US 11,695,561 B2
Decentralized authorization of user access requests in a multi-tenant distributed service architecture
Robert Charles Cannata, Jr., Hingham, MA (US); Arun Nadger, Cumberland, RI (US); Kelsey Sattler, Boston, MA (US); John Peter Chinnappan, Natick, MA (US); and Rohith Reddy Beravelli, New Hill, NC (US)
Assigned to FMR LLC, Boston, MA (US)
Filed by FMR LLC, Boston, MA (US)
Filed on Aug. 23, 2022, as Appl. No. 17/893,705.
Application 17/893,705 is a continuation in part of application No. 17/531,319, filed on Nov. 19, 2021, granted, now 11,431,513.
Prior Publication US 2023/0163967 A1, May 25, 2023
This patent is subject to a terminal disclaimer.
Int. Cl. H04L 9/32 (2006.01); H04L 9/40 (2022.01); H04L 9/30 (2006.01)
CPC H04L 9/3213 (2013.01) [H04L 9/3073 (2013.01); H04L 9/3268 (2013.01); H04L 63/0281 (2013.01); H04L 63/20 (2013.01)]
24 Claims
1. A computer system for decentralized authorization of user access requests in a distributed service architecture, the system comprising:
a gateway node,
an authorization service node,
a key management service node,
a plurality of microservice containers each comprising a security proxy node, each microservice container associated with a different end user, and
a plurality of service endpoint nodes, each service endpoint node associated with a different end user;
wherein the gateway node:
generates a first signed and encrypted access token based upon a first user access request using the authorization service node and the key management service node, the first user access request received from a first remote computing device associated with a first end user and the first signed and encrypted access token comprising an identifier specific to the first end user;
generates a second signed and encrypted access token based upon a second user access request using the authorization service node and the key management service node, the second user access request received from a second remote computing device associated with a second end user and the second signed and encrypted access token comprising an identifier specific to the second end user;
transmits the first signed and encrypted access token, the first user access request, and a first security certificate received from the authorization service node to a security proxy node of a first one of the plurality of microservice containers that is associated with the first end user;
transmits the second signed and encrypted access token, the second user access request, and a second security certificate received from the authorization service node to a security proxy node of a second one of the plurality of microservice containers that is associated with the second end user; and
wherein the security proxy node of the first microservice container:
validates the first security certificate and the first signed and encrypted access token,
decrypts the first signed and encrypted access token using a first public key from the first security certificate,
determines authorization of the first end user to access a first service endpoint node based upon the decrypted first access token, and
transmits the first user access request to the first service endpoint node to provide the first remote computing device with access to one or more services specific to the first end user based upon the first user access request; and
wherein the security proxy node of the second microservice container:
validates the second security certificate and the second signed and encrypted access token,
decrypts the second signed and encrypted access token using a second public key from the second security certificate,
determines authorization of the second end user to access a second service endpoint node based upon the decrypted second access token, and
transmits the second user access request to the second service endpoint node to provide the second remote computing device with access to one or more services specific to the second end user based upon the second user access request.