1. Field of the Invention
This invention relates to internet identity authentication and more particularly to secure access across different Web applications.
2. Description of Related Art
Because of the variety of the Web environment, users register accounts in many Web applications in order to use their various functions. For example, a user may register for three Web applications with different functions, such as a blog, a Web album and a Web friend list, and log into each of them in order to edit posts, browse photos and browse friends' information respectively. Along with the increase in the number of registered Web applications and the popularization of user-centric identity authentication techniques, more and more users would like to use a third-party identity provider (IdP) to perform identity authentication uniformly across a plurality of Web applications. At the same time, Web application providers would also like to integrate a plurality of Web applications through a third-party IdP, so as to provide stronger functionality and attract more users.
The process of identity authentication using an IdP can be classified as identity authentication initiated from the IdP side and identity authentication initiated from the service provider side, i.e., from the Web application side. The process initiated from the IdP side mainly includes the following steps: the user accesses the IdP directly via a browser on the client side; the IdP requires the user to input a username and password; the ID (identity) manager in the IdP receives and checks the information inputted by the user; after the check succeeds, the IdP transfers the identity information to the identity proxy in the Web application via the browser, whereby the Web application recognizes the user's identity and provides the requested resource.
The process initiated from the Web application side includes the following steps: the user accesses the desired Web application via a browser on the client side; the Web application redirects the browser to the IdP; the IdP requires the user to input the login information for the identity, and the ID manager therein receives and checks that login information; after the check succeeds, the IdP returns the identity information to the identity proxy in the Web application via the browser, whereby the Web application recognizes the user's identity and provides the requested resource.
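The two browser-relayed flows above, as an added example that is not part of the patent text: a minimal IdP (the ID manager) that checks a password and issues a signed assertion, and an identity proxy inside a Web application that validates what the browser relays. The check the identity proxy performs is the security-relevant part of both flows, so it is what the example spells out: signature, audience (the assertion must name this application), validity window, replay, and, for the Web-application-initiated flow, that the assertion answers a login this application actually started. Everything here is an assumption for illustration: the user store is constructed, the assertion format is a plain JSON-over-base64 token rather than SAML, and a symmetric HMAC key stands in for the asymmetric signature a real IdP would use.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Constructed for this example: one key shared by the IdP and every identity proxy. A real IdP
# signs with a private key (XML-DSig in SAML); a shared MAC key would let any application forge.
SIGNING_KEY = b"demo-idp-signing-key-not-for-production"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class IdentityProvider:
    """The ID manager in the IdP: checks username/password and issues signed identity assertions."""

    def __init__(self, users: dict):
        self._users = {}
        for name, password in users.items():   # constructed user store: salted PBKDF2 hashes
            salt = secrets.token_bytes(16)
            self._users[name] = (salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000))

    def check_login(self, username: str, password: str) -> bool:
        record = self._users.get(username)
        if record is None:
            return False
        salt, digest = record
        return hmac.compare_digest(digest, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000))

    def issue_assertion(self, username: str, audience: str,
                        in_response_to: Optional[str] = None, lifetime: int = 300) -> str:
        """The identity information the browser relays to the Web application named by `audience`."""
        now = int(time.time())
        claims = {"id": secrets.token_hex(8), "sub": username, "aud": audience,
                  "iat": now, "exp": now + lifetime, "in_response_to": in_response_to}
        body = _b64(json.dumps(claims, sort_keys=True).encode())
        return body + "." + _b64(hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest())


class IdentityProxy:
    """The identity proxy inside one Web application: validates assertions the browser brings."""

    def __init__(self, app_id: str):
        self.app_id = app_id
        self._pending = set()   # login requests this application started and has not seen answered
        self._seen = set()      # assertion ids already consumed, so a copy cannot be replayed

    def start_login(self) -> str:
        """Web-application-initiated flow: the request id the browser carries to the IdP."""
        request_id = secrets.token_hex(8)
        self._pending.add(request_id)
        return request_id

    def consume_assertion(self, token: str, now: Optional[int] = None) -> str:
        """Return the authenticated username, or raise ValueError if the assertion must be rejected."""
        now = int(time.time()) if now is None else now
        body, _, sig = token.partition(".")
        expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest()
        if not sig or not hmac.compare_digest(expected, _unb64(sig)):
            raise ValueError("bad signature")
        claims = json.loads(_unb64(body))
        if claims["aud"] != self.app_id:
            raise ValueError("assertion was issued for a different application")
        if not claims["iat"] <= now < claims["exp"]:
            raise ValueError("assertion expired or not yet valid")
        if claims["id"] in self._seen:
            raise ValueError("assertion replayed")
        request_id = claims["in_response_to"]
        if request_id is not None and request_id not in self._pending:
            raise ValueError("response to a login this application never started")
        self._pending.discard(request_id)
        self._seen.add(claims["id"])
        return claims["sub"]


def try_consume(app: IdentityProxy, token: str, now: Optional[int] = None) -> Optional[str]:
    # None when the identity proxy rejects the assertion, otherwise the username it accepted.
    try:
        return app.consume_assertion(token, now)
    except ValueError:
        return None


def idp_initiated_login(idp, app, username, password) -> Optional[str]:
    """Flow 1: the user logs in at the IdP first; the browser then carries the assertion to the app."""
    if not idp.check_login(username, password):
        return None
    return try_consume(app, idp.issue_assertion(username, audience=app.app_id))


def app_initiated_login(idp, app, username, password) -> Optional[str]:
    """Flow 2: the user starts at the app, which redirects to the IdP carrying a request id."""
    request_id = app.start_login()
    if not idp.check_login(username, password):
        return None
    return try_consume(app, idp.issue_assertion(username, audience=app.app_id, in_response_to=request_id))
```

The audience check is what keeps the two applications separate: an assertion issued for the blog is refused by the Web album even though the same IdP signed it, which is exactly why the cross-application access described next cannot be solved by simply forwarding the login assertion from one application to another.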
Through the above processes, users can perform identity authentication in Web applications using the IdP, i.e., share an identity between the IdP and the Web applications. However, the above mechanism does not support access across different Web applications. If a user wants one Web application to access another Web application on his behalf, e.g., wants the blog application to fetch his photos from the Web album application under the current login identity, the problem arises of how to realize secure access across different Web applications.
To solve the problem of secure access across different Web applications, one solution is to transmit a SAML (Security Assertion Markup Language) token in the access request. This process requires the token to be exchanged and validated on every such request, which increases the response time of the Web applications and thus reduces efficiency. In addition, this solution requires information related to the user's identity to be inserted into the code of the Web applications, which introduces latent security problems.
Another solution is a resource-provider-centric approach in which the resource provider defines a number of application interfaces that permit other applications to access its resources. However, different resource providers usually have their own particular designs and approaches, so this method cannot support universal cross-application access. Accordingly, a safer and more efficient way is needed to realize secure access across different Web applications.