公开(公告)号：US11658983B2

公开(公告)日：2023-05-23

申请号：US16784802

申请日：2020-02-07

申请人： Microsoft Technology Licensing, LLC

发明人： Matthias Leibmann ,  Grigory V. Kaplin ,  Vikas Ahuja ,  Kapil Kumar Jain ,  Qinxiao Zhou ,  Ran Cheng

IPC分类号： H04L29/06 ,  H04L9/40

CPC分类号： H04L63/105 ,  H04L63/083

摘要： An authorization policy defines permissions that are exposed by a microservice. When a call is made to the microservice, it includes an access token. An application identifier uniquely identifying the calling application is extracted from the token. An access pattern, used by the calling application to obtain the access token and make the call to the microservice, is identified. Permissions that may be granted to the calling application are identified in the authorization policy based upon the application identifier and the access pattern that is identified. An authorization decision is made as to whether to authorize the call, based upon the granted permissions.

公开(公告)号：US11310059B2

公开(公告)日：2022-04-19

申请号：US16890654

申请日：2020-06-02

申请人： Microsoft Technology Licensing, LLC

发明人： Matthias Adam Leibmann ,  Victor Boctor ,  Grigory V. Kaplin ,  Liang Zou ,  Paranthaman Saravanan

IPC分类号： H04L9/32 ,  H04L9/08

摘要： Techniques of data authentication in a distributed computing system are disclosed herein. One example technique includes receiving a request for performing an operation along with a data package that includes a security token, a first digital signature of the security token generated using an ephemeral private key, and an ephemeral public key with a second digital signature generated using a master private key stored at a secure location. The example technique can also include initially validating the second digital signature using a public key corresponding to the master private key, and upon validating the second digital signature, validating the first digital signature of the security token using the ephemeral public key included in the data package. Upon validating that the first digital signature of the security token, the request can be authenticated, and the requested operation can be performed.

公开(公告)号：US11223488B2

公开(公告)日：2022-01-11

申请号：US16885423

申请日：2020-05-28

申请人： Microsoft Technology Licensing, LLC

发明人： Matthias Leibmann ,  Grigory V. Kaplin ,  Chun-Hung Lin

IPC分类号： H04L29/06 ,  H04L9/32 ,  H04L9/30

摘要： A routing plane includes an authentication packaging system that receives client authentication information, as part of a request from a requesting client that is to be routed to a target service. The authentication packaging system combines the authentication information with assertion information indicative of an assertion as to the identity of the routing plane, using an entropy, such as a signing key. The authentication package is attached to the request and is sent to the target service. The target service validates the authentication package based on the entropy and authenticates the routing plane based on the assertion information and performs authentication processing based on the authentication information.

公开(公告)号：US11968303B2

公开(公告)日：2024-04-23

申请号：US18166784

申请日：2023-02-09

申请人： Microsoft Technology Licensing, LLC

发明人： Paranthaman Saravanan ,  Marc Andrew Power ,  Yang Zhang ,  Matthias Adam Leibmann ,  Grigory V. Kaplin ,  Yi Zeng

IPC分类号： H04L9/32 ,  G06F16/245

CPC分类号： H04L9/3213 ,  G06F16/245 ,  H04L9/3268

摘要： Techniques of keyless authentication of computing services in distributed computing systems are disclosed herein. One example technique includes upon receiving a command to instantiate a computing service, transmitting a request to an authentication service for an identity assertion token corresponding to an application execution of which instantiates the computing service. The example technique can also include upon receiving the requested identity assertion token, storing the received identity assertion token in the container and modifying an entry of a configuration file in the container that allows the instantiated computing service to access the stored identity assertion token and authenticate to the authentication service using the identity assertion token.

公开(公告)号：US20210377044A1

公开(公告)日：2021-12-02

申请号：US16890654

申请日：2020-06-02

申请人： Microsoft Technology Licensing, LLC

发明人： Matthias Adam Leibmann ,  Victor Boctor ,  Grigory V. Kaplin ,  Liang Zou ,  Paranthaman Saravanan

IPC分类号： H04L9/32 ,  H04L9/08

摘要： Techniques of data authentication in a distributed computing system are disclosed herein. One example technique includes receiving a request for performing an operation along with a data package that includes a security token, a first digital signature of the security token generated using an ephemeral private key, and an ephemeral public key with a second digital signature generated using a master private key stored at a secure location. The example technique can also include initially validating the second digital signature using a public key corresponding to the master private key, and upon validating the second digital signature, validating the first digital signature of the security token using the ephemeral public key included in the data package. Upon validating that the first digital signature of the security token, the request can be authenticated, and the requested operation can be performed.

公开(公告)号：US11595220B2

公开(公告)日：2023-02-28

申请号：US17536522

申请日：2021-11-29

申请人： Microsoft Technology Licensing, LLC

发明人： Matthias Leibmann ,  Grigory V. Kaplin ,  Chun-Hung Lin

IPC分类号： H04L29/06 ,  H04L9/32 ,  H04L9/30

摘要： A routing plane includes an authentication packaging system that receives client authentication information, as part of a request from a requesting client that is to be routed to a target service. The authentication packaging system combines the authentication information with assertion information indicative of an assertion as to the identity of the routing plane, using an entropy, such as a signing key. The authentication package is attached to the request and is sent to the target service. The target service validates the authentication package based on the entropy and authenticates the routing plane based on the assertion information and performs authentication processing based on the authentication information.

公开(公告)号：US20210377055A1

公开(公告)日：2021-12-02

申请号：US16885423

申请日：2020-05-28

申请人： Microsoft Technology Licensing, LLC

发明人： Matthias Leibmann ,  Grigory V. Kaplin ,  Chun-Hung Lin

IPC分类号： H04L9/32 ,  H04L9/30

摘要： A routing plane includes an authentication packaging system that receives client authentication information, as part of a request from a requesting client that is to be routed to a target service. The authentication packaging system combines the authentication information with assertion information indicative of an assertion as to the identity of the routing plane, using an entropy, such as a signing key. The authentication package is attached to the request and is sent to the target service. The target service validates the authentication package based on the entropy and authenticates the routing plane based on the assertion information and performs authentication processing based on the authentication information.

公开(公告)号：US20180309759A1

公开(公告)日：2018-10-25

申请号：US15494679

申请日：2017-04-24

申请人： Microsoft Technology Licensing, LLC

发明人： Matthias Leibmann ,  Joel T. Hendrickson ,  Grigory V. Kaplin ,  Corneliu Manescu

IPC分类号： H04L29/06

CPC分类号： H04L63/10 ,  H04L63/0227 ,  H04L63/08 ,  H04W12/06 ,  H04W12/08

摘要： A computing system controls access between components. A token issuer issues an access token to a requesting component, that is requesting access to a requested service component, based at least in part on an access policy. The requesting component sends the token to the requested service component, which includes a token authentication module that validates the access token and authorizes the requesting component to access a requested service component, and receives the authorization to access the requested service component.

公开(公告)号：US11606208B2

公开(公告)日：2023-03-14

申请号：US16851286

申请日：2020-04-17

申请人： Microsoft Technology Licensing, LLC

发明人： Paranthaman Saravanan ,  Marc Andrew Power ,  Yang Zhang ,  Matthias Adam Leibmann ,  Grigory V. Kaplin ,  Yi Zeng

IPC分类号： H04L9/32 ,  G06F16/245

摘要： Techniques of keyless authentication of computing services in distributed computing systems are disclosed herein. One example technique includes upon receiving a command to instantiate a computing service, transmitting a request to an authentication service for an identity assertion token corresponding to an application execution of which instantiates the computing service. The example technique can also include upon receiving the requested identity assertion token, storing the received identity assertion token in the container and modifying an entry of a configuration file in the container that allows the instantiated computing service to access the stored identity assertion token and authenticate to the authentication service using the identity assertion token.

公开(公告)号：US20210328793A1

公开(公告)日：2021-10-21

申请号：US16851286

申请日：2020-04-17

申请人： Microsoft Technology Licensing, LLC

发明人： Paranthaman Saravanan ,  Marc Andrew Power ,  Yang Zhang ,  Matthias Adam Leibmann ,  Grigory V. Kaplin ,  Yi Zeng

IPC分类号： H04L9/32 ,  G06F16/245

摘要： Techniques of keyless authentication of computing services in distributed computing systems are disclosed herein. One example technique includes upon receiving a command to instantiate a computing service, transmitting a request to an authentication service for an identity assertion token corresponding to an application execution of which instantiates the computing service. The example technique can also include upon receiving the requested identity assertion token, storing the received identity assertion token in the container and modifying an entry of a configuration file in the container that allows the instantiated computing service to access the stored identity assertion token and authenticate to the authentication service using the identity assertion token.