Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Response to Arguments
Applicant's arguments filed 1/22/2021 have been fully considered but they are not persuasive. 
Applicant argues, “However, there is no teaching that the token handler 222 of Bhargava is a confidential client of the token/service provider 230”.  The examiner respectfully disagrees.  The client states in the application specification that a “confidential client” is required to be able to securely maintain a secret (para 3 of instant application).  Bhargava discloses server 220 which includes token handler 222.  Server 220 includes storage 224 and secure storage 226 (para 20, data store 224 includes secure storage 226. Secure storage 226 may be protected from unauthorized access to a greater degree than other data (e.g., business data) stored in data store 224).  Para 20 implies that both storage 224 and secure storage 226 have a degree of security with secure storage 226 having a greater degree of security.  It is clear that server 220 securely stores/maintains a secret.  
Applicant argues, “There is no teaching that the token handler 222 determines that the client is known to the token relay system prior to processing the requests.”  The examiner respectfully disagrees.  Paragraph 25 of Bhargava discloses a session is authenticated with an HTTP client (S310).  This would indicate that the identity of the client is verified.  Bhargava then proceeds to receive a request from the client for a valid token (S320).  “The request may specify the session user and the service to be accessed” (para 26).  Paragraph 27 then proceeds to determine whether a suitable token is stored on the server.  Looking at the example table provide in Figures 4-8, it is clear that there are defined users paired up with defined services.  For example. User, U123, can access services S1 and S2.  User, U123, is 
Applicant argues, “There is no indication that the token handler 222 verifies that the client is authorized to request the access token based on information in the received first request.”  The examiner respectfully disagrees.  Building on the argument above, by finding the user and the corresponding service, Bhargava is verifying that the user is authorized to request the access token. For example, user, U123 performs a request for service, S3.  U123 would be found to have two instances which are authorized, services S1 and S2.  Since service S3 is not a valid pairing with user U123, it is clear that the user does not have access (is not authorized) to access the service.   
Applicant argues, “There is no teaching that the token handler 222 verifies that the client application is authorized to request the token before sending a request for a valid token to the token/service provider 230.”  The examiner respectfully disagrees.  It is clear from the rebuttal arguments above that verification of the client’s authorization is performed.  Paragraph 28 of Bhargava further discloses that after steps S310-S330, “a new token for the requested service is requested from a token provider.”  

Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –



Claim(s) 1-5, 7, 11-17 is/are rejected under 35 U.S.C. 102(a)(2) as being anticipated by Bhargava et al. (US 2017/0324749) hereafter Bhargava.
1. Bhargava discloses a method comprising: 
receiving, by a token relay system, a first request for an access token for enabling a client to access a resource, wherein the token relay system is a confidential client of a token issuer system (figs 2-3, S310-S320 and associated text; see also para 20); 
responsive to receiving the first request, determining, by the token relay system, that the client is known to the token relay system (para 25-27); 
verifying, by the token relay system, that the client is authorized to request the access token based on information in the received first request (para 25-27); 
responsive to verifying that the client is authorized to request the access token, transmitting, from the token relay system to a token issuer system, a second request requesting the access token on behalf of the client (figs 2-3, S330-S340 and associated text); 
receiving, by the token relay system from the token issuer system, an access token issued by the token issuer system in response to the second request (figs 2-3, S350 and associated text); and 
communicating, by the token relay system to the client, the access token received by the token relay system from the token issuer system, wherein the access token communicated to the client enables the client to access the resource (figs 2-3, S360-S370 and associated text).

2. Bhargava discloses the method of claim 1 wherein the client is a non-confidential client (figs 2-3 and corresponding text, client’s capabilities are not known, just that the user is authenticated therefore client device is not to be trusted (non-confidential)).

3. Bhargava discloses the method of claim 1 wherein the client is an application executed by a browser (para 12).

4. Bhargava discloses the method of claim 3 wherein the application is a JavaScript application (para 14-15).

5. Bhargava discloses the method of claim 1 further comprising, using, by the client, the access token to access the resource (figs 2-3, S370 and associated text).

7. Bhargava discloses the method of claim 1 wherein: the first request includes information identifying a scope for the access token; and the access token received by the token relay system from the token issuer system is for the scope identified in the first request (para 25, username/password are information identifying a scope; para 28, corresponding secret key indicates scope along with the received token; see also para 33).

11. Bhargava discloses the method of claim 1 wherein the first request is received by the token relay system as part of an authenticated user session (figs 2-3, S310-S320 and associated text).

12. Bhargava discloses the method of claim 1 wherein the token issuer system is a server configured to issue tokens according to OAuth standard (para 28; see also fig 2 and associated text).

Claims 13-17 are similar in scope to claims 1-5, 7, 11, 12 and are rejected under similar rationale.

.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.
Claim 6 is/are rejected under 35 U.S.C. 103 as being unpatentable over Bhargava as applied to claim 5 above, and further in view of Bailey et al. (US 2019/0028512) hereafter Bailey.
6. Bhargava discloses the method of claim 5 but does not explicitly disclose wherein the resource is a REST resource.  However, in an analogous art, Bailey discloses open authorization claim scheme to secure resources including wherein the resource is a REST resource (fig 1 and corresponding text; para 17).  It would have been obvious to a person of ordinary skill in the art before the effective filing date to modify the implementation of Bhargava with the implementation of Bailey in order to reduce consumption of computing resources (para 1).

Claims 8-10, 18-19 is/are rejected under 35 U.S.C. 103 as being unpatentable over Bhargava as applied to claim 1 above, and further in view of Hay et al. (US 2011/0162072) hereafter Hay.
8. Bhargava discloses the method of claim 1 wherein the first request comprises: information identifying a scope for which the access token is requested (para 25, 28); information identifying an origin for the client (para 25, HTTP uses source address); and single sign-on information for a session during which the first request is generated by the client (para 25, 28).
Bhargava does not explicitly disclose an anti-CSRF (Cross Site Request Forgery) token. However, in an analogous art, Hay discloses vulnerability of computer software applications to attacks including an anti-CSRF (Cross Site Request Forgery) token (para 3). It would have been obvious to a person of ordinary skill in the art before the effective filing date to modify the implementation of Bhargava with the implementation of Hay in order to prevent cross-site request forgery and to test whether a website is adequately protected (para 2-4).

9. Bhargava and Hay disclose the method of claim 8 further comprising: performing by the token relay system prior to transmitting the second request to the token issuer system: validating, by the token relay system, the anti-CSRF token (Hay, para 3); and verifying, by the token relay system, that the client is allowed to request a token for the scope identified in the first request (figs 4-6, User:Service corresponding information must exist for the token request).

10. The method of claim 8 wherein the anti-CSRF token encodes an identifier identifying the client from whom the first request is received by the token relay system (Hay, para 2-4).

Claims 18-19 are similar in scope to claims 8-10 and are rejected under similar rationale.

Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JAMES R TURCHEN whose telephone number is (571)270-1378.  The examiner can normally be reached on Monday-Friday: 7-3.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu Pham can be reached on 571-270-5002.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/JAMES R TURCHEN/               Primary Examiner, Art Unit 2439