DETAILED ACTION
This Final Office Action is in response to amendment filed on 10/08/2020.
Amended claims 1-10, 17-29 and 31-34 filed on 10/08/2020 are being considered on the merits. Claims 13-15 have been cancelled. Claims 35-36 have been newly added. Claims 1-12, 16-29 and 31-36 remain pending in the application. 

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Drawings
The drawings filed on 06/19/2017 are accepted.

Examiner’s Note
Examiner contacted the applicant’s representative, Ms. Carol E. Thorstad-Forsyth, Reg. No. 56,455, on 01/12/2021 regarding examiner’s proposed amendments to independent claim 1, please see Interview summary and proposed amendments attached, which would overcome the USC 103 rejections in this office action, however, the examiner’s proposed amendments were declined by the applicant. 

Response to Amendment 
The amendment filed 10/08/2020 has been entered.
Applicant’s claims amendments have overcome the claims objections previously set forth in the Non-Final Office Action mailed on 07/16/2020.
 Applicant’s claims amendments have overcome the USC 112(b) rejections previously set forth in the Non-Final Office Action mailed on 07/16/2020.

Response to Arguments filed on 10/08/2020
Applicant, regarding amended claims 1 and 31 stated “Applicant believes that such a method is not taught by the cited references or the suggested combinations thereof. Thus, amended independent claim 1 is believed to be non-obvious in view of the cited references and the suggested combinations thereto, and in condition for allowance. Independent claim 31 is similar to claim 1, albeit different in some ways. Accordingly, claim 31 is also believed to be in condition or allowance at least for the same reasons as claim 1 discussed herein. Each of the dependent claims is allowable at least by virtue of its dependence on an allowable base claim.” 
Examiner respectfully disagrees. Examiner submits that Unnikrishnan-Veeraraghavan teaches the limitations recited in independent claims 1 and 31. Please see detailed rejection below.

Applicant's claim 17 amendments and arguments filed 10/08/2020 have been fully considered. Applicant’s arguments regarding prior art Xu are moot because the arguments do not apply in light of the newly introduced prior arts, Zhang et. al. (US .Please see rationale for rejection below.
Conclusion: Unnikrishnan-Veeraraghavan discloses the aforementioned limitations of independent claims 1 and 31 and Unnikrishnan-Zhang disclose the limitations of claim 17; and render the claims’ limitations obvious before the effective date of the claimed invention.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.

3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

Claims 1-6 and 9-10, 12 and 31-36 are rejected under 35 U.S.C. 103 as being unpatentable over Unnikrishnan et. al. (US 20160094531 A1) (IDS), hereinafter Unnikrishnan in view of Veeraraghavan et. al. (US 20090320103 A1), hereinafter Veeraraghavan.

Regarding claim 1. (Currently Amended) Unnikrishnan teaches A method (Unnikrishnan [0003] “…the present disclosure comprises a device having a memory and a processor.”, [0004] “a computer-readable storage device, having instructions thereon, which when executed on a process cause the processor to execute a process.”, [0016] "FIG. 1 illustrates an overview of a system 100 that may be used to grant access to secured resources of a network...a network may be a distributed environment that includes resources shared by more than one client such as a cloud- computing environment."): 
receiving, by from a client device to access a resource(Unnikrishnan [0030] "Once an authentication component 104 (i.e. computing device) receives an access request from a client", [0025] "client 102 may issue an access request for access to network resource 110"); 
generating, by the computing device, an authentication challenge in response to the request (Unnikrishnan [0030] “Before generating a challenge to the client's access request, the authentication component 104 may check whether the client 102 has issued a response to a previous challenge”, [0031] "The authentication component generates an authentication challenge to authenticate a client for access to a secured resource"), 
issued from the computing device (Unnikrishnan [0031] “Parameters of the authentication challenge may vary…The challenge may also include challenge-specific data that the client 102 uses in a challenge response as criteria to authenticating the client 102”, [0033] “The authentication challenge is designed to be short lived and the authentication component 104 may also maintain state information in a manner that is opaque to the client 102, for example within an authentication session cookie or the encrypted context parameter of the challenge that ensures the challenge is short lived.”, where the data challenge opaque to the client may be authentication cookie included in the challenge as disclosed in [0054], where cookie corresponds to the initial token, where the authentication challenge was generated and issued by the authentication device, i.e. computing device), 
identification of one or more authentication services, and authentication parameters (Unnikrishnan [0030] “…the authentication component may inspect the access request and specifically identify whether the client's application is able to be authenticated using a specific authentication protocol”, [0031] “The authentication component generates an authentication challenge to authenticate a client for access to a secured resource…The authentication challenge is presented in a flexible format that can be tailored to a specific type of authentication (or multiple types of authentication) (i.e. authentication service) …Parameters of the authentication challenge may vary, for example, depending on the application that the client 102 is running or the type of authentication the authentication protocol is determining. The challenge contains information about the requested enforcement criteria to aid the client 102 in determining an authentication credential being requested by the authentication component 104. The challenge includes information that would allow the client 102 to easily locate the authentication credential required to authenticate the client 102 such as data related to an issuer of an authentication credential as an example. The challenge may also include challenge-specific data that the client 102 uses in a challenge response as criteria to authenticating the client 102. This includes secured data that is opaque to the client 102 (e.g., encrypted data). Examples of some of the parameters that may be included in an exemplary authentication challenge are highlighted in Table 1.1 below:”, [0032] , 
examiner asserts that the authentication component would identify a specific authentication protocol for the client device 102, and the authentication parameters/challenge-specific data would aid/allow the client to locate/identify/determine the authentication credentials, to authenticate the client device, where identifying the authentication credentials, flexible format that can be tailored to a specific type of authentication or multiple types of authentications, etc., correspond to knowledge of the authentication protocol and authentication service(s) required),

receiving, by[an updated token] from the client device in response to transmission of the authentication challenge to the client device (Unnikrishnan discloses in [0050] that after receiving challenge, Figure 2 (206) illustrates receiving the challenge response from client 102 to the authentication component 104, where the response includes Auth.Token as disclosed in the table in [0051] “The authentication component 104 evaluates the authentication response once it is received. The response may be evaluated based on rules established by the authentication protocol of the authentication component 104. The authentication component 104 evaluates the response to determine that the response is authentication protocol compliant, for example, determining whether the response includes protocol identification in the header or a user substring appended to the response.”), 
[the updated token generated by inclusion in the initial token of] an indication of authentication of a user of the client device to one or more authentication services, the authentication being accomplished with use of the at least one authentication protocol and the authentication parameters of the challenge response (Unnikrishnan discloses in [0050] that after receiving challenge, Figure 2 (206) illustrates the challenge response from client 102 to the authentication component 104, where the response includes Auth.Token, [0051] “The authentication component 104 evaluates the authentication response once it is received. The response may be evaluated based on rules established by the authentication protocol of the authentication component 104. The authentication component 104 evaluates the response to determine that the response is authentication protocol compliant, for example, determining whether the response includes protocol identification in the header or a user substring appended to the response.”, where the response indicates/includes identified protocol which is determined to be authentication protocol complaint by the authentication server, the challenge response further includes authentication parameters, e.g. nonce in table [0031] 1.1. “Examples of some of the parameters that may be included in an exemplary authentication challenge are highlighted in Table 1.1 below: TABLE-US-00001 TABLE 1.1 Challenge field Value Nonce A unique value issued by the server in its challenge. The client is expected to return this value to the server in its signed response in order to perform authentication. The nonce is also persisted within the encrypted context parameter.”), and 
the indication being included in the initial token by the one or more authentication services as a part of a response to an authentication request from the client device made in response to the authentication challenge (Unnikrishnan discloses in [0031] that the authentication challenge is tailored to specific type of authentication or multiple authentications, corresponding to the authentication service, which the client has to address in its challenge response in order to be granted access, where the authentication server, as disclosed in [051], evaluates the response and determines that the response is authentication protocol is complaint, where the response include a cookie to be checked and evaluated as disclosed in Figure 2 (206) and [0051] ); and 
providing, by the computing device, the client device with access to the authentication of the user of the client device to one or more authentication services [as indicated by the updated token] (Unnikrishnan discloses in Figure 2 the validation process based on the challenge response (206) from the client based on the response which includes the identified protocol being compliant as disclosed in [0051], accordingly and subsequently provide access to resources as disclosed in [0060], where the response has to address “tailored to a specific type of authentication (or multiple types of authentication)”, corresponding to authentication services in order to perform authentication and subsequently the client be granted access to resources).
receiving from the client/computing device a challenge response (206) in response to transmission of the authentication challenge, where the response is illustrated in [0050] as “TABLE-US-00006 Authorization: PKeyAuth AuthToken="<signed JWT>", Context="<same value as in the challenge>", Version="1.0", however, Unnikrishnan does not explicitly disclose that the received from the client/computing device is an updated token.
Veeraraghavan from analogues field of invention discloses an updated token and  receiving, by from the client device in response to transmission of the authentication challenge to the client device (Veeraraghavan discloses in Figure 4 augmented/updated token (Figure 4 (314)) being received by the client/user, where such augmented/updated token (Figure 4 (400)) is further received by the RP-STS from the client/user/computing device, where the further  augmented/updated token (Figure 4 (316)) is eventually received from the client/user/computing device by the service 102, [0027] “The original token may contain sufficient claims, i.e. authentication and privileges, to satisfy the needs of the service 102, or it may not. A process known as claims augmentation can be used to provide any missing claims or to provide supplemental claims which will support authentication and/or authorization of the client. As part of the augmentation process an augmentation request 310 containing the original security token is sent to each claims provider 106 which is registered with the IP-STS 104. Each claims provider will add to the security token those claims which it can assert about the user.”, [0029] “The fully augmented security token is returned to the client 100 as a part of the authorization response 314 to authorization request 304.”, [0033] “The client 100 …supplies the security token generated by the IP-STS 104.”, where the service 102, i.e. computing device, eventually receives augmented token (316), i.e. updated tokens, in response to the authentication request/challenge (302) that identify which claims to be used for authentication and needed for the client (100) to acquire from the IP-STS and RP-STS domains in order for the client to be granted access as disclosed in [0024, 0029]).
the updated token generated by inclusion in the initial token of an indication of authentication of a user of the client device to one or more authentication services, authentication of the user of the client device to one or more authentication services as indicated by the updated token (Veeraraghavan discloses in [0027] “The original token (initial token) may contain sufficient claims, i.e. authentication and privileges, to satisfy the needs of the service 102, or it may not. A process known as claims augmentation can be used to provide any missing claims or to provide supplemental claims which will support authentication and/or authorization of the client”, where the augmentation to update the original token, corresponding to the initial token, indicates the authentication and authorization, i.e. authentication service, required by the client in nodes for the service 102 to grant access as disclosed in [0024, 0029]).
authentication and authorization so that the client is granted access to services within a domain or across domains based on claims/privileges/authorizations provided to the client, as recognized by (Veeraraghavan [0023, 0030, 0033]).

Regarding claim 2. (Currently Amended) Unnikrishnan-Veeraraghavan teaches The method of claim 1, further comprising saving the initial token-by the computing device (Unnikrishnan [0062] “An exemplary authentication component 104 protects authentication artifacts from being misused. As an example, the authentication component 104 may tie an authentication artifact to a client that the authentication artifact was initially issued to. In an example where a device of a client seeks access to multiple secured resources”, examiner asserts that protecting authentication artifacts, which stems from the initial cookies used by the authentication component 104 and connecting them to clients means that the authenticating component 104 is storing the artifacts which stems from the initial token)..  

Regarding claim 3. (Currently Amended) Unnikrishnan-Veeraraghavan teaches The method of claim 1, further comprising, by the computing device(Unnikrishnan [0030] “…the authentication component may inspect the access request and specifically identify whether the client's application is able to be authenticated using a specific authentication protocol”, [0031] “The authentication component generates an authentication challenge to authenticate a client for access to a secured resource…The authentication challenge is presented in a flexible format that can be tailored to a specific type of authentication (i.e. authentication service) (or multiple types of authentication)…Parameters of the authentication challenge may vary, for example, depending on the application that the client 102 is running or the type of authentication the authentication protocol is determining. The challenge contains information about the requested enforcement criteria to aid the client 102 in determining an authentication credential being requested by the authentication component 104. The challenge includes information that would allow the client 102 to easily locate the authentication credential required to authenticate the client 102 such as data related to an issuer of an authentication credential as an example. The challenge may also include challenge-specific data that the client 102 uses in a challenge response as criteria to authenticating the client 102. This includes secured data that is opaque to the client 102 (e.g., encrypted data). Examples of some of the parameters that may be included in an exemplary authentication challenge are highlighted in Table 1.1 below:”, [0032] , examiner asserts that the authentication component would identify a specific authentication protocol for the client device 102, and the authentication parameters/challenge-specific data would aid/allow the client to locate/identify/determine the authentication credentials, to authenticate the client device, where identifying the authentication credentials, etc., correspond to knowledge of the authentication protocol and service required).

Regarding claim 4. (Currently Amended) Unnikrishnan-Veeraraghavan teaches The method of claim 3, further comprising: 
Unnikrishnan does not explicitly and collectively disclose the remaining limitations. 
Veeraraghavan discloses upon receipt of the authentication challenge, transmitting, by the client (Veeraraghavan Figure 4, after receiving the auth. Request 302, i.e. authentication challenge, informing the client 100 which claims/privileges and authorizations are required, the client transmits authentication requests, including auth. Request 400, which comprises  the original token and additional claims provided by IP-STS104); 
receiving lient which comprises an assertion indicating a status of user authentication upon execution of the at least one authentication scheme (Veeraraghavan [0025-0027] Figure 4, illustrates receiving by the client, PR token, which indicates assertion that the client is authorized and privileged for a service, where the assertion of augmenting the original tokens with claim/privileges/authorization is performed upon authenticating one or more claim providers 106 with the client, i.e. executing authentication scheme with the client 100).  
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Unnikrishnan to incorporate the teaching of Veeraraghavan to incorporate augmented tokens, with the motivation of augmenting security token with claims/authentication and authorization so that the client is granted access to services within a domain or across domains based on claims/privileges/authorizations provided to the client, as recognized by (Veeraraghavan [0023, 0030, 0033]).

Regarding claim 5. (Currently Amended) Unnikrishnan-Veeraraghavan teaches The method according to claim 4, further comprising: determining, by the client [updated token], whether all authentication schemes included in the identified authentication protocol have been executed (Unnikrishnan [0059] “After update of the data opaque to the client/authentication session cookie, the client 102 or the authentication component 104 may require additional levels of authentication. For example, in a case where a device authentication was performed during an initial authentication  challenge, a user authentication of the client 102 may still need to be performed (or alternatively another form of authentication such as service or process authentication etc., may need be performed).”); and 
(Unnikrishnan [0021] “…security authorization may include but are not limited to an authentication artifact (e.g. an authentication cookie, single sign-on token, etc.), an access token, a cryptographic hash of data, a cryptographic signature of data or a certificate. The client 102 may present the security authorization to a network resource (i.e. transmitting token) to be granted access to the network resource.”, [0068] “Once the authentication component evaluates the response the challenge, flow proceeds to operation 310 where the client receives a validation result from the authentication component. The validation result may include an authentication artifact if the client is authenticated by the authentication component.”, [0069] “312 where the client attempts to access another resource using an issued authentication artifact.”), 
Unnikrishnan discloses in [0021] The client 102 may present the security authorization to a network resource (i.e. transmitting authorization) to be granted access to the network resource, however, Unnikrishnan does not explicitly disclose updated token and  transmitting the updated token to the resource service. Emphasis in italic.
Veeraraghavan discloses upon determining that all authentication schemes included in the identified authentication protocol have been executed, transmitting the updated token to the computing device (Veeraraghavan discloses in [0033-0034] Figure 4 (316) “This token is then presented 316 to the service which verifies the token and provides service 318 as described above.”, where the transmitting is performed upon authenticating with all the appropriate claims that have been identified in the request as disclosed in [0024]) 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Unnikrishnan to incorporate the teaching of Veeraraghavan to incorporate augmented tokens, with the motivation of augmenting security token with claims/authentication and authorization so that the client is granted access to services within a domain or across domains based on claims/privileges/authorizations provided to the client, as recognized by (Veeraraghavan [0023, 0030, 0033]).

Regarding claim 6. (Currently Amended) Unnikrishnan-Veeraraghavan teaches The method of claim 5,
While Unnikrishnan discloses the aforementioned limitations, including authentication protocols, however Unnikrishnan does not explicitly disclose updated token.
further comprising, by the computing device (Veeraraghavan further discloses in Figure 4 and [0025, 0033-0034] the updated/augmented token received from one or more claim providers 106 and 202 in Figure 4 which enable clients accessing services as discussed above in claim 1., where [0024] “this original request, or subsequent interaction with the service, may identify which claim or claims could be used for authentication. The client 100 sends authentication request 304 to the IP-STS 104 asking that a security token be generated containing appropriate claims.”, where the appropriate claims required for authentication is required for granting access has to be asserted in the augmented token, where the authentication protocol is referred to the authentication protocol required for each claim provider in order to issue the claim to the client).  
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Unnikrishnan to incorporate the teaching of Veeraraghavan to incorporate augmented tokens, with the motivation of augmenting security token with claims/authentication and authorization so that the client is granted access to services within a domain or across domains based on claims/privileges/authorizations provided to the client, as recognized by (Veeraraghavan [0023, 0030, 0033]).

Regarding claim 9. (Currently Amended) Unnikrishnan-Veeraraghavan The method of claim 6, further comprising, by the computing device [updated token] is within a threshold time limit; and granting the request for accessing the resource upon determining that the timestamp is within the threshold time limit (Unnikrishnan [0054-0055] “As examples of parameters that the authentication component 104 validates in the Context parameter or authentication session cookie, the authentication component 104 may include evaluation such as: Check whether the challenge has expired including validation of the timestamp”, where the challenge includes the artifact (e.g., single sign-on cookie or authentication token), which correspond to the token, examiner asserts that setting a timestamp and expiration time correspond to setting a threshold at which the timestamp expires, and validation of the artifact and timestamp for authentication means that access would only be allowed if the timestamp hasn’t expired).
Unnikrishnan does not disclose updated token.
Veeraraghavan discloses the concept of updated token as discussed above in claim 1. Rationale and motivation in claim 1 applies.

Regarding claim 10. (Currently Amended) The method of claim 5, further comprising upon determining that all authentication schemes included in the identified authentication protocol have not been executed, [transmitting the updated token to a given ] (Unnikrishnan [0059] “After update of the data opaque to the client/authentication session cookie, the client 102 or the authentication component 104 may require additional levels of authentication. For example, in a case where a device authentication was performed during an initial authentication challenge, a user authentication of the client 102 may still need to be performed (or alternatively another form of authentication (i.e. second authentication service) such as service or process authentication etc., may need be performed). In this instance, flow proceeds to operation 210 where an additional authentication request is sent by the client 102 and received at the authentication component 104…the client 102 may present the authentication artifact along with the authentication request to an authentication component that originally issued the authentication artifact.”, examiner notes that the “authentication artifact along with the authentication request to an authentication component that originally issued the authentication artifact”).
Unnikrishnan does not explicitly disclose the remaining limitation. Emphasis in italic
Veeraraghavan discloses upon determining that all authentication schemes included in the identified authentication protocol have not been executed, transmitting the updated token to a second authentication service (Veeraraghavan discloses in [0033-034] and figure 4 (400) transmitting augmented token to claim provider 202 in order to enable client access to service in second domain, where the Veeraraghavan discloses in [0024] identifying “appropriate claims” for accessing the service, and Figure 4 illustrates the claim providers 106 and 202 are required to authenticate with the client and update/augment the token accordingly, in order for the client to be granted access to service, where the different claim providers are providing authentication services, examiner asserts that the client is aware that 106 has not provided all the claims/privileges/authorizations identified in [0024], therefore the client seek another claim providers 202 as authentication service to authenticate with the client and to be indicated in the augmented/updated token)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Unnikrishnan to incorporate the teaching of Veeraraghavan to incorporate augmented tokens, with the motivation of augmenting security token with claims/authentication and authorization so that the client is granted access to services within a domain or across domains, as recognized by (Veeraraghavan [0023, 0030, 0033]).

Regarding claim 12. (Previously Presented) Unnikrishnan-Veeraraghavan teaches The method of claim 1, wherein the request comprises user information identifying the user (Unnikrishnan discloses in [0059] that the request may include “a user authentication of the client 102 …authentication request including identifying that the client 102 provided an authentication artifact proving that the client 102 has already been authenticated.”, where a request identifying that a client provides authentication artifacts establishing that the client is authenticated, corresponds to user information).  

Regarding claim 31. (Currently Amended) Unnikrishnan teaches A (Unnikrishnan [0003] “…the present disclosure comprises a device having a memory and a processor.”, [0004] “a computer-readable storage device, having instructions thereon, which when executed on a process cause the processor to execute a process.”, [0016] "FIG. 1 illustrates an overview of a system 100 that may be used to grant access to secured resources of a network...a network may be a distributed environment that includes resources shared by more than one client such as a cloud- computing environment.") wherein the programming instructions comprise instructions to: 
receivea request from a client device to access a resource(Unnikrishnan [0030] "Once an authentication component 104 (i.e. computing device) receives an access request from a client", [0025] "client 102 may issue an access request for access to network resource 110")
generate an authentication challenge in response to the request- (Unnikrishnan [0030] “Before generating a challenge to the client's access request, the authentication component 104 may check whether the client 102 has issued a response to a previous challenge”, [0031] "The authentication component generates an authentication challenge to authenticate a client for access to a secured resource"), 
issued from the computing device (Unnikrishnan [0031] “Parameters of the authentication challenge may vary…The challenge may also include challenge-specific data that the client 102 uses in a challenge response as criteria to authenticating the client 102”, [0033] “The authentication challenge is designed to be short lived and the authentication component 104 may also maintain state information in a manner that is opaque to the client 102, for example within an authentication session cookie or the encrypted context parameter of the challenge that ensures the challenge is short lived.”, where the data challenge opaque to the client may be authentication cookie included in the challenge as disclosed in [0054], where cookie corresponds to the initial token, where the authentication challenge was generated and issued by the authentication device, i.e. computing device), 
identification of one or more authentication services, and authentication parameters (Unnikrishnan [0030] “…the authentication component may inspect the access request and specifically identify whether the client's application is able to be authenticated using a specific authentication protocol”, [0031] “The authentication component generates an authentication challenge to authenticate a client for access to a secured resource…The authentication challenge is presented in a flexible format that can be tailored to a specific type of authentication (or multiple types of authentication) (i.e. authentication service) …Parameters of the authentication challenge may vary, for example, depending on the application that the client 102 is running or the type of authentication the authentication protocol is determining. The challenge contains information about the requested enforcement criteria to aid the client 102 in determining an authentication credential being requested by the authentication component 104. The challenge includes information that would allow the client 102 to easily locate the authentication credential required to authenticate the client 102 such as data related to an issuer of an authentication credential as an example. The challenge may also include challenge-specific data that the client 102 uses in a challenge response as criteria to authenticating the client 102. This includes secured data that is opaque to the client 102 (e.g., encrypted data). Examples of some of the parameters that may be included in an exemplary authentication challenge are highlighted in Table 1.1 below:”, [0032] , 
examiner asserts that the authentication component would identify a specific authentication protocol for the client device 102, and the authentication parameters/challenge-specific data would aid/allow the client to locate/identify/determine the authentication credentials, to authenticate the client device, where identifying the authentication credentials, flexible format that can be tailored to a specific type of authentication or multiple types of authentications, etc., correspond to knowledge of the authentication protocol and authentication service(s) required)
receive [updated token] from the client device in response to transmission of the authentication challenge to the client device (Unnikrishnan discloses in [0050] that after receiving challenge, Figure 2 (206) illustrates receiving the challenge response from client 102 to the authentication component 104, where the response includes Auth.Token as disclosed in the table in [0051] “The authentication component 104 evaluates the authentication response once it is received. The response may be evaluated based on rules established by the authentication protocol of the authentication component 104. The authentication component 104 evaluates the response to determine that the response is authentication protocol compliant, for example, determining whether the response includes protocol identification in the header or a user substring appended to the response.”), 
[the updated token generated by inclusion in the initial token] of an indication of authentication of a user of the client device to the one or more authentication services, the authentication being accomplished with use of the at least one authentication protocol and the authentication parameters of the challenge response (Unnikrishnan discloses in [0050] that after receiving challenge, Figure 2 (206) illustrates the challenge response from client 102 to the authentication component 104, where the response includes Auth.Token, [0051] “The authentication component 104 evaluates the authentication response once it is received. The response may be evaluated based on rules established by the authentication protocol of the authentication component 104. The authentication component 104 evaluates the response to determine that the response is authentication protocol compliant, for example, determining whether the response includes protocol identification in the header or a user substring appended to the response.”, where the response indicates/includes identified protocol which is determined to be authentication protocol complaint by the authentication server, the challenge response further includes authentication parameters, e.g. nonce in table [0031] 1.1. “Examples of some of the parameters that may be included in an exemplary authentication challenge are highlighted in Table 1.1 below: TABLE-US-00001 TABLE 1.1 Challenge field Value Nonce A unique value issued by the server in its challenge. The client is expected to return this value to the server in its signed response in order to perform authentication. The nonce is also persisted within the encrypted context parameter.”), and 
the indication being included in the initial token by the one or more authentication services as part of a response to an authentication request from the client device made in response to the authentication challenge (Unnikrishnan discloses in [0031] that the authentication challenge is tailored to specific type of authentication or multiple authentications, corresponding to the authentication service, which the client has to address in its challenge response in order to be granted access, where the authentication server, as disclosed in [051], evaluates the response and determines that the response is authentication protocol is complaint, where the response include a cookie to be checked and evaluated as disclosed in Figure 2 (206) and [0051] ); and 
provide the client authentication of the user of the client device to the one or more authentication services [as indicated by the updated token](Unnikrishnan discloses in Figure 2 the validation process based on the challenge response (206) from the client based on the response which includes the identified protocol being compliant as disclosed in [0051], accordingly and subsequently provide access to resources as disclosed in [0060], where the response has to address “tailored to a specific type of authentication (or multiple types of authentication)”, corresponding to authentication services in order to perform authentication and subsequently the client be granted access to resources).
While Unnikrishnan discloses in [0058] updating opaque data/authentication session cookie for client to use for subsequent access, which suppresses the process of performing an authentication challenge on the client, Unnikrishnan further discloses receiving from the client/computing device a challenge response (206) in response to transmission of the authentication challenge, where the response is illustrated in [0050] as “TABLE-US-00006 Authorization: PKeyAuth AuthToken="<signed JWT>", Context="<same value as in the challenge>", Version="1.0", however, Unnikrishnan does not explicitly disclose that the received from the client/computing device is an updated token.
Veeraraghavan from analogues field of invention disclose receive from the computing device an updated token from the client device in response to transmission of the authentication challenge to the client device (Veeraraghavan discloses in Figure 4 augmented/updated token (Figure 4 (314)) being received by the client/user, where such augmented/updated token (Figure 4 (400)) is further received by the RP-STS from the client/user/computing device, where the further  augmented/updated token (Figure 4 (316)) is eventually received from the client/user/computing device by the service 102, [0027] “The original token may contain sufficient claims, i.e. authentication and privileges, to satisfy the needs of the service 102, or it may not. A process known as claims augmentation can be used to provide any missing claims or to provide supplemental claims which will support authentication and/or authorization of the client. As part of the augmentation process an augmentation request 310 containing the original security token is sent to each claims provider 106 which is registered with the IP-STS 104. Each claims provider will add to the security token those claims which it can assert about the user.”, [0029] “The fully augmented security token is returned to the client 100 as a part of the authorization response 314 to authorization request 304.”, [0033] “The client 100 …supplies the security token generated by the IP-STS 104.”, where the service 102, i.e. computing device, eventually receives augmented token (316), i.e. updated tokens, in response to the authentication request/challenge (302) that identify which claims to be used for authentication and needed for the client (100) to acquire from the IP-STS and RP-STS domains in order for the client to be granted access as disclosed in [0024, 0029]).
the updated token generated by inclusion in the initial token] of an indication of authentication of a user of the client device to the one or more authentication services, authentication of the user of the client device to the one or more authentication services as indicated by the updated token (Veeraraghavan discloses in [0027] “The original token (initial token) may contain sufficient claims, i.e. authentication and privileges, to satisfy the needs of the service 102, or it may not. A process known as claims augmentation can be used to provide any missing claims or to provide supplemental claims which will support authentication and/or authorization of the client”, where the augmentation to update the original token, corresponding to the initial token, indicates the authentication and authorization, i.e. authentication service, required by the client in nodes for the service 102 to grant access as disclosed in [0024, 0029]).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Unnikrishnan to incorporate the teaching of Veeraraghavan to incorporate augmented tokens, with the motivation of augmenting security token with claims/authentication and authorization so that the client is granted access to services within a domain or across domains based on claims/privileges/authorizations provided to the client, as recognized by (Veeraraghavan [0023, 0030, 0033]).

Regarding claim 32. (Currently Amended) The 
wherein the programming instructions further comprise instructions to cause the client device
Unnikrishnan does not explicitly and collectively disclose the remaining limitations. 
 transmitthat comprises the initial token (Veeraraghavan Figure 4, after receiving the auth. Request 302, i.e. authentication challenge, informing the client 100 which claims/privileges and authorizations are required, the client transmits authentication requests, including auth. Request 400, which comprises  the original token and additional claims provided by IP-STS104); 
receive the[[an]] updated tokenthat comprises an assertion indicating a status of user authentication upon execution of the at least one authentication scheme (Veeraraghavan [0025-0027] Figure 4, illustrates receiving by the client, PR token, which indicates assertion that the client is authorized and privileged for a service, where the assertion of augmenting the original tokens with claim/privileges/authorization is performed upon authenticating one or more claim providers 106 with the client, i.e. executing authentication scheme with the client 100).  
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Unnikrishnan to incorporate the teaching of Veeraraghavan to incorporate augmented tokens, with the motivation of augmenting security token with claims/authentication and authorization so that the client is granted access to services within a domain or across domains based on claims/privileges/authorizations provided to the client, as recognized by (Veeraraghavan [0023, 0030, 0033]).
  
Regarding claim 33. (Currently Amended) Unnikrishnan-Veeraraghavan teaches The client 
determine, upon receipt of the [updated token], whether all authentication schemes included in the identified authentication protocol have been executed (Unnikrishnan [0059] “After update of the data opaque to the client/authentication session cookie, the client 102 or the authentication component 104 may require additional levels of authentication. For example, in a case where a device authentication was performed during an initial authentication  challenge, a user authentication of the client 102 may still need to be performed (or alternatively another form of authentication such as service or process authentication etc., may need be performed).”); and 
upon determining that all authentication schemes included in the identified authentication protocol have been executed, [transmit the updated token to the processor (Unnikrishnan [0021] “…security authorization may include but are not limited to an authentication artifact (e.g. an authentication cookie, single sign-on token, etc.), an access token, a cryptographic hash of data, a cryptographic signature of data or a certificate. The client 102 may present the security authorization to a network resource (i.e. transmitting token) to be granted access to the network resource.”, [0068] “Once the authentication component evaluates the response the challenge, flow proceeds to operation 310 where the client receives a validation result from the authentication component. The validation result may include an authentication artifact if the client is authenticated by the authentication component.”, [0069] “312 where the client attempts to access another resource using an issued authentication artifact.”).  
Unnikrishnan discloses in [0021] The client 102 may present the security authorization to a network resource (i.e. transmitting authorization) to be granted access to the network resource, however, Unnikrishnan does not explicitly disclose updated token and  transmitting the updated token to the resource service. Emphasis in italic.
processor (Veeraraghavan discloses in [0033-0034] Figure 4 (316) “This token is then presented 316 to the service which verifies the token and provides service 318 as described above.”, where the transmitting is performed upon authenticating with all the appropriate claims that have been identified in the request as disclosed in [0024]).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Unnikrishnan to incorporate the teaching of Veeraraghavan to incorporate augmented tokens, with the motivation of augmenting security token with claims/authentication and authorization so that the client is granted access to services within a domain or across domains based on claims/privileges/authorizations provided to the client, as recognized by (Veeraraghavan [0023, 0030, 0033]).

Regarding claim 34. (Currently Amended) Unnikrishnan-Veeraraghavan teaches The [updated token] satisfy the identified authentication protocol (Unnikrishnan [0069] “operation 312 where the client attempts to access another resource using an issued authentication artifact…When both the client and the authentication artifact are validated, flow may proceed to operation 314 where the client is granted access to the secured resource.”). 
Unnikrishnan does not disclose updated token
Veeraraghavan discloses the updated token as discussed above in claim 32. Rationale and motivation of claim 32 applies.

Regarding claim 35. (New) Unnikrishnan-Veeraraghavan teaches The method according to claim 1, 
Unnikrishnan does not disclose the remaining limitations.
Veeraraghavan discloses wherein the initial token includes information specifying performance of an execution of the at least one authentication protocol by the one or more authentication services (Veeraraghavan discloses in [0027-0029] and Figure 4 augmenting the original/initial token by a number of claim providers attesting to the user’s authenticity, such that the original/initial token will include claims, i.e. authentication and/or authorization of the client indicating that the client has been authenticated via an authentication protocol/scheme e.g. [0025] (i.e. password, biometric scan, magnetic card swipe, etc.)).  
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Unnikrishnan to incorporate the teaching of Veeraraghavan to incorporate augmented tokens, with the motivation of augmenting security token with claims/authentication and authorization so that the client is granted access to services within a domain or across domains based on claims/privileges/authorizations provided to the client, as recognized by (Veeraraghavan [0023, 0030, 0033]).

Regarding claim 36. (New) Unnikrishnan-Veeraraghavan teaches The method according to claim 1, 
Unnikrishnan teaches in e.g. [0031] authenticating device presenting to the client a challenge indicating the required type of authentications and protocols to be performed, in response the client provide a response which is evaluated to determine whether it indicates that the response is authentication protocol compliant. Therefore, Unnikrishnan discloses the indication comprises assertion indicating compliance, i.e. the client has utilized the required protocol and scheme to authenticate. However, Unnikrishnan does not disclose that the indication is in the context of the updated token.
 Veeraraghavan teaches wherein the indication comprises an assertion indicating a status of user authentication upon execution of at least one authentication scheme (Veeraraghavan discloses in e.g. [0025, 0027] Figure 4 the updated token 406 comprises the original token augmented with claims/privileges indicating that the client has been authenticated with the claim providers 106 and 202, such that when the client transmit 316 the augmented token to the service, the service is able to evaluate that the authentication has been performed between the client the claim providers 106 and 202, [0025] “the user will interact with the claims provider 106 to supply the required criteria (i.e. password, biometric scan, magnetic card swipe, etc.). Once the user has supplied the proper information, the claims provider 106 will generate and populate a security token containing the claims which the selected claims provider 106 can assert about the user.”). 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Unnikrishnan to incorporate the teaching of Veeraraghavan to incorporate augmented tokens, with the motivation of augmenting security token with claims/authentication and authorization so that the client is granted access to services within a domain or across domains based on claims/privileges/authorizations provided to the client, as recognized by (Veeraraghavan [0023, 0030, 0033]).

Claim 7-8 is rejected under 35 U.S.C. 103 as being unpatentable over Unnikrishnan-Veeraraghavan and further in view of Orozco et. al. (US 9935934 B1), hereinafter Orozco.

Regarding claim 7. (Currently Amended) Unnikrishnan-Veeraraghavan teaches The method of claim 6, further comprising, 
Unnikrishnan-Veeraraghavan does not disclose that such token are discarded after access is granted.
Orozco from analogues field of invention teaches by the computing device(Orozco Col. 9 line 35-45 “upon the expiration time threshold being satisfied (e.g., the time or time period for which the third-party resource access token can be used to access the third-party resource, has been reached or met), the third-party resource access token is removed from the token repository.”).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Unnikrishnan to incorporate the teaching of Orozco to discard tokens from the resource service after granting access, with the motivation of enhancing security, protection and controlling authorization access to resources by setting a threshold time allowed for when the access token is available and then removed, as recognized by (Orozco Col. 9 line 35-45).

 Regarding claim 8. (Currently Amended) Unnikrishnan-Veeraraghavan teaches The method of claim 6, further comprising, 
Unnikrishnan-Veeraraghavan does not disclose that such token are discarded after access is granted.
Orozco from analogues field of invention teaches by the computing device(Orozco Col. 9 line 35-45 “upon the expiration time threshold being satisfied (e.g., the time or time period for which the third-party resource access token can be used to access the third-party resource, has been reached or met), the third-party resource access token is removed from the token repository.”).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Unnikrishnan to incorporate the teaching of Orozco to discard tokens from the resource service after granting access, removed, as recognized by (Orozco Col. 9 line 35-45).
  
Claim 11 is rejected under 35 U.S.C. 103 as being unpatentable over Unnikrishnan-Veeraraghavan and further in view of McMurtry et. al. (US 20160191528 A1), hereinafter McMurtry.

Regarding claim 11. (Previously Presented) Unnikrishnan-Veeraraghavan teaches The method of claim 1, 
Unnikrishnan discloses initial token and Veeraraghavan discloses the original token, which eventually is augmented/updated with authorization indicating authentication of the client with claim providers, however, Unnikrishnan-Veeraraghavan does not explicitly teach the remaining limitations.
McMurtry from analogues field of invention teaches wherein the initial token comprises an initial assertion indicating successful authentication of one or more authentication credentials included in the access request (McMurtry discloses in [0054] Figure 5 the access request (512) to resources protected resources interfaced by web service, web service response to the client 102 as shown in Figure 5 (514), indicating that it considered the user credentials and additional credentials and authentication may be required as disclosed in [0030-0032] and Figure 2 (204-208). Examiner notes that Figure 2 (204) is the first initial authentication to determine whether additional credentials/authentication is required, if so, then proceed to step Figure (204)  by sending a response to the client as shown in [0054] Figure 5 (514) directing the client to the authentication service to completed authentication, [0032] discloses “quality of the credentials already included with the request…”. Examiner asserts that the sending a response from the web service Figure 5 (514) directing the client in Figure 5 (102) to the authentication service (108) seeking additional authentication correspond to initial token indicating success of initial credentials.
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Unnikrishnan to incorporate the teaching of McMurtry to utilize authentication of initial credentials and authentication, with the motivation of enhancing security and controlling access to web services and protection of resources, as recognized by (McMurtry, [0005, 0030-0032]).

13. (Canceled). 4 113830089Application No. 15/626,881Docket No.: ID1282US2(161095.00025) Amendment dated: October 8, 2020 Reply to Non-Final Office Action dated July 16, 2020  

14. (Canceled).  

15. (Canceled).  

Claim 16 is rejected under 35 U.S.C. 103 as being unpatentable over Unnikrishnan-Veeraraghavan and further in view of Zhu et. al. (US 20180227288 A1), hereinafter Zhu.

Regarding claim 16. (Original) Unnikrishnan-Veeraraghavan teaches The method of claim 1, 
While Unnikrishnan-Veeraraghavan teaches the aforementioned limitations and further teaches accessing secured network resources (Unnikrishnan Figure 1, Abstract), however, Unnikrishnan-Veeraraghavan does not disclose that one example of secured/protected resources include self-service password reset service.
Zhu from analogues field of intentioned teaches wherein the resource is a self-service password reset service (Zhu [0015] and Figure 2 user requesting “a password reset service”).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Unnikrishnan-Veeraraghavan to incorporate the teaching of Zhu to utilize password reset service, with the motivation of resetting passwords by users to enhance security and mitigate breaches, as recognized by (Zhu [0001, 0005]).

 Claim 17-19 and 27-29 are rejected under 35 U.S.C. 103 as being unpatentable over Unnikrishnan in view of Zhang et. al. (US 20150334099 A1), hereinafter Zhang.
 
Regarding claim 17. (Currently Amended) A (Unnikrishnan [0003] “…the present disclosure comprises a device having a memory and a processor.”, [0004] “a computer-readable storage device, having instructions thereon, which when executed on a process cause the processor to execute a process.”, [0016] "FIG. 1 illustrates an overview of a system 100 that may be used to grant access to secured resources of a network...a network may be a distributed environment that includes resources shared by more than one client such as a cloud- computing environment.", examiner notes that authentication component 104 corresponding to a service for authentication), 
wherein the programming instructions comprise instructions to: 
receive, from a computing device associated with a user, an access request to access a resource associated with a[[the]] resource service (Unnikrishnan [0030] "Once an authentication component 104 receives an access request from a client (i.e. computing device)", [0025] :" client 102 may issue an access request for access to network resource 110"); 
determine context information corresponding to the access request (Unnikrishnan [0030] "…component 104 by inspecting a user string or header of the access request.", "user string or header" corresponds to "context information"); 
[assign an authentication level to the access request based on at least one contextual element of the context information, the at least one contextual element comprising a current operational state of the computing device or resource] 

[use the authentication level to] identify an authentication protocol to authenticate the user, wherein the authentication protocol comprises at least one authentication scheme (Unnikrishnan [0029] “…the client 102 may append a user agent string or special data string in the access request to indicate that it is able to authenticate using the authentication protocol, for example receive challenges issued by an authentication protocol...the client 102 may also specify the version of the authentication protocol supported by it in its access request to the authentication component 104.”, where the authentication component uses the information in the string indicating a corresponding authentication protocol, Unnikrishnan further discloses [0030] "the authentication component may inspect the access request and specifically identify whether the client's application is able to be authenticated using a specific authentication protocol.”, [0054] “…the authentication component 104 may apply policy rules set by the authentication protocol or administrator to the data included in or with the authentication challenge.”); 
generate an authentication challenge (Unnikrishnan [0031] "The authentication component generates an authentication challenge to authenticate a client for access to a secured resource"), 
wherein the authentication challenge comprises an initial token and authentication parameters corresponding to the identified authentication protocol (Unnikrishnan [0031] “Parameters of the authentication challenge may vary…The challenge may also include challenge-specific data that the client 102 uses in a challenge response as criteria to authenticating the client 102”, [0033] “[0033] The authentication challenge is designed to be short lived and the authentication component 104 may also maintain state information in a manner that is opaque to the client 102, for example within an authentication session cookie or the encrypted context parameter of the challenge that ensures the challenge is short lived.”, where the data challenge opaque to the client may be authentication cookie included in the challenge as disclosed in [0054], where cookie corresponds to the initial token); and 
transmit the authentication challenge to the computing device (Unnikrishnan [0025] “…the client 102 was authenticated by a challenge issued by the authentication component 104").  
While Unnikrishnan discloses the aforementioned limitations, where Unnikrishnan discloses in [0019] As examples, the authentication component 104 may perform complex authentication where one or more levels of authentication are enforced using multiple pieces of enforcement criteria, however, Unnikrishnan does not disclose the authentication level assigned to the user at the time of the request.
Zhang from analogues field of invention teaches assign an authentication level to the access request based on at least one contextual element of the context information, the at least one contextual element comprising a current operational state of the computing device or resource (Zhang Figure 5 discloses [0070] “a customer enters a selected service channel when user device 401 sends a service request with a previously created authentication token 404 at block 501…The recommended authenticators are used to increase the authentication level (i.e. assigning authentication level) with respect to the contained authentication level in the authentication token at block 503…the service channel continues to challenge user device 401 with one or more additional authenticators at block 505 until the target authentication level is reached for the selected service channel at block 504.”, [0071] “At block 506, authentication hub 405 creates or updates authentication token 404 with the attained authentication level from blocks 504 and 505. The selected service channel then uses the attained authentication level to access one or more protected resources…the customer may request an account inquiry through the customer's desktop computer, requiring a medium level of authentication. However, if the customer were requesting a money transfer, the required level of authentication may be higher since money may be transferred from the customer's account”, where the authentication level is assigned to the access request based on the contextual information of the request, where the request comprises information pertaining to the operational state of the resource, e.g. whether to perform account inquiry or performing money transfer, furthermore, user device attributes are disclosed as part of the request as disclosed in [0090], which can also be construed as contextual information),
use the authentication level to] identify an authentication protocol to authenticate the user (Zhang Figure 6 illustrates the authentication levels and their corresponding authentication protocols as disclosed in [0073]).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Unnikrishnan to incorporate the teaching of Zhang to utilize the feature of authentication level as disclosed above, with 

Regarding claim 18. (Currently Amended) Unnikrishnan-Zhang teaches The (Unnikrishnan [0062] “An exemplary authentication component 104 protects authentication artifacts from being misused. As an example, the authentication component 104 may tie an authentication artifact to a client that the authentication artifact was initially issued to. In an example where a device of a client seeks access to multiple secured resources”, examiner asserts that protecting authentication artifacts, which stems from the initial cookies used by the authentication component 104 and connecting them to clients means that the authenticating component 104 is storing the artifacts which stems from the initial token).

Regarding claim 19. (Currently Amended) Unnikrishnan-Zhang teaches The (Unnikrishnan [0030] “…the authentication component may inspect the access request and specifically identify whether the client's application is able to be authenticated using a specific authentication protocol”, [0031] “The authentication component generates an authentication challenge to authenticate a client for access to a secured resource…The authentication challenge is presented in a flexible format that can be tailored to a specific type of authentication (i.e. authentication service) (or multiple types of authentication)…Parameters of the authentication challenge may vary, for example, depending on the application that the client 102 is running or the type of authentication the authentication protocol is determining. The challenge contains information about the requested enforcement criteria to aid the client 102 in determining an authentication credential being requested by the authentication component 104. The challenge includes information that would allow the client 102 to easily locate the authentication credential required to authenticate the client 102 such as data related to an issuer of an authentication credential as an example. The challenge may also include challenge-specific data that the client 102 uses in a challenge response as criteria to authenticating the client 102. This includes secured data that is opaque to the client 102 (e.g., encrypted data). Examples of some of the parameters that may be included in an exemplary authentication challenge are highlighted in Table 1.1 below:”, [0032] , examiner asserts that the authentication component would identify a specific authentication protocol for the client device 102, and the authentication parameters/challenge-specific data would aid/allow the client to locate/identify/determine the authentication credentials to authenticate the client device, where identifying the authentication credentials, etc., correspond to knowledge of the authentication protocol and service required).
  
Regarding claim 27. (Currently Amended) Unnikrishnan-Zhang teaches The (Unnikrishnan discloses in [0059] that the request may include “a user authentication of the client 102 …authentication request including identifying that the client 102 provided an authentication artifact proving that the client 102 has already been authenticated.”, where a request identifying that a client provides authentication artifacts establishing that the client is authenticated, corresponds to user information, examiner asserts that for the authentication component to authenticate and validate the user, indicates knowledge of the user from the request and determining whether the client has already been authenticated).  

Regarding claim 28. (Currently Amended) Unnikrishnan-Zhang teaches The [based on the user information] (Unnikrishnan discloses in [0030] context information in terms of user string or header of the access request).  
Unnikrishnan does not disclose based on the user information
Zhang discloses context information based on the user information (Zhang discloses in [0064] the authentication of the request is based on information collected about the customer/user, i.e. user information, [0064] “Who the customer is: facial and/or voice characteristics; fingerprint characteristics of the user What the customer knows:…”  )
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Unnikrishnan to incorporate the teaching of Zhang to utilize the feature of authentication level as disclosed above, with the motivation of enhancing security and protect access to resources based on the type of requests, as recognized by (Zhang [0071]).

Regarding claim 29. (Currently Amended) Unnikrishnan-Zhang teaches The 
Unnikrishnan does not disclose the below limitation.
wherein the context information comprises one or more of the following: one or more characteristics of the user, one or more characteristics of the resource (Zhang [0067] whether the request is associated with context information that comprises resources for account enquiry or money transfer, etc.), or one or more characteristics of the computing device (Zhang user device attributes are disclosed as part of the request as disclosed in [0090], which can also be construed as contextual information).  
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Unnikrishnan to incorporate the teaching of Zhang to utilize the feature of authentication level as disclosed above, with .

Claims 20-22 and 25 are rejected under 35 U.S.C. 103 as being unpatentable over Unnikrishnan-Zhang and further in view of Veeraraghavan.

Regarding claim 20. (Currently Amended) Unnikrishnan-Zhang teaches The 
Unnikrishnan-Zhang does not explicitly and collectively disclose the remaining limitations. 
Veeraraghavan from analogues field of invention discloses 
wherein the programming instructions further comprise instructions to cause the computing device 
transmit that comprises the initial token (Veeraraghavan Figure 4, after receiving the auth. Request 302, i.e. authentication challenge, informing the client 100 which claims/privileges and authorizations are required, the client transmits authentication requests, including auth. Request 400, which comprises the original token and additional claims provided by IP-STS104); 
receive that comprises an assertion indicating a status of user authentication upon (Veeraraghavan [0025-0027] Figure 4, illustrates receiving by the client, PR token, which indicates assertion that the client is authorized and privileged for a service, where the assertion of augmenting the original tokens with claim/privileges/authorization is performed upon authenticating one or more claim providers 106 with the client, i.e. executing authentication scheme with the client 100).  
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Unnikrishnan to incorporate the teaching of Veeraraghavan to incorporate augmented tokens, with the motivation of augmenting security token with claims/authentication and authorization so that the client is granted access to services within a domain or across domains based on claims/privileges/authorizations provided to the client, as recognized by (Veeraraghavan [0023, 0030, 0033]).

Regarding claim 21. (Currently Amended) Unnikrishnan-Zhang-Veeraraghavan teaches The 
determine, upon receipt of the [updated token], whether all authentication schemes included in the identified authentication protocol have been executed (Unnikrishnan [0059] “After update of the data opaque to the client/authentication session cookie, the client 102 or the authentication component 104 may require additional levels of authentication. For example, in a case where a device authentication was performed during an initial authentication  challenge, a user authentication of the client 102 may still need to be performed (or alternatively another form of authentication such as service or process authentication etc., may need be performed).”); and 
upon determining that all authentication schemes included in the identified authentication protocol have been executed (Unnikrishnan [0021] “…security authorization may include but are not limited to an authentication artifact (e.g. an authentication cookie, single sign-on token, etc.), an access token, a cryptographic hash of data, a cryptographic signature of data or a certificate. The client 102 may present the security authorization to a network resource (i.e. transmitting token) to be granted access to the network resource.”, [0068] “Once the authentication component evaluates the response the challenge, flow proceeds to operation 310 where the client receives a validation result from the authentication component. The validation result may include an authentication artifact if the client is authenticated by the authentication component.”, [0069] “312 where the client attempts to access another resource using an issued authentication artifact.”), 
Zhang disclose updating the authentication token, updated token with the achieved authentication level, however, Unnikrishnan-Zhang does not explicitly and collectively disclose the remaining limitations. 
Veeraraghavan teaches upon determining that all authentication schemes included in the identified authentication protocol have been executed, transmit the (Veeraraghavan discloses in [0033-0034] Figure 4 (316) “This token is then presented 316 to the service which verifies the token and provides service 318 as described above.”, where the transmitting is performed upon authenticating with all the appropriate claims that have been identified in the request as disclosed in [0024]).  

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Unnikrishnan to incorporate the teaching of Veeraraghavan to incorporate augmented tokens, with the motivation of augmenting security token with claims/authentication and authorization so that the client is granted access to services within a domain or across domains based on claims/privileges/authorizations provided to the client, as recognized by (Veeraraghavan [0023, 0030, 0033]).

Regarding claim 22. (Currently Amended) Unnikrishnan-Zhang-Veeraraghavan The [updated token] satisfy the identified authentication protocol (Unnikrishnan [0069] “operation 312 where the client attempts to access another resource using an issued authentication artifact…When both the client and the authentication artifact are validated, flow may proceed to operation 314 where the client is granted access to the secured resource.”).

Veeraraghavan discloses the updated token as discussed above in claim 21. Rationale and motivation applies.

Regarding claim 25. (Currently Amended) Unnikrishnan-Zhang-Veeraraghavan The [updated token] is within a threshold time limit; and grant the access request for accessing the resource upon determining that the timestamp is within the threshold time limit (Unnikrishnan [0054-0055] “As examples of parameters that the authentication component 104 validates in the Context parameter or authentication session cookie, the authentication component 104 may include evaluation such as: Check whether the challenge has expired including validation of the timestamp”, where the challenge includes the artifact (e.g., single sign-on cookie or authentication token), which correspond to the token, examiner asserts that setting a timestamp and expiration time correspond to setting a threshold at which the timestamp expires, and validation of the artifact and timestamp for authentication means that access would only be allowed if the timestamp hasn’t expired).  
Unnikrishnan does not disclose updated token.
Veeraraghavan discloses the concept of updated token as discussed above in claim 22. Rationale and motivation in claim 22 applies.

Claims 23-24 are rejected under 35 U.S.C. 103 as being unpatentable over Unnikrishnan-Zhang-Veeraraghavan and further in view of Orozco et. al. (US 9935934 B1), hereinafter Orozco.

Regarding claim 23. (Currently Amended) Unnikrishnan-Zhang-Veeraraghavan teaches The 
While Unnikrishnan-Zhang-Veeraraghavan teaches initial and updated token as disclosed in the rationales of claim 20 and 22 above, however, Unnikrishnan-Zhang-Veeraraghavan does not disclose that such token are discarded after access is granted.
Orozco from analogues field of invention teaches wherein the programming instructions further comprise instructions to cause the processor to discard the updated token upon granting the access request for accessing the resource (Orozco Col. 9 line 35-45 “upon the expiration time threshold being satisfied (e.g., the time or time period for which the third-party resource access token can be used to access the third-party resource, has been reached or met), the third-party resource access token is removed from the token repository.”).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Unnikrishnan-Zhang-Veeraraghavan to incorporate the teaching of Orozco to discard tokens from the resource service after granting access, with the motivation of enhancing security, protection and controlling authorization access to resources by setting a threshold time allowed for when the access token is available and then removed, as recognized by (Orozco Col. 9 line 35-45).

Regarding claim 24. (Currently Amended) Unnikrishnan-Zhang-Veeraraghavan teaches The 
While Unnikrishnan-Zhang-Veeraraghavan teaches initial and updated token as disclosed in the rationales of claim 20 and 22 above, however, Unnikrishnan-Zhang-Veeraraghavan does not disclose that such token are discarded after access is granted.
Orozco from analogues field of invention teaches wherein the programming instructions further comprise instructions to cause the processor to discard the initial token upon granting the access request for accessing the resource (Orozco Col. 9 line 35-45 “upon the expiration time threshold being satisfied (e.g., the time or time period for which the third-party resource access token can be used to access the third-party resource, has been reached or met), the third-party resource access token is removed from the token repository.”).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Unnikrishnan-Zhang-Veeraraghavan to incorporate the teaching of Orozco to discard tokens from the resource service after granting access, with the motivation of enhancing security, protection and controlling authorization access to resources by setting a threshold time allowed for when the access token is available and then removed, as recognized by (Orozco Col. 9 line 35-45).

Claim 26 is rejected under 35 U.S.C. 103 as being unpatentable over Unnikrishnan-Zhang and further in view of McMurtry.
 
Regarding claim 26. (Currently Amended) Unnikrishnan-Zhang teaches The 
While Unnikrishnan discloses [0021, 0062] “If the client 102 is authenticated, the authentication component 104 may issue a security authorization to the client 102 to allow access to a secured network resource such as network resource 112. Examples of a security authorization may include but are not limited to an authentication artifact (e.g. an authentication cookie, single sign-on token, etc.), an access token, a cryptographic hash of data, a cryptographic signature of data or a certificate. The client 102 may present the security authorization to a network resource to be granted access to the network resource.”, where the authentication artifact (authentication token/cookie) stems from initial cookie/token, however, Unnikrishnan does not disclose wherein the initial token comprises an initial assertion indicating successful authentication of one or more authentication credentials included in the access request, emphasis in bold.
McMurtry discloses wherein the initial token comprises an initial assertion indicating successful authentication of one or more authentication credentials included in the access request (McMurtry discloses in [0054] Figure 5 the access request (512) to resources protected resources interfaced by web service, web service response to the client 102 as shown in Figure 5 (514), indicating that it considered the user credentials and additional credentials and authentication may be required as disclosed in [0030-0032] and Figure 2 (204-208). Examiner notes that Figure 2 (204) is the first initial authentication to determine whether additional credentials/authentication is required, if so, then proceed to step Figure (204) by sending a response to the client as shown in [0054] Figure 5 (514) directing the client to the authentication service to completed authentication, [0032] discloses “quality of the credentials already included with the request…”. Examiner asserts that the sending a response from the web service Figure 5 (514) directing the client in Figure 5 (102) to the authentication service (108) seeking additional authentication correspond to initial token indicating success of initial credentials.
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Unnikrishnan to incorporate the teaching of McMurtry to utilize authentication of initial credentials and authentication, with the motivation of enhancing security and controlling access to web services and protection of resources, as recognized by (McMurtry, [0005, 0030-0032]).
 
30. (Canceled).

	Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  

Any inquiry concerning this communication or earlier communications from the examiner should be directed to BASSAM A NOAMAN whose telephone number is (571)272-2705.  The examiner can normally be reached on Monday-Friday 8:30 AM-5:00PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Eleni A. Shiferaw can be reached on (571) 272-3867.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  






/BASSAM A NOAMAN/           Examiner, Art Unit 2497                                                                                                                                                                                             /ELENI A SHIFERAW/Supervisory Patent Examiner, Art Unit 2497