-
Publication No.: US20240356985A1
Publication Date: 2024-10-24
Application No.: US18762541
Filing Date: 2024-07-02
Inventors: Gokul Ramanan Subramanian, Sayantan Chakravorty, Dennis Tighe, Carlos Alessandro Chiconato, Damian Wylie
IPC Classification: H04L9/40
CPC Classification: H04L63/20, H04L63/0807, H04L63/0876, H04L63/1483
Abstract: A connection-based service impersonates request-based security for requests from clients that do not include credentials for the requests (e.g., data plane requests made via a connection-oriented security). A connection between a client and a connection-based service is established based on connection credentials that are based on security credentials from a request-based security service. The credentials are sent by a security component of the service to a local agent of the remote security service to be authenticated by the security service. An impersonation token is returned by the security service and cached by the local agent. Requests from the client to perform operations do not include credentials. For each request, the service passes an identifier for the client and the operation to a local authorization component that calls the agent for authorization of the requested operation. The agent uses the impersonation token to obtain authorization for the requested operation.
-
Publication No.: US12058176B1
Publication Date: 2024-08-06
Application No.: US17161491
Filing Date: 2021-01-28
Inventors: Gokul Ramanan Subramanian, Sayantan Chakravorty, Dennis Tighe, Carlos Alessandro Chiconato, Damian Wylie
CPC Classification: H04L63/20, H04L63/0807, H04L63/0876, H04L63/1483
Abstract: A connection-based service impersonates request-based security for requests from clients that do not include credentials for the requests (e.g., data plane requests made via a connection-oriented security). A connection between a client and a connection-based service is established based on connection credentials that are based on security credentials from a request-based security service. The credentials are sent by a security component of the service to a local agent of the remote security service to be authenticated by the security service. An impersonation token is returned by the security service and cached by the local agent. Requests from the client to perform operations do not include credentials. For each request, the service passes an identifier for the client and the operation to a local authorization component that calls the agent for authorization of the requested operation. The agent uses the impersonation token to obtain authorization for the requested operation.
-