1. Technical Field
This invention generally relates to computer systems, and more specifically relates to apparatus and methods for authenticating between computer programs.
2. Background Art
The widespread proliferation of computers in our modern society has prompted the development of computer networks that allow computers to communicate with each other. With the introduction of the personal computer (PC), computing became accessible to large numbers of people. Networks for personal computers were developed that allow individual users to communicate with each other. In this manner, a large number of computers may communicate with other computers on the network.
Many modern computing environments include a heterogeneous mix of programs that interact with each other to perform a wide variety of tasks. In fact, there may be multiple levels or tiers of programs. For example, a user may authenticate to a first-tier program by entering a user ID and password. A program is a first-tier program when a user directly authenticates with it. Once the user is authenticated to the first-tier program, the user may request a service that is provided by a second-tier program that is accessed by the first-tier program. As a result, there must be some way for the user to authenticate with the second-tier program. Requiring the user to enter a user ID and password each time the user invokes a function or service provided by a next-tier program would become very annoying to the user.
Note that programs are not inherently first-tier, second-tier, etc. The tier level of the program depends on who invoked it and when it is invoked. To be a first-tier program, a program must have the ability to authenticate a user, such as by receiving a user ID and password from the user. To be a next-tier program, the program may receive a request from another program to perform some function that requires authentication. Thus, a program could be a first-tier program at one point in time when a user requests a service directly from the program, and may be a third-tier program at another time when a user authenticates directly with a first-tier program, which authenticates to a second-tier program, which authenticates with this program to perform some service or function.
A very simple multi-tiered system 200 as known in the art is shown in FIG. 2. A user 210 authenticates to a first-tier program 124A, typically by entering a user ID and password. When the user makes a request to the first-tier program 124A that requires the second-tier program 124B to perform a service or function, the user must be authenticated to the second-tier program 124B. There are many known ways for the user to authenticate to the second-tier program 124B, many of which are discussed in detail below. Once the user has authenticated to the second-tier program 124B, that next-tier program may perform the requested service or function for the user.
The known methods for a first-tier program to authenticate to a next-tier program all require secure passwords to be stored somewhere. Storing secure passwords adds significant overhead in administering a computer network. Not only must the passwords be stored in a secure manner and location, they must also be periodically changed. For this reason, known authentication techniques that use secure passwords do not provide a desirable solution for multi-tiered computing environments. Without a way for one computer program to authenticate a user to another computer program without using secure keys that must be stored, shared and maintained over time, the computer industry will continue to suffer from inefficient ways of inter-program authentication in multi-tiered computing environments.