009/40, H04L-009/32, G06F-015/16
Application number: 17130790 (2020-12-22)
Registration number: 11431702 (2022-08-30)
Inventors / Address: Lores, Fernando; Tam, Albert
Applicant / Address: LendingClub Bank, National Association
Agent / Address: Hickman Becker Bingham Ledesma LLP
Citation information
Times cited: 0
Cited patents: 0
Abstract
Techniques are provided for using tokenization in conjunction with “behind-the-wall” JWT authentication. “Behind-the-wall” JWT authentication refers to JWT authentication techniques in which the JWT stays exclusively within the private network that is controlled by the web application provider. Because the JWT stays within the private network, the security risk posed by posting the JWT in a client cookie is avoided. At the same time, because the JWT is used behind the wall to authenticate a user with the services requested by the user, the authentication-related overhead is significantly reduced.
Representative Claims
1. A method for improving security of web applications while reducing messaging overhead associated with authentication, comprising:
   receiving, at a web application executing on a secure network from a client that is not executing on the secure network, authentication information associated with a particular user;
   the web application sending the authentication information to an authentication service on the secure network, wherein the authentication service is distinct from the web application;
   in response to receiving the authentication information at the authentication service, the authentication service providing a session token to the web application;
   the web application receiving the session token;
   providing the session token from the web application to the client;
   receiving, at the web application, a service request from the client;
   wherein the service request includes the session token;
   in response to receiving the service request, the web application sending the session token to the authentication service;
   in response to receiving the session token at the authentication service, the authentication service providing the web application with a data item that comprises signature information and an unencrypted payload;
   the web application providing the data item to a first service executing on the secure network; and
   the first service determining whether an operation requested in the service request is authorized based, at least in part, on the signature information and the unencrypted payload;
   wherein determining whether the operation requested in the service request is authorized includes decrypting the signature information with a public key of the authentication service;
   wherein the signature information is encrypted using a private key of the authentication service that corresponds to the public key;
   wherein the unencrypted payload includes information regarding one or more of: one or more rights of the particular user, or one or more roles of the particular user;
   wherein the method is performed by one or more computing devices.

2. The method of claim 1 wherein the data item is a JSON web token.

3. The method of claim 1 wherein:
   the data item is a limited-duration data item; and
   the first service determines whether the operation requested in the service request is authorized further based, at least in part, on whether an expiration time specified in the limited-duration data item has expired.

4. The method of claim 1 wherein:
   the service request is a first service request; and
   the method further comprises:
   after the authentication service provides the web application with the data item, the data item being stored, in association with the session token, in a cache entry in cache;
   receiving, at the web application, a second service request from the client;
   wherein the second service request includes the session token;
   identifying the cache entry, in the cache, based on the session token;
   the web application obtaining the data item from the identified cache entry;
   the web application providing the data item to a second service executing on the secure network; and
   the second service determining whether an operation requested in the second service request is authorized based, at least in part, on the signature information and the unencrypted payload from the data item.

5. The method of claim 4 wherein:
   the data item is a limited-duration item that expires after a first duration;
   the cache entry is set to expire after a second duration; and
   the second duration is less than the first duration.

6. The method of claim 1 wherein:
   the first service determines that the operation requested in the service request requires the first service to request that a second service perform a particular operation;
   the first service calling the second service and providing the data item to the second service; and
   the second service determining whether the particular operation requested by the first service is authorized based, at least in part, on the signature information and the unencrypted payload.

7. The method of claim 1 further comprising:
   receiving, at an impersonation copy of the web application: administrator-level authentication information associated with an administrator, and data that identifies a to-be-impersonated user;
   wherein the impersonation copy executes on the secure network and is not accessible by entities that are not on the secure network;
   the impersonation copy of the web application sending the administrator-level authentication information to the authentication service on the secure network;
   in response to receiving the administrator-level authentication information at the authentication service, the authentication service providing an impersonation session token to the impersonation copy of the web application;
   receiving, at the impersonation copy of the web application, a particular service request that includes the impersonation session token;
   in response to the particular service request, the impersonation copy of the web application sending the impersonation session token to the authentication service;
   in response to receiving the impersonation session token at the authentication service, the authentication service providing the impersonation copy of the web application with a particular data item that comprises particular signature information and a particular unencrypted payload;
   wherein the particular data item identifies: one or more rights of the administrator, and the to-be-impersonated user;
   the impersonation copy of the web application providing the particular data item to a particular service executing on the secure network; and
   the particular service determining whether a particular operation requested in the particular service request is authorized based, at least in part, on the particular signature information and the particular unencrypted payload; and
   the particular service providing output as if the particular operation had been requested by the to-be-impersonated user.

8. One or more non-transitory computer-readable media storing one or more sequences of instructions comprising instructions that, when executed by one or more computing devices, cause:
   receiving, at a web application executing on a secure network from a client that is not executing on the secure network, authentication information associated with a particular user;
   the web application sending the authentication information to an authentication service on the secure network, wherein the authentication service is distinct from the web application;
   in response to receiving the authentication information at the authentication service, the authentication service providing a session token to the web application;
   the web application receiving the session token;
   providing the session token from the web application to the client;
   receiving, at the web application, a service request from the client;
   wherein the service request includes the session token;
   in response to receiving the service request, the web application sending the session token to the authentication service;
   in response to receiving the session token at the authentication service, the authentication service providing the web application with a data item that comprises signature information and an unencrypted payload;
   the web application providing the data item to a first service executing on the secure network; and
   the first service determining whether an operation requested in the service request is authorized based, at least in part, on the signature information and the unencrypted payload;
   wherein determining whether the operation requested in the service request is authorized includes decrypting the signature information with a public key of the authentication service;
   wherein the signature information is encrypted using a private key of the authentication service that corresponds to the public key;
   wherein the unencrypted payload includes information regarding one or more of: one or more rights of the particular user, or one or more roles of the particular user.

9. The one or more non-transitory computer-readable media of claim 8 wherein the data item is a JSON web token.

10. The one or more non-transitory computer-readable media of claim 8 wherein:
   the data item is a limited-duration data item; and
   the first service determines whether the operation requested in the service request is authorized further based, at least in part, on whether an expiration time specified in the limited-duration data item has expired.

11. The one or more non-transitory computer-readable media of claim 8 wherein:
   the service request is a first service request; and
   the one or more sequences of instructions further comprise instructions that, when executed by one or more computing devices, cause:
   after the authentication service provides the web application with the data item, the data item being stored, in association with the session token, in a cache entry in cache;
   receiving, at the web application, a second service request from the client;
   wherein the second service request includes the session token;
   identifying the cache entry, in the cache, based on the session token;
   the web application obtaining the data item from the identified cache entry;
   the web application providing the data item to a second service executing on the secure network; and
   the second service determining whether an operation requested in the second service request is authorized based, at least in part, on the signature information and the unencrypted payload from the data item.

12. The one or more non-transitory computer-readable media of claim 11 wherein:
   the data item is a limited-duration item that expires after a first duration;
   the cache entry is set to expire after a second duration; and
   the second duration is less than the first duration.

13. The one or more non-transitory computer-readable media of claim 8 wherein:
   the first service determines that the operation requested in the service request requires the first service to request that a second service perform a particular operation;
   the first service calling the second service and providing the data item to the second service; and
   the second service determining whether the particular operation requested by the first service is authorized based, at least in part, on the signature information and the unencrypted payload.

14. The one or more non-transitory computer-readable media of claim 8 wherein the one or more sequences of instructions comprise instructions that, when executed by one or more computing devices, cause:
   receiving, at an impersonation copy of the web application: administrator-level authentication information associated with an administrator, and data that identifies a to-be-impersonated user;
   wherein the impersonation copy executes on the secure network and is not accessible by entities that are not on the secure network;
   the impersonation copy of the web application sending the administrator-level authentication information to the authentication service on the secure network;
   in response to receiving the administrator-level authentication information at the authentication service, the authentication service providing an impersonation session token to the impersonation copy of the web application;
   receiving, at the impersonation copy of the web application, a particular service request that includes the impersonation session token;
   in response to the particular service request, the impersonation copy of the web application sending the impersonation session token to the authentication service;
   in response to receiving the impersonation session token at the authentication service, the authentication service providing the impersonation copy of the web application with a particular data item that comprises particular signature information and a particular unencrypted payload;
   wherein the particular data item identifies: one or more rights of the administrator, and the to-be-impersonated user;
   the impersonation copy of the web application providing the particular data item to a particular service executing on the secure network; and
   the particular service determining whether a particular operation requested in the particular service request is authorized based, at least in part, on the particular signature information and the particular unencrypted payload; and
   the particular service providing output as if the particular operation had been requested by the to-be-impersonated user.