Researchers Submit Patent Application, “Complex Composite Tokens”, for Approval (USPTO 20230052525): Patent Application
2023 MAR 02 (NewsRx) -- By a
No assignee for this patent application has been made.
News editors obtained the following quote from the background information supplied by the inventors: “Currently, many services provide Application Programming Interfaces (APIs) through which partner entities are integrated. A transaction platform can have multiple integrated partners that provide services or goods for customer transactions through platform APIs.
“For instance, a platform may have partners who accept credit cards or sensitive information from their customers. A customer’s sensitive information (e.g. credit card or personal identification data) is provided to the API of a service through a partner provider (e.g. a Payment Card Industry Data Security Standard (PCI DSS) compliant vault or Health Insurance Portability and Accountability Act (HIPAA) compliant service) that maintains the sensitive information.
“However, PCI DSS or HIPAA compliance can be complex and expensive to implement. Frequently, PCI DSS or HIPAA compliance is delegated to a compliant partner, which then participates in a transaction (e.g. a purchase or data transfer). This approach involves customers or users sharing their OAuth tokens with these compliant partners in order to perform a transaction. Sharing a token introduces security risk and prevents auditing the use of the token to accurately identify an entity participating in a transaction.
“Typically, sharing an OAuth token involves the partner impersonating another entity, such as the customer. The impersonating entity appears to the API to be the customer because the token identifies only the customer. Sharing the token creates a security risk. Impersonation of the customer prevents the token from being used to identify the impersonating entity as participating in the transaction and, therefore, limits the auditability of the transaction.
“It is with respect to these and other considerations that the disclosure made herein is presented.”
As a supplement to the background information on this patent application, NewsRx correspondents also obtained the inventors’ summary information for this patent application: “The disclosed technology is directed toward advanced security networking protocol extensions and APIs that can extend composite tokens described in a recent OAuth proposal for delegating permissions from a subject entity to an actor entity to create trust stacks that provide for complex delegations of permissions that can be audited and verified.
“In certain simplified examples of the disclosed technologies, methods, systems or computer readable media for trust or authorization delegation for extension of OAuth multiple actor delegation in accordance with the disclosed technology involve receiving a first authorization request from a subject client and responding to the first authorization by sending a first token having a first set of permissions to the subject client. The disclosed technology also involves receiving a second authorization request from a first partner actor, the second authorization request including the first token and responding to the second authorization request by linking the first partner actor to the subject client in a trust stack pertaining to the subject client and sending a second token to the first actor partner with a second set of permissions, where the second token comprises a first complex token that identifies the subject client and the first partner actor. The technology further involves receiving a third authorization request from a second partner actor, the third authorization request including the second token and responding to the third authorization request by linking the second partner actor to the first partner actor in the trust stack, and sending a third token to the second actor partner with a third set of permissions, where the third token comprises a second complex token that identifies the first partner actor and the second partner actor.
“Examples in accordance with certain aspects of the disclosed technology can further include receiving an access request to a resource from the second partner actor, the access request including the third token and granting access to the resource based on the third set of permissions. Other examples in accordance with other aspects of the disclosed technology can include determining the second set of permissions based on either a union or intersection of permissions for the subject client and permissions for the first partner actor. In still other examples, the disclosed technologies can include determining the third set of permissions based on either a union or intersection of permissions for the subject client, permissions for the first partner actor, and permissions for the third partner actor.
“In certain examples, the authorization delegation pertains to a financial transaction, the first partner actor is not configured for compliance with a standard for secure handling of customer financial data, and the second partner actor is configured for compliance with the standard for secure handling of customer financial data.
“In certain other examples, the subject client can be an end user, the first partner actor can be a service provider to the end user, and the second partner actor can be a subcontractor to the first partner. In certain of these examples, the second partner actor is configured to provide one or more of shipping, packaging, warehousing and insurance to the first partner.
“It should be appreciated that the above-described subject matter may also be implemented as a computer-controlled apparatus, a computer process, a computing system, or as an article of manufacture such as a computer-readable medium. These and various other features will be apparent from a reading of the following Detailed Description and a review of the associated drawings. This Summary is provided to introduce a selection of concepts in a simplified form that are further described below in the Detailed Description.
“This Summary is not intended to identify key features or essential features of the claimed subject matter, nor is it intended that this Summary be used to limit the scope of the claimed subject matter. Furthermore, the claimed subject matter is not limited to implementations that solve any or all disadvantages noted in any part of this disclosure.”
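The delegation chain in the summary above, sketched as an added example (not code from the patent application or from NewsRx): an issuer that links each new actor into a server-side trust stack, names the previous and current entity in every token, and lets a token be resolved back to the full chain for audit. The class and claim names, the HMAC token format, the sample registry and the rule that only the newest token in a stack may be exchanged are assumptions of this sketch.

```python
import base64, hashlib, hmac, json, secrets

# Constructed sample registry: entity -> permissions it is allowed to hold.
REGISTERED = {"alice": {"card:charge", "orders:read", "profile:read"},
              "shop": {"orders:read", "profile:read"},   # not PCI DSS compliant
              "vault": {"card:charge", "orders:read"}}   # PCI DSS compliant

class AuthServer:
    """Toy issuer for illustration; all names here are hypothetical."""
    def __init__(self, registered):
        self._key = secrets.token_bytes(32)   # HMAC signing key
        self.registered = registered
        self.stacks = {}                      # stack id -> [subject, actor1, ...]

    def _sign(self, claims):
        body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode())
        mac = hmac.new(self._key, body, hashlib.sha256).hexdigest()
        return body.decode() + "." + mac

    def verify(self, token):
        body, _, mac = token.partition(".")
        good = hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, good):
            raise PermissionError("bad token signature")
        return json.loads(base64.urlsafe_b64decode(body))

    def issue_first(self, subject):
        sid = secrets.token_hex(8)
        self.stacks[sid] = [subject]
        return self._sign({"stack": sid, "depth": 0, "ids": [subject],
                           "perms": sorted(self.registered[subject])})

    def delegate(self, token, actor, mode="intersection"):
        claims = self.verify(token)
        stack = self.stacks[claims["stack"]]
        if claims["depth"] != len(stack) - 1:  # assumption: the chain stays linear
            raise PermissionError("token is not the top of the trust stack")
        held, own = set(claims["perms"]), set(self.registered[actor])
        perms = held & own if mode == "intersection" else held | own
        stack.append(actor)                    # link actor to the previous entity
        return self._sign({"stack": claims["stack"], "depth": len(stack) - 1,
                           "ids": [stack[-2], actor], "perms": sorted(perms)})

    def audit(self, token):
        """Resolve a token to every entity behind it, subject first."""
        claims = self.verify(token)
        return self.stacks[claims["stack"]][: claims["depth"] + 1]
```

With intersection, the vault's token ends up without `card:charge` because the shop in the middle never held it, while union hands every hop the combined permissions of the whole chain, so the choice between the two modes decides whether delegation attenuates or widens access.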
The claims supplied by the inventors are:
“1. A computer-implemented method comprising: receiving a first authorization request from a subject client; responding to the first authorization request by sending a first token having a first set of permissions to the subject client; receiving a second authorization request from a first partner actor, the second authorization request including the first token; responding to the second authorization request by: linking the first partner actor to the subject client in a trust stack pertaining to the subject client, and sending a second token to the first actor partner with a second set of permissions, wherein the second token identifies the subject client and the first partner actor; receiving a third authorization request from a second partner actor, the third authorization request including the second token; and responding to the third authorization request by: linking the second partner actor to the first partner actor in the trust stack, and sending a third token to the second partner actor with a third set of permissions, wherein the third token identifies the first partner actor and the second partner actor.
“2. The computer-implemented method of claim 1, wherein the method further comprises: receiving an access request to a resource from the second partner actor, the access request including the third token; and granting access to the resource based on the third set of permissions.
“3. The computer-implemented method of claim 2, wherein the resource comprises user information associated with the subject client.
“4. The computer-implemented method of claim 1, wherein the method further comprises: determining the second set of permissions based on a union or an intersection of permissions for the subject client and permissions for the first partner actor.
“5. The computer-implemented method of claim 1, wherein the method further comprises: determining the third set of permissions based on a union or an intersection of permissions for the subject client, permissions for the first partner actor, and permissions for the second partner actor.
“6. The computer-implemented method of claim 1, wherein the first set of permissions, the second set of permissions, and the third set of permissions each allow access to one or more application programming interfaces (APIs).
“7. The computer-implemented method of claim 1, wherein the method further comprises: receiving a fourth authorization request from a third partner actor, the fourth authorization request including the third token; and responding to the fourth authorization request by: linking the third partner actor to the second partner actor in the trust stack, and sending a fourth token to the third actor partner with a fourth set of permissions, where the fourth token identifies the second partner actor and the third partner actor.
“8. One or more computer storage media storing computer-useable instructions that, when used by a computing device, cause the computing device to perform operations, the operations comprising: issuing, to a client device, a first token having a first set of permissions; in response to a first authorization request from a first partner server that includes the first token: linking the first partner server to the client device in a trust stack, and issuing, to the first partner server, a second token with a second set of permissions, wherein the second token identifies the client device and the first partner server; and in response to a second authorization request from a second partner server that includes the second token: linking the second partner server to the first partner server in the trust stack, and issuing, to the second partner server, a third token with a third set of permissions, wherein the third token identifies the first partner server and the second partner server.
“9. The one or more computer storage media of claim 8, wherein the operations further comprise: receiving an access request to a resource from the second partner server, the access request including the third token; and granting access to the resource based on the third set of permissions.
“10. The one or more computer storage media of claim 9, wherein the resource comprises user information associated with the client device.
“11. The one or more computer storage media of claim 8, wherein the operations further comprise: determining the second set of permissions based on a union or an intersection of permissions for the client device and permissions for the first partner server.
“12. The one or more computer storage media of claim 8, wherein the operations further comprise: determining the third set of permissions based on a union or an intersection of permissions for the client device, permissions for the first partner server, and permissions for the second partner server.
“13. The one or more computer storage media of claim 8, wherein the first set of permissions, the second set of permissions, and the third set of permissions each allow access to one or more application programming interfaces (APIs).
“14. The one or more computer storage media of claim 8, wherein the operations further comprise: in response to a third authorization request from a third partner server that includes the third token: linking the third partner server to the second partner server in the trust stack, and issuing, to the third partner server, a fourth token with a fourth set of permissions, wherein the fourth token identifies the second partner server and the third partner server.
“15. A computer system comprising: a processor; and a computer storage medium storing computer-useable instructions that, when used by the processor, causes the computer system to perform operations comprising: issuing, to a client, a first token having a first set of permissions; in response to a first authorization request from a first partner that includes the first token: linking the first partner to the client in a trust stack, and issuing, to the first partner, a second token with a second set of permissions, wherein the second token identifies the client and the first partner; and in response to a second authorization request from a second partner that includes the second token: linking the second partner to the first partner in the trust stack, and issuing, to the second partner, a third token with a third set of permissions, wherein the third token identifies the first partner and the second partner.
“16. The computer system of claim 15, wherein the operations further comprise: receiving an access request to a resource from the second partner, the access request including the third token; and granting access to the resource based on the third set of permissions.
“17. The computer system of claim 16, wherein the resource comprises user information associated with the client.
“18. The computer system of claim 15, wherein the operations further comprise: determining the second set of permissions based on a union or an intersection of permissions for the client and permissions for the first partner.
“19. The one or more computer storage media of claim 8, wherein the operations further comprise: determining the third set of permissions based on a union or an intersection of permissions for the client, permissions for the first partner, and permissions for the second partner.
“20. The computer system of claim 15, wherein the first set of permissions, the second set of permissions, and the third set of permissions each allow access to one or more application programming interfaces (APIs).”
For additional information on this patent application, see: FREDERICK,