
Method to monitor sensitive web embedded code authenticity

Patent number
US11997079B2
Publication date
2024-05-28
Applicant
THALES DIS FRANCE SAS(FR Meudon)
發(fā)明人
Olivier Tesson; Patrick George; Sridhar Bhupathiraju; Anthony Ferrari
IPC classification
H04L9/40; H04L67/02
Technical field (keywords)
broker,token,provider,end,brk,identity,front,contextual,user,script
Region: Meudon

Abstract

Mechanism to enable an Identity Provider having an authorization gateway and an authentication interface to control the download and the execution of an authentication script component managed by a broker or by a service provider.

Description

FIELD OF THE INVENTION

The present invention relates to a method to control the download and the execution of an authentication script component managed by a broker or a service provider.

BACKGROUND OF THE INVENTION

In known infrastructures where authentication is required, identity providers distribute pre-defined web authentication methods to third parties, named brokers in the following. Such web authentication methods are implemented as scripts, typically ECMAScript such as JavaScript, embedded in the broker's login web page. The identity provider requires an authenticity check of these scripts, since they implement the user authentication logic.

Known infrastructures implement more and more brokers. As defined in the CIO essential guide “The history of cloud computing and what's coming next”, a broker is a software application that facilitates the distribution of work between different service providers. Brokers are particularly used in the context of cloud infrastructure, where they can be qualified as cloud brokers or cloud agents.

Such brokers have various functions and evolve regularly according to the needs of service providers and end-users.

For example, a broker is responsible for performing a search on behalf of end-users. Once such a search has been completed, the broker presents the customer with a short list of recommended cloud providers, and the customer contacts the vendor(s) of choice to arrange service.

Claims

The invention claimed is:

1. A method to enable an Identity Provider having an authorization gateway and an authentication interface to verify authenticity of an authentication script component that is used by a user agent active in a web browser to issue authentication API calls and that is managed by a broker or by a service provider, said method comprising:

   for the broker, after reception of a request to get a web application login page from a user agent, requesting a pre-authorization at the Authorization Gateway with a broker identifier and contextual information relative to at least an end-user connection, receiving a random token in answer, requesting the creation of an authentication front end script on the basis of the random token at a front-end delivery, said front-end delivery being able to retrieve currently observed contextual information at the user agent, embedding the random token and the URL for the authentication front-end in the web application login page and sending the web application login page to the user agent,

   for the front-end delivery, while receiving a request for an authentication front end including the token from the broker, sending the token and the contextual information to the authorization gateway, and generating the authentication front end script embedding the token and the broker identifier, and providing the authentication front end script and the URL for the login page to the broker, and while receiving an authentication request to get the URL of the authentication front end with a token, provisioning the authentication front end to the user agent,

   for the authentication interface, while receiving, from the user-agent, calls for authentication including at least the broker identifier, the token and the currently observed contextual information, checking the currently observed contextual information, the broker identifier and the token, the authentication being positive if the currently observed contextual information and the broker identifier correspond to the contextual information and broker identifier received in the pre-authorization request and if the token in the API call corresponds to the random token sent in answer to the pre-authorization request (PA), and processing the request in case of positive authentication.

2. The method according to claim 1, comprising the additional step of, for the front-end delivery of the web application, once the Authentication front-end is downloaded to the publication URL in answer to the request to get the URL from the user agent, confirming to the Authorization Gateway that the AFE has been downloaded.

3. The method according to claim 2, comprising the further step of, for the Authorization Gateway, updating a status flag for the authentication front-end to a delivered status.

4. The method according to claim 1, wherein the front-end delivery is in the broker trust boundaries.

5. The method according to claim 1, wherein the front-end delivery is on the identity provider's core service back-end.

6. The method according to claim 1, wherein the broker, when embedding the URL of the authentication front-end, also embeds integrity data in the web application login page to enable a sub resource integrity check.

7. The method according to claim 6, comprising an additional step of, for the user agent, validating the authentication front-end integrity using a sub resource integrity check after reception of the authentication front-end.

8. The method according to claim 2, wherein the front-end delivery is in the broker trust boundaries.

9. The method according to claim 3, wherein the front-end delivery is in the broker trust boundaries.

10. The method according to claim 2, wherein the front-end delivery is on the identity provider's core service back-end.

11. The method according to claim 3, wherein the front-end delivery is on the identity provider's core service back-end.
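The binding and integrity checks of claims 1, 6 and 7, as an added Python simulation that is not the patent's or Thales's code; the gateway session store, the broker identifier, the contextual fields and the AFE script shape are assumptions constructed for the illustration.

```python
import base64
import hashlib
import secrets

# Constructed sample contextual information captured at pre-authorization (PA).
PA_CONTEXT = {"client_ip": "203.0.113.7", "user_agent": "Mozilla/5.0"}
BROKER_ID = "broker-42"  # assumed broker identifier


class AuthorizationGateway:
    """Binds a random token to the broker id and context seen at PA, then
    accepts an API call only if token, broker id and context all match (claim 1)."""

    def __init__(self):
        self.sessions = {}  # token -> {"broker": ..., "context": ..., "status": ...}

    def pre_authorize(self, broker_id, context):
        token = secrets.token_urlsafe(32)  # unguessable, one per login page
        self.sessions[token] = {"broker": broker_id, "context": dict(context), "status": "issued"}
        return token

    def mark_delivered(self, token):
        """Status flag update once the AFE has been downloaded (claims 2-3)."""
        self.sessions[token]["status"] = "delivered"

    def check(self, broker_id, token, observed_context):
        s = self.sessions.get(token)
        return (s is not None and s["status"] == "delivered"
                and s["broker"] == broker_id and s["context"] == observed_context)


def build_afe(token, broker_id):
    """Front-end delivery: AFE script embedding the token and the broker id."""
    return f"window.AFE = {{token: '{token}', broker: '{broker_id}'}};"


def sri_hash(script):
    """Integrity value the broker embeds beside the AFE URL (claim 6)."""
    return "sha384-" + base64.b64encode(hashlib.sha384(script.encode()).digest()).decode()


def run_flow(observed_context, broker_id=BROKER_ID, tamper_script=False):
    """Simulate one login; returns True only on positive authentication."""
    gw = AuthorizationGateway()
    token = gw.pre_authorize(BROKER_ID, PA_CONTEXT)   # broker -> gateway (PA)
    afe = build_afe(token, BROKER_ID)                 # front-end delivery
    integrity = sri_hash(afe)                         # embedded in the login page
    gw.mark_delivered(token)
    served = afe + " /* modified in transit */" if tamper_script else afe
    if sri_hash(served) != integrity:                 # user agent SRI check (claim 7)
        return False
    # User agent issues the authentication API call with broker id, token and context.
    return gw.check(broker_id, token, observed_context)
```

A call whose context, broker identifier or script digest differs from what was recorded at pre-authorization is rejected, which is the property the claims rely on.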