Transparently using origin isolation to protect access tokens
Abstract
The disclosed technology teaches safely attaching an access token to a browser-based request from a first app loaded by a webpage, without exposing the token to malicious code loaded by the webpage, providing an identity proxy that transparently determines which network requests to relay and a secrets management proxy that provides access tokens transparently to the requests. The identity proxy intercepts an access request from the first app to the resource server and relays the request via the secrets management proxy, which forwards the request to the resource server with an access token, receives a response from the resource server and forwards the response to the identity proxy for return to the first app. The secrets management proxy is implemented in an iFrame that has isolated storage subject to a browser-enforced same origin policy that makes the isolated storage used by the iFrame inaccessible to malicious code on the webpage.
Claims
exact text as granted — not AI-modifiedWhat is claimed is:
1 . A computer-implemented method of safely attaching an access token to a browser-based request to a resource server, made on behalf of a first app loaded by a webpage, without exposing the access token to a malicious app loaded by the webpage with the first app, including:
providing an identity proxy and a secrets management proxy running in an iFrame on the browser that is running the first app, wherein
the identity proxy transparently determines which network requests to relay via the secrets management proxy; and
the secrets management proxy provides access token management services transparently to the request when communicating with the resource server, including providing access tokens with resource requests to the resource server;
the identity proxy intercepting an access request from the first app to the resource server, determining to reroute, and relaying the access request via the secrets management proxy; the secrets management proxy providing the access token management services on behalf of the request for interaction with the resource server and forwarding the request to the resource server with the access token attached; and the secrets management proxy receiving a response from the resource server and forwarding the response to the identity proxy for return to the first app, without providing the access token to the first app or the malicious app.Cited by (0)
No later patents cite this yet.
References (0)
No backward citations on record.