Browser login session via non-extractable asymmetric keys

文档序号：1909829 发布日期：2021-11-30 浏览：2次中文

阅读说明：本技术 经由不可提取的不对称密钥的浏览器登录会话 (Browser login session via non-extractable asymmetric keys ) 是由 K·R·欧内尔 D·M·沃戈 G·纳嘎拉加 S·莎玛于 2020-10-14 设计创作，主要内容包括：提供了用于使用非对称密码术与应用建立会话的技术。技术包括使用非对称密码术的安全单点登录能力。利用非对称签名、浏览器本地存储空间和Web Crypto应用编程接口(API)的使用,不能从为其生成密钥的浏览器中提取密钥。该机制允许web域使用存储在客户端的web浏览器中的不可提取的非对称密钥来跟踪用户登录会话,并充分利用不可提取的非对称密钥进行单点登录。(Techniques are provided for establishing a session with an application using asymmetric cryptography. Techniques include secure single sign-on capabilities using asymmetric cryptography. With asymmetric signatures, browser local storage space, and the use of Web Crypto Application Programming Interfaces (APIs), keys cannot be extracted from the browser for which they were generated. The mechanism allows a web domain to track user login sessions using a non-extractable asymmetric key stored in a client's web browser and leverage the non-extractable asymmetric key for single sign-on.)

1. A method, comprising:

receiving, by a computing device comprising a processor and a memory, a first request to log in to a first application;

generating, by a computing device, a first public-private key pair comprising a first public key and a first private key, wherein the first public-private key pair is associated with a first application;

storing, by a computing device, a first public-private key pair on a local data store for the computing device;

sending, by the computing device, a second request to authorize the first public key, wherein the second request includes the first public key;

generating, by the computing device, a second public-private key pair comprising a second public key and a second private key, wherein the second public-private key pair is associated with the server computer;

receiving, by a computing device, credential information;

sending, by the computing device, an authentication request including credential information, the first public key, and the second public key to the server computer;

receiving, by the computing device, a server token from the server computer, wherein the server token is generated based on the second public key;

storing, by the computing device, the received server token in a second local data store;

sending, by the computing device, a third request to the server computer, wherein the third request includes the server token and the second request is signed using a second private key;

receiving, by a computing device, a first application token from a server computer; and

a first request to login to a first application is authenticated by a computing device.

2. The method of claim 1, further comprising:

receiving, by the computing device, a fourth request to log into the second application;

generating, by the computing device, a third public-private key pair comprising a third public key and a third private key, wherein the third public-private key pair is associated with the second application;

storing, by the computing device, the third public-private key pair on a second local data store for the computing device;

sending, by the computing device, a fifth request to authorize the third public key, wherein the fourth request includes the third public key;

receiving, by the computing device, the second JavaScript;

determining, by the computing device, whether the second JavaScript includes a valid server token;

obtaining, by the computing device, the server token from the second local data store;

sending, by the computing device, a sixth request to the server computer, wherein the sixth request includes the server token and the sixth request is signed using the second private key;

receiving, by the computing device, a second application token from the server computer; and

authenticating, by the computing device, the fourth request to log into the second application.

3. The method of claim 1, wherein the computing device comprises a web browser.

4. The method of claim 1, wherein the credential information comprises a username and password.

5. The method of claim 1, wherein prior to generating the first public-private key pair:

receiving, by the computing device, the first JavaScript from the server computer; and

determining, by the computing device, whether a valid JSON Web Token (JWT) exists based on the first JavaScript.

6. The method of claim 1, wherein the first public-private key pair is stored on a first local IndexedDB associated with the first application.

7. The method of claim 1, wherein the server token is stored on a second local IndexedDB associated with the server computer.

8. A non-transitory computer-readable storage medium storing instructions that, when executed by one or more processors of a computing device, cause the one or more processors to perform a method, the method comprising:

receiving, by a computing device, a first request to log in to a first application;

storing, by a computing device, a first public-private key pair on a local data store for the computing device;

sending, by the computing device, a second request to authorize the first public key, wherein the second request includes the first public key;

receiving, by a computing device, credential information;

sending, by the computing device, an authentication request including credential information, the first public key, and the second public key to the server computer;

receiving, by the computing device, a server token from the server computer, wherein the server token is generated based on the second public key;

storing, by the computing device, the received server token in a second local data store;

sending, by the computing device, a third request to the server computer, wherein the third request includes the server token and the second request is signed using a second private key;

receiving, by a computing device, a first application token from a server computer; and

a first request to login to a first application is authenticated by a computing device.

9. The non-transitory computer-readable storage medium of claim 8, comprising instructions to cause the one or more processors to perform the method, the method further comprising:

receiving, by the computing device, a fourth request to log into the second application;

storing, by the computing device, the third public-private key pair on a second local data store for the computing device;

sending, by the computing device, a fifth request to authorize the third public key, wherein the fourth request includes the third public key;

receiving, by the computing device, the second JavaScript;

determining, by the computing device, whether the second JavaScript includes a valid server token;

obtaining, by the computing device, the server token from the second local data store;

sending, by the computing device, a sixth request to the server computer, wherein the sixth request includes the server token and the sixth request is signed using the second private key;

receiving, by the computing device, a second application token from the server computer; and

authenticating, by the computing device, the fourth request to log into the second application.

10. The non-transitory computer-readable storage medium of claim 8, wherein the computing device comprises a web browser.

11. The non-transitory computer-readable storage medium of claim 8, wherein the credential information comprises a username and a password.

12. The non-transitory computer-readable storage medium of claim 8, wherein prior to generating the first public-private key pair:

receiving, by the computing device, the first JavaScript from the server computer; and

determining, by the computing device, whether a valid JSON Web Token (JWT) exists based on the first JavaScript.

13. The non-transitory computer-readable storage medium of claim 8, wherein the first public-private key pair is stored on a first local IndexedDB associated with the first application.

14. A computing device, comprising:

a memory; and

one or more processors configured to:

receiving a first request to log in to a first application;

generating a first public-private key pair comprising a first public key and a first private key, wherein the first public-private key pair is associated with a first application;

storing, on a local data store for the computing device, the first public-private key pair;

sending a second request to authorize the first public key, wherein the second request includes the first public key;

generating a second public-private key pair comprising a second public key and a second private key, wherein the second public-private key pair is associated with the server computer;

receiving credential information;

sending an authentication request including credential information, a first public key, and a second public key to a server computer;

receiving a server token, wherein the server token is generated based on the second public key;

storing the received server token in a second local data store;

sending a third request to the server computer, wherein the third request includes the server token and the second request is signed using a second private key;

receiving a first application token from a server computer; and

a first request to login to a first application is authenticated.

15. The computing device of claim 14, further comprising one or more processors configured to:

receiving a fourth request to log in to the second application;

generating a third public-private key pair comprising a third public key and a third private key, wherein the third public-private key pair is associated with the second application;

storing the third public-private key pair on a second local data store for the computing device;

sending a fifth request to authorize the third public key, wherein the fourth request includes the third public key;

receiving a second JavaScript;

determining whether the second JavaScript includes a valid server token;

obtaining a server token from a second local data store;

sending a sixth request to the server computer, wherein the sixth request includes the server token and the sixth request is signed using the second private key;

receiving a second application token from the server computer; and

the fourth request to log in to the second application is authenticated.

16. The computing device of claim 14, wherein the second request is signed using a digital signature.

17. The computing device of claim 14, wherein the computing device is a web browser that stores the non-extractable second private key.

18. The computing device of claim 14, the webcrypt vault to facilitate storage of the non-extractable second private key.

19. The computing device of claim 14, wherein the computing device is a client-side computing device.

Background

Single Sign On (SSO) can be a feature of an access management system. For example, with this feature, a user may log into the access management system with a single ID (e.g., username, email address, etc.) and password. After a user logs into the system, the user is allowed to access the website across multiple pages over time without re-authenticating during a single login session. The user does not need to authenticate himself to each page of the visited website.

However, since single sign-on provides access to many resources once a user is initially authenticated, there may be negative impacts if credentials are available to others and/or abused. The industry standard is to use cookies or other forms of anonymous tokens (bearer tokens), which require a cookie to be sent to the server for authentication (either via cryptography or by matching with server-side state). A cookie with a token is sent to the server and the server verifies if the user is logged in. However, these tokens can be extracted and possibly stolen, thereby weakening their security profile. If attacked, attackers can typically use cookies and anonymous tokens. This makes cookie-based security vulnerable to man-in-the-middle attacks, session hijacking, and other vulnerabilities.

Example embodiments of the present disclosure address these and other issues individually and collectively.

Disclosure of Invention

Example embodiments relate to establishing a session with an application using asymmetric cryptography. In particular, example embodiments include systems and methods that include secure single sign-on capabilities using asymmetric cryptography.

Example embodiments allow single sign-on using asymmetric cryptography. With asymmetric signatures, the secret used to verify the session state cannot be extracted from the browser that generated it, by using the browser local storage and the Web Crypto Application Programming Interface (API).

This mechanism allows the web domain to track user login sessions using non-extractable asymmetric keys stored in the client's web browser and leverage single sign-on (e.g., using Security Assertion Markup Language (SAML) or OpenID connections). The non-extractable private key stored in the client's Web browser may be stored using the Web Crypto API. A server (e.g., an access management server) verifies session state by verifying a signed request to a login server instead of accepting a cookie, thereby allowing login sessions to be tracked while precluding man-in-the-middle and session hijacking attacks. Each request may include a digital signature that is verified by the access management server.

Example embodiments provide a non-extractable private key stored in a browser of a client. The non-extractable private key may be created using a Web Crypto API. The client authenticates to the login server via a one-time signed request rather than by transmitting a cookie or anonymous token. This mechanism improves the extensibility and security of the web sign-on session. The single sign-on (SSO) system as disclosed in the example embodiments is not susceptible to many of the attack vectors used by conventional sign-on sessions.

Other embodiments are directed to systems, devices, and computer-readable media associated with the methods described herein.

A better understanding of the nature and advantages of the exemplary embodiments may be obtained with reference to the following detailed description and the accompanying drawings.

Drawings

The present disclosure will be readily understood by the following detailed description in conjunction with the accompanying drawings, wherein like reference numerals designate like elements, and in which:

FIG. 1 is a simplified block diagram of a computing environment including an identity and access management system, according to some example embodiments.

Fig. 2 illustrates a sequence diagram of a method for logging into a first application, according to some example embodiments.

Fig. 3 illustrates a flow chart of a method for logging into a first application according to another example embodiment.

Fig. 4 illustrates a sequence diagram of a method for logging into a second application, according to some example embodiments.

Fig. 5 illustrates a user interface displaying information for accessing a first application, according to some example embodiments.

Fig. 6 illustrates a user interface for entering cloud tenant information, according to some example embodiments.

Fig. 7 illustrates a user interface that guides a user to log into a particular infrastructure, according to some example embodiments.

Fig. 8 illustrates a user interface for entering credential information, according to some example embodiments.

FIG. 9 illustrates a user interface displayed when processing a request according to some example embodiments.

FIG. 10 illustrates a user interface displaying complete information for accessing a first application, according to some example embodiments.

FIG. 11 illustrates a user interface displaying information for accessing a second application, according to some example embodiments.

Fig. 12 illustrates a user interface displaying complete information for accessing a second application, according to some example embodiments.

Figure 13 illustrates a simplified diagram of a distributed system for implementing some embodiments.

Fig. 14 is a simplified block diagram of one or more components of a system environment in which a service may be provided as a cloud service, according to some embodiments.

FIG. 15 illustrates an exemplary computer system that may be used to implement certain components according to some embodiments.

Fig. 16 illustrates key storage in IndexedDb according to some example embodiments.

Fig. 17 illustrates JWT storage in IndexedDb according to some example embodiments.

Fig. 18 illustrates a sequence diagram of a method for logging into a first application using a server database, according to some example embodiments.

Fig. 19 illustrates a sequence diagram of a method for logging into a second application using a server database, according to some example embodiments.

Detailed Description

In the following description, for purposes of explanation, specific details are set forth in order to provide a thorough understanding of the example embodiments. It may be evident, however, that the various embodiments may be practiced without these specific details. For example, systems, algorithms, structures, techniques, networks, processes, and other components may be shown in block diagram form as components in order not to obscure the embodiments in unnecessary detail. The drawings and description are not intended to be limiting.

Example embodiments enable single sign-on (SSO) for a user who wants to log on to multiple applications. A user may also be referred to as a client. For example, a user may log into multiple applications in an enterprise. When a user attempts to log into a first application, an application on a browser on the user's computer (e.g., a browser application) may generate a first public-private key pair [ Ab and Av ] that includes a first public key [ Ab ] and a first private key [ Av ] for the first application.

The browser may be any browser that supports IndexDB and encryption Application Programming Interfaces (APIs). IndexEDDB is an application programming interface provided by web browsers for managing objects. IndexDB may provide a large amount of data storage compared to, for example, web storage. In addition, IndexEDDB does not require Structured Query Language (SQL) to retrieve data.

The browser on the user computer may store the first public-private key pair [ Ab and Av ] in a memory space (e.g., IndexedDB) of the browser associated with the first application. The IndexedDB application may be used for client-side storage of application data. By storing data on the client side, the burden of the server to securely store and maintain the data is reduced. IndexedDB IAM may be used for client-side storage of server data. IndexedDB may also be referred to as IndexedDB or index DB. A first public-private key pair for a first application is stored in a local browser storage space, which stores information associated with the application.

After the first public-private key pair [ Ab and Av ] is stored in the browser's IndexedDB, the user's browser is redirected to the login application, where the first public key [ Ab ] is one of the parameters. The login application is associated with a server, such as an access management server. The access management server may also be referred to as an Identity Access Management (IAM) server or an Oracle Access Management (OAM) server.

The login application generates a second public-private key pair [ Sb, Sv ] in the user's browser. The user is then prompted via the client device to enter credential information (e.g., username, email address, password, token, etc.). The user may be prompted to enter their credential information through a form displayed on the client device. After the user enters their credentials, the user may submit the form, and the form is submitted to a login application associated with the server. The user may submit the form by selecting, for example, a submit button after entering their credential information.

If the credential information entered by the user is correct (e.g., the user entered their correct username and password), the user is authenticated and a security token is generated for the user. The security Token may be a JSON Web Token (JWT) security Token. In an example embodiment, the JWT is a signed JWT. JWT is signed by a server (e.g., an IAM server) using a private key known only to the server. Therefore, the JWT disclosed in the example embodiments cannot be manipulated or modified. The security token embeds a second public key Sb. Thus, the security token generated for the user with the second public key [ Sb ] may be identified as SJWT [ Sb ]. The token generated for the server may be referred to as an SJWT. "S" indicates that the JWT token is in the server' S domain. The token generated for the first application (application a) may be AJWT. "A" indicates that JWT is in the domain of the first application. The token generated for the second application (application B) may be referred to as BJWT. "B" indicates that JWT is used for the second application.

In the present disclosure, the first application token refers to the application token generated for application a and the second application token refers to the application token generated for application B. The security token generated for the server may also be referred to as a server token. Application a and application B may comprise any application that uses an access management server.

The security token (SJWT Sb) is then stored in the browser's local memory space. The token SJWT [ Sb ] can now be used to securely communicate with the server application by signing a request issued to the server by the non-extractable key Sv (e.g., sign { Sv, { request, SJWT (Sb) }). The security token may be stored in the IndexDB IAM of the browser, which is the client browser storage space that stores information associated with the server. Sv and SWJT [ Sb ] can both be stored in IndexedDB IAM.

The first private key [ Av ] and the second private key [ Bv ] stored in the local data store may be used to sign requests and application JWTs (e.g., AJWT, BJWT) with corresponding public keys [ Ab, Bb ] sent as authorization information.

Since the security token SJWT [ Sb ] is an authenticated token, the authenticated token SJWT [ Sb ] may be used to obtain an application token for the first application from the server computer by issuing a signed request (sign { Sv, { request (Ab), SJWT [ Sb ] }) to the server to exchange SJWT [ Sb ] for the application token AJWT [ Ab ]. The application token for the first application may be represented by, for example, AJWT [ Ab ]. The application token includes an application jwt (ajwt) and a first public key [ Ab ]. The server token SJWT [ Sb ] is exchanged for the application token AJWT [ Ab ] by issuing a signed request (sign { Sv, { request (Ab) }, SJWT [ Sb ] }) to the server, SJWT [ Sb ] for the application token AJWT [ Ab ]. After the user obtains the token for the first application, the user is authenticated to the first application. The user can now access the first application.

If the user wants to obtain authentication for the second application, the second application will generate a third public-private key pair [ Bb and Bv ] for the second application. The third public-private key pair [ Bb and Bv ] may be stored in a local store of the browser. For example, the third public-private key pair [ Bb and Bv ] may be stored in the browser's IndexedDB application. The third public-private key pair for the second application may be stored in a local browser storage space that stores information associated with the application.

After locally storing the third public-private key pair [ Bb and Bv ], the user's browser is redirected to the login application. The login application will return JavaScript to the user's browser. JavaScript indicates a script running on the browser that generates the key pair and accesses indexedb, which is embedded in the page returned by the application when the browser navigates to it. The login application will return JavaScript because when the user logs into the first application, a security token SJWT Sb is created. The same Server JSON Web Token (SJWT) can be used to exchange another application JWT. Thus, the same JWT used to generate the first application token may be used to create the application token BJWT [ Bb ] for the second application. At this point, the user has been authenticated for the second application. The user can now access the second application.

In an example embodiment, the server maintains the login session using a key pair generated at the client side. The server described in the specification may refer to a plurality of different types of servers. The authentication server may perform an initial authentication to start a login session. The authentication server is then responsible for verifying the public key associated with the session. Each request may include a digital signature that is verified by the server.

To contact other "data servers" that respect the session, the client may use a digital signature. The data server may comply with the authentication server to verify the signature for the session. The signature is sent by the data server to the authentication server for verification, which asks the authentication server for the public key of the session so that it can verify, the authentication server issues a token/certificate (e.g., JWT) to the client after initial authentication, which is signed using a pre-existing key pair whose public key is shared with the data server, which can comply with the authentication server to verify the signature for the session. Then, when the client issues a session request to the data server, it sends a digital signature using the session private key and the token from the identity server. The data server then (a) verifies the token to determine the public key for the session, and (b) verifies the digital signature of the request using the public key from JWT.

The illustrative embodiments use asymmetric signatures instead of providing a dedicated session to a web console, for example, using cookies. cookies are small files stored on a user's computer and that store data that may be used to access additional applications after the user's initial login. Cookies may be forged, stolen, or obtained by unauthorized users. Thus, it is not secure to use cookies to make a user permanently logged in.

A Cookie includes an identifier and a string that uniquely identifies the session. The browser will send that cookie to each page loaded for that web site. Thus, instead of requiring the user to re-enter their credentials each time a different page is accessed, the cookie is authenticated when the user accesses a different page of the website.

However, cookies are often sent over insecure connections. In addition, cookies may be subject to phishing attacks or spoofing. For example, someone on a different machine may steal the user's account information by spoofing the user. Cookies are sent in clear text over a connection to the visited site using a symmetric secret known to both parties. Therefore, there is a risk that the cookie information is recognized by an unauthorized user.

The example embodiment uses a signed asymmetric key to let the user call the API from the browser. The client is allowed to characterize the state transfer (REST) API from JavaScript calls within the browser using the asymmetric key signed for the particular client session. A session includes a store of information that is expected to persist throughout the user's interaction with the website or web application during the session.

Example embodiments call the REST API to represent an authenticated session with the website. Instead of using an asymmetric secret (such as done with a cookie), the example embodiment uses an asymmetric key that is stored only in a secure manner in the browser. Instead of sending a secret on the network wire every time a new web page is loaded, an asymmetric key is used. The request is signed using the private key. In an example embodiment, the public key is not registered because the public key is embedded within the JT. However, in an alternative embodiment, the public key may be registered with the website that is verifying the session.

According to an example embodiment, a client's browser may make an API call and may sign the API call asymmetrically. The call is signed using a secret proof of knowledge securely stored in the browser. The server can verify your session without sending secrets that are vulnerable to e.g. hacking, phishing spoofing, etc.

Example embodiments provide a novel method of single sign-on in the field of identity management. A session is established with a login server that can be used for single sign-on across many sites. A user may log on to a number of different applications through a single sign-on process. Although single sign-on is described, example embodiments may be used in situations other than single sign-on.

Identity and access management system

Fig. 1 is a simplified block diagram of a computing environment including an identity and access management system 100, according to some example embodiments.

As shown in fig. 1, the identity and access management system 100 includes a user 110, a client device 120, a communication network 130, a browser 140, a target resource system 170, an application 150, an access management server 160, and a data store 161 of the access management server 160. Data store 161 may store, for example, public keys of key pairs for sessions. Application 150 may be stored on target resource system 170.

The identity and access management system 100 may also be referred to as an IAM system. The client may also be referred to as a client of the identity and access management system 100. Client device 120 may be various types of devices including, but not limited to, a mobile phone, a tablet, a desktop computer, and the like.

The servers may include a single sign-on (SSO) system 162 and a session management system 163. The browser 140 may also be referred to as a browser application. The server may also include an authentication system 164 that may be used to authenticate the user. After the user enters his credential information, the user may be authenticated. The server may also include an authorization system 165. The authorization system 165 may authorize the user and allow the authenticated user to access the application.

The access management server 160 may be, for example, an Identity Access Management (IAM) server or an Oracle Access Management (OAM) server. The access management server 160 may be a computer including a processor and a memory. The access management server 160 may be used to perform access management. Throughout the description, the access management server may also be referred to as an authentication server or server. The server 160 may store an application to be used for login. An application for determining whether a user may log into an application may be referred to as a login application, a server application, an authentication application, an Access Manager (AM) application, or an Identity Access Management (IAM) application.

The server includes the capability to provide secure access to protected resources within the computing environment. In certain embodiments, the server includes the ability to provide single sign-on (SSO) authentication for users accessing protected resources. SSO authentication can refer to session and user authentication services provided by a server that allow a user to access multiple resources managed and/or protected by the server using one set of login credentials (e.g., username and password) without the user having to re-enter the login credentials each time to access the respective protected resource. In some examples, the protected resources may include applications, documents, files, web pages, web content, computing resources in the IAM system.

The identity and access management system 100 can be implemented by one or more computing systems executing computer-readable instructions (e.g., code, programs) to implement a server. As depicted in fig. 1, the server includes various subsystems including a single sign-on (SSO) system 162 and a session management system 163. Portions of the data or information used or generated by the server as part of its processing may be stored in persistent storage, such as a data store 161 that is communicatively coupled to the server, possibly via one or more communication networks. For example, the data store 161 may store information related to SSO sessions established by servers for users accessing protected resources, user credential information related to users, and the like. The systems and subsystems depicted in fig. 1 may be implemented using software (e.g., code, instructions, programs) executed by one or more processing units (e.g., processors, cores), hardware, or a combination thereof of a computing system. The software may be stored on a non-transitory storage medium (e.g., on a memory device).

Client device 120 may include a browser 140. Browser 140 may be a web browser for accessing information on the internet. Browser 140 may include a memory space associated with browser 140. For example, browser 140 may include browser application storage space 143, IndexDB App A141, IndexDB App B144, and IndexDB IAM 142. IndexedDB App a141 may store information about a first application and IndexedDB App B may store information about a second application. The IndexedDB IAM142 may store information about an access management server. IndexEDDB may also be referred to as IndexEDDB. Indexedbs are JavaScript Application Programming Interfaces (APIs) provided by web browsers for managing databases of objects. JavaScript may also be referred to in this disclosure as JavaScript code. As shown in FIG. 1, browser IndexDB App A141, browser IndexDB App B144, and browser IndexDB IAM142 are stored locally on the user's client device. There is a separate indexedb for each application and for the server, since indexedb is domain specific. JavaScript in a first domain will not have access to resources stored in the indexedb for a website of another domain.

In an example embodiment, a user may use a User Interface (UI) for an application, which may be a Graphical User Interface (GUI), to request access for the application to a protected resource (e.g., a first application) stored on target resource system 170 by entering a Uniform Resource Locator (URL) or other data identifying the requested resource. Thus, in some embodiments, the server determines whether the user is authorized to access the second application and whether the second application is an SSO-enabled resource. As used herein, an SSO-enabled resource refers to a resource for which SSO processing can be enabled to provide user access to the resource.

If the user is authorized to access the second application and the second application is an SSO-enabled resource, the server, upon determining that the user session is active and still valid, performs SSO authentication to enable the user to access the protected resource. In some cases, the server may maintain a single SSO session to provide the user with access to multiple resources after authentication.

In some examples, the multiple resources may represent different applications as described above. In other examples, multiple resources may represent different websites within the same application, different web pages from the same website, and so on.

The browser 140 may use a Web Crypto API. The Web Crypto API is an interface that can perform cryptographic operations in Web applications. The Web Crypto API is an interface that can improve security of a Web application by allowing the Web application to perform an encryption function.

Method for logging in to a first application-token public key

Fig. 2 illustrates a sequence diagram of a method 200 for logging into a first application, according to some example embodiments. In the example shown in fig. 2, the public key is a token.

As shown in FIG. 2, at step 210, a user 110 may request access to a first application. The first application may also be referred to as application a or apa. A user requests access to a first application using a browser. The steps shown in fig. 2 may also be referred to as calls, system calls, requests, or web requests between elements of the identity and access management system 100. As discussed above, the access management server may also be referred to as an IAM server, OAM server, or server. In addition, the server may include an application for performing login. The application may be referred to as a login application, an OAM application, an IAM application, or an authentication application. The login application may be a cloud infrastructure login application.

At step 211, the browser 140 on the client device sends a request (e.g., a GET request) to the first application 150 to obtain access to the first application 150. In particular, an application such as a browser application will send a request. A GET request may be used to request data from a specified source. The GET request uses hypertext transfer protocol (HTTP) to enable communication between the client and the server.

At step 212, the first application 150 returns JavaScript to the browser 140. The returned JavaScript may include code that runs as a script embedded in the page returned by the first application, which generates a key pair and persists the key pair in the indexedb. The JavaScript may check if there is a valid JWT on the browser's indexedb.

At step 213, the browser 140 checks whether there is a valid JSON Web Token (JWT) using JavaScript from the first application 150. The JWT is a signed JWT with the public key embedded in the JWT. JWT is a document with a public key from the client. JWT is a JSON format certificate. The JWT token is a secure method of client authentication. The JWT document is signed by an authentication server. The authentication server can sign the JWT document using any login mechanism for verifying the public key. The browser may store session information. Thus, a web session may be created without storing data on the authentication server.

At step 214, if it is determined that there is no valid JWT, the browser 130 generates a first key pair (e.g., [ Ab, Av ]) and stores the generated first key pair in the browser IndexDB App A141. Specifically, an application on the browser generates a first key pair. In an example, Ab represents the public key of the first pair of keys and Av represents the private key. The private key remains in the client-side browser and never leaves the browser. For example, the private key may be stored in IndexDB App A141. The private key is not extractable and can only be used for signing through the browser. In addition, only the domain for the first application (application a) has access to the first key pair Ab and Av.

The public key is available to the public and can be sent to anyone. However, the private key cannot be sent anywhere. The public key may be sent outside the browser, such as to a server or system that will verify the password. The IAM server that authenticates the password may then associate that key for the session.

The private key Av is in the domain for the first application a and the private key Bv is in the domain for the second application B. Application B cannot access private key Av and application a cannot access private key Bv. I.e. if they are in different domains, one application cannot access the private key of another application. The token for application a is different from the token for application B in that each application is in a different domain and therefore has a different private key that is not accessible to other applications.

Thus, nothing can be hijacked. For example, when cookies are used, the cookie itself is often sent with the request. In an example embodiment, the private key is not sent with the request. The private key does not leave the browser storage space. The browser maintains the key so that it is not retrievable. It is stored in a manner that cannot be read. The browser can sign the request using the private key, but the browser does not send the private key itself.

For purposes of clarity and ease of understanding, key pairs are referred to as first, second, and third key pairs throughout the description. The first key pair is called [ Ab, Av ] because it corresponds to the first application, application a. The second key pair is called Sb, Sv because it corresponds to the key pair for the server. The third key pair is called [ Bb, Bv ] because it corresponds to the second application, application B. The key pair is generated by the browser 140.

A non-extractable private key (e.g., Av) is stored in the browser storage space and is used to create a jail unbreakable login session. The private key itself is not sent out of the browser's storage space. Furthermore, the private key stored on the client side is not extractable. The browser sandbox provides a guaranteed mechanism for preventing the extraction of private keys. The private key is stored in a manner that cannot be read. The browser signs using the private key, e.g. a digital signature or a call to the access management server.

This creates a unbreakable login session that cannot be phished or stolen and cannot be used to attack the user. Since the private key cannot be extracted from the browser of the client. Thus, a signature using the private key may be requested, but the private key itself cannot be obtained or extracted. The signature for the private key may be obtained using a module called the Web Crypto API in JavaScript.

The public key may be stored on the access management server or the public key may be stored on the client side. If the public key is stored on the server, the server stores the public key locally. For example, the public key may be stored in a data store or database of the server. The public key is associated with the session for the user. When public key information is desired, it can be identified and looked up in the server's data store.

Alternatively, the public key may be stored on the client side. For example, the public key may be stored on a memory space associated with the browser.

Fig. 16 illustrates key storage in IndexedDb according to some example embodiments. As shown in fig. 16, the key is stored in IndexedDb. Fig. 16 is an example of a key stored in IndexedDb of application a.

At step 215, the browser sends a request (e.g., a GET request) to server 160, the request including the first public key (e.g., Ab) of the first key pair. The request is to authorize a public key.

At step 216, the JavaScript is returned to the browser. The server associates the public key from the browser with the session. As shown in fig. 1, the session information may be stored in a data store 161 of the server 160. The server 160 may then notify the browser 140 that the user is authenticated.

At step 217, the browser 140 generates and stores a second key pair (e.g., [ Sb, Sv ]) for the server. The second key pair is stored in the browser IndexedDB IAM 142. The second key pair is located in the domain of the login application or the server application. The second public key Sb and the second private key Sv may also be referred to as a server private key and a server public key.

At step 218, the user enters their credentials via the browser 140. For example, the user enters their username and password for the first application. If the user enters the correct credential information, the user may be authenticated.

At step 219, browser 140 sends a request to server 160 to authorize user 110 to log into the first application. Successful authentication (e.g., credential information is correct) is passed to the server 160. The browser 140 sends the credential information (e.g., username and password) to the server 160 along with the public key. The POST method may be used to send information to the server 160. The POST may be used to send data to the server to create and/or update information in the server. The data sent to the server through the POST is stored in the request body of the HTTP request.

The server receives the username and password and checks if the information is correct. The session information includes session information such as a validity period (e.g., such as 12 hours or one day) of the session.

At this point, the browser has created a public-private key pair and has sent the public key to the identity management application along with the login credentials so that the login application can authenticate the session. The login application will check if it is a valid session. A login application associated with the server takes the digital signature and the public key and verifies the digital signature. The login application will also check if the time stamp of the signed material is correct. Upon successful verification of the digital signature, the server will authenticate the call.

At step 220, the login application will create a JWT signed by its own private key (Sv). This JWT is created for the maintenance session and contains Sv, Sb inside it. Server 160 sends signed JWT (SJWT [ Sb ]) including public key Sb to browser 140. Thus, the JWT contains Sb, and the JWT including Sb is sent back to the browser. The SJWT Sb, which is the first JWT created in fig. 2, is created to maintain a session with the server.

At step 221, the browser will store the signed JWT including the public key Sb. Signed JWT (SJWT [ Sb ]) including public key Sb may be stored in browser IndexedDB IAM 142.

Fig. 17 illustrates a JWT stored in IndexedDb according to some example embodiments. As shown in fig. 17, the key is stored in IndexedDb. FIG. 17 is an example of a JWT stored in IndexedDb IAM.

At step 222, the browser will sign the request using the server's private key Sv together with the first application's (Ab) public key and send this request to the login application. This refresh call is performed to obtain the JSON Web Token (JWT) that contains the Ab inside. Thus, another JWT containing Ab was obtained.

The request to access the first application is authenticated by using the public key. The public key is used to verify the digital signature. The signature is generated on the client device using a private key. The browser can use this private key to sign any content that is to be sent to the login application.

At step 223, server 160 sends AJWT [ Ab ] to browser 140. At this point, when the user successfully logs into application A, the AJWT returns to the browser. The SJWT [ Sb ] sent in step 222 exchanges AJWT [ Ab ] in a secure exchange.

At step 224, the browser can access the first application using the signed security token for the first application. The browser makes a call to application a using the signed JWT. The request is signed by the private key of application a. The browser sends a JWT corresponding to the application a private key signed by the server. Since the JWT is signed by the private key of the server (e.g., IAM server), this JWT can be verified by the server. Thus, the first application may ask the server whether the JWT can be trusted.

If the server authorizes the signed request, then the user is now logged in. After successful login, the first application will store the public key associated with the session.

The application believes that the public key it uses to verify the request is the public key associated with the original authentication session. This can be done by placing the public key in a certificate signed by a server that it knows it can trust. In the above example, the public key is placed in a certificate signed by the server. However, an alternative embodiment includes storing the public key in a server of the database, which will be described in more detail below with reference to fig. 18 and 19.

In the described example, the login application signs the JWT using its own cryptography for return to the client device. Thus, the login application does not have to look up in the database and the public key is sent with the request. The client sends the JWT with each request along with the public key embedded in the JWT, so the application does not need to look up the public key in the database. The public key is in the request and the login application knows that it can trust the information, since the JWT is signed by the server itself. Instead of storing the public key in the database, there is a token that stores the public key in a trusted manner so that it is sent back to the browser, and it sends that token each time, so the application does not have to look up the public key in the database.

Thus, a session is created using asymmetric cryptography. Asymmetric cryptography for creating a session may be applied when a user attempts to log into an application or applications. Additionally, the example embodiments are described with respect to single sign-on sessions, however, asymmetric passwords may be applied to situations other than single sign-on sessions.

In the single sign-on case, the user does not need to enter their credentials for each application they access. The user can log into the second application without entering their credentials.

In another example embodiment for storing the first key pair information, the public key may be stored on the browser side instead of the authentication server side. Thus, instead of requiring the authentication server to perform a verification of the second session, the browser may verify the second session based on information from the first session using a signature verification mechanism or decryption mechanism that may be used locally at the browser. Thus, millions of sessions can be stored without looking up key information in the server's database. That is, the example embodiments allow for tracking login sessions without any server-side state, while excluding man-in-the-middle attacks and session hijacking attacks.

Fig. 3 illustrates a flow chart of a method 300 for logging into a first application according to another example embodiment.

As shown in fig. 3, at step 301, a user wants to log in to a first application (e.g., apa). At step 302, the application on the browser checks whether there is an active session. If there is an active session, then at step 303, the user interface for the browser may indicate that the user has logged into the application.

At step 304, if there is no active session, the application in the browser may create and store a first key pair. For example, the first key pair may be [ Ab, Av ]. Ab denotes the public key for the session and Av denotes the private key for the session.

At step 305, the browser is redirected to the authentication server with Ab as the public key in the request.

At step 306, the authentication server returns JavaScript which checks whether a valid authentication JWT exists in indexedb. A valid authenticated JWT may be indicated as SJWT.

If it is determined at step 306 that there is a valid authenticated JWT in IndexDB, the method proceeds to step 310.

At step 310, the browser sends a request to get application AJWT with Ab in it in exchange for SJWT. This request is signed by Sv.

At step 311, the authentication server returns the application jwt (ajwt) with Ab therein. That is, the authentication server returns AJWT [ Ab ] and redirects the user to the first application.

At step 312, the application in the browser stores the AJWT for accessing the resource.

At step 313, the user is now logged in.

If it is determined at step 306 that there is no valid authentication JWT, the authentication server returns JavaScript to create and store a second key pair (e.g., [ Sb, Sv ]) at step 307.

At step 308, the user is prompted to enter their credential information. The user enters their credentials and sends a request with the second public key (Sb) and the first public key (Ab).

At step 309, the authentication server verifies the credentials and creates a SJWT with the second public key (Sb) therein.

The method then proceeds to steps 310, 311, 312 and 313, as described above.

After the user logs into the first application, the user may log into a second application, which is in a different domain than the first application, without having to re-enter their credential information.

Method for logging in to second application-token public key

Since the second application (application B) and the first application (application a) are in different domains, authorization to access the applications needs to be performed for each application. That is, access application B requires authorization and access application a requires separate authorization.

The token for application a cannot be used for application B because the private key required by application B is in the domain of application B and the initial token contains only the public key of application a. Scripts that make calls to application B cannot access the private keys stored in the domain of application a, even if they are located on the client side.

In the past, if a session was to be established with a second application, the user established the session directly with the second application. In an example embodiment, single sign-on is used to allow the user to access the second application without requiring the user to perform a second authorization for the second application. The example embodiments use a second key pair (Sb, Sv) with SJWT [ Sb ] to generate different tokens for application a and application B, thereby supporting single sign-on.

Since application a and application B are in different domains, accessing each application will require a different token. One token contains the public key for the session of application a and the other token contains the public key for the session of application B. However, since the example embodiments allow for single sign-on, the second token may be obtained without asking the user for credentials again. The user does not need to re-enter their credential information.

The server token, SJWT, located in the domain of the server is used to access both applications. After the authentication is complete and there is a token for the server's domain (SJWT), other tokens may be requested for other applications in other domains. Although the second application is described, the method may be performed for a third application, a fourth application, and the like.

To log in to the second application, the browser 140 will use the second private key (Sv) generated in step 217 of fig. 2. The browser will sign the material associated with the request to access the second application 155. For example, the request may include a current timestamp or username. An asymmetric digital signature is created using a private key. The server private key is not extractable and is created with the initial authentication request upon accessing the first application. The browser uses the private key from a memory space located in the browser to sign the request. That is, the private key is not extractable, but can be used by the browser's API to sign requests.

If a session has been established with the server, the browser will authenticate the session with the second application using the server private key it has stored. The browser may send a request along with the public key for the second application and the login application will sign the request, thereby authorizing access to the second application. The browser may send the signed information to the second application, and the second application will authenticate the session and allow access to the second application.

When a request (e.g., a web request) is made to a second application, the request is signed using a private key for the second application. The request also includes AJWT. Av (private key of application a) will sign the request and the authorization header will have AJWT [ Ab ]. When authorization is evaluated, the signature created by signing with Av will be verified with Ab. The second application may verify that the token came from the server, extract the public key therefrom, and use the token to verify the signature from the browser. The session with the second application will then be authenticated.

Fig. 4 illustrates a sequence diagram of a method 400 for logging into a second application, according to some example embodiments. The steps shown in fig. 4 occur after the steps in fig. 3 are performed and the user has successfully logged into the first application (application a). An example embodiment of logging a user into a second application is performed after the user has logged into a first application. In the example shown in fig. 4, the public key is a token.

At step 410, the user 110 wants to access a second application 155 (e.g., AppB). At this point, the user has logged into the first application (AppA), and a private key for the first session is created and stored in the memory space for the browser 140. For example, the private key may be stored in the storage space IndexedDB IAM 142. That is, the sequence shown in fig. 2 has been executed before the sequence shown in fig. 4 is executed, and the user has logged in to the first application. The user now wants to access a second application (e.g., AppB) that is different from the first application (e.g., AppA).

At step 411, the browser 140 sends a request to the second application 155. The request is to access the second application 155. The request may be, for example, a GET request.

At step 412, the second application (application B) sends JavaScript back to the browser. The second application 155 can return JavaScript that will be used to check if a valid JWT exists.

In an example embodiment, JavaScript code may be used for authentication. Thus, the key is used to sign timely data. For example, the timely data may include, for example, a timestamp and a name representing the user. The data is cryptographically signed so that the generated signature can be verified using the public key as proof that only the person in possession of the private key of the browser certificate can make that signature. The browser will take the signature and send it along with the request for data from the server. The signature may be located in the HTTP header to ensure secure transmission.

At step 413, JavaScript is used to check if there is a valid JWT. The JavaScript code for the second application 155 will identify whether there is a generated key pair and whether it is available in local storage space. The JWT will have a timestamp to show whether it is valid for the session. At step 413, the browser 140 checks whether there is a valid JWT using JavaScript that the browser 140 receives from the second application 155.

At step 414, if it is determined at step 413 that there is no valid JWT for the second application (application B), the browser will generate a third public-private key pair (Bb and Bv). In the third key pair, Bb is the public key and Bv is the private key. The private key Bv is not sent to the second application 155 or the server 160. Instead, the private key remains stored locally at the browser 140, such as in the browser IndexedDB App B144. The private key Bv is used to sign the request.

At step 415, the public key Bb is sent to the server application. The browser 140 sends a request to the authentication server 160 that includes a public key for authorizing access to the second application 155. The request may be a GET request. The request sent to the second application 155 includes the public key (Bb) generated by the browser at step 414.

At step 416, the server application will send back another JavaScript to check if there is a valid SJWT.

At step 417, JavaScript is used to determine if there is a valid server token (SJWT). It is determined whether there is a valid authentication server, jwt, (sjwt).

At step 418, if it is determined that there are valid server tokens SJWT, the browser may determine that they are in the domain of the login application. If there is a valid authentication server JWT, then at step 418 JWT is obtained and signed with the second private key (Sv) generated in step 217 of FIG. 2.

At step 419, the browser sends the SJWT with Bb to the server application as a result of determining that there is a valid SJWT. The browser 140 sends the signed JWT, including the second public key (Sb) and the third public key (Bb). The request with the request body containing SJWT [ Sb ] and Bb is signed with Sv and sent to the IAM server. This may be denoted sign (Sv, { SJWT [ Sb ], Bb }).

At step 420, the server creates a new JWT with the public key [ Bb ] embedded in the JWT. The browser receives the token for application B in exchange for SJWT. The browser receives the token BJWT [ Bb ] in exchange for SJWT. Application B trusts JWT signed by the server. At this point, there is a BJWT containing Bb and it will be sent back to the browser.

At step 421, the browser makes a call to application B using application B private key. The browser sends the JWT corresponding to the application B private key signed by the server. Application B will check with the server to determine the authenticity of this token, since the server signs the token with the server's own private key. The user can log into and access application B without any kind of credential authentication.

As disclosed in an example embodiment, a public key is associated with a login session and a digital signature including a private key is verified using the public key. The server will check, for example, the time stamp information of the signed material to ensure that the material was most recently signed. Upon successful verification of that digital signature, authentication is invoked.

In both example embodiments of logging into the first application and logging into the second application, the private key of the first key pair is stored only on the browser side.

The token for the session of application a includes the public key for application a. The token for the session of application B includes the public key for application B. Since the private key for application B is in the domain of application B and the private key for application a is in the domain of application a, a separate token is generated for each application. The script that calls application B cannot access application a's private key. The script that calls application a cannot access application B's private key. Thus, each application has its own public token in order to obtain a private token.

User interface

Fig. 5 illustrates a user interface 500 displaying information for accessing a first application, according to some example embodiments.

As shown in fig. 5, the current "name" 511, "tenant name" 512, and "public key ID" 513 information are blank. When the user selects the login button 514, the user will be directed to the interface shown in FIG. 6.

Fig. 6 illustrates a user interface 600 for entering cloud tenant information, according to some example embodiments. The user interface shown in fig. 6 may correspond to an application located on a browser.

Example embodiments are directed to cloud computing systems. Thus, there may be multiple tenants in a cloud computing environment. Thus, as shown in fig. 6, the customer enters his tenant information in order to log into the cloud computing environment. The computing system may be a cloud infrastructure system that includes a multi-tenant environment. A multi-tenant environment may include an environment in which a server provides services for multiple tenants or customers.

As shown in user interface 600, the user has provided tenant information and prompted the user to log into the cloud computing environment.

After entering the tenant information, the user may select the continue button 620. The tenant then logs into the cloud computing environment as shown in figure 7.

Fig. 7 illustrates a user interface 700 that directs a user to log into a particular infrastructure, according to some example embodiments.

The user may choose to login with their credentials by selecting link 720 to login with their credentials.

Fig. 8 illustrates a user interface 800 for entering credential information, according to some example embodiments.

As shown in fig. 8, the user is prompted to enter a username 810 and password 820. After the user enters their username and password and selects the login button 830, the server processes the request.

Fig. 8 may correspond to step 218 of fig. 2, during which the user enters their credential information in order to access the first application. The user enters their credential information, such as a username 710 and password 711, and then the user logs into the system.

Fig. 9 illustrates a user interface 900 displayed when processing a request according to some example embodiments.

Fig. 10 illustrates a user interface 1000 displaying complete information for accessing a first application, according to some example embodiments. After the user enters their credential information in fig. 8 and processes the request as shown in fig. 9, the user will be directed to the page for the first application. As shown in fig. 10, the "name", "tenant name", and "public key ID" information is now complete. After processing the request, a user interface is displayed on the user interface that displays complete information for accessing the first application, as shown in fig. 9.

When the user desires to access the second application, a user interface for logging into the second application is displayed.

FIG. 11 illustrates a user interface displaying information for accessing a second application, according to some example embodiments.

As shown in fig. 11, the information for accessing the second application is incomplete. In the past, in order for a user to access a second application, the user would perform a separate authorization process for the second application. That is, the user will perform steps similar to those shown in FIGS. 6-9, but for the second application. However, instead of requiring the user to re-enter credential information, the information for accessing the second application is automatically populated when the user selects the login button 1114.

The user does not have to re-enter credential information. Information generated when authorization to access the first application is obtained is used to access the second application. Specifically, SJWT [ Sb ] is used to obtain BJWT [ Bb ].

Fig. 12 illustrates a user interface displaying complete information for accessing a second application, according to some example embodiments. As shown in fig. 12, the information for accessing the second application is completed. When the user selects the login button 1114 in FIG. 11, the user does not have to enter additional information and the system automatically directs the user to the interface shown in FIG. 12.

Although login is described for two applications, the token SJWT may be used to authenticate a user for multiple applications. For example, a user may log into three or four applications without entering their credential information. Instead of requiring a re-entry of credential information, a SJWT is used.

Method for logging in to a first application-server database

Fig. 18 illustrates a sequence diagram of a method for logging into a first application using a server database, according to some example embodiments. In the example shown in FIG. 18, the public key is not a token, and the public key is maintained in a database for the server. Since the public key is stored in the database, the public key can be looked up in the database.

Fig. 18 includes similar elements to fig. 2, however, fig. 18 includes a server database 180 (e.g., IAM database). The server database may be configured to store the public key.

As shown in fig. 18, user 110 may request access to a first application at step 1810. The first application may also be referred to as application a or apa. The steps shown in fig. 18 may also be referred to as calls, system calls, requests, or network requests between elements of the identity and access management system 100. As discussed above, the access management server may also be referred to as an IAM server, OAM server, or server. In addition, the server may include an application for performing login. The application may be referred to as a login application, an OAM application, an IAM application, or an authentication application. The login application may be a cloud infrastructure login application.

At step 1811, the browser 140 on the client device sends a request (e.g., a GET request) to the first application 150 to obtain access to the first application 150. In particular, an application such as a browser application will send a request. A GET request may be used to request data from a specified source. The GET request uses hypertext transfer protocol (HTTP) to enable communication between the client and the server.

At step 1812, the first application 150 returns a check to the browser 140 whether there is valid JWT's JavaScript. The returned JavaScript may include code that runs as a script embedded in the page returned by the first application, generates a key pair, and persists the key pair in the indexedb.

At step 1813, the browser 140 checks whether there is a valid JSON Web Token (JWT) using JavaScript from the first application 150. The JWT is a signed JWT with the public key embedded in the JWT. JWT is a document with a public key from the client. JWT is a JSON format certificate. The JWT token is a secure method of client authentication. The JWT document is signed by an authentication server. The authentication server can sign the JWT document using any login mechanism for verifying the public key. The browser may store session information. Thus, a web session may be created without storing data on the authentication server.

At step 1814, if it is determined that there is no valid JWT, the browser 130 generates a first key pair (e.g., [ Ab, Av ]) and stores the generated first key pair in the browser IndexDB App A141.

This is verified by the client application by checking if there is a valid JWT. If there is no valid JWT, then the JavaScript generates and stores a public-private key pair in the browser IndexedDb.

Specifically, an application on the browser generates a first key pair. In an example, Ab represents the public key of the first key pair and Av represents the private key. The private key is left in the browser of the client and never leaves the browser. For example, the private key may be stored in IndexDB App A141. The private key is not extractable and can only be used for signing through the browser. In addition, only the domain for the first application (application a) has access to the first key pair Ab and Av.

The public key is available to the public and can be sent to anyone. However, the private key cannot be sent anywhere. The public key may be sent outside the browser, such as to a server or system that will verify the password. The server that verifies the password may then associate that key for the session.

The public key may be stored on the access management server or the public key may be stored on the client side. In the example shown in fig. 18, the public key is stored in the database of the access management server. When the public key is stored on the server, the server stores the public key locally. For example, the public key may be stored in a data store or database of the server. The public key is associated with the session for the user. When public key information is desired, it can be identified and looked up in the server's data store.

At step 1815, the browser sends a request (e.g., a GET request) to server 160 that includes the first public key (e.g., Ab) of the first key pair. The request is to authorize a public key. The JavaScript then redirects the user's browser to the IAM server with the public key [ Ab ] generated in steps 1812, 1813 and 1814.

At step 1816, the server returns LoginView and JavaScript. The IAM server responds with JavaScript that generates the public-private key pair Sb and Sv. These keys will be used to maintain single sign-on sessions with the IAM. The IAM server may present the login screen to the user via the LoginView control.

At step 1817, the browser 140 generates and stores a second key pair (e.g., [ Sb, Sv ]) for the server. The second key pair is stored in the browser IndexDB IAM142 of the user's browser. The second key pair is located in the domain of the login application or the server application. The second public key Sb and the second private key Sv may also be referred to as a server private key and a server public key.

At step 1818, the user enters their credentials via the browser 140. For example, the user enters their username and password for the first application. A username and password may be entered on the login screen. Form submission will also submit Sb and Ab.

At step 1819, browser 140 sends a request to server 160 to authorize user 110 to log into the first application. The browser 140 sends the credential information (e.g., username and password) to the server 160 along with the public key. The POST method may be used to send information to the server 160. The POST may be used to send data to the server to create and/or update information in the server. The data sent to the server through the POST is stored in the request body of the HTTP request.

The server receives the username and password and checks if the information is correct. If it is correct, the authentication is successful and the server stores the public key in a database representing the session. The session information includes session information such as a validity period (e.g., such as 12 hours or one day) of the session.

At step 1820, the IAM server creates a token SJWT with identifier "abc" and stores the token SJWT in a table, the key being "abc" and the value being Sb. The SJWT is sent back to the browser to be stored in IndexedDb for use in future sessions.

At step 1821, the browser will store the token SJWT with identifier "abc". The token SJWT is stored in a table, the key is "abc" and the value is Sb. The SJWT is stored in IndexedDb for future sessions.

At step 1822, the browser issues a signed request to the IAM to refresh the endpoint. The request is signed by Sv and the authorization header has SJWT [ id ═ abc ].

At step 1823, the IAM server retrieves the id from the SJWT. In this example, id ═ abc. id denotes an identifier. The server obtains the public key for the key "abc" from the database. This is used to match the signature of the API call. If the signature is valid, the IAM server creates an AJWT with id ═ xyz' and stores it in the IAM database.

At step 1824, the AJWT is returned to the browser. At step 1824, the server 160 sends AJWT [ id ═ xyz ] to the browser 140. At this point, AJWT is returned to the browser because the user has successfully logged into application A.

At step 1825, the user is directed to application a with AJWT [ id ═ xyz' ] to make any signed calls, and verification proceeds similarly to how signature verification is done with the refresh endpoint.

At step 1825, the browser can access the first application using the signed security token for the first application. The browser makes a call to application a using the signed JWT. The request is signed by the private key of application a. The browser sends a JWT corresponding to the application a private key signed by the server. Since the JWT is signed by the private key of the server (e.g., IAM server), this JWT can be verified by the server. Thus, the first application may ask the server whether the JWT can be trusted.

In the examples shown in fig. 18 and 19, a signed version of the ID is used. See, for example, steps 1820, 1821, and 1822 of FIG. 18, and steps 1917, 1918, and 1919 of FIG. 19. I.e. using SJWT. However, in other example embodiments, a signed version of the ID may not be used. I.e., SJWT cannot be used. Instead, the ID (e.g., ID-abc) may be used directly. The server authenticates the user by ensuring that the signature matches a public key stored in a server database (e.g., an IAM database).

In the described example, a signature may be used instead of a cookie, whether or not the signed key is persistent in the IAM database, or whether the signed key is held by the client in its SJWT/certificate that is resent for each request.

Method for logging in to a second application-server database

In the single sign-on case, the user does not need to enter their credentials for each application they access. The user can log into the second application without entering credentials.

The public key for application a cannot be used for application B because the private key required by application B is in the domain of application B and the initial token contains only the public key of application a. Scripts that make calls to application B cannot access the private keys stored in the domain of application a, even if they are located on the client side.

Since application a and application B are located in different domains, accessing each application will require a different public key. A public key for the session of application a and another public key for the session of application B. However, since the example embodiments allow for single sign-on, the second public key may be obtained without asking the user for credentials again. The user does not need to re-enter their credential information.

To log in to the second application, the browser 140 will use the second private key (Sv) generated in step 1817 of fig. 18. The browser will sign the material associated with the request to access the second application 155. For example, the request may include a current timestamp or username. An asymmetric digital signature is created using a private key. The server private key is not extractable and is created with the initial authentication request upon accessing the first application. The browser uses the private key from a memory space located in the browser to sign the request. That is, the private key is not extractable, but can be used by the browser's API to sign requests.

Fig. 19 illustrates a sequence diagram of a method 1900 for logging into a second application using a server database, according to some example embodiments. In the example shown in fig. 19, the public key is not a token, but is maintained on the server.

Fig. 19 is similar to fig. 4, however, fig. 19 includes a server database 180 (e.g., IAM database). The server database may be configured to store the public key.

The steps shown in fig. 19 occur after the steps in fig. 18 are performed and the user has successfully logged into the first application (application a). An example embodiment of logging a user into a second application is performed after the user has logged into a first application.

At step 1910, user 110 wants to access second application 155 (e.g., App B). At this point, the user has logged into the first application (AppA), and a private key for the first session is created and stored in the memory space for the browser 140. For example, the private key may be stored in the storage space IndexedDB IAM 142. That is, the sequence shown in fig. 18 has been executed before the sequence shown in fig. 19 is executed, and the user has logged in to the first application. The user now wants to access a second application (e.g., App B) that is different from the first application (e.g., App a).

At step 1911, browser 140 sends the request to second application 155. The request is to access the second application 155. The request may be, for example, a GET request.

At step 1912, the second application (app B) sends JavaScript back to the browser. The second application 155 can return JavaScript that will be used to check if a valid JWT exists.

In an example embodiment, JavaScript code may be used for authentication. Thus, instead of only sending cookies as disclosed in the prior art, the key is used to sign just-in-time data. For example, the timely data may include, for example, a timestamp and a name representing the user. The data is cryptographically signed so that the generated signature can be verified using the public key as proof that only the person in possession of the private key of the browser certificate can make that signature. The browser will take the signature and send it along with the request for data from the server. The signature may be located in the HTTP header to ensure secure transmission.

At step 1913, JavaScript is used to check if there is a valid JWT. The application returns JavaScript to the browser to check if there is a valid session. The session is verified by the client application checking if there is a valid JWT. If there is no valid JWT, then the JavaScript generates and stores a public-private key pair in the browser IndexedDb.

The JavaScript code for the second application 155 will identify whether there is a generated key pair and whether it is available in local storage space. The JWT will have a timestamp showing whether it is valid for the session. At step 1913, the browser 140 checks whether there is a valid JWT using JavaScript that the browser 140 receives from the second application 155.

At step 1914, if it is determined at step 1913 that there is no valid JWT for the second application (application B), the browser will generate a third public-private key pair (Bb and Bv). In the third key pair, Bb is the public key and Bv is the private key. The private key Bv is not sent to the second application 155 or the server 160. Instead, the private key remains stored locally at the browser 140, such as in the browser IndexedDB App B144. The private key Bv is used to sign the request.

At step 1915, public key Bb is sent to the server application. The browser 140 sends a request to the authentication server 160 that includes a public key for authorizing access to the second application 155. The request may be a GET request. The request sent to the second application 155 includes the public key (Bb) generated by the browser at step 1914. The JavaScript then redirects the user's browser to the IAM server with the public key [ Bb ] generated in steps 1912, 1913 and 1914.

At step 1916, the server application will send back another JavaScript to check if there is a valid JWT.

At step 1917, JavaScript is used to determine if a valid server token (SJWT) exists. Determining if there is a valid authentication server, jwt, (SJWT) IAM server, returns to check if there is JavaScript for SJWT.

At step 1918, if it is determined that there is a valid server token, SJWT, then the browser may determine that they are in the domain of the login application. If there is a valid authentication server, JWT, then at step 1918 the JWT is obtained and signed with the second private key (Sv) generated in step 1817 of FIG. 18. If there is a SJWT, then it can be used to make a signed call to the IAM to get a BJWT.

At step 1919, the browser sends a signed request to the IAM using the refresh endpoint, since it is determined that there is a valid SJWT. The request is signed by Sv and the authorization header has SJWT [ id ═ abc ].

At step 1920, the IAM server retrieves the id from the SJWT and obtains the public key for the key "abc" from the database. This is used to match the signature of the API call. If the signature is valid, then the IAM creates a BJWT with id ═ pqr', and stores Bb for the key "pqr" in the IAM database.

At step 1921, BJWT is returned to the browser and the user is directed to application B with BJWT [ id ═ pqr' ] to make any signed calls. Verification proceeds similarly to how signature verification is done with a refresh endpoint.

As disclosed in an example embodiment, a public key stored in a database is used to verify a public key stored in a server database and associated with a login session and a digital signature including a private key. The server will check, for example, the time stamp information of the signed material to ensure that the material was most recently signed. Upon successful verification of that digital signature, authentication is invoked.

In both example embodiments of logging in to the first application and logging in to the second application, the private key of the first key pair is stored only on the browser side.

A separate public key is obtained for each application because the private key for application B is in the domain of application B and the private key for application a is in the domain of application a. The script that calls application B cannot access application a's private key. The script that calls application a cannot access application B's private key. Thus, each application has its own public key in order to obtain a private token.

Computer system

Fig. 13, 14, and 15 illustrate exemplary hardware and/or software configurations used in various embodiments.

Fig. 13 illustrates a simplified diagram of a distributed system for implementing some example embodiments. In the illustrated embodiment, the distributed system 1300 includes one or more client computing devices 1302, 1304, 1306, and 1308 configured to execute and operate client applications, such as web browsers, proprietary clients (e.g., Oracle Forms), and the like, over one or more networks 1310. A server 1312 may be communicatively coupled to remote client computing devices 1302, 1304, 1306 and 1308 via a network 1310.

In various embodiments, the server 1312 may be adapted to run one or more services or software applications, such as services and applications that provide code and/or data for performing efficient application configuration patching for applications executing at the server 1312 or another server. In some embodiments, the server 1312 may also provide other services or software applications that may include non-virtual and virtual environments. In some embodiments, these services may be provided to users of client computing devices 1302, 1304, 1306, and/or 1308 as web-based or cloud services or under a software as a service (SaaS) model. A user operating client computing devices 1302, 1304, 1306 and/or 1308, in turn, can interact with server 1312 using one or more client applications to take advantage of the services provided by these components.

In the configuration depicted in fig. 13, the software components 1318, 1320, and 1322 of the system 1300 are shown as being implemented on the server 1312. As one example, one or more of the components (e.g., software component 1318) may be a configuration patch module or a binary patch module as discussed throughout this application.

In other embodiments, one or more components of system 1300 and/or services provided by such components may also be implemented by one or more of client computing devices 1302, 1304, 1306 and/or 1308. A user operating the client computing device may then utilize one or more client applications to use the services provided by these components. These components may be implemented in hardware, firmware, software, or a combination thereof. It should be understood that a variety of different system configurations are possible, which may differ from distributed system 1300. Thus, the embodiment shown in FIG. 13 is one example, not limiting, of a distributed system for implementing the embodiment system.

Client computing devices 1302, 1304, 1306, and/or 1308 may include various types of computing systems. For example, the client computing devices may include portable handheld devices (e.g.,a cellular phone,Computing tablet, Personal Digital Assistant (PDA)) or wearable device (e.g., Google)Head mounted display) that operates a display device such as Microsoft WindowsSuch as iOS, Windows Phone, Android, BlackBerry, Palm OS, and/or various mobile operating systems. The device may support various applications, such as various internet-related applications, e-mail, Short Message Service (SMS) applications, and may use various other communication protocols. The client computing device may also include a general purpose personal computer, running various versions, as an exampleMicrosoft 、Apple And/or a personal computer and/or a laptop computer of a Linux operating system. The client computing devices may be running any of a variety of businessesOr UNIX-like operating systems (including but not limited to various GNU/Linux operating systems such as the Google Chrome OS). The client computing devices may also include electronic devices (such as thin client computers, internet-enabled gaming systems (e.g., with or without) capable of providing network(s) 1310 communicationsMicrosoft of gesture input deviceGame consoles) and/or personal messaging devices).

Although the distributed system 1300 in fig. 13 is shown with four client computing devices, any number of client computing devices may be supported. Other devices (e.g., devices with sensors, etc.) may interact with the server 1312.

Communication network(s) 1310 in distributed system 1300 may be any type of network that may support data communication using any of a variety of available protocols, including but not limited to TCP/IP (transmission control protocol/internet protocol), SNA (system network architecture), IPX (internet packet exchange), AppleTalk, etc. By way of example only, network(s) 1310 may be a Local Area Network (LAN), an Ethernet-based network, a token ring, a Wide Area Network (WAN), the Internet, a virtual network, a Virtual Private Network (VPN), an intranet, an extranet, a Public Switched Telephone Network (PSTN), Infrared (R) ((R))IR) networks, wireless networks (e.g., in any Institute of Electrical and Electronics Engineers (IEEE)802.11 protocol suite, With reference to FIGS,And/or any other network operating under a wireless protocol) and/or any combination of these and/or other networks.

The server 1312 may be comprised of one or more general purpose computers, special purpose server computers (including, by way of example, a PC (personal computer) server, a web server, or the like,Servers, midrange servers, mainframe computers, rack-mounted servers, etc.), server farms, server clusters, or any other suitable arrangement and/or combination. The server 1312 may include one or more virtual machines running a virtual operating system, or other computing architecture involving virtualization. One or more flexible logical storage pools may be virtualized to maintain virtual storage for the servers. The virtual network may be controlled by the server 1312 using software-defined networking. In various embodiments, the server 1312 may be adapted to run one or more services or software applications described in the foregoing disclosure.

The server 1312 can run an operating system that includes any of the operating systems discussed above, as well as any commercially available server operating system. The server 1312 can also run any of a variety of additional server applications and/or intermediate tier applications, including an HTTP (HyperText transfer protocol) server, an FTP (File transfer protocol) server, a CGI (common gateway interface) server, a Web site, and a Web site, a client, a server, a client, a server, a network, a client, a server, a network, a server, a client, a network, a server, a network, a server, a network, a server, a network, a server, a network, a,Servers, database servers, etc. Exemplary database servers include, but are not limited to, database servers commercially available from Oracle, Microsoft, Sybase, IBM (International Business machines), and the like.

Distributed system 1300 may also include one or more databases 1314 and 1316. These databases may provide mechanisms for storing information such as user interaction information, usage pattern information, adaptation rule information, and other information used by example embodiments. Databases 1314 and 1316 may reside in various locations. For example, one or more of the databases 1314 and 1316 may reside on non-transitory storage media local to (and/or resident in) the server 1312. Alternatively, the databases 1314 and 1316 may be remote from the server 1312 and in communication with the server 1312 via a network-based or dedicated connection. In one set of embodiments, databases 1314 and 1316 may reside in a Storage Area Network (SAN). Similarly, any necessary files for performing the functions attributed to the server 1312 can be stored locally on the server 1312 and/or remotely, as appropriate. In one set of embodiments, databases 1314 and 1316 may include a relational database, such as the database provided by Oracle, adapted to store, update, and retrieve data in response to SQL-formatted commands. Databases 1314 and 1316, however, may provide relational databases, object-oriented databases, object-relational databases, NoSQL databases, and the like, and may or may not be SQL-based. For example, databases 1314 and/or 1316 may be Oracle databases, PostgreSQL, Microsoft SQL Server, MySQL, MemSQL, Memcached, Redis, MongoDB, BigTable, Cassandra, DB2, Solr, and the like.

In some embodiments, code and/or data for performing efficient application configuration patching may be provided as a service via a cloud environment. Fig. 14 is a simplified block diagram of one or more components of a system environment 1400 in which a service may be provided as a cloud service, according to some embodiments of the present disclosure. In the embodiment illustrated in FIG. 14, system environment 1400 includes one or more client computing devices 1404, 1406, and 1408, which a user may use to interact with a cloud infrastructure system 1402 that provides cloud services. Further, in some embodiments, the "client" computing devices 1404, 1406, 1408 may actually be server computers that act as clients in a client-server relationship, where the servers may provide application configuration patching services. Cloud infrastructure system 1402 can include one or more computers and/or servers, which can include those described above with respect to server 1312.

It should be appreciated that the cloud infrastructure system 1402 depicted in fig. 14 may have other components than those depicted. Additionally, the embodiment shown in fig. 14 is one example of a cloud infrastructure system in which example embodiments may be incorporated. In some other embodiments, cloud infrastructure system 1402 may have more or fewer components than shown in the figure, may combine two or more components, or may have a different configuration or arrangement of components.

Client computing devices 1404, 1406, and 1408 may be similar devices to those described above for 1302, 1304, 1306, and 1308. Client computing devices 1404, 1406, and 1408 may be configured to operate client applications, such as a web browser, a proprietary client application (e.g., Oracle Forms), or some other application, which may be used by users of the client computing devices to interact with cloud infrastructure system 1402 to use services provided by cloud infrastructure system 1402. Although exemplary system environment 1400 is shown with three client computing devices, any number of client computing devices may be supported. Other devices (such as devices with sensors, etc.) may interact with cloud infrastructure system 1402.

Communication network(s) 1310 may facilitate communication and data exchange between clients 1404, 1406, and 1408 and cloud infrastructure system 1402. Each network may be any type of network that may support data communications using any of a variety of commercially available protocols, including those described above for communication network(s) 1310.

In certain embodiments, the services provided by cloud infrastructure system 1402 may include a large number of services made available to users of the cloud infrastructure system on demand. In addition to services related to providing code and/or data to perform efficient application configuration patching operations, various other services may be provided, including but not limited to online data storage and backup solutions, Web-based email services, hosted office suites and document collaboration services, database processing, managed technical support services, and so forth. The services provided by the cloud infrastructure system can be dynamically expanded to meet the needs of its users.

In certain embodiments, the specific instantiation of a service provided by cloud infrastructure system 1402 may be referred to herein as a "service instance. In general, any service made available to a user from a cloud service provider's system via a communication network (such as the internet) is referred to as a "cloud service". Typically, in a public cloud environment, the servers and systems that make up the cloud service provider system are distinct from the customer's own local servers and systems. For example, a cloud service provider's system may host an application, and a user may order and use the application on demand over a communication network, such as the internet.

In some examples, services in a computer network cloud infrastructure may include protected computer network access to storage, hosted databases, hosted web servers, software applications, or other services provided to users by cloud providers, or as otherwise known in the art. For example, the service may include password-protected access to remote storage on the cloud over the internet. As another example, a service may include a hosted relational database based on web services and a scripting language middleware engine for private use by networked developers. As another example, the service may include access to an email software application hosted on a website of the cloud provider.

In certain embodiments, cloud infrastructure system 1402 may include application suites, middleware, and database services products that are delivered to consumers in a self-service, subscription-based, elastically extensible, reliable, highly available, and secure manner. An example of such a Cloud infrastructure system is the Oracle Public Cloud (Oracle Public Cloud) provided by the present assignee.

Cloud infrastructure system 1402 may also provide computing and analysis services related to "big data". The term "big data" is used generally to refer to an extremely large set of data that can be stored and manipulated by analysts and researchers to visualize large amounts of data, detect trends, and/or otherwise interact with data. Such large data and related applications may be hosted and/or manipulated by the infrastructure system on many levels and different scales. Tens, hundreds, or thousands of processors linked in parallel may act on such data to render it or simulate an external force on the data or the content it represents. These data sets may relate to structured data, such as data organized in a database or otherwise according to a structured model, and/or unstructured data (e.g., emails, images, data blobs (binary large objects), web pages, complex event processing). By taking advantage of the ability of embodiments to relatively quickly focus more (or less) computing resources on a target, the cloud infrastructure system may be better used to perform tasks on large data sets based on demand from a business, government agency, research organization, private individual, a group of like-minded individuals or organizations, or other entity.

In various embodiments, cloud infrastructure system 1402 may be adapted to automatically provision, manage, and track a customer's subscription to services provided by cloud infrastructure system 1402. Cloud infrastructure system 1402 can provide cloud services via different deployment models. For example, the service may be provided under a public cloud model, where cloud infrastructure system 1402 is owned by an organization that sells cloud services (e.g., owned by Oracle corporation) and makes the service available to the general public or a different industrial enterprise. As another example, the services may be provided under a private cloud model, where cloud infrastructure system 1402 operates only for a single organization and may provide services for one or more entities within the organization. Cloud services may also be provided under a community cloud model, where cloud infrastructure system 1402 and the services provided by cloud infrastructure system 1402 are shared by several organizations in a related community. The cloud services may also be provided under a hybrid cloud model, which is a combination of two or more different models.

In some embodiments, the services provided by the cloud infrastructure system 1402 may include one or more services provided under a software as a service (SaaS) category, a platform as a service (PaaS) category, an infrastructure as a service (IaaS) category, or other categories of services including hybrid services. A customer, via a subscription order, may order one or more services provided by cloud infrastructure system 1402. Cloud infrastructure system 1402 then performs processing to provide the services in the customer's subscription order.

In some embodiments, the services provided by cloud infrastructure system 1402 may include, but are not limited to, application services, platform services, and infrastructure services. In some examples, application services may be provided by a cloud infrastructure system via a SaaS platform. The SaaS platform may be configured to provide cloud services belonging to the SaaS category. For example, the SaaS platform may provide the ability to build and deliver on-demand application suites on an integrated development and deployment platform. The SaaS platform may manage and control the underlying software and infrastructure used to provide the SaaS services. By utilizing the services provided by the SaaS platform, consumers can utilize applications executing on the cloud infrastructure system. The consumer can obtain the application service without the consumer separately purchasing licenses and support. Various different SaaS services may be provided. Examples include, but are not limited to, services that provide solutions for sales performance management, enterprise integration, and business flexibility for large organizations.

In some embodiments, platform services may be provided by the cloud infrastructure system 1402 via a PaaS platform. The PaaS platform may be configured to provide cloud services belonging to the PaaS category. Examples of platform services may include, but are not limited to, services that enable organizations (such as Oracle) to integrate existing applications on a shared common architecture, and the ability to build new applications with shared services provided by the platform. The PaaS platform may manage and control the underlying software and infrastructure used to provide PaaS services. A consumer may obtain PaaS services provided by cloud infrastructure system 1402 without requiring the consumer to purchase separate licenses and support. Examples of platform services include, but are not limited to, Oracle Java Cloud Service (JCS), Oracle database cloud service (DBCS), and others.

By leveraging the services provided by the PaaS platform, consumers can employ programming languages and tools supported by the cloud infrastructure system and also control the deployed services. In some embodiments, the platform services provided by the cloud infrastructure system may include database cloud services, Middleware cloud services (e.g., OracleFusion Middleware services), and Java cloud services. In one embodiment, the database cloud service may support a shared service deployment model that enables an organization to aggregate database resources and provide database as a service (DaaS) to consumers in the form of a database cloud. The middleware cloud service may provide a platform for consumers to develop and deploy various business applications, and the Java cloud service may provide a platform for consumers to deploy Java applications in a cloud infrastructure system.

Various infrastructure services may be provided by an IaaS platform in a cloud infrastructure system. Infrastructure services facilitate management and control of underlying computing resources, such as storage, networks, and other basic computing resources, for consumers to utilize services provided by SaaS platforms and PaaS platforms.

In certain embodiments, cloud infrastructure system 1402 may also include infrastructure resources 1430 for providing resources used to provide various services to consumers of the cloud infrastructure system. In one embodiment, the infrastructure resources 1430 may include a pre-integrated and optimized combination of hardware (such as servers, storage, and networking resources) that perform services provided by PaaS platforms and SaaS platforms, as well as other resources.

In some embodiments, resources in cloud infrastructure system 1402 may be shared by multiple users and dynamically reallocated as needed. In addition, resources can be allocated to users in different time zones. For example, cloud infrastructure system 1402 may enable a first set of users within a first time zone to utilize resources of the cloud infrastructure system for a specified number of hours, and then enable re-allocation of the same resources to another set of users located in a different time zone, thereby maximizing utilization of the resources.

In certain embodiments, multiple internal shared services 1432 may be provided that are shared by different components or modules of cloud infrastructure system 1402 to enable provisioning of services by cloud infrastructure system 1402. These internal sharing services may include, but are not limited to, security and identity services, integration services, enterprise repository services, enterprise manager services, virus scanning and whitelisting services, high availability, backup and restore services, services for enabling cloud support, email services, notification services, file transfer services, and the like.

In certain embodiments, the cloud infrastructure system 1402 may provide integrated management of cloud services (e.g., SaaS, PaaS, and IaaS services) in the cloud infrastructure system. In one embodiment, cloud management functionality may include the ability to provision, manage, and track subscriptions of consumers received by cloud infrastructure system 1402, and the like.

In one embodiment, as depicted in fig. 14, cloud management functionality may be provided by one or more modules, such as an order management module 1420, an order orchestration module 1422, an order provisioning module 1424, an order management and monitoring module 1426, and an identity management module 1428. These modules may include or may be provided using one or more computers and/or servers, which may be general purpose computers, special purpose server computers, server farms, server clusters, or any other suitable arrangement and/or combination.

In an exemplary operation, at 1434, a customer using a client device, such as client device 1404, 1406, or 1408, may interact with cloud infrastructure system 1402 by requesting one or more services provided by cloud infrastructure system 1402 and placing an order for a subscription to the one or more services provided by cloud infrastructure system 1402. In some embodiments, the consumer may access a cloud User Interface (UI) such as cloud UI 1412, cloud UI 1414, and/or cloud UI1416 and place a subscription order via these UIs. The order information received by cloud infrastructure system 1402 in response to a customer placing an order may include information identifying the customer and one or more services provided by cloud infrastructure system 1402 to which the customer intends to subscribe.

At 1436, the order information received from the customer may be stored in order database 1418. If this is a new order, a new record may be created for the order. In one embodiment, order database 1418 may be one of several databases operated by cloud infrastructure system 1418 and operated in conjunction with other system elements.

At 1438, the order information may be forwarded to the order management module 1420, and the order management module 1420 may be configured to perform billing and accounting functions related to the order, such as validating the order and, when validated, booking the order.

At 1440, information about the order may be communicated to the order orchestration module 1422, the order orchestration module 1422 configured to orchestrate the provision of services and resources for the order placed by the customer. In some cases, the order orchestration module 1422 may use the services of the order provisioning module 1424 for provisioning. In certain embodiments, the order orchestration module 1422 enables management of the business processes associated with each order, and applies business logic to determine whether the order should continue to be provisioned.

As shown in the embodiment depicted in fig. 14, at step 1442, upon receiving a newly subscribed order, the order orchestration module 1422 sends a request to the order provisioning module 1424 to allocate resources and configure the resources needed to fulfill the order. The order provisioning module 1424 enables the allocation of resources for services ordered by the customer. The order provisioning module 1424 provides a level of abstraction between the cloud services provided by the cloud infrastructure system 1400 and the physical implementation layers used to provision the resources for providing the requested services. This enables the order orchestration module 1422 to be isolated from implementation details, such as whether services and resources are actually provisioned in real-time, or pre-provisioned and allocated/assigned upon request.

At 1444, once the services and resources are provisioned, a notification may be sent to the subscribed consumer indicating that the requested service is now ready for use. In some cases, information (e.g., a link) may be sent to the consumer that enables the consumer to begin using the requested service.

At 1446, the customer's subscription orders may be managed and tracked by the order management and monitoring module 1426. In some cases, order management and monitoring module 1426 may be configured to collect usage statistics regarding the customer's use of subscribed services. For example, statistics may be collected for the amount of storage used, the amount of data transferred, the number of users, and the amount of system startup time and system shutdown time, among others.

In certain embodiments, cloud infrastructure system 1400 may include an identity management module 1428 configured to provide identity services, such as access management and authorization services in cloud infrastructure system 1400. In some embodiments, identity management module 1428 may control information about consumers who wish to utilize services provided by cloud infrastructure system 1402. Such information may include information that authenticates the identity of the consumers and information that describes actions that those consumers are authorized to perform with respect to various system resources (e.g., files, directories, applications, communication ports, memory segments, etc.). The identity management module 1428 may also include descriptive information about each consumer and management of how and by whom the descriptive information is accessed and modified.

Fig. 15 illustrates an exemplary computer system 1500 that may be used to implement certain components according to some example embodiments. In some embodiments, computer system 1500 may be used to implement any of the various servers and computer systems described above. As shown in fig. 15, computer system 1500 includes various subsystems, including a processing unit 1504 that communicates with a number of peripheral subsystems via a bus subsystem 1502. These peripheral subsystems may include a processing acceleration unit 1506, an I/O subsystem 1508, a storage subsystem 1518, and a communication subsystem 1524. The storage subsystem 1518 may include a tangible computer readable storage medium 1522 and a system memory 1510.

Bus subsystem 1502 provides a mechanism for the various components and subsystems of computer system 1500 to communicate with one another as desired. Although bus subsystem 1502 is shown schematically as a single bus, alternative embodiments of the bus subsystem may utilize multiple buses. The bus subsystem 1502 may be any of several types of bus structures including a memory bus or memory controller, a peripheral bus, and a local bus using any of a variety of bus architectures. For example, such architectures can include an Industry Standard Architecture (ISA) bus, a Micro Channel Architecture (MCA) bus, an enhanced ISA (eisa) bus, a Video Electronics Standards Association (VESA) local bus, and a Peripheral Component Interconnect (PCI) bus, which can be implemented as a Mezzanine bus manufactured according to the IEEE P1386.1 standard, or the like.

Processing subsystem 1504 controls the operation of computer system 1500 and may include one or more processing units 1532, 1534, and so forth. The processing unit may include one or more processors, including single-core or multi-core processors, one or more cores of a processor, or a combination thereof. In some embodiments, processing subsystems 1504 may include one or more special-purpose coprocessors, such as a Graphics Processor (GPU), a Digital Signal Processor (DSP), or the like. In some embodiments, some or all of the processing units of processing subsystem 1504 may be implemented with custom circuitry, such as an Application Specific Integrated Circuit (ASIC) or a Field Programmable Gate Array (FPGA).

In some embodiments, the processing units in processing subsystem 1504 may execute instructions stored in system memory 1510 or on computer-readable storage medium 1522. In various embodiments, the processing unit may execute various programs or code instructions and may maintain multiple concurrently executing programs or processes. At any given time, some or all of the program code to be executed can reside in the system memory 1510 and/or on computer-readable storage media 1522, potentially included on one or more storage devices. With appropriate programming, the processing subsystem 1504 may provide the various functions described above for performing efficient application configuration patching operations.

In some embodiments, a processing acceleration unit 1506 may be provided for performing customized processing or for offloading some of the processing performed by processing subsystem 1504 in order to accelerate the overall processing performed by computer system 1500.

I/O subsystem 1508 may include devices and machines for inputting information to computer system 1500 and/or for outputting information from or via computer system 1500And (5) preparing. In general, use of the term "input device" is intended to include all possible types of devices and mechanisms for inputting information to computer system 1500. User interface input devices may include, for example, a keyboard, a pointing device such as a mouse or trackball, a touch pad or screen incorporated into the display, a scroll wheel, a click wheel, a dial, buttons, switches, a keypad, an audio input device with voice command recognition system, a microphone, and other types of input devices. The user interface input device may also include a user interface such as Microsoft Windows (R) for enabling a user to control and interact with the input deviceMotion sensing and/or gesture recognition device for a motion sensor, Microsoft360 game controller, a device providing an interface for receiving input using gestures and spoken commands. The user interface input device may also include an eye gesture recognition device, such as to detect eye activity from the user (e.g., "blinks" when taking pictures and/or making menu selections) and translate eye gestures into input devices (e.g., Google)) Input of GoogleA blink detector. In addition, the user interface input devices may include devices that enable a user to interact with a speech recognition system (e.g.,navigator) an interactive voice recognition sensing device.

Other examples of user interface input devices include, but are not limited to, three-dimensional (3D) mice, joysticks or pointers, game pads and graphics tablets, and audio/video devices such as speakers, digital cameras, digital video cameras, portable media players, webcams, image scanners, fingerprint scanners, barcode readers, 3D scanners, 3D printers, laser rangefinders, and eye gaze tracking devices. Further, the user interface input device may comprise, for example, a medical imaging input device, such as a computed tomography, magnetic resonance imaging, positional emission tomography, medical ultrasound examination device. User interface input devices may also include, for example, audio input devices such as MIDI keyboards, digital musical instruments, and the like.

The user interface output devices may include a display subsystem, indicator lights, or a non-visual display such as an audio output device. The display subsystem may be a Cathode Ray Tube (CRT), a flat panel device such as one that utilizes a Liquid Crystal Display (LCD) or a plasma display, a projection device, a touch screen, or the like. In general, use of the term "output device" is intended to include all possible types of devices and mechanisms for outputting information from computer system 1500 to a user or other computer. For example, user interface output devices may include, but are not limited to, various display devices that visually convey text, graphics, and audio/video information, such as monitors, printers, speakers, headphones, car navigation systems, plotters, voice output devices, and modems.

Storage subsystem 1518 provides a repository or data store for storing information used by computer system 1500. Storage subsystem 1518 provides a tangible, non-transitory computer-readable storage medium for storing the basic programming and data structures that provide the functionality of some embodiments. Software (programs, code modules, instructions) that when executed by processing subsystem 1504 provide the functionality described above may be stored in storage subsystem 1518. The software may be executed by one or more processing units of processing subsystem 1504. Storage subsystem 1518 may also provide a repository for storing data used in accordance with example embodiments.

Storage subsystem 1518 may include one or more non-transitory memory devices, including volatile and non-volatile memory devices. As shown in fig. 15, the storage subsystem 1518 includes a system memory 1510 and computer-readable storage media 1522. The system memory 1510 may include a number of memories including a volatile main Random Access Memory (RAM) for storing instructions and data during program execution and a non-volatile Read Only Memory (ROM) or flash memory in which fixed instructions are stored. In some implementations, a basic input/output system (BIOS), containing the basic routines that help to transfer information between elements within computer system 1500, such as during start-up, may be stored in ROM. RAM typically contains data and/or program modules that are currently operated on and executed by processing subsystem 1504. In some implementations, the system memory 1510 may include a plurality of different types of memory, such as Static Random Access Memory (SRAM) or Dynamic Random Access Memory (DRAM).

By way of example, and not limitation, as depicted in fig. 15, system memory 1510 may store application programs 1512, which may include client applications, Web browsers, middle tier applications, a relational database management system (RDBMS), and the like, program data 1514, and operating system 1516. By way of example, the operating system 1516 may include various versions of Microsoft WindowsAppleAnd/or Linux operating system, various commercial productsOr UNIX-like operating systems (including but not limited to various GNU/Linux operating systems, Google)OS, etc.) and/or a compound such as iOS,Phone、OS、10OS anda mobile operating system of the OS operating system.

The computer-readable storage medium 1522 may store programming and data structures that provide the functionality of some embodiments. Software (programs, code modules, instructions) that, when executed by processing subsystem 1504, cause the processor to provide the functionality described above may be stored in storage subsystem 1518. By way of example, the computer-readable storage medium 1522 may include non-volatile memory, such as a hard disk drive, a magnetic disk drive, such as a CD ROM, DVD, Blu-Optical disc drives for (blu-ray) discs or other optical media. The computer-readable storage medium 1522 may include but is not limited to,drives, flash memory cards, Universal Serial Bus (USB) flash drives, Secure Digital (SD) cards, DVD disks, digital video tapes, and the like. The computer-readable storage medium 1522 may also include non-volatile memory based Solid State Drives (SSDs) (such as flash memory based SSDs, enterprise flash drives, solid state ROMs, etc.), volatile memory based SSDs (such as solid state RAM, dynamic RAM, static RAM, DRAM based SSDs, magnetoresistive RAM (mram) SSDs), and hybrid SSDs that use a combination of DRAM based and flash memory based SSDs. Computer readable media 1522 may provide storage of computer readable instructions, data structures, program modules and other data for computer system 1500.

In certain embodiments, the storage subsystem 1500 may also include a computer-readable storage media reader 1520, which may be further connected to a computer-readable storage medium 1522. Optionally, together with and in combination with system memory 1510, computer-readable storage media 1522 may comprehensively represent remote, local, fixed, and/or removable storage devices plus storage media for storing computer-readable information.

In some embodiments, computer system 1500 may provide support for executing one or more virtual machines. Computer system 1500 may execute programs, such as a hypervisor, to facilitate configuration and management of virtual machines. Each virtual machine may be allocated memory, compute (e.g., processor, kernel), I/O, and networking resources. Each virtual machine typically runs its own operating system, which may be the same or different from the operating systems executed by the other virtual machines executed by computer system 1500. Accordingly, multiple operating systems can potentially be run concurrently by computer system 1500. Each virtual machine typically runs independently of the other virtual machines.

The communication subsystem 1524 provides an interface to other computer systems and networks. The communication subsystem 1524 serves as an interface for receiving data from and sending data to the other systems of the computer system 1500. For example, communication subsystem 1524 may enable computer system 1500 to establish a communication channel to one or more client devices via the internet for receiving information from the client devices and transmitting information to the client devices.

The communication subsystem 1524 may support both wired and/or wireless communication protocols. For example, in certain embodiments, the communication subsystem 1524 may include Radio Frequency (RF) transceiver components, Global Positioning System (GPS) receiver components, and/or other components for accessing wireless voice and/or data networks (e.g., using cellular telephone technology, advanced data network technologies such as 3G, 4G, or EDGE (enhanced data rates for global evolution), WiFi (IEEE802.11 family of standards), or other mobile communication technologies, or any combination thereof).

The communication subsystem 1524 may receive and transmit data in a variety of forms. For example, in some embodiments, the communication subsystem 1524 may receive input communications in the form of structured and/or unstructured data feeds 1526, event streams 1528, event updates 1530, and the like. For example, the communication subsystem 1524 may be configured to be in real-timeFrom users of a social media network and/orFeeding,Updates, other communication services such as web feeds of Rich Site Summary (RSS) feeds receive (or send) data feeds 1526, and/or real-time updates from one or more third-party information sources.

In some embodiments, the communication subsystem 1524 may be configured to receive data without an explicit end that may be continuous or unbounded in nature in the form of a continuous data stream, which may include an event stream 1528 of real-time events and/or event updates 1530. Examples of applications that generate continuous data may include, for example, sensor data applications, financial tickers, network performance measurement tools (e.g., network monitoring and traffic management applications), click stream analysis tools, automotive traffic monitoring, and so forth.

The communication subsystem 1524 may also be configured to output structured and/or unstructured data feeds 1526, event streams 1528, event updates 1530, etc. to one or more databases, which may be in communication with one or more streaming data source computers coupled to the computer system 1500.

Computer system 1500 may be one of various types, including a hand-portable device (e.g.,a cellular phone,Computing tablet, PDA), wearable device (e.g., Google)Head mounted display), personal computer, workstation, mainframe, kiosk, server rack, or any other data processing system.

Due to the ever-changing nature of computers and networks, the description of computer system 1500 depicted in FIG. 15 is intended only as a specific example. Many other configurations are possible with more or fewer components than the system depicted in fig. 15. There may be other ways and/or methods to implement the various embodiments.

While specific example embodiments have been described, various modifications, alterations, alternative constructions, and equivalents are also encompassed within the scope of the example embodiments. The example embodiments are not limited to operating within certain specific data processing environments, but may operate freely within multiple data processing environments. Further, although embodiments have been described using a particular series of transactions and steps, example embodiments are not limited to the series of transactions and steps described. Various features and aspects of the above-described embodiments may be used alone or in combination.

Additionally, although embodiments have been described using a particular combination of hardware and software, it should be recognized that other combinations of hardware and software are also within the scope of the example embodiments. Embodiments may be implemented in hardware only, or in software only, or with a combination thereof. The various processes described herein may be implemented on the same processor or on different processors in any combination. Thus, where a component or module is described as being configured to perform certain operations, such configuration may be achieved, for example, by designing an electronic circuit to perform the operations, by programming a programmable electronic circuit (such as a microprocessor) to perform the operations, or any combination thereof. The processes may communicate using a variety of techniques, including but not limited to conventional techniques for inter-process communication (IPC), and different pairs of processes may use different techniques, or the same pair of processes may use different techniques at different times.

The specification and drawings are, accordingly, to be regarded in an illustrative rather than a restrictive sense. It will, however, be evident that additions, subtractions, deletions, and other modifications and changes may be made thereto without departing from the broader spirit and scope as set forth in the claims. Thus, while specific example embodiments have been described, these embodiments are not intended to be limiting. Various modifications and equivalents are within the scope of the following claims.

51页详细技术资料下载

上一篇：一种医用注射器针头装配设备

下一篇：用于恢复网络关联信息的方法和装置

Browser login session via non-extractable asymmetric keys

相关技术

网友询问留言