DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

 EXAMINER’S AMENDMENT
3.	An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.
Authorization for this examiner’s amendment was given in an interview with Trampus Kurth (Reg. No: 64,891) on 03/10/2021. 

CLAIMS
4.	The application has been amended as follows: 

1.	(Currently Amended)  A non-transitory machine-readable storage medium encoded with instructions executable by a hardware processor of a computing device for providing selective access to resources, the machine-readable storage medium comprising instructions to cause the hardware processor to:
	receive, from an authorization server, an access token for accessing resources associated with a first resource server;
	provide the authorization server with the access token and a request to access the first resource server;

		the first resource server;
		the first set of permissions for accessing the first resource server;
		a second resource server; and
		a second set of permissions for accessing, by the first resource server, the second resource server, wherein the second set of permissions includes a permission that is different from the permissions included in the first set of permissions;
	provide the first resource server with a resource request for a resource, the resource request including the first token, wherein the resource request specifies a request for particular user data stored by the second resource server specified by the client topology; and
	generate the client topology based on permissions data received from an entity that manages the first resource server, the permissions data specifying, for each of a plurality of resource servers associated with the first resource server, server, permissions granted to the one other resource server.



3.	(Original)  The storage medium of claim 1, wherein the instructions further cause the hardware processor to:
	provide the authorization server with the client topology. 

4.	(Canceled)

5.	(Currently Amended)  The storage medium of claim [[4]] 1, wherein:
	the second set of permissions is an only set of permissions, specified by the client topology, for accessing the second resource server; and
	the client topology further specifies, as an only source associated with the second set of permissions, the first resource.

6.	(Currently Amended)  The storage medium of claim [[4]] 1, wherein the instructions further cause the hardware processor to:
	receive, from the first resource, the particular user data.

7.	(Canceled)  


	a hardware processor; and 
	a data storage device storing instructions that, when executed by the hardware processor, cause the hardware processor to: 
		receive, from a client application, a client request to access a first resource server, the client request including a client access token specifying, as a client audience, the client application;
	in response to receiving the client request, identify a first set of permissions for accessing, by the client application, the first resource server, the first set of permissions being specified by a client topology for the client application, the client topology specifying:
		the first resource server;
		the first set of permissions for accessing, by the client application, the first resource server;
		a second resource server; and
		a second set of permissions for accessing, by the first resource server, the second resource server, wherein the second set of permissions includes a permission that is different from permissions included in the first set of permissions; 
	provide the client application with a first access token, the first access token specifying the first set of permissions and, as a first audience, the first resource server; 

	in response to receiving the first resource request, provide the first resource server with a second access token, the second access token specifying the second set of permissions and, as a second audience, the second resource server; and
	generate the client topology based on permissions data received from an entity that manages the first resource server, the permissions data specifying, for each of a plurality of resource servers associated with the first resource server,  server, permissions granted to the one other resource server.

9.	(Previously Presented)  The computing device of claim 8, wherein the instructions further cause the processor to:
	receive, from the client application, the client topology.

10.	(Original)  The computing device of claim 8, wherein the instructions further cause the processor to:
	receive, from the client application, a client sub-topology, the client sub-topology specifying:
		the first resource server; and

	receive, from the first resource server, a first resource sub-topology, the first resource sub-topology specifying:
		the second resource server; and
		the second set of permissions; and
	generate the client topology using the client sub-topology and the first resource sub-topology.

11.	(Canceled)

12.	(Currently Amended)  A method for providing selective access to resources, implemented by a hardware processor, the method comprising:
	receiving, from a client device, i) a client request for user data, and ii) a first token specifying a first audience and a first set of permissions;
	providing an authorization server with a token request, the token request including i) the first token, and ii) a request to access a resource server;
	receiving, from the authorization server, a resource server token, the resource server token specifying a second audience and a second set of permissions, the second audience being the resource server, wherein the second set of permissions includes one permission that is different from permissions specified by the first set of permissions;
	providing the resource server with i) a resource request for the user data, and ii) the resource server token;

	providing the user data to the client device; 
generating a client topology based on permissions data received from an entity that manages the resource server, the permissions data specifying, for each of a plurality of resource servers associated with the resource server, server, permissions granted to the one other resource server; and
	providing the authorization server with a resource sub-topology that specifies, for each of the plurality of resource servers, a set of permissions for accessing the resource server, wherein the first set of permissions is specified by the resource sub-topology.

13.	(Canceled)

14.	(Canceled)

15.	(Currently Amended)  The method of claim 12, further comprising:
	providing a resource sub-topology to a client associated with the client device, the resource sub-topology specifying, for each of the plurality of resource servers, 
	wherein the first set of permissions is specified by the resource sub-topology.
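The claims above describe an authorization server that issues tokens whose audience and permission set are taken from a client topology, with the first resource server presenting the token it received to obtain a second token addressed to the second resource server. The Python model below is an added illustration of that mechanism, not code from the application or its applicant; the topology, the server names, the permission strings, the `act` claim used to record the intermediary, and the HMAC tag standing in for a token signature are all constructed for this example.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed example topology (not from the application): each principal maps
# to the resource servers it may reach and the permission set for that hop.
TOPOLOGY = {
    "client-app": {"rs1": frozenset({"profile:read"})},
    "rs1": {"rs2": frozenset({"addresses:read"})},
}

# Hypothetical signing key held only by the authorization server.
AS_KEY = b"constructed-demo-key-do-not-reuse"


def _sign(claims: dict) -> str:
    """Encode claims and append an HMAC-SHA256 tag (stand-in for a token signature)."""
    body = base64.urlsafe_b64encode(
        json.dumps(claims, sort_keys=True).encode()).decode()
    tag = hmac.new(AS_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def _verify(token: str) -> Optional[dict]:
    """Return the claims if the tag is valid, otherwise None."""
    body, sep, tag = token.partition(".")
    if not sep:
        return None
    expected = hmac.new(AS_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(base64.urlsafe_b64decode(body))


class AuthorizationServer:
    """Issues audience-restricted tokens whose permissions come only from the topology."""

    def issue_for_client(self, client: str, target: str) -> Optional[str]:
        perms = TOPOLOGY.get(client, {}).get(target)
        if perms is None:
            return None  # no hop client -> target in the topology
        return _sign({"sub": client, "aud": target, "perms": sorted(perms)})

    def exchange(self, presented: str, target: str) -> Optional[str]:
        """Hop-to-hop exchange: the caller presents the token it received and names
        the next server. The caller is identified as that token's audience, so it
        can only obtain the permissions the topology grants on its own hop."""
        claims = _verify(presented)
        if claims is None:
            return None  # forged or tampered token
        caller = claims["aud"]
        perms = TOPOLOGY.get(caller, {}).get(target)
        if perms is None:
            return None  # hop caller -> target not in the topology
        return _sign({"sub": claims["sub"], "act": caller,
                      "aud": target, "perms": sorted(perms)})


class ResourceServer:
    """Accepts a token only if it is genuine, addressed to this server, and grants the permission."""

    def __init__(self, name: str) -> None:
        self.name = name

    def authorize(self, token: Optional[str], permission: str) -> bool:
        if token is None:
            return False
        claims = _verify(token)
        return (claims is not None
                and claims["aud"] == self.name
                and permission in claims["perms"])


def walkthrough() -> dict:
    """Run the two-hop flow from the claims and record each check's outcome."""
    auth = AuthorizationServer()
    rs1, rs2 = ResourceServer("rs1"), ResourceServer("rs2")

    client_token = auth.issue_for_client("client-app", "rs1")
    rs2_token = auth.exchange(client_token, "rs2")

    # Flip the last tag character to show the integrity check fires.
    forged = rs2_token[:-1] + ("0" if rs2_token[-1] != "0" else "1")

    return {
        # First hop: the client's token is good at rs1 for its granted permission.
        "client_token_at_rs1": rs1.authorize(client_token, "profile:read"),
        # Audience restriction: the same token is refused by rs2.
        "client_token_replayed_at_rs2": rs2.authorize(client_token, "addresses:read"),
        # Second hop: rs1's exchanged token is accepted at rs2.
        "exchanged_token_at_rs2": rs2.authorize(rs2_token, "addresses:read"),
        # Least privilege: the second token does not inherit the first hop's permission.
        "exchanged_token_has_first_hop_perm": rs2.authorize(rs2_token, "profile:read"),
        # Topology enforced: rs1 cannot obtain a token for a server it has no hop to.
        "exchange_to_unlisted_server": auth.exchange(client_token, "rs3"),
        # rs2 has no onward hop, so its token cannot be exchanged further.
        "exchange_from_leaf": auth.exchange(rs2_token, "rs1"),
        # Tampering is detected.
        "forged_token_at_rs2": rs2.authorize(forged, "addresses:read"),
    }


if __name__ == "__main__":
    for check, outcome in walkthrough().items():
        print(f"{check}: {outcome}")
```

The two properties worth noticing are that each token names exactly one audience, so a token leaked from one server is useless at the next, and that the exchanged token's permissions are looked up from the caller's own hop in the topology rather than copied from the presented token, so an intermediary never accumulates the permissions of the hops before it.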

Examiner’s Statement of Reasons for Allowance
5.	Claims 1-3, 5-6, 8-10, 12 and 15 are allowed. 
6.	The present invention is directed to: a method and system for providing selective access to resources. A computing device may: receive, from a client application, a request to access a first resource server, the request including a client access token; identify a first set of permissions specified by a client topology, the client topology specifying: the first resource server; the first set of permissions for accessing, by the client application, the first resource server; a second resource server; and a second set of permissions for accessing, by the first resource server, the second resource server; provide the client application with a first access token specifying the first set of permissions and the first resource server; receive, from the first resource server, a request to access the second resource server, the request including the first access token; and provide the first resource server with a second access token specifying the second set of permissions.
The closest prior art, as previously recited, is Moore et al (“Moore,” US 20140101722) in view of Srinivasan et al (“Srinivasan,” US 20130086645) and further in view of Boydstun et al (“Boydstun,” US 7346930).
Moore et al is directed to: a secure content delivery or access method that may include coordination among three devices such as servers—a content management server, a delivery server, and an authorization server. A request for content may originate from an authorization server application, and may involve the application 
Srinivasan et al is directed to: a framework, which conforms to the OAuth standard, involves a generic OAuth authorization server that can be used by multiple resource servers in order to ensure that access to resources stored on those resource servers is limited to access to which the resource owner consents. Each resource server registers, with the OAuth authorization server, metadata for that resource server, indicating scopes that are recognized by the resource server. The OAuth authorization server refers to this metadata when requesting consent from a resource owner on behalf of a client application, so that the consent will be of an appropriate scope. The OAuth authorization server refers to this metadata when constructing an access token to provide to the client application for use in accessing the resources on the resource server. The OAuth authorization server uses this metadata to map issued access tokens to the scopes to which those access tokens grant access.
Boydstun et al is directed to: a method for bridging requests for access to resources between requesters in a distributed network and an authenticator servicing 
For example, none of the cited prior art teaches or suggests the steps of independent claims 1, 7 and 16: receive, from the authorization server, a first token, the first token specifying a first set of permissions for accessing the first resource server and, as a first audience, the first resource server, the first set of permissions being specified by a client topology, the client topology specifying: the first resource server; the first set of permissions for accessing the first resource server; a second resource server; and a second set of permissions for accessing, by the first resource server, the second resource server, wherein the second set of permissions includes a permission that is different from the permissions included in the first set of permissions; provide the first resource server with a resource request for a resource, the resource request including the first token, wherein the resource request specifies a request for particular user data stored by the second resource server specified by the client topology; and 
Therefore, the claims are allowable over the cited prior art. 
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”



Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JAMES J WILCOX whose telephone number is (571)270-3774.  The examiner can normally be reached on M-F: 8 A.M. to 5 P.M.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu T. Pham can be reached on (571)270-5002.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.







/JAMES J WILCOX/           Examiner, Art Unit 2439 


/LUU T PHAM/           Supervisory Patent Examiner, Art Unit 2439