Patent Issued for Complex composite tokens (USPTO 11758406): eBay Inc.
2023 OCT 04 (NewsRx) -- By a
The assignee for this patent, patent number 11758406, is
Reporters obtained the following quote from the background information supplied by the inventors: “Currently, many services provide Application Programming Interfaces (APIs) through which partner entities are integrated. A transaction platform can have multiple integrated partners that provide services or goods for customer transactions through platform APIs.
“For instance, a platform may have partners who accept credit cards or sensitive information from their customers. A customer’s sensitive information (e.g. credit card or personal identification data) is provided to the API of a service through a partner provider (e.g. a Payment Card Industry Data Security Standard (PCI DSS) compliant vault or Health Insurance Portability and Accountability Act (HIPPA) compliant service) that maintains the sensitive information.
“However, PCI DSS or HIPPA compliance can be complex and expensive to implement. Frequently, PCI DSS or HIPPA compliance is delegated to a compliant partner, which then participates in a transaction (e.g. a purchase or data transfer). This approach involves customers or users sharing their OAuth tokens with these compliant partners in order to perform a transaction. Sharing a token introduces security risk and prevents auditing the use of the token to accurately identify an entity participating in a transaction.
“Typically, sharing an OAuth token involves the partner impersonating another entity, such as the customer. The impersonating entity appears to the API to be the customer because the token identifies only the customer. Sharing the token creates a security risk. Impersonation of the customer prevents the token from being used to identify the impersonating entity as participating in the transaction and, therefore, limits the auditability of the transaction.
“It is with respect to these and other considerations that the disclosure made herein is presented.”
In addition to obtaining background information on this patent, NewsRx editors also obtained the inventors’ summary information for this patent: “The disclosed technology is directed toward advanced security networking protocol extensions and APIs that can extend composite tokens described in a recent OAuth proposal for delegating permissions from a subject entity to an actor entity to create trust stacks that provide for complex delegations of permissions that can be audited and verified.
“In certain simplified examples of the disclosed technologies, methods, systems or computer readable media for trust or authorization delegation for extension of OAuth multiple actor delegation in accordance with the disclosed technology involve receiving a first authorization request from a subject client and responding to the first authorization by sending a first token having a first set of permissions to the subject client. The disclosed technology also involves receiving a second authorization request from a first partner actor, the second authorization request including the first token and responding to the second authorization request by linking the first partner actor to the subject client in a trust stack pertaining to the subject client and sending a second token to the first actor partner with a second set of permissions, where the second token comprises a first complex token that identifies the subject client and the first partner actor. The technology further involves receiving a third authorization request from a second partner actor, the third authorization request including the second token and responding to the third authorization request by linking the second partner actor to the first partner actor in the trust stack, and sending a third token to the second actor partner with a third set of permissions, where the third token comprises a second complex token that identifies the first partner actor and the second partner actor.
“Examples in accordance with certain aspects of the disclosed technology can further include receiving an access request to a resource from the second partner actor, the access request including the third token and granting access to the resource based on the third set of permissions. Other examples in accordance with other aspects of the disclosed technology can include determining the second set of permissions based on either a union or intersection of permissions for the subject client and permissions for the first partner actor. In still other examples, the disclosed technologies can include determining the third set of permissions based on either a union or intersection of permissions for the subject client, permissions for the first partner actor, and permissions for the third partner actor.
“In certain examples, the authorization delegation pertains to a financial transaction, the first partner actor is not configured for compliance with a standard for secure handling of customer financial data, and the second partner actor is configured for compliance with the standard for secure handling of customer financial data.
“In certain other examples, the subject client can be an end user, the first partner actor can be a service provider to the end user, and the second partner actor can be a subcontractor to the first partner. In certain of these examples, the second partner actor is configured to provide one or more of shipping, packaging, warehousing and insurance to the first partner.”
The claims supplied by the inventors are:
“1. A computer-implemented method comprising: receiving a first authorization request from a subject client; responding to the first authorization request by sending a first token having a first set of permissions to the subject client; receiving a second authorization request from a first partner actor, the second authorization request including the first token; responding to the second authorization request by: linking the first partner actor to the subject client in a trust stack pertaining to the subject client, and sending a second token to the first actor partner with a second set of permissions, wherein the second token identifies the subject client and the first partner actor; receiving a third authorization request from a second partner actor, the third authorization request including the second token; and responding to the third authorization request by: linking the second partner actor to the first partner actor in the trust stack, sending a third token to the second partner actor with a third set of permissions, wherein the third token identifies the first partner actor and the second partner actor and determining the third set of permissions based on a union or an intersection of permissions for the subject client, permissions for the first partner actor, and permissions for the second partner actor.
“2. The computer-implemented method of claim 1, wherein the method further comprises: receiving an access request to a resource from the second partner actor, the access request including the third token; and granting access to the resource based on the third set of permissions.
“3. The computer-implemented method of claim 2, wherein the resource comprises user information associated with the subject client.
“4. The computer-implemented method of claim 1, wherein the method further comprises: determining the second set of permissions based on a union or an intersection of permissions for the subject client and permissions for the first partner actor.
“5. The computer-implemented method of claim 1, wherein the first set of permissions, the second set of permissions, and the third set of permissions each allow access to one or more application programming interface (APIs).
“6. The computer-implemented method of claim 1, wherein the method further comprises: receiving a fourth authorization request from a third partner actor, the fourth authorization request including the third token; and responding to the fourth authorization request by: linking the third partner actor to the second partner actor in the trust stack, and sending a fourth token to the third actor partner with a fourth set of permissions, where the fourth token comprises identifies the second partner actor and the third partner actor.
“7. One or more computer storage media storing computer-useable instructions that, when used by a computing device, cause the computing device to perform operations, the operations comprising: issuing, to a client device, a first token having a first set of permissions; in response to a first authorization request from a first partner server that includes the first token: linking the first partner server to the client device in a trust stack, and issuing, to the first partner server, a second token with a second set of permissions, wherein the second token identifies the client device and the first partner server; and in response to a second authorization request from a second partner server that includes the second token: linking the second partner server to the first partner server in the trust stack, issuing, to the second partner server, a third token with a third set of permissions, wherein the third token identifies the first partner server and the second partner server and determining the third set of permissions based on a union or an intersection of permissions for the client device, permissions for the first partner server, and permissions for the second partner server.
“8. The one or more computer storage media of claim 7, wherein the operations further comprise: receiving an access request to a resource from the second partner server, the access request including the third token; and granting access to the resource based on the third set of permissions.
“9. The one or more computer storage media of claim 8, wherein the resource comprises user information associated with the client device.
“10. The one or more computer storage media of claim 7, wherein the operations further comprise: determining the second set of permissions based on a union or an intersection of permissions for the client device and permissions for the first partner server.
“11. The one or more computer storage media of claim 7, wherein the first set of permissions, the second set of permissions, and the third set of permissions each allow access to one or more application programming interface (APIs).
“12. The one or more computer storage media of claim 7, wherein the operations further comprise: in response to a third authorization request from a third partner server that includes the third token: linking the third partner server to the second partner server in the trust stack, and issuing, to the third partner server, a fourth token with a fourth set of permissions, wherein the fourth token identifies the second partner server and the third partner server.
“13. A computer system comprising: a processor; and a computer storage medium storing computer-useable instructions that, when used by the processor, causes the computer system to perform operations comprising: issuing, to a client, a first token having a first set of permissions; in response to a first authorization request from a first partner that includes the first token: linking the first partner to the client in a trust stack, and issuing, to the first partner, a second token with a second set of permissions, wherein the second token identifies the client and the first partner; and in response to a second authorization request from a second partner that includes the second token: linking the second partner to the first partner in the trust stack, issuing, to the second partner, a third token with a third set of permissions, wherein the third token identifies the first partner and the second partner and determining the third set of permissions based on a union or an intersection of permissions for the client, permissions for the first partner, and permissions for the second partner.
“14. The computer system of claim 13, wherein the operations further comprise: receiving an access request to a resource from the second partner, the access request including the third token; and granting access to the resource based on the third set of permissions.
“15. The computer system of claim 14, wherein the resource comprises user information associated with the client.
“16. The computer system of claim 13, wherein the operations further comprise: determining the second set of permissions based on a union or an intersection of permissions for the client and permissions for the first partner.
“17. The computer system of claim 13, wherein the first set of permissions, the second set of permissions, and the third set of permissions each allow access to one or more application programming interface (APIs).”
For more information, see this patent: Frederick,
(Our reports deliver fact-based news of research and discoveries from around the world.)
Patent Issued for Cryptographically transmitting and storing identity tokens and/or activity data among spatially distributed computing devices (USPTO 11757862): Allstate Insurance Company
Studies from University of Arkansas System Have Provided New Information about Risk Management (Barriers To Implementing Risk Management Practices In Microgreens Growing Operations In the United States: Thematic Analysis of Interviews and …): Risk Management
Advisor News
- Americans less confident about retirement as worries grow
- 6 in 10 Americans struggle with financial decisions
- Trump bets his tax cuts will please Las Vegas voters on his swing West
- Lifetime income is the missing link to global retirement security
- Don’t let caregiving derail your clients’ retirement
More Advisor NewsAnnuity News
- Allianz Life Adds New Accumulation-Focused Fixed Index Annuities
- Allianz Life adds new accumulation-focused FIAs
- Industry objects to ‘tone and tenor’ of draft NAIC Annuity Buyer’s Guide
- Annuity industry grapples with consolidation, innovation and planning shifts
- Human connection still key in the new annuity era
More Annuity NewsHealth/Employee Benefits News
- How Auburn's retirement incentive for city employees would work
- Researchers at Harvard Medical School Discuss Findings in Managed Care (Time-Driven, Activity-Based Cost Analysis of Secondary Intraocular Lens Implantation): Managed Care
- New Endometriosis Study Findings Have Been Reported from Jose Arnaldo Shiomi da Cruz et al (Endometriosis treatment pathways in the largest private health insurance in Brazil: A real-world data study): Uterine Diseases and Conditions – Endometriosis
- Findings from University of Illinois Broadens Understanding of Managed Care (Variation In Medicaid And Medicare Payment Rates To Community Health Centers, 2023): Managed Care
- Georgia's ACA enrollment plunges, raising concerns for rural hospitals
More Health/Employee Benefits NewsLife Insurance News
- Prudential extends Japan sales ban another 6 months at a total $1B loss
- AM Best Affirms Credit Ratings of The Wawanesa Mutual Insurance Company and Wawanesa Life Insurance Company
- Life insurance for gig economy power earners: what advisors need to know
- Allianz Life Adds New Accumulation-Focused Fixed Index Annuities
- Milliman Launches Healthcare Inflation ETFs (MHIG & MHIP) to Hedge the Rising Cost of U.S. Healthcare
More Life Insurance News