公开(公告)号：US20180367306A1

公开(公告)日：2018-12-20

申请号：US15622834

申请日：2017-06-14

Applicant: eBay Inc.

Inventor： Anand Baldeodas Bahety ,  Nebojsa Pesic ,  Mallikarjuna Potta

IPC: H04L9/32 ,  H04L9/08 ,  H04L29/06 ,  G06Q30/06

Abstract: A system, method, and computer program product are provided for securing authorization tokens using client instance specific secrets. Tokens are valid for service requests only if time constraints and additional security constraints are met by additional information stored in the token in hashed form. A required comparison of a timestamp in a client service request header to the current server time limits the useful token life, e.g., to a few minutes. The service request header also includes data generated based on a secret previously assigned to a specific client instance. The secret may be generated by the server according to a public/private key scheme and sent to a particular client instance only once, e.g., during initial device registration. The secret may be omitted from service requests for public information. Service request headers may include device identifiers, so that service requests from known rogue clients may be ignored.

公开(公告)号：US10972273B2

公开(公告)日：2021-04-06

申请号：US15622834

申请日：2017-06-14

Applicant: eBay Inc.

Inventor： Anand Baldeodas Bahety ,  Nebojsa Pesic ,  Mallikarjuna Potta

IPC: H04L9/32 ,  G06Q20/40 ,  H04L29/06 ,  G06Q20/38 ,  G06Q30/06 ,  H04L9/08

Abstract: A system, method, and computer program product are provided for securing authorization tokens using client instance specific secrets. Tokens are valid for service requests only if time constraints and additional security constraints are met by additional information stored in the token in hashed form. A required comparison of a timestamp in a client service request header to the current server time limits the useful token life, e.g., to a few minutes. The service request header also includes data generated based on a secret previously assigned to a specific client instance. The secret may be generated by the server according to a public/private key scheme and sent to a particular client instance only once, e.g., during initial device registration. The secret may be omitted from service requests for public information. Service request headers may include device identifiers, so that service requests from known rogue clients may be ignored.

公开(公告)号：US11463258B2

公开(公告)日：2022-10-04

申请号：US16818312

申请日：2020-03-13

Applicant: eBay Inc.

Inventor： Anand Baldeodas Bahety

IPC: H04L9/32 ,  H04L9/30 ,  H04L9/40

Abstract: Technologies are shown for secure token refresh where a client receives a first access token from an authentication service, generates an asymmetric key pair, stores the first access token in association with a private key, and sends a public key to the authentication service. The service stores the public key in association with the first access token. The client sends a refresh token request to the service with the first access token. The service responds with a verification request with proof data. The client signs the proof data with the private key and sends the signed proof data to the service. The service verifies the signed proof data using the public key associated with the first access token, creates a second access token that is stored in association with the public key, and sends the second access token to the client, which stores it in association with the private key.

公开(公告)号：US11824992B2

公开(公告)日：2023-11-21

申请号：US17895305

申请日：2022-08-25

Applicant: eBay Inc.

Inventor： Anand Baldeodas Bahety

IPC: H04L9/32 ,  H04L9/30 ,  H04L9/40

CPC classification number: H04L9/3234 ,  H04L9/3073 ,  H04L9/3213 ,  H04L9/3247 ,  H04L63/08 ,  H04L63/083

Abstract: Technologies are shown for secure token refresh where a client receives a first access token from an authentication service, generates an asymmetric key pair, stores the first access token in association with a private key, and sends a public key to the authentication service. The service stores the public key in association with the first access token. The client sends a refresh token request to the service with the first access token. The service responds with a verification request with proof data. The client signs the proof data with the private key and sends the signed proof data to the service. The service verifies the signed proof data using the public key associated with the first access token, creates a second access token that is stored in association with the public key, and sends the second access token to the client, which stores it in association with the private key.