Technical Field
This disclosure relates to authenticated electronic communications, and more particularly to authentication of networked application programming interface (API) communications.
Description of the Related Art
Providers of resources (e.g., web applications, websites, data, files, database access, cloud computing, etc.) over a network (e.g., the Internet) typically keep track of user session ID information via session cookies or the like. For example, a website may send a cookie to a user's browser. Afterward, every time the user requests a new link from the website, the user's browser may send that cookie back to the website to authenticate that the same user is still browsing. In another example, token-based authentication (e.g., using a username and password) may be used for authenticated API access.
Unfortunately, some implementations of session cookie and token-based systems may be susceptible to so-called “session hijacking,” which is a type of man-in-the-middle (MITM) attack. Various types of session hijacking schemes are known in the art, and they pose a problem for organizations that rely on being able to reliably authenticate users.
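To make the session-cookie mechanism and its hardening concrete, the following is an added example (not code from the patent or from any system it mentions) of a server-side session issuer and validator. It assumes an in-memory session store, a per-deployment HMAC key, and a client fingerprint built from the remote address and User-Agent; the key and all addresses and agents used below are constructed sample values. The validator signs the session ID so a tampered cookie is rejected, enforces an expiry, terminates a session whose cookie arrives from a different client (the observable symptom of a stolen or replayed cookie), and rotates the ID after authentication so an ID issued before login is not carried into the authenticated session.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Constructed example secret; a deployment loads this from a secret store
# and rotates it on a schedule.
SERVER_KEY = secrets.token_bytes(32)
SESSION_TTL = 3600  # seconds a session ID stays valid after issuance


@dataclass
class Session:
    user_id: str
    issued_at: float
    client_fingerprint: str
    last_seen: float


# Server-side store keyed by session ID. The cookie carries only the ID and
# its signature, never the user identity or any other state.
SESSIONS = {}


def _sign(session_id: str) -> str:
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def fingerprint(remote_addr: str, user_agent: str) -> str:
    # Hypothetical binding of a session to the client that created it; the
    # exact attributes chosen are a policy decision (see the note below).
    return hashlib.sha256(f"{remote_addr}|{user_agent}".encode()).hexdigest()


def issue_session(user_id: str, remote_addr: str, user_agent: str, now=None):
    """Create a new session and return (cookie_value, Set-Cookie header)."""
    now = time.time() if now is None else now
    sid = secrets.token_urlsafe(32)  # 256 bits of entropy; contains no '.'
    SESSIONS[sid] = Session(user_id, now, fingerprint(remote_addr, user_agent), now)
    cookie_value = f"{sid}.{_sign(sid)}"
    header = (f"sid={cookie_value}; Secure; HttpOnly; SameSite=Strict; "
              f"Path=/; Max-Age={SESSION_TTL}")
    return cookie_value, header


def validate_session(cookie_value: str, remote_addr: str, user_agent: str, now=None):
    """Return (user_id, reason); user_id is None when the cookie is rejected."""
    now = time.time() if now is None else now
    try:
        sid, sig = cookie_value.rsplit(".", 1)
    except ValueError:
        return None, "malformed"
    if not hmac.compare_digest(sig, _sign(sid)):
        return None, "bad_signature"
    sess = SESSIONS.get(sid)
    if sess is None:
        return None, "unknown_session"
    if now - sess.issued_at > SESSION_TTL:
        SESSIONS.pop(sid, None)
        return None, "expired"
    if sess.client_fingerprint != fingerprint(remote_addr, user_agent):
        # Same cookie presented by a different client: end the session and
        # log the reason so the event can be investigated.
        SESSIONS.pop(sid, None)
        return None, "fingerprint_mismatch"
    sess.last_seen = now
    return sess.user_id, "ok"


def rotate_session(cookie_value: str, remote_addr: str, user_agent: str, now=None):
    """Re-issue the session ID (after login or a privilege change) and
    invalidate the old one. Returns (new_cookie, header, reason)."""
    now = time.time() if now is None else now
    user_id, reason = validate_session(cookie_value, remote_addr, user_agent, now)
    if user_id is None:
        return None, None, reason
    SESSIONS.pop(cookie_value.rsplit(".", 1)[0], None)
    new_cookie, header = issue_session(user_id, remote_addr, user_agent, now)
    return new_cookie, header, "rotated"


if __name__ == "__main__":
    # Constructed walk-through with sample client values.
    cookie, hdr = issue_session("alice", "203.0.113.5", "ExampleBrowser/1.0")
    print(hdr)
    print(validate_session(cookie, "203.0.113.5", "ExampleBrowser/1.0"))
    print(validate_session(cookie, "198.51.100.9", "ExampleBrowser/1.0"))
```

Binding a session to the remote address produces false rejections for clients behind carrier-grade NAT or on mobile networks; a deployment may bind to the User-Agent alone, to a TLS channel-binding value, or treat a mismatch as a signal for step-up authentication rather than immediate termination. The cookie attributes in the header are what keep the session ID away from script (HttpOnly), off plaintext connections (Secure) and out of cross-site requests (SameSite).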
Such attacks may occur, for example, in multi-tenant database systems, and system-wide solutions available to multiple tenants may be desired. Multi-tenant database systems allow users to access applications and/or data from a network source that, to the user, appears to be centralized, but might actually be distributed for backup, redundancy, and/or performance reasons. An example of a multi-tenant system is a computing system that is accessible to multiple independent parties to provide those parties with application execution and/or data storage. Where there is an appearance of centralization, each subscribing party (e.g., a “tenant”) can access the system to perform application functions, including manipulating that tenant's data. Each tenant may provide content to multiple users (e.g., customers or employees) within that tenant, and safeguarding user data is typically important in such systems.
With a multi-tenant system, the tenants have the advantage that they need not install software, maintain backups, move data to laptops to provide portability, etc. Rather, each tenant user need only be able to access the multi-tenant system to operate the applications and access that tenant's data. One such system usable for customer relationship management is the multi-tenant system accessible to salesforce.com subscribers. With such systems, a user need only have access to a user system with network connectivity, such as a desktop computer with Internet access and a browser or other HTTP client, or other suitable Internet client.
Techniques to securely authenticate user access to network resources are desired, in multi-tenant systems as well as various other types of systems.