EP-4449668-B1 - SERVICE TO SERVICE AUTHENTICATION IN COMPUTING SYSTEMS
Inventors
- LIN, CHUN-HUNG
- LEIBMANN, MATTHIAS
Dates
- Publication Date: 20260506
- Application Date: 20220919
Claims (12)
- A method of service to service authentication in a distributed computing system (100) having multiple servers (106) executing instructions to provide multiple platform services (152) interactable with client services (154), the method comprising: receiving, from a client service (154), a data package having (i) an access request (158) to a platform service (152) in the distributed computing system (100) and (ii) a security token (157) for authenticating the access request (158) to the platform service (152), wherein the data package is received by an authentication agent (160); and in response to receiving the data package having the access request (158) and the security token (157), analyzing, using the authentication agent (160), the received data package to identify a token type of the security token (157) and an authentication scheme indicated in the access request (158) for authenticating the access request (158); using a combination of the identified token type of the security token (157) and the authentication scheme indicated in the access request (158) as a key to locate a corresponding authentication pattern (159) in a mapping table (111); and identifying, in an authentication configuration (153) of the platform service (152), an authentication policy corresponding to the authentication pattern (159) to authenticate the received data package having the access request (158) and the security token (157); and applying, using the platform service (152), the identified authentication policy corresponding to the authentication pattern (159) to the received data package to authenticate the access request (158) based on the security token (157) and conditionally providing the client service (154) access to the platform service (152).
- The method of claim 1, wherein the authentication pattern is data that identifies an operating model associated with an authentication process.
- The method of claim 2, wherein the operating model includes identities of an initiator of an authentication process, a sequence of operations in the authentication process, or an objective or goal of the authentication process.
- The method of any of claims 1-3, further comprising: transmitting, from the client service (154), a token request and authentication credential to an authentication service in the distributed computing system (100); and upon authenticating the token request based on the authentication credential, issuing, from the authentication service, the security token (157) to the client service (154).
- The method of any of claims 1-3, further comprising: transmitting, from the client service (154), a token request (155) and authentication credential to an authentication service in the distributed computing system (100); upon authenticating the token request (155) based on the authentication credential, issuing, from the authentication service, the security token (157) to the client service (154); and generating the data package having the access request (158) to the platform service (152) and the security token (157) issued by the authentication service and transmitting the generated data package to the platform service (152).
- The method of any of claims 1-3, wherein analyzing the received data package includes: parsing a header of the authentication request to identify the authentication scheme supported by the client service (154); and parsing the security token (157) to identify the token type of the security token (157).
- The method of any of claims 1-3, wherein: the authentication configuration (153) of the platform service (152) includes code identifying multiple authentication policies and corresponding authentication patterns (159); and identifying the authentication policy includes scanning the code of the authentication configuration (153) to locate the authentication policy corresponding to the authentication pattern (159).
- The method of any of claims 1-3, further comprising: receiving data representing a new token type of an additional security token (157) to be used by the client service (154) for accessing the platform service (152); and in response to receiving the data, updating the mapping table (111) with a new entry having a combination of the new token type and the authentication scheme corresponding to the same authentication pattern (159) without modifying the authentication configuration (153) of the platform service (152).
- The method of any of claims 1-3, further comprising: receiving data representing a new authentication scheme supported by the client service (154) for accessing the platform service (152) with the same token type; and in response to receiving the data, updating the mapping table (111) with a new entry having a combination of the token type and the new authentication scheme corresponding to the same authentication pattern (159) without modifying the authentication configuration (153) of the platform service (152).
- The method of any of claims 1-3, wherein: receiving data representing an instruction to deprecate the token type; and in response to receiving the data representing the instruction, removing an entry in the mapping table (111) corresponding to the token type and the authentication scheme without modifying the authentication configuration (153) of the platform service (152).
- The method of any of claims 1-3, further comprising: receiving, from another client service (154), data representing a discovery request and another authentication pattern (159), the discovery request being for available token types and authentication schemes; and in response to receiving the data representing the discovery request and the another authentication pattern (159), querying the mapping table (111) for one or more entries corresponding to the authentication pattern (159); and transmitting the one or more entries identifying corresponding token types and authentication schemes to the another client service (154).
- A computing device in a distributed computing system (100) having multiple servers (106) individually executing instructions to provide platform services (152) interactable with client services (154), the computing device comprising: a processor; and a memory operatively coupled to the processor, the memory containing instructions executable by the processor to cause the computing device to perform a process according to one of claims 1-11.
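As an added illustration (not code from the patent or its applicant), the following Python models the claimed flow end to end: the authentication agent (160) derives the token type and the authentication scheme from the data package, that pair keys the mapping table (111) to an authentication pattern (159), and the platform service's authentication configuration (153) maps the pattern to a policy; the mapping-table updates of claims 8 to 10 and the discovery query of claim 11 never touch the configuration. All names, the token shapes, and the opaque-token introspection store are assumptions made for the example.

```python
import base64, json, time

# Constructed sample data: introspection store for opaque reference tokens issued by the
# (hypothetical) authentication service. Not part of the patent text.
ISSUED_OPAQUE = {"ref-7f3a": {"aud": "mail", "exp": 4102444800}}

# Mapping table (111): (token type, authentication scheme) -> authentication pattern (159).
MAPPING_TABLE = {("jwt", "bearer"): "delegated-access"}

def b64url_json(segment: str) -> dict:
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))

def analyze(package: dict) -> tuple:
    """Authentication agent (160): scheme from the Authorization header, token type from the
    token's shape (three dot-separated segments -> 'jwt', otherwise an opaque reference)."""
    scheme, _, token = package["headers"].get("Authorization", "").partition(" ")
    token_type = "jwt" if token.count(".") == 2 else "opaque"
    return token_type, scheme.lower(), token

def claims_of(token_type: str, token: str) -> dict:
    """Normalised claim view of either token type. The JWT path decodes the payload only;
    a real policy must verify the signature before trusting any claim in it."""
    if token_type == "jwt":
        return b64url_json(token.split(".")[1])
    return ISSUED_OPAQUE.get(token, {})

def policy_delegated_access(claims: dict, service: str) -> bool:
    """Policy for the 'delegated-access' pattern: audience is this service and not expired."""
    return claims.get("aud") == service and claims.get("exp", 0) > time.time()

# Authentication configuration (153) of the platform service: pattern -> policy.
# Nothing below modifies this dict; token types come and go via the mapping table alone.
AUTH_CONFIG = {"delegated-access": policy_delegated_access}

def authenticate(package: dict, service: str) -> bool:
    token_type, scheme, token = analyze(package)
    pattern = MAPPING_TABLE.get((token_type, scheme))   # key = (type, scheme)
    policy = AUTH_CONFIG.get(pattern)                    # None -> unknown pattern, reject
    try:
        return bool(policy) and policy(claims_of(token_type, token), service)
    except (IndexError, ValueError):                     # malformed token payload
        return False

def add_mapping(token_type, scheme, pattern="delegated-access"):  # claims 8 and 9
    MAPPING_TABLE[(token_type, scheme)] = pattern

def deprecate_mapping(token_type, scheme):                         # claim 10
    MAPPING_TABLE.pop((token_type, scheme), None)

def discover(pattern):                                             # claim 11
    return sorted(k for k, v in MAPPING_TABLE.items() if v == pattern)

def make_jwt(aud, exp):
    """Constructed, unsigned JWT-shaped token for the demo; alg 'none' is never acceptable in production."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc({'aud': aud, 'exp': exp})}.x"
```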
Description
BACKGROUND
Remote or "cloud" computing systems typically utilize large numbers of remote servers housed in datacenters to provide compute, storage, network, and other computing services. The remote servers can be interconnected by computer networks to form one or more computing clusters. Each remote server in the computing clusters can host one or more virtual machines ("VMs"), containers, virtual switches, virtual load balancers, and other virtualized functions. During operation, the virtualized functions can cooperate with one another to facilitate execution of applications and provide corresponding computing services to users.
US20180367526A1 describes systems and methods for authenticating a user requesting access to a resource in a cloud-computing system. The methods comprise, by a resource service: receiving an access request for accessing a resource associated with the resource service from a computing device associated with a user, determining context information corresponding to the access request, and using the determined context information for identifying an authentication protocol for authenticating the user. The authentication protocol includes at least one authentication scheme. The methods further comprise generating an authentication challenge and transmitting the authentication challenge to the computing device. The authentication challenge includes an initial token and authentication parameters corresponding to the identified authentication protocol.
SUMMARY
The invention is set out in the appended set of claims. This Summary is provided to introduce a selection of concepts in a simplified form that are further described below in the Detailed Description. This Summary is not intended to identify key features or essential features of the claimed subject matter, nor is it intended to be used to limit the scope of the claimed subject matter.
In certain computing facilities, remote servers in cloud computing facilities can provide computing services to multiple subscribers or tenants via virtualization of compute, storage, network, or other suitable types of physical resources. For example, a server can execute suitable instructions to provide a hypervisor for managing multiple virtual machines hosted on the server. Each virtual machine can execute suitable applications to provide corresponding computing services to users. As such, users of tenants can share physical resources as computing services at the individual servers in cloud computing facilities. On the other hand, a single tenant can also consume resources from multiple servers, storage devices, or other suitable components of cloud computing facilities as a single computing service. To provide access to shared physical resources, certain computing facilities can organize computing services as platform services and client services that interact with one another to process user requests. For instance, a platform service can be an email exchange service that is configured to handle email reception, forwarding, synchronization, and other suitable operations. An example email exchange service is Outlook® service included in the Office 365 suite provided by Microsoft Corporation of Redmond, Washington. Upon authenticating a client service (e.g., an email client), the email exchange service can provide the client service access to content such as emails, calendar items, and attachments in corresponding mailboxes of a user. Computing facilities can also implement an authentication service (e.g., a token issuer) that is configured to facilitate authentication between client and platform services. For instance, an authentication service can be configured to receive an authentication request for a security token from a client service. 
In response, the authentication service can be configured to output a user interface for receiving authentication credentials such as passwords and answers to secret questions. Upon receiving the authentication credentials from, for instance, a user, the authentication service can validate the received authentication credentials according to a suitable authentication scheme. Upon successful validation of the authentication credentials, the authentication service can be configured to generate and issue a security token (or other suitable security articles) to the client service. The client service can then submit a request along with the received security token to the platform service (or other suitable computing services) to retrieve content or perform other suitable actions. Upon receiving the submitted request and security token, the platform service is configured to determine whether to grant access to the client service by applying an authentication policy to evaluate the request with the security token. To properly evaluate the request, the platform service typically includes code logic and configuration that recognize a token type of the security token and an authentication scheme associated with the requ