US-12627510-B2 - Encoding an authentication cookie with metadata
Abstract
In some implementations, an authenticator device may receive, from a browser, a request to connect to a secure service, wherein the request includes login credentials associated with a user of the browser. The authenticator device may determine that the user is an authorized user to access the secure service based on the login credentials. The authenticator device may generate an authentication cookie for the browser, wherein the authentication cookie encodes metadata information associated with the user, and wherein the metadata information includes at least an indication of user attributes of the user. The authenticator device may transmit, to the browser device, the authentication cookie.
Inventors
- Peyush Gupta
- Raqib Hesaam JONES
- Umesh Mangla
- Dilip H. Sanghavi
Assignees
- JUNIPER NETWORKS, INC.
Dates
- Publication Date: 20260512
- Application Date: 20231227
Claims (20)
- 1. A method, comprising: receiving, at a first authenticator device and from a browser, a request to connect to a secure service, wherein the request includes login credentials associated with a user associated with the browser; determining, by the first authenticator device, that the user is an authorized user to access the secure service based on the login credentials; generating, by the first authenticator device, an authentication cookie for the browser, wherein the authentication cookie encodes metadata information associated with the user, and wherein the metadata information includes at least an indication of user attributes of the user; signing, by the first authenticator device, the authentication cookie using a private key issued by a root certificate authority; transmitting, by the first authenticator device and to the browser, the signed authentication cookie; receiving, at a second authenticator device and from the browser, another request to access the secure service, wherein the other request to access the secure service is marked with the authentication cookie issued by the first authenticator device; de-signing, by the second authenticator device, the signed authentication cookie using the private key issued by the root certificate authority; and determining, by the second authenticator device, that the user is an authorized user to access the secure service based on the user attributes obtained from the de-signed authentication cookie.
- 2. The method of claim 1, wherein generating the authentication cookie includes encrypting, by the first authenticator device, the authentication cookie using a symmetric key.
- 3. The method of claim 2, further comprising retrieving, by the first authenticator device and from a cloud-based key management service, the symmetric key.
- 4. The method of claim 1, further comprising receiving, by an intermediate certificate authority associated with the first authenticator device and from the root certificate authority, the private key.
- 5. The method of claim 1, further comprising receiving, by the first authenticator device and from an identity provider device, authorized user information, wherein determining that the user is the authorized user to access the secure service is further based on the authorized user information.
- 6. The method of claim 1, wherein generating the authentication cookie for the browser comprises encoding the authentication cookie with expiration information indicating an expiration time associated with the authentication cookie.
- 7. The method of claim 1, wherein the first authenticator device is associated with a first point of presence (POP) device, the second authenticator device is associated with a second POP device, and the first POP device and the second POP device are associated with a common identity provider device.
- 8. A system, comprising: a secure service controller device; and multiple authenticator devices in communication with the secure service controller device, each of the multiple authenticator devices being associated with a corresponding point of presence (POP), wherein a first authenticator device, of the multiple authenticator devices, is to: receive, from a browser, a connection request to connect to a secure service, wherein the connection request includes login credentials associated with a user associated with the browser; determine that the user is an authorized user to connect to the secure service based on the login credentials; generate an authentication cookie for the browser, wherein the authentication cookie encodes metadata information associated with the user, and wherein the metadata information includes at least an indication of user attributes of the user; and sign the authentication cookie using a private key issued by a root certificate authority; transmit, to the browser, the signed authentication cookie, and wherein a second authenticator device, of the multiple authenticator devices, is to: receive, from the browser, an access request to access the secure service, wherein the access request is marked with the signed authentication cookie; de-sign the signed authentication cookie using the private key issued by the root certificate authority; determine that the user is an authorized user to access the secure service based on the user attributes obtained from the de-signed authentication cookie; and respond to the access request based on determining that the user is the authorized user to access the secure service.
- 9. The system of claim 8, wherein the first authenticator device, to generate the authentication cookie for the browser, is to encrypt the authentication cookie using a symmetric key, and wherein the second authenticator device, to determine that the user is the authorized user to access the secure service, is to decrypt the authentication cookie using the symmetric key.
- 10. The system of claim 8, wherein the first authenticator device is further to receive, by a first intermediate certificate authority associated with the first authenticator device and from the root certificate authority, the private key; and wherein the second authenticator device is further to receive, by a second intermediate certificate authority associated with the second authenticator device and from the root certificate authority, the private key.
- 11. The system of claim 8, wherein the first authenticator device is further to receive, from an identity provider device, authorized user information, wherein the first authenticator device, to determine that the user is the authorized user to connect to the secure service, is to determine that the user is the authorized user to connect to the secure service based on the authorized user information, wherein the second authenticator device is further to receive, from the identity provider device, the authorized user information, and wherein the second authenticator device, to determine that the user is the authorized user to access the secure service, is to determine that the user is the authorized user to access the secure service based on the authorized user information.
- 12. The system of claim 8, wherein the first authenticator device, to generate the authentication cookie for the browser, is to encode the authentication cookie with expiration information indicating an expiration time associated with the authentication cookie, and wherein the second authenticator device, to determine that the user is the authorized user to access the secure service, is to determine that the user is the authorized user to access the secure service based on the expiration information.
- 13. The system of claim 8, wherein the first authenticator device is associated with a first POP device, the second authenticator device is associated with a second POP device, and the first POP device and the second POP device are associated with a common identity provider device.
- 14. An authenticator device, comprising: one or more memories; and one or more processors, coupled to the one or more memories, to: receive, at the authenticator device and from a browser, a request to connect to a secure service, wherein the request includes login credentials associated with a user associated with the browser; determine that the user is an authorized user to access the secure service based on the login credentials; generate an authentication cookie for the browser, wherein the authentication cookie encodes metadata information associated with the user, and wherein the metadata information includes at least an indication of user attributes of the user; sign the authentication cookie using a private key issued by a root certificate authority; transmit, to the browser, the signed authentication cookie; receive, at the authenticator device and from the browser, another request to access the secure service, wherein the other request to access the secure service corresponds to another user and is marked with another authentication cookie issued by another authenticator device; de-sign the other signed authentication cookie corresponding to the other authenticator device, using the private key issued by the root certificate authority; and determine that the other user is an authorized user to access the secure service based on the user attributes obtained from the de-signed authentication cookie.
- 15. The authenticator device of claim 14, wherein the one or more processors, to generate the authentication cookie, are to encrypt, by the authenticator device, the authentication cookie using a symmetric key.
- 16. The authenticator device of claim 15, wherein the one or more processors are further to: retrieve, from a cloud-based key management service, the symmetric key.
- 17. The authenticator device of claim 14, wherein the one or more processors are further to: receive, from the root certificate authority, the private key.
- 18. The authenticator device of claim 14, wherein the one or more processors are further to: receive, from an identity provider device, authorized user information, wherein determining that the user is the authorized user to access the secure service is further based on the authorized user information.
- 19. The authenticator device of claim 14, wherein the one or more processors, to generate the authentication cookie for the browser, are to encode the authentication cookie with expiration information indicating an expiration time associated with the authentication cookie.
- 20. The authenticator device of claim 14, wherein the authenticator device is associated with a point of presence (POP) device.
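The two-POP flow of claims 1, 2, 6 and 8 (one POP issues a cookie carrying user attributes and an expiry, signs it and encrypts it under a symmetric key; another POP accepts the cookie and authorizes on those attributes) as an added Go example; this is not code from the patent or from Juniper. It assumes an Ed25519 issuer key pair and a 32-byte AES-GCM key shared by the POPs (the claims' symmetric key, e.g. fetched from a KMS), and the Metadata field names are invented. Where the claims speak of de-signing with the private key, this code verifies with the issuer's corresponding public key, which is how signature verification actually works.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"time"
)
// Metadata the cookie carries: user attributes plus an expiry (field names assumed).
type Metadata struct {
	User   string   `json:"user"`
	Groups []string `json:"groups"`
	Exp    int64    `json:"exp"` // Unix seconds
}

// newGCM wraps the symmetric key shared by the POPs (16, 24 or 32 bytes, e.g. from a KMS).
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// IssueCookie (issuing POP): sign metadata with the POP private key, then AES-GCM-encrypt sig||metadata; output nonce||ct||tag.
func IssueCookie(priv ed25519.PrivateKey, symKey []byte, md Metadata) ([]byte, error) {
	payload, _ := json.Marshal(md) // cannot fail for this struct
	gcm, err := newGCM(symKey)
	if err != nil { return nil, err }
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	sig := ed25519.Sign(priv, payload)
	return gcm.Seal(nonce, nonce, append(sig, payload...), nil), nil
}

// VerifyCookie (any other POP): decrypt, verify the issuer's signature with its public key, enforce expiry, return attributes.
func VerifyCookie(pub ed25519.PublicKey, symKey []byte, cookie []byte, now time.Time) (*Metadata, error) {
	gcm, err := newGCM(symKey)
	if err != nil { return nil, err }
	if len(cookie) < gcm.NonceSize() { return nil, errors.New("cookie too short") }
	plain, err := gcm.Open(nil, cookie[:gcm.NonceSize()], cookie[gcm.NonceSize():], nil)
	if err != nil || len(plain) < ed25519.SignatureSize { return nil, errors.New("cookie rejected by AEAD") }
	sig, payload := plain[:ed25519.SignatureSize], plain[ed25519.SignatureSize:]
	if !ed25519.Verify(pub, payload, sig) { return nil, errors.New("signature does not verify") }
	var md Metadata
	if err := json.Unmarshal(payload, &md); err != nil { return nil, err }
	if now.Unix() >= md.Exp { return nil, errors.New("cookie expired") }
	return &md, nil
}
```

Note that the shared symmetric key only proves the cookie came from some POP holding that key; it is the signature check that ties the cookie to a specific issuer, so a cookie signed under a different key pair is rejected even when it decrypts cleanly.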
Description
BACKGROUND
In cloud-based services, ensuring robust and efficient user authentication remains a critical challenge. Certain authentication schemes rely on direct input from a user, such as input of a username and a password, which may be susceptible to security breaches and/or which may result in a poor user experience. In some examples, to offer a more streamlined user experience, a user may be provided with an authentication cookie after providing login credentials. The authentication cookie is a small piece of data sent from a server and stored within the user's browser. The authentication cookie may include information that verifies the user's identity and thus negates the need for repeated credential entries during an authenticated session and/or in subsequent sessions. In some examples, an authentication cookie may serve as a secure token, which the cloud-based service validates to grant access, thereby enhancing security and user experience.
SUMMARY
Some implementations described herein relate to a method. The method may include receiving, at an authenticator device and from a browser, a request to connect to a secure service, wherein the request includes login credentials associated with a user of the browser. The method may include determining, by the authenticator device, that the user is an authorized user to access the secure service based on the login credentials. The method may include generating, by the authenticator device, an authentication cookie for the browser, wherein the authentication cookie encodes metadata information associated with the user, and wherein the metadata information includes at least an indication of user attributes of the user. The method may include transmitting, by the authenticator device and to the browser, the authentication cookie.
Some implementations described herein relate to a method. The method may include receiving, at an authenticator device and from a browser device, a request to access a secure service, wherein the request is marked with an authentication cookie issued by another authenticator device, wherein the authentication cookie includes metadata information associated with a user of the browser, and wherein the metadata information includes at least an indication of user attributes of the user. The method may include determining, by the authenticator device, that the user is an authorized user to access the secure service based on the user attributes. The method may include responding, by the authenticator device, to the request based on determining that the user is the authorized user.
Some implementations described herein relate to a system. The system may include a secure service controller device and multiple authenticator devices in communication with the secure service controller device, with each of the multiple authenticator devices being associated with a corresponding point of presence. A first authenticator device, of the multiple authenticator devices, may be configured to receive, from a browser, a connection request to connect to a secure service, wherein the connection request includes login credentials associated with a user of the browser. The first authenticator device may be configured to determine that the user is an authorized user to connect to the secure service based on the login credentials. The first authenticator device may be configured to generate an authentication cookie for the browser, wherein the authentication cookie encodes metadata information associated with the user, and wherein the metadata information includes at least an indication of user attributes of the user. The first authenticator device may be configured to transmit, to the browser device, the authentication cookie. The second authenticator device, of the multiple authenticator devices, may be configured to receive, from the browser device, an access request to access the secure service, wherein the access request is marked with the authentication cookie. The second authenticator device may be configured to determine that the user is an authorized user to access the secure service based on the user attributes. The second authenticator device may be configured to respond to the access request based on determining that the user is the authorized user to access the secure service.
BRIEF DESCRIPTION OF THE DRAWINGS
FIGS. 1A-1C are diagrams of an example associated with authenticating a user at multiple points of presence.
FIGS. 2A-2D are diagrams of an example associated with encoding an authentication cookie with metadata.
FIG. 3 is a diagram of an example environment in which systems and/or methods described herein may be implemented.
FIG. 4 is a diagram of example components of a device associated with encoding an authentication cookie with metadata.
FIG. 5 is a diagram of example components of another device associated with encoding an authentication cookie with metadata.
FIG. 6 is a flowchart of an example process associated with encoding an auth