Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.


EXAMINER’S AMENDMENT
An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.
Authorization for this examiner’s amendment was given in an interview with David Kim on March 17, 2021.

In the claims:

21. (currently amended) A computer-implemented method for authorizing access to a networked resource, the method comprising:
running a client resource at a user device;
identifying, at a first agent associated with the client resource, a network request transmitted from the client resource and directed to the networked resource;
classifying one or more of the client resource or the networked resource into one or more type groups;
generating one or more access tokens associated with the respectively classified resource based on the one or more type groups;
transparently injecting one or more identity tokens associated with the client resource and the one or more access tokens associated with the networked resource into the network request en route to the networked resource; and
using the one or more access tokens to selectively route the network request in accordance with one or more security policies associated with the one or more access tokens.
22. (previously presented) The computer-implemented method of claim 21 further comprising identifying the client resource using a fingerprint of the user device.
23. (previously presented) The computer-implemented method of claim 21 further comprising detecting the client resource running at the user device by identifying one or more application layer protocols used by the client resource, wherein the one or more identity tokens are injected independent of the one or more application layer protocols.
24. (canceled)
25. (canceled)
26. (previously presented) The computer-implemented method of claim 21 further comprising generating a registration request associated with the client resource for use in registering the client resource with a controller.
27. (previously presented) The computer-implemented method of claim 21 further comprising removing one or more credentials associated with the client resource from the network request.
28. (previously presented) The computer-implemented method of claim 21 further comprising encrypting the network request for transmission to a second agent associated with the networked resource through an encrypted channel.

30. (previously presented) The computer-implemented method of claim 21 further comprising:
determining whether at least one token of the one or more identity tokens or the one or more access tokens is expired; and
on condition that the at least one token is expired, refreshing the at least one token.
31. (currently amended) A control system for authorizing access to a networked resource, the control system comprising:
a controller configured to classify one or more of a client resource or the networked resource into one or more type groups and generate one or more access tokens associated with the respectively classified resource based on the one or more type groups;
a client agent associated with [[a]] the client resource running at a user device, the client agent configured to transparently inject one or more identity tokens associated with the client resource and the one or more access tokens associated with the networked resource into a network request issued by the client resource and directed to the networked resource, and
a destination agent associated with the networked resource, the destination agent configured to intercept the network request and use the one or more access tokens to selectively route the network request in accordance with one or more security policies associated with the one or more access tokens.
32. (currently amended) The control system of claim 31, further comprising a wherein the controller is configured to:
scan a plurality of host systems including the user device to detect the one or more of the client resource or the networked resource;

33. (currently amended) The control system of claim 31, further comprising a wherein the controller is configured to: classify one or more of the client resource or the networked resource into one or more type groups; and associate the one or more of the client resource or the networked resource with the one or more security policies based on the one or more type groups.
34. (previously presented) The control system of claim 31, wherein the client agent is configured to remove one or more credentials associated with the client resource from the network request.
35. (previously presented) The control system of claim 31, wherein the client agent is configured to transparently encrypt the network request.
36. (previously presented) The control system of claim 31, wherein the client agent is configured to track the network request using the one or more identity tokens.
37. (previously presented) The control system of claim 31, wherein the client agent is configured to:
determine whether at least one token of the one or more identity tokens or the one or more access tokens is expired; and
on condition that the at least one token is expired, generate a request for refreshing the at least one token.
38. (currently amended) A system for facilitating communication between a client resource and a networked resource, the system comprising:
a controller configured to classify one or more of the client resource or the networked resource into one or more type groups and generate one or more access tokens associated with the respectively classified resource based on the one or more type groups;
an injection mechanism that intercepts a network request issued by the client resource and directed to the networked resource, and transparently injects one or more identity tokens associated with the client resource and the one or more access tokens associated with the networked resource into the network request; and
an interception mechanism that selectively routes the network request to the networked resource in accordance with one or more security policies associated with the one or more access tokens.
39. (previously presented) The system of claim 38, wherein the injection mechanism is configured to remove one or more credentials associated with the client resource from the network request.
40. (previously presented) The system of claim 38, wherein the injection mechanism is configured to track the network request using the one or more identity tokens.
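The token-injection flow recited in independent claims 21, 31 and 38 (classification into type groups, group-bound access tokens, transparent injection with removal of the client's own credentials, policy-based routing at the destination agent, and refresh on expiry as in claims 30 and 37), as an added illustrative simulation that is not part of the application, the examiner's amendment, or any cited reference; all class names, header names, the classification heuristic and the policy table are assumptions.

```python
import time
from dataclasses import dataclass

@dataclass
class Token:
    resource: str      # resource the token is bound to (assumed field names)
    type_group: str    # type group the controller classified that resource into
    expires_at: float  # unix time after which the token is stale

class Controller:
    """Classifies resources into type groups and mints group-bound access tokens."""
    def __init__(self, policies, ttl=300):
        # policies: destination type group -> set of client type groups allowed to reach it
        self.policies, self.ttl = policies, ttl
    def classify(self, resource):
        # Constructed heuristic: anything named "db.*" is a database, else a web resource.
        return "database" if resource.startswith("db.") else "web"
    def issue(self, resource):
        return Token(resource, self.classify(resource), time.time() + self.ttl)

class ClientAgent:
    """Strips the client's own credentials and injects identity + access tokens."""
    def __init__(self, controller, client):
        self.controller, self.identity = controller, controller.issue(client)
    def inject(self, request):
        headers = {k: v for k, v in request["headers"].items()
                   if k.lower() not in ("authorization", "cookie")}  # credentials removed
        headers["X-Identity-Token"] = self.identity
        headers["X-Access-Token"] = self.controller.issue(request["destination"])
        return {**request, "headers": headers}

class DestinationAgent:
    """Intercepts the request and routes it per the policy bound to its access token."""
    def __init__(self, controller):
        self.controller = controller
    def route(self, request, now):
        ident = request["headers"].get("X-Identity-Token")
        access = request["headers"].get("X-Access-Token")
        if ident is None or access is None:
            return "deny: missing token"
        if now >= ident.expires_at or now >= access.expires_at:
            return "refresh"  # expired token: ask for a refresh instead of forwarding
        allowed = self.controller.policies.get(access.type_group, set())
        return "forward" if ident.type_group in allowed else "deny: policy"

def demo(client="web.app", destination="db.orders", skew=0.0):
    """Run one request through the chain; skew shifts the destination agent's clock."""
    ctl = Controller({"database": {"web"}, "web": {"web", "database"}})
    req = {"destination": destination, "headers": {"Authorization": "Basic <constructed>"}}
    injected = ClientAgent(ctl, client).inject(req)
    return injected, DestinationAgent(ctl).route(injected, time.time() + skew)
```

The client resource never sees the access token it is granted, and the destination agent decides on the token's type group rather than on any credential the client supplied.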

Reasons For Allowance

Claims 21 – 23 and 26 – 40 are allowed.
The following is an examiner’s statement of reasons for allowance: 
Claims 21 – 23 and 26 – 40 are allowable over the prior art since the prior art references taken individually or in combination fail to particularly disclose, fairly suggest, or render obvious Applicant’s novel aspect and claim language, combined with the whole, of classifying one or more of the client resource or the networked resource into one or more type groups; generating one or more access tokens associated with the respectively classified resource based 
using the one or more access tokens to selectively route the network request in accordance with one or more security policies associated with the one or more access tokens.
Mittal (US Patent No. 10205666 B2) is relied upon to teach first and second agents and a token allocator configured to inject a first token (see Mittal claim 1); however, Mittal does not teach Applicant’s independent claim language.
Carter (US Pub. No. 2012/0017085 A1) is relied upon to teach having a security token with each request issued within a cloud environment to validate each request and to enforce policy (see Carter para 0042 – 0045); however, integrating the teachings of Carter does not remedy the deficiencies of the prior art of record.
Caffary (US Pub. No. 2016/0044040 A1) is relied upon to teach an agent configured to inject a security token (see Caffary para 0060); however, Caffary does not teach Applicant’s independent claim language.
Kroehling (US Pub. No. 2017/0214683 A1) is relied upon to teach access tokens injected into a communication request before the application receives the incoming request (see Kroehling para 0011 – 0012); however, integrating the teachings of Kroehling does not remedy the deficiencies of the prior art of record.
Boubez (US Patent No. 9130921 B2) is relied upon to teach an agent intercepting a service request and decorating the service request message with a security token (see Boubez claim 1); however, integrating the teachings of Boubez does not remedy the deficiencies of the prior art of 
Gluck (US Patent No. 9350705 B2) is relied upon to suggest adding a token to a request and passing the request with the token (see Gluck Figure 3 blocks 345 and 355).
Accordingly, the prior art of record does not reasonably suggest Applicant’s independent claim language.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Brian Shaw whose telephone number is (571) 270-5191. The examiner can normally be reached Mon-Thurs from 6am-3:30pm.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ashok Patel can be reached on (571) 272-3972.  The fax phone number for the organization where this application or proceeding is assigned is 703-872-9306.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/BRIAN F SHAW/Primary Examiner, Art Unit 2491