US-12621283-B2 - Bookmarking support for federated login pages
Abstract
Methods and systems for handling of invalid state parameters during authentication are described herein. A computing device may receive, from a web browser executing on a user device, first data. That data may comprise an indication of authentication of authentication credentials and a first state parameter. Based on that first state parameter being invalid, the computing device may generate a new state parameter and redirect the web browser to a web page associated with an identity provider application. The computing device may then receive, from the web browser, an indication of authentication of a cookie and the new state parameter. The computing device may provide, to the user device, access to one or more services.
Inventors
- Thomas Kludy
Assignees
- CITRIX SYSTEMS, INC.
Dates
- Publication Date
- 20260505
- Application Date
- 20220614
Claims (20)
- 1 . A computing device comprising: one or more processors and memory storing instructions that, when executed by the one or more processors, cause the computing device to: receive, from a web browser executing on a user device, first data comprising: an indication of authentication, by an identity provider application executing on a second computing device, of user authentication credentials, and a first state parameter that corresponds to a session between the computing device and the user device; and based on determining that the first state parameter is invalid: generate a new state parameter; redirect the web browser to a web page associated with the identity provider application by providing, to the web browser, a uniform resource locator (URL) associated with the identity provider application; receive, from the web browser, second data comprising: an indication of authentication, by the identity provider application, of a cookie corresponding to the user authentication credentials, and the new state parameter; and provide, to the user device and based on the second data, access to one or more services.
- 2 . The computing device of claim 1 , wherein the instructions, when executed by the one or more processors, cause the computing device to determine that the first state parameter is invalid by causing the computing device to: determine that the first state parameter is expired.
- 3 . The computing device of claim 1 , wherein the instructions, when executed by the one or more processors, cause the computing device to generate the new state parameter by causing the computing device to: provide the web browser a second cookie that comprises the new state parameter.
- 4 . The computing device of claim 1 , wherein the URL comprises a no retry indication that causes the identity provider application to generate an error when the cookie is invalid.
- 5 . The computing device of claim 1 , wherein the indication of the authentication of the user authentication credentials comprises a first authentication code, and wherein the indication of the authentication of the cookie comprises a second authentication code.
- 6 . The computing device of claim 1 , wherein the instructions, when executed by the one or more processors, further cause the computing device to: send, to the identity provider application, the indication of the authentication of the cookie; and receive, from the identity provider application, information corresponding to the user authentication credentials, wherein the instructions, when executed by the one or more processors, further cause the computing device to provide the access to the one or more services based on the information corresponding to the user authentication credentials.
- 7 . The computing device of claim 1 , wherein the instructions, when executed by the one or more processors, further cause the computing device to generate the new state parameter based on determining that the indication of the authentication of the user authentication credentials indicates that the user authentication credentials were successfully authenticated.
- 8 . A method comprising: receiving, by a computing device and from a web browser executing on a user device, first data comprising: an indication of authentication, by an identity provider application executing on a second computing device, of user authentication credentials, and a first state parameter that corresponds to a session between the computing device and the user device; and based on determining that the first state parameter is invalid: generating a new state parameter; redirecting the web browser to a web page associated with the identity provider application by providing, to the web browser, a uniform resource locator (URL) associated with the identity provider application; receiving, from the web browser, second data comprising: an indication of authentication, by the identity provider application, of a cookie corresponding to the user authentication credentials, and the new state parameter; and providing, to the user device and based on the second data, access to one or more services.
- 9 . The method of claim 8 , wherein the determining that the first state parameter is invalid comprises: determining that the first state parameter is expired.
- 10 . The method of claim 8 , wherein the generating the new state parameter comprises: providing the web browser a second cookie that comprises the new state parameter.
- 11 . The method of claim 8 , wherein the URL comprises a no retry indication that causes the identity provider application to generate an error when the cookie is invalid.
- 12 . The method of claim 8 , wherein the indication of the authentication of the user authentication credentials comprises a first authentication code, and wherein the indication of the authentication of the cookie comprises a second authentication code.
- 13 . The method of claim 8 , further comprising: sending, to the identity provider application, the indication of the authentication of the cookie; and receiving, from the identity provider application, information corresponding to the user authentication credentials, wherein providing the access to the one or more services is based on the information corresponding to the user authentication credentials.
- 14 . The method of claim 8 , wherein the generating the new state parameter is based on determining that the indication of the authentication of the user authentication credentials indicates that the user authentication credentials were successfully authenticated.
- 15 . One or more non-transitory computer-readable media storing instructions that, when executed by one or more processors of a computing device, cause the computing device to: receive, from a web browser executing on a user device, first data comprising: an indication of authentication, by an identity provider application executing on a second computing device, of user authentication credentials, and a first state parameter that corresponds to a session between the computing device and the user device; and based on determining that the first state parameter is invalid: generate a new state parameter; redirect the web browser to a web page associated with the identity provider application by providing, to the web browser, a uniform resource locator (URL) associated with the identity provider application; receive, from the web browser, second data comprising: an indication of authentication, by the identity provider application, of a cookie corresponding to the user authentication credentials, and the new state parameter; and provide, to the user device and based on the second data, access to one or more services.
- 16 . The one or more non-transitory computer-readable media of claim 15 , wherein the instructions, when executed by the one or more processors, cause the computing device to determine that the first state parameter is invalid by causing the computing device to: determine that the first state parameter is expired.
- 17 . The one or more non-transitory computer-readable media of claim 15 , wherein the instructions, when executed by the one or more processors, cause the computing device to generate the new state parameter by causing the computing device to: provide the web browser a second cookie that comprises the new state parameter.
- 18 . The one or more non-transitory computer-readable media of claim 15 , wherein the URL comprises a no retry indication that causes the identity provider application to generate an error when the cookie is invalid.
- 19 . The one or more non-transitory computer-readable media of claim 15 , wherein the indication of the authentication of the user authentication credentials comprises a first authentication code, and wherein the indication of the authentication of the cookie comprises a second authentication code.
- 20 . The one or more non-transitory computer-readable media of claim 15 , wherein the instructions, when executed by the one or more processors, further cause the computing device to: send, to the identity provider application, the indication of the authentication of the cookie; and receive, from the identity provider application, information corresponding to the user authentication credentials, wherein the instructions, when executed by the one or more processors, further cause the computing device to provide the access to the one or more services based on the information corresponding to the user authentication credentials.
Description
FIELD
Aspects described herein generally relate to computer networking, computer authentication, federated authentication, and hardware and software related thereto. More specifically, one or more aspects described herein provide for the handling of invalid state parameters in federated login environments.
BACKGROUND
A user may, using a web browser executing on a user device, log in to one or more services using a federated login procedure. In this manner, one system (e.g., an API provider) might delegate the task of handling authentication tasks to another system (e.g., a federated login server). For example, to access the one or more services on a first server and at a first domain, the user might be prompted to browse, using the web browser, to a federated login page on a different server and/or different domain. As part of that redirection process, the web browser might be provided (e.g., as part of the redirection Uniform Resource Locator (URL)) a state parameter, which might correspond to a session with the one or more services. At that federated login page, the user might enter authentication credentials and, upon successful authentication of those credentials, the user might be redirected back to the first server and the first domain. As part of that second redirection process, the one or more services on the first server and at the first domain might be provided both the state parameter and an indication that authentication was successful. In this manner, the one or more services on the first server and at the first domain may thereby learn that the user device was successfully authenticated, and the user device may be provided access to the one or more services as part of the session indicated by the state parameter.
One flaw in the above process is that a user cannot bookmark the federated login page. For example, if the user were to bookmark a federated login page to make it easier for them to log in to the one or more services on the first server and at the first domain, then that bookmark may correspond to an invalid (e.g., expired) state parameter. In turn, if a user used the bookmark to access the federated login page and provide the credentials, the user would still be prevented from accessing the one or more services, as the state parameter is invalid. In practice, this might appear to the user as a variety of different errors. For example, the user might be informed that their username and/or password are invalid, even if the username and/or password are correct.
SUMMARY
The following presents a simplified summary of various aspects described herein. This summary is not an extensive overview, and is not intended to identify required or critical elements or to delineate the scope of the claims. The following summary merely presents some concepts in a simplified form as an introductory prelude to the more detailed description provided below.
To overcome limitations in the prior art described above, and to overcome other limitations that will be apparent upon reading and understanding the present specification, aspects described herein are directed towards enabling bookmarking in federated login environments by configuring services to handle circumstances where a state parameter is invalid but where authentication credentials might otherwise be valid. As will be explained in further detail below, a computing device may receive, from a web browser executing on a user device, first data comprising an indication of authentication, by an identity provider application executing on a second computing device, of user authentication credentials; and a first state parameter that corresponds to a session between the computing device and the user device. That indication of authentication might comprise, for example, a first authentication code.
The computing device may then take a number of steps based on determining that the first state parameter is invalid (e.g., determining that the first state parameter is expired). The computing device may generate a new state parameter. For example, the computing device may provide the web browser a second cookie that comprises the new state parameter. Generating the new state parameter may be based on determining that the indication of the authentication of the user authentication credentials indicates that the user authentication credentials were successfully authenticated. Then, the computing device may redirect the web browser to a web page associated with the identity provider application by providing, to the web browser, a uniform resource locator (URL) associated with the identity provider application. That URL may comprise a no retry indication that causes the identity provider application to generate an error if the cookie is invalid, as doing so ensures that an infinite loop is not formed. Afterwards, the computing device may receive, from the web browser, second data comprising an indication of authentication, by the identity provider application, of a cooki
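The following is an added illustration of the callback logic the summary describes, written for this page and not taken from the patent or from any Citrix product. It models the relying party ("computing device") receiving an authentication code together with a state parameter, treating a state as invalid when it is malformed, wrongly signed, expired or not matched by the relying party's own cookie, and then re-running the flow once against the identity provider with a no-retry marker. The endpoint URLs, the `no_retry` query parameter, the `rp_state` / `rp_retry` cookie names and the signing key are all constructed assumptions; the patent names none of them.

```python
import base64, binascii, hashlib, hmac, json, secrets
from urllib.parse import urlencode

# Constructed values for this example; a real deployment loads the key from a secret store.
RP_KEY = b"constructed-demo-signing-key"
STATE_TTL = 300                                   # seconds before a state parameter expires
IDP_AUTHORIZE = "https://idp.example/authorize"   # hypothetical identity provider endpoint
RP_CALLBACK = "https://rp.example/callback"       # hypothetical relying-party callback

def make_state(now):
    """Mint a state parameter: base64(JSON payload) + "." + hex(HMAC-SHA256), with issue time."""
    payload = json.dumps({"iat": int(now), "nonce": secrets.token_hex(8)}).encode()
    sig = hmac.new(RP_KEY, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload).decode() + "." + sig

def state_is_valid(state, cookie_state, now):
    """Valid only if present, identical to the relying party's own cookie copy,
    well-formed, correctly signed and not older than STATE_TTL."""
    if not state or not hmac.compare_digest(state, cookie_state or ""):
        return False
    try:
        body, sig = state.split(".")
        payload = base64.urlsafe_b64decode(body)
    except (ValueError, binascii.Error):
        return False
    expected = hmac.new(RP_KEY, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return False
    return now - json.loads(payload)["iat"] <= STATE_TTL

def handle_callback(query, cookies, now):
    """Relying-party callback handler. Returns one of:
       ("grant", code)              normal path: exchange the code and open the session
       ("redirect", url, cookies)   state invalid: send the browser back to the IdP once
       ("error", reason)            give up: IdP error, no code, or the one retry is spent"""
    if "error" in query:                      # IdP honoured no_retry and refused to re-prompt
        return ("error", "identity provider reported: " + query["error"])
    code = query.get("code")
    if not code:
        return ("error", "no authentication indication from identity provider")
    if state_is_valid(query.get("state"), cookies.get("rp_state"), now):
        return ("grant", code)                # caller should clear rp_retry here
    if cookies.get("rp_retry") == "1":        # second invalid state in a row: stop, do not loop
        return ("error", "state parameter still invalid after one retry")
    new_state = make_state(now)               # fresh state, carried in the relying party's cookie
    url = IDP_AUTHORIZE + "?" + urlencode(
        {"redirect_uri": RP_CALLBACK, "state": new_state, "no_retry": "1"})
    return ("redirect", url, {"rp_state": new_state, "rp_retry": "1"})
```

The `rp_retry` cookie is what bounds the loop on the relying-party side; the `no_retry` marker in the URL is the relying party's request that the identity provider fail rather than prompt again when its own cookie cannot be authenticated.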