Patents by Inventor Antonio Sanso

Antonio Sanso has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20170041144
    Abstract: An HTML document includes a JavaScript element that manages CSRF token use. When the HTML document is rendered, the JavaScript element asynchronously requests a CSRF token from the server. In response, the server generates a JWT using a keyed HMAC algorithm. The resulting JWT, which functions as a CSRF token, is returned to the user where it is stored in a protected variable inside the JavaScript element. The CSRF token is therefore stateless and isn't stored in a server-side repository. When the user later requests access to a server resource, the CSRF token is included in such request. This may be accomplished by adding a hidden input field that includes the CSRF token to the submission that's transmitted to the server. If the server cannot validate the received token using the HMAC key that was originally used to generate the token, the request is considered unauthorized and is not processed.
    Type: Application
    Filed: August 7, 2015
    Publication date: February 9, 2017
    Applicant: Adobe Systems Incorporated
    Inventors: Lars Krapf, Gilles Knobloch, Damien Antipa, Christanto Leonardo, Antonio Sanso
  • Publication number: 20170012980
    Abstract: Techniques are disclosed for protecting the privacy and security of data associated with a web document. A web browser is configured to manipulate the URL, which contains an access token, of a preview web page document before the browser loads external resources (e.g., web page content) linked from the preview web page document. For example, the browser may change a current page URL containing the access token to another sacrificial URL that does not include the token. In addition, the browser will send the sacrificial URL, rather than the original URL, as a referrer to the various resources that provide the web page content, which prevents exposure of the access token to those resources while the web page content is loading. After the web page content is loaded into the browser, the current page URL of the browser is changed back to the original URL.
    Type: Application
    Filed: July 8, 2015
    Publication date: January 12, 2017
    Applicant: ADOBE SYSTEMS INCORPORATED
    Inventors: Antonio Sanso, Damien Antipa
  • Publication number: 20160337369
    Abstract: Methods and systems for controlling access to content include an authentication process that provides for increased speed by reducing, or eliminating in some cases, steps in the authentication process. In particular, the systems and methods can encode content paths previously authenticated for a particular user into an authentication token. When the user attempts to access one of the top content paths, the systems and methods can verify the user based on the encoded authentication token rather than following a complete authentication process.
    Type: Application
    Filed: May 11, 2015
    Publication date: November 17, 2016
    Inventor: Antonio Sanso
  • Publication number: 20160285928
    Abstract: Techniques are disclosed for providing copy/paste support for web conference content. Methods and systems allow copy/paste operations in web conference sessions with multimedia content based on data extracted from conference content transmitted during the web conference. The web conference can connect clients for live sharing of documents, audio, video, applications such as web applications, and web pages. In one embodiment, a conference application can receive content from a first client participating in the web conference. The conference application can extract data items from the content. The conference application can store the extracted data items. The conference application can also receive, from a second client participating in the web conference, a selection of a portion of the conference content.
    Type: Application
    Filed: March 23, 2015
    Publication date: September 29, 2016
    Inventors: Antonio Sanso, Damien Antipa
  • Patent number: 9419959
    Abstract: Methods and systems for authenticating users and assigning authenticated users to groups are provided. A method receives a user credential and email address. The method forwards an authentication request including the email address and credential to a remote authentication provider. Based in part on the presence of a full user name in a received response, the method determines that the user is authenticated. Another method extracts a domain name from a received email address of an authenticated user. In response to determining that the domain name is associated with a group, the method assigns the user to the group. A system includes memory with instructions for assigning an authenticated user to a group. The system receives the user's email address and extracts a domain name from the email address. In response to determining that the domain name is associated with a group, the system assigns the user to the group.
    Type: Grant
    Filed: February 11, 2015
    Date of Patent: August 16, 2016
    Assignee: Adobe Systems Incorporated
    Inventors: Antonio Sanso, Stefan Guggisberg, David Nuescheler
  • Patent number: 9369470
    Abstract: Techniques for user collision detection and handling are described. According to various embodiments, a network resource provides content, services, and so forth, for consumption by authenticated users. To perform authentication tasks, the network resource leverages authentication services. Since a network resource may utilize multiple authentication services, collisions between users may occur. For instance, a user identifier for a user authenticated by one authentication service may match a user identifier for a different user authenticated by a different authentication service. Thus, techniques discussed herein are employed to detect such collisions and to handle the collisions such that users are differentiated from one another for authentication and resource access purposes.
    Type: Grant
    Filed: October 8, 2013
    Date of Patent: June 14, 2016
    Assignee: Adobe Systems Incorporated
    Inventors: Timothee Vincent Maret, Antonio Sanso
  • Publication number: 20160142419
    Abstract: In various implementations, an embedded document receives untrusted content from a containing document, where the embedded document is in the containing document. In some cases, the untrusted content is received by the containing document from a server and is forwarded to the embedded document without rendering the untrusted content in the containing document. Instead, the untrusted content is rendered in the embedded document. A sandbox policy is enforced on the embedded document such that the rendered untrusted content is restricted from accessing data associated with the containing document. The untrusted content may comprise malicious code that when rendered executes an XSS attack that attempts to access the data associated with the containing document. However, because the untrusted content is rendered in the embedded document, the malicious code may be denied access to the data, thereby preventing the XSS attack from succeeding.
    Type: Application
    Filed: November 14, 2014
    Publication date: May 19, 2016
    Inventors: Damien Antipa, Antonio Sanso
  • Patent number: 9300652
    Abstract: Techniques for scoped access to user content are described. According to one or more embodiments, an access token is generated that includes an indication of a scope of permitted access to user content. The access token, for example, can specify scope by identifying a particular category and/or instance of content to which access is permitted. In at least some embodiments, a uniform resource identifier (URI) is used to specify the scope within the access token. When the access token is used to request user content, the URI can be mapped directly to a particular category and/or instance of content. In at least some embodiments, direct mapping obviates the requirement for intermediate mapping and/or translation of the access token to identify requested user content.
    Type: Grant
    Filed: April 14, 2014
    Date of Patent: March 29, 2016
    Assignee: Adobe Systems Incorporated
    Inventors: Antonio Sanso, Simone Tripodi, Paolo Mottadelli
  • Publication number: 20160019274
    Abstract: Embodiments of the present invention provide systems, methods, and computer storage media for facilitating efficient replication of hierarchical structures. In this regard, the number of nodes within a hierarchical structure to replicate is minimized such that the hierarchical structure is more efficiently replicated. Generally, to determine which nodes to replicate, node identifiers, such as hash values, that represent the content of the corresponding nodes can be utilized. In this manner, upon edits being made to content within a hierarchical structure, node identifiers can be updated to reflect the edited content. When a replication operation is initiated, the node identifiers for the current content existing on one computing device can be compared to the node identifiers associated with the previously replicated content on another computing device. The particular nodes to replicate can be based on any discrepancies between the corresponding node identifiers.
    Type: Application
    Filed: July 17, 2014
    Publication date: January 21, 2016
    Inventors: ANTONIO SANSO, TOMMASO TEOFILI
  • Patent number: 9215226
    Abstract: Methods and systems for authenticating users and assigning authenticated users to groups are provided. A method receives a user credential and email address. The method forwards an authentication request including the email address and credential to a remote authentication provider. Based in part on the presence of a full user name in a received response, the method determines that the user is authenticated. Another method extracts a domain name from a received email address of an authenticated user. In response to determining that the domain name is associated with a group, the method assigns the user to the group. A system includes memory with instructions for assigning an authenticated user to a group. The system receives the user's email address and extracts a domain name from the email address. In response to determining that the domain name is associated with a group, the system assigns the user to the group.
    Type: Grant
    Filed: July 24, 2013
    Date of Patent: December 15, 2015
    Assignee: Adobe Systems Incorporated
    Inventors: Antonio Sanso, Stefan Guggisberg, David Nuescheler
  • Publication number: 20150312257
    Abstract: Embodiments of the present invention provide systems, methods, and computer storage media for facilitating user-centric identity management. In this regard, various aspects of identity management are designed to be more transparent to users to bolster user assurance with respect to “behind-the-scenes” procedures of identity management. Generally, indications of data flow between service providers, identity providers, and/or user devices can be provided to the user device for presentation to the user. As a result, visual representations of data flow, notifications of data flow, or the like, can be presented to the user to expose various aspects of identity management. In some embodiments, users may be able to control aspects of identity management, for example, by confirming or preventing data flow between providers.
    Type: Application
    Filed: April 25, 2014
    Publication date: October 29, 2015
    Applicant: ADOBE SYSTEMS INCORPORATED
    Inventors: DAMIEN ANTIPA, ANTONIO SANSO
  • Publication number: 20150296181
    Abstract: Systems and methods for augmenting web conference sessions with multimedia content based on text extracted from audio content transmitted during the web conference. In one embodiment, a conference application or other application can receive audio content from at least one client participating in a web conference. The web conference can connect multiple clients for live sharing of audio and video. The conference application can also extract at least one text item from the audio content. The conference application can also generate augmented electronic content by combining electronic content received via the web conference with additional electronic content based on the at least one text item. The conference application can also provide the augmented electronic content via the web conference.
    Type: Application
    Filed: June 25, 2015
    Publication date: October 15, 2015
    Inventor: Antonio Sanso
  • Publication number: 20150295916
    Abstract: Techniques for scoped access to user content are described. According to one or more embodiments, an access token is generated that includes an indication of a scope of permitted access to user content. The access token, for example, can specify scope by identifying a particular category and/or instance of content to which access is permitted. In at least some embodiments, a uniform resource identifier (URI) is used to specify the scope within the access token. When the access token is used to request user content, the URI can be mapped directly to a particular category and/or instance of content. In at least some embodiments, direct mapping obviates the requirement for intermediate mapping and/or translation of the access token to identify requested user content.
    Type: Application
    Filed: April 14, 2014
    Publication date: October 15, 2015
    Applicant: Adobe Systems Incorporated
    Inventors: Antonio Sanso, Simone Tripodi, Paolo Mottadelli
  • Publication number: 20150254441
    Abstract: Techniques for authentication for online content using an access token are described. According to various embodiments, online content (e.g., webpages and other types of web content) can be served across a variety of different online resources. According to one or more embodiments, an access token is leveraged to enable a user to authenticate with multiple different distributed content resources for access to online content, and without requiring the user to input authentication credentials for each of the content resources.
    Type: Application
    Filed: March 4, 2014
    Publication date: September 10, 2015
    Applicant: Adobe Systems Incorporated
    Inventor: Antonio Sanso
  • Patent number: 9100539
    Abstract: Systems and methods for augmenting web conference sessions with multimedia content based on text extracted from audio content transmitted during the web conference. In one embodiment, a conference application or other application can receive audio content from at least one client participating in a web conference. The web conference can connect multiple clients for live sharing of audio and video. The conference application can also extract at least one text item from the audio content. The conference application can also generate augmented electronic content by combining electronic content received via the web conference with additional electronic content based on the at least one text item. The conference application can also provide the augmented electronic content via the web conference.
    Type: Grant
    Filed: January 16, 2013
    Date of Patent: August 4, 2015
    Assignee: Adobe Systems Incorporated
    Inventor: Antonio Sanso
  • Publication number: 20150156190
    Abstract: Methods and systems for authenticating users and assigning authenticated users to groups are provided. A method receives a user credential and email address. The method forwards an authentication request including the email address and credential to a remote authentication provider. Based in part on the presence of a full user name in a received response, the method determines that the user is authenticated. Another method extracts a domain name from a received email address of an authenticated user. In response to determining that the domain name is associated with a group, the method assigns the user to the group. A system includes memory with instructions for assigning an authenticated user to a group. The system receives the user's email address and extracts a domain name from the email address. In response to determining that the domain name is associated with a group, the system assigns the user to the group.
    Type: Application
    Filed: February 11, 2015
    Publication date: June 4, 2015
    Inventors: Antonio Sanso, Stefan Guggisberg, David Nuescheler
  • Publication number: 20150150109
    Abstract: Techniques are disclosed for authenticated access to a protected resource. A third party application receives a request to access a protected resource, including a bearer token encoded in an HTTP Authorization request header field. The bearer token includes a client identification value that is encrypted and signed in a predefined syntax. The third party application determines whether the bearer token conforms to the predefined bearer token syntax, such as a JavaScript Object Notation Web Token syntax. If the bearer token conforms to the bearer token syntax, the client identification value is extracted from the bearer token. The client identification value is compared to a predefined list of authorized client identification values associated with the protected resource. If the client identification value matches any of the values on the list of authorized values, the bearer token is validated, which permits the third party application to access the protected resource.
    Type: Application
    Filed: November 27, 2013
    Publication date: May 28, 2015
    Applicant: Adobe Systems Incorporated
    Inventors: Tobias Bocanegra, Antonio Sanso, Timothee Maret
  • Publication number: 20150149530
    Abstract: In some embodiments, a first server system of a cloud service can receive a bearer token for accessing the cloud service. The bearer token can be generated based on authenticating a remote client in communication with the first server system. The first server system can determine that a resource of the cloud service is hosted by a second server system of the cloud service rather than the first server system. The resource can be identified using the bearer token. The first server system can provide the bearer token to the remote client along with redirect information for accessing the second server system. The second server system can respond to receiving the bearer token from the remote client by establishing a session with the remote client. The remote client can access the resource via the session with the second server system.
    Type: Application
    Filed: November 27, 2013
    Publication date: May 28, 2015
    Applicant: Adobe Systems Incorporated
    Inventors: Timothée Vincent Maret, Tobias Martin Bocanegra Alvarez, Antonio Sanso
  • Publication number: 20150101030
    Abstract: Techniques for user collision detection and handling are described. According to various embodiments, a network resource provides content, services, and so forth, for consumption by authenticated users. To perform authentication tasks, the network resource leverages authentication services. Since a network resource may utilize multiple authentication services, collisions between users may occur. For instance, a user identifier for a user authenticated by one authentication service may match a user identifier for a different user authenticated by a different authentication service. Thus, techniques discussed herein are employed to detect such collisions and to handle the collisions such that users are differentiated from one another for authentication and resource access purposes.
    Type: Application
    Filed: October 8, 2013
    Publication date: April 9, 2015
    Applicant: Adobe Systems Incorporated
    Inventors: Timothee Vincent Maret, Antonio Sanso
  • Publication number: 20150033297
    Abstract: Methods and systems for authenticating users and assigning authenticated users to groups are provided. A method receives a user credential and email address. The method forwards an authentication request including the email address and credential to a remote authentication provider. Based in part on the presence of a full user name in a received response, the method determines that the user is authenticated. Another method extracts a domain name from a received email address of an authenticated user. In response to determining that the domain name is associated with a group, the method assigns the user to the group. A system includes memory with instructions for assigning an authenticated user to a group. The system receives the user's email address and extracts a domain name from the email address. In response to determining that the domain name is associated with a group, the system assigns the user to the group.
    Type: Application
    Filed: July 24, 2013
    Publication date: January 29, 2015
    Applicant: Adobe Systems Incorporated
    Inventors: Antonio Sanso, Stefan Guggisberg, David Nuescheler