US2023412596A1PendingUtilityA1

Transparently using origin isolation to protect access tokens

48
Assignee: FORGEROCK INCPriority: Sep 12, 2019Filed: Jun 26, 2023Published: Dec 21, 2023
Est. expirySep 12, 2039(~13.2 yrs left)· nominal 20-yr term from priority
Inventors:Jake Feasel
H04L 63/0884G06F 21/629H04L 67/2876G06F 9/54G06F 21/6218
48
PatentIndex Score
0
Cited by
0
References
0
Claims

Abstract

The disclosed technology teaches safely attaching an access token to a browser-based request from a first app loaded by a webpage, without exposing the token to malicious code loaded by the webpage, providing an identity proxy that transparently determines which network requests to relay and a secrets management proxy that provides access tokens transparently to the requests. The identity proxy intercepts an access request from the first app to the resource server and relays the request via the secrets management proxy, which forwards the request to the resource server with an access token, receives a response from the resource server and forwards the response to the identity proxy for return to the first app. The secrets management proxy is implemented in an iFrame that has isolated storage subject to a browser-enforced same origin policy that makes the isolated storage used by the iFrame inaccessible to malicious code on the webpage.

Claims

exact text as granted — not AI-modified
What is claimed is: 
     
         1 . A computer-implemented method of safely attaching an access token to a browser-based request to a resource server, made on behalf of a first app loaded by a webpage, without exposing the access token to a malicious app loaded by the webpage with the first app, including:
 providing an identity proxy and a secrets management proxy running in an iFrame on the browser that is running the first app, wherein
 the identity proxy transparently determines which network requests to relay via the secrets management proxy; and 
 the secrets management proxy provides access token management services transparently to the request when communicating with the resource server, including providing access tokens with resource requests to the resource server; 
   the identity proxy intercepting an access request from the first app to the resource server, determining to reroute, and relaying the access request via the secrets management proxy;   the secrets management proxy providing the access token management services on behalf of the request for interaction with the resource server and forwarding the request to the resource server with the access token attached; and   the secrets management proxy receiving a response from the resource server and forwarding the response to the identity proxy for return to the first app, without providing the access token to the first app or the malicious app.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.