1. Technical Field
This disclosure relates generally to application security and, in particular, to a method to automate the passing of client application credentials to a browser application that is launched by the client application to facilitate login to a target resource.
2. Background of the Related Art
Many non-browser-based client applications also have browser-based application counterparts or features. A common use case involves an end user working within the client application after having logged into and having authenticated to a server. The server presents the end user with information, such as a list of files identified as linked resources, and the end user desires to access one of those files. When the end user then selects a target resource, the client application automatically launches the browser-based application, such as a local web browser. Even though the end user is logged in to the server with credentials within the context of the client application, launching the local web browser likely requires the web application to re-authenticate the user before the user is permitted to access the linked resource. In particular, except with respect to anonymous or public documents, the launching of the browser by the client application usually results in presenting to the user a login form. After the user enters his or her credentials, the browser is redirected to the desired page. Because the web browser does not have access to the client application's credentials (e.g., cookies), there is no easy, legal way to pass those credentials to the browser process.
One approach to address this problem is for the user to simply leave his or her logged-in browser process running at all times. This is undesirable, as it consumes local resources, and it may present a security risk if the user is not present. Another approach would be to provide a special browser plug-in that communicates with the running client application to retrieve credentials and force them into the browser process when launched; this approach also is undesirable, as it would require plug-ins to be written for all different browser types. Yet another approach would be to have the client host a browser control (e.g., WebKit) inside its process to control the authentication cookies. This approach, however, is undesirable as it may prevent the user from being able to use his or her favorite installed browser. Finally, while the Microsoft Windows single sign-on (SSO) solution can use the local user's Windows credentials when accessing secure domains with Internet Explorer, SSO support is required.
It would be desirable to provide a technique for passing a client application's credentials to a browser that is launched by that application in a manner that does not require any special browser or browser plug-in, that does not require specific web server technology, and that does not require SSO functionality. This disclosure provides such a solution.