WO2020112989 - SYSTEMS AND METHODS FOR SECURELY CALLING APIS ON AN API GATEWAY FROM APPLICATIONS NEEDING FIRST PARTY AUTHENTICATION

Note: Text based on automatic Optical Character Recognition processes. Please use the PDF version for legal matters


CLAIMS

What is claimed is:

1. A method for securely calling APIs on an API gateway from computer applications that need first party authentication, comprising:

in an API gateway comprising at least one computer processor:

receiving, from a protected service, an authentication system token or an authentication system cookie identifier from an authentication system, a first plurality of user identifying attributes, and a request to create an oAuth access token, the request originating with a first party computer application;

creating an attribute string comprising at least one of the first plurality of user identifying attributes and the authentication system token or the authentication system cookie identifier;

encrypting the attribute string with a private key, resulting in the oAuth access token;

sending the oAuth access token to the first party computer application;

receiving, from the first party computer application, a request to access a backend service, a second plurality of user identifying attributes, and the oAuth access token;

decrypting the oAuth access token with the private key;

validating the decrypted oAuth access token;

inserting the authentication system token or the authentication system cookie identifier into the request to access; and

communicating the request to access and the authentication system token or the authentication system cookie identifier to the backend service.

2. The method of claim 1, wherein the first plurality of user identifying attributes comprise at least one of a device mac id, a device manufacturer, a device geo-location, a device operating system, a device operating system version, a device IP address, a user profile id, and a user id.

3. The method of claim 1, further comprising:

setting an expiration for the oAuth access token.

4. The method of claim 3, wherein the step of validating the decrypted oAuth access token comprises verifying that the oAuth access token has not expired.

5. The method of claim 1, wherein the backend service comprises a micro service, a SOA service, a REST service, a SOAP service, a monolith service, a standard routine, a standard function, a lambda function, or a procedure.

6. The method of claim 1, wherein a plurality of the user identifying attributes are concatenated in the attribute string in a random order.

7. The method of claim 1, wherein a plurality of the user identifying attributes are concatenated in the attribute string in a rotating order.

8. The method of claim 1, wherein the step of validating the decrypted oAuth access token comprises comparing the extracted values from the oAuth token to the second plurality of user identifying attributes.

9. The method of claim 1, wherein the backend service calls the authentication system to check if the authentication system token or the authentication system cookie identifier is valid, and further comprising:

receiving an error from the backend system in response to the authentication system token or the authentication system cookie identifier being invalid; and

sending an access grant denied error to the first party computer application.

10. A system for securely calling APIs on an API gateway from computer applications that need first party authentication, comprising:

a first party computer application;

an authentication system;

a protected service;

an API gateway; and

a backend service;

wherein:

the authentication system authenticates a user logging in to the first party computer application;

the authentication system creates a session and returns session details to the first party computer application;

the protected service receives a request involving the backend service from the first party computer application and a first plurality of user identifying attributes;

the protected service calls the API gateway to create an oAuth access token, passing the first plurality of user identifying attributes;

the API gateway creates an attribute string comprising at least one of the first plurality of user identifying attributes and the authentication system token or the authentication system cookie identifier;

the API gateway encrypts the attribute string with a private key, resulting in the oAuth access token;

the API gateway sends the oAuth access token to the first party computer application;

the API gateway receives, from the first party computer application, a request to access the backend service, a second plurality of user identifying attributes, and the oAuth access token;

the API gateway decrypts the oAuth access token with the private key;

the API gateway validates the decrypted oAuth access token;

the API gateway inserts the authentication system token or the authentication system cookie identifier into the request to access; and

the API gateway communicates the request to access and the authentication system token or the authentication system cookie identifier to the backend service.

11. The system of claim 10, wherein the first plurality of user identifying attributes comprise at least one of a device mac id, a device manufacturer, a device geo-location, a device operating system, a device operating system version, a device IP address, a user profile id, and a user id.

12. The system of claim 10, wherein the API gateway sets an expiration for the oAuth access token.

13. The system of claim 12, wherein the API gateway validates the decrypted oAuth access token by verifying that the oAuth access token has not expired.

14. The system of claim 12, wherein the backend service comprises a micro service, a SOA service, a REST service, a SOAP service, a monolith service, a standard routine, a standard function, a lambda function, or a procedure.

15. The system of claim 10, wherein a plurality of the user identifying attributes are concatenated in the attribute string in a random order.

16. The system of claim 10, wherein a plurality of the user identifying attributes are concatenated in the attribute string in a rotating order.

17. The system of claim 10, wherein the API gateway validates the decrypted oAuth access token by comparing the extracted values from the oAuth token to the second plurality of user identifying attributes.

18. The system of claim 10, wherein:

the backend service calls the authentication system to check if the authentication system token or the authentication system cookie identifier is valid;

the API gateway receives an error from the backend system in response to the authentication system token or the authentication system cookie identifier being invalid; and

the API gateway sends an access grant denied error to the first party computer application.
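The following is an added example written for this page; it is not code from the patent or its applicant. It implements the gateway-side flow the claims describe: building the attribute string from user identifying attributes, the authentication system's session identifier and an expiry (claims 1 and 3), encrypting it under a key only the gateway holds, then on each access request decrypting, checking expiry (claim 4), comparing the embedded attributes to the ones presented (claim 8), inserting the session identifier into the forwarded request, and mapping a backend "session invalid" error to an access grant denied response (claim 9). Everything outside the claims is an assumption: the three bound attribute names, the JSON encoding of the attribute string, the HTTP-style status codes, the in-memory session table standing in for the authentication system, and the cipher itself (HMAC-SHA256 in counter mode as a keystream plus a separate HMAC tag, chosen so the block runs with the standard library alone).

```python
# Added example, not part of the WO2020112989 text. Gateway mints an access token
# by authenticated-encrypting an "attribute string" under a key only it holds,
# validates it on each call, and forwards the session id to the backend.
# Stdlib only: HMAC-SHA256 in counter mode is the keystream, a second HMAC is the
# tag (encrypt-then-MAC). In production use a vetted AEAD such as AES-GCM.
import base64
import hashlib
import hmac
import json
import os
import time

BOUND_ATTRS = ("device_id", "device_os", "user_id")  # assumed subset of the claim 2 list
NONCE_LEN, TAG_LEN = 16, 32

def _subkey(key, label):
    # Independent encryption and MAC keys derived from the gateway's master key.
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(k_enc, nonce, n):
    # PRF in counter mode: HMAC(k_enc, nonce || counter) blocks, cut to n bytes.
    blocks = (hmac.new(k_enc, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, plaintext):
    # Encrypt-then-MAC; output is nonce || ciphertext || tag, URL-safe base64.
    k_enc, k_mac = _subkey(key, b"enc"), _subkey(key, b"mac")
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(k_enc, nonce, len(plaintext))))
    tag = hmac.new(k_mac, nonce + ct, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(nonce + ct + tag).decode()

def unseal(key, token):
    # Returns the plaintext, or None if the token is malformed, forged or tampered.
    try:
        raw = base64.urlsafe_b64decode(token.encode())
    except (ValueError, UnicodeEncodeError):
        return None
    if len(raw) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ct, tag = raw[:NONCE_LEN], raw[NONCE_LEN:-TAG_LEN], raw[-TAG_LEN:]
    k_enc, k_mac = _subkey(key, b"enc"), _subkey(key, b"mac")
    if not hmac.compare_digest(tag, hmac.new(k_mac, nonce + ct, hashlib.sha256).digest()):
        return None  # check the tag before touching the ciphertext
    return bytes(c ^ k for c, k in zip(ct, _keystream(k_enc, nonce, len(ct))))

def create_access_token(key, session_id, attrs, ttl_s=900, now=None):
    # Claims 1 and 3: attribute string (bound attributes + session id + expiry) -> token.
    now = time.time() if now is None else now
    attr_string = json.dumps(
        {"sid": session_id, "exp": now + ttl_s, "attrs": {k: attrs[k] for k in BOUND_ATTRS}},
        sort_keys=True, separators=(",", ":"))
    return seal(key, attr_string.encode())

def validate_access_token(key, token, presented, now=None):
    # Claims 4 and 8: decrypt, reject if expired, compare bound attributes with
    # those presented on this call. Returns (session_id, None) or (None, reason).
    now = time.time() if now is None else now
    pt = unseal(key, token)
    if pt is None:
        return None, "invalid_token"
    claims = json.loads(pt)
    if now >= claims["exp"]:
        return None, "expired"
    if any(claims["attrs"][k] != presented.get(k) for k in BOUND_ATTRS):
        return None, "attribute_mismatch"  # replayed from another device or user
    return claims["sid"], None

# Constructed stand-ins for the authentication system and the backend (claim 9).
AUTH_SESSIONS = {"sess-7f3a": "alice"}  # live session id -> user at the auth system

def backend_handle(session_id, path):
    # The backend re-checks the forwarded session id with the authentication system.
    if session_id not in AUTH_SESSIONS:
        return 401, "invalid_session"
    return 200, f"{AUTH_SESSIONS[session_id]}:{path}"

def gateway_request(key, token, presented, path, now=None):
    # Claim 1 access path: validate, insert session id, forward, map backend 401 to a denial.
    session_id, reason = validate_access_token(key, token, presented, now)
    if session_id is None:
        return 403, reason
    status, body = backend_handle(session_id, path)
    return (403, "access_grant_denied") if status == 401 else (status, body)

def tamper(token):
    # Flip one ciphertext bit: without the tag this would silently alter the attributes.
    raw = bytearray(base64.urlsafe_b64decode(token.encode()))
    raw[NONCE_LEN] ^= 0x01
    return base64.urlsafe_b64encode(bytes(raw)).decode()

if __name__ == "__main__":
    key, dev = os.urandom(32), {"device_id": "A1B2", "device_os": "Android 13", "user_id": "alice"}
    tok = create_access_token(key, "sess-7f3a", dev)
    print(gateway_request(key, tok, dev, "/accounts"))
    print(gateway_request(key, tamper(tok), dev, "/accounts"))
```

Three points a practitioner should take from the claims, and which the example makes explicit. First, the same key encrypts and decrypts in claims 1 and 10, so the "private key" is a symmetric secret that must never leave the gateway; this is not an asymmetric key pair. Second, encryption alone does not stop a client from flipping bits in the token, so the attribute comparison of claim 8 and the expiry check of claim 4 are only meaningful if the token is integrity-protected and the tag is verified before the ciphertext is decrypted and parsed. Third, with an authenticated, self-describing encoding of the attribute string the random or rotating concatenation order of claims 6, 7, 15 and 16 adds nothing the tag does not already give, so the example uses a fixed JSON layout instead. Binding to volatile attributes from the claim 2 list, such as device IP address or geo-location, will produce mismatches for mobile users whose network changes mid-session; the example binds to device and user identifiers only.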