Abstract: In some implementations, after one or more users have each been granted a respective access token allowing access to a resource device, revocation data is received by the resource device. The revocation data indicates that the previously granted access to the resource device should be revoked. For example, the revocation data may indicate (i) a user, role, or permission level for which access is revoked and (ii) a duration that access to the resource device was allowed. After receiving the revocation data, the resource device receives token data derived from an access token that allows access to the resource device. The resource device determines that the access token relies on authorization of the user, role, or permission level indicated by the revocation data, and in response, the resource device denies access.

Abstract: In some implementations, after one or more users have each been granted a respective access token allowing access to a resource device, revocation data is received by the resource device. The revocation data indicates that the previously granted access to the resource device should be revoked. For example, the revocation data may indicate (i) a user, role, or permission level for which access is revoked and (ii) a duration that access to the resource device was allowed. After receiving the revocation data, the resource device receives token data derived from an access token that allows access to the resource device. The resource device determines that the access token relies on authorization of the user, role, or permission level indicated by the revocation data, and in response, the resource device denies access.

Abstract: The disclosed embodiments include computerized methods, systems, and devices, including computer programs encoded on a computer storage medium, for device authentication. For example, the resource device may generate and maintain master access tokens, which may be transmitted to a computing system. The computing system may receive, from a device of an owner of the resource device, data granting a client device limited access to the resource device in accordance with various access restrictions. The computing system may generate and provide to the client device a limited version of the master access token that specifies the access restrictions. The client device may present the local access token to the resource device over a direct wireless connection, and the resource device may verify the token and grant the requested access without communication with the computing system.

Abstract: The disclosed embodiments include computerized methods, systems, and devices, including computer programs encoded on a computer storage medium, for establishing secure wireless communications sessions involving low-power devices. A client device may discover a low-power resource device operating within a wireless network. Upon discovery, the client and resource devices may establish mutual randomness, and establish mutual possession of a shared cryptographic key. The resource device may, in some aspects, provide data proving its knowledge of an authentication tag of a local authentication token held confidentially by the client device. If the resource device proves its knowledge of the client device's authentication tag, the client and resource device may establish a secure communication session and generate session keys for subsequent communications.

Abstract: A method of controlling the sharing of data between entities that are in electronic communication with each other may include generating an authentication credential comprising an identifier for the target service and a unique signature, attenuating the authentication credential, and determining whether a client device is authorized to access the target service, and, only if so, providing the authentication credential to the client device. In an embodiment, the method may include receiving an access request from the client device, identifying that the authentication credential includes the unique signature and a third party caveat that is associated with a third party authentication service, in response to the identifying, determining whether the request also comprises a discharge credential for the third party caveat, and if the request includes the discharge credential, providing the client device with the requested service, otherwise denying the request.