Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
	
	Allowable Subject Matter
Claims 1-20 are allowed.

	The following is an examiner’s statement of reasons for allowance:
        Regarding claim 1, although the prior art of record teaches (such as, Engan (US 20190312730 as mentioned in IDS dated 4-17-2020 ) receiving, from a client device and at a first service provider (1-SP) server, a client recursive authentication token that is associated with a request to access a secure service provided by the 1-SP server, none of the prior art, alone or in combination teaches determining that an additional secure service provided by a second service provider (2-SP) server is required to fulfill the request to access the secure service, based at least in part on the client payload message; generating a 1-SP recursive authentication token for delivery to the 2-SP server, the 1-SP recursive authentication token including a 1-SP header, a 1-SP payload and a 1-SP digital signature; embedding within the 1-SP payload at least a 1-SP payload message that indicates an access request for the additional secure service provided by the 2-SP server, an IDP 1-SP token associated with the 1-SP server,  in view of other limitations of claim 1..
Regarding claim 9, although the prior art of record teaches (such as, Engan (US 20190312730 as mentioned in IDS dated 4-17-2020 ) receiving, from a first service provider (1-SP) server, a 1-SP recursive authentication token that is associated with a  none of the prior art, alone or in combination teaches parsing through the 1-SP payload message to determine whether an additional secure service is required from a 3-SP server to fulfill the 1 -SP request, based at least in part on validating the content and the origin of the IDP l-SP token and the I-SP recursive authentication token; in response to determining that the additional secure service is required from the 3-SP server, generating a 2-SP recursive authentication token for delivery to the 3-SP server, the 2-SP recursive authentication token including a 2-SP header, a 2-SP payload, and a 2-SP digital signature, the 2-SP payload further including at least a 2-SP payload message that indicates an access request for the secure service from the 3-SP server, an IDP 2-SP token, and the 1-SP recursive authentication token,  in view of other limitations of claim 9..
Regarding claim 16 although the prior art of record teaches (such as, Engan (US 20190312730 as mentioned in IDS dated 4-17-2020 ) the first payload including at least a first IDP token and a first payload message that requests access to an initial secure service, the sender device being one of a client device or a service provider (SP) server, none of the prior art, alone or in combination teaches parse through the first payload message of the first recursive authentication token to determine whether access to an additional secure service is required to fulfill the initial secure service;  Atty Docket: TM.P0541US39 Client Ref: P1598-USin response to determining that access to the additional secure service is required from an additional SP server, generate a second recursive authentication token that comprises a second header, a second payload, and a second digital signature, the second payload including at least a second payload message associated with the additional secure  in view of other limitations of claim 16.
	The closest prior art (patent publications) made of records are: 
Engan (US20190312730 as mentioned in IDS dated 4-17-2020) teaches that a server 
application may request an authentication token from an authentication token provider on behalf of a client application instance. An application instance public key of a client application instance may be received at the server application, in which the application instance public key belongs to an application instance public-private key pair of the client application instance. An authentication token request is generated at the server application, in which the request includes the application instance public key of the client application instance and is signed with a server application private key of a server application public-private key pair that belongs to the server application. The authentication token request is sent by the server application to an authentication token provider to request an authentication token for use by the client application instance.
 Bocanegra (US20150150109 as mentioned in IDS dated 03-27-2019) teaches 
techniques for authenticated access to a protected resource. A third party application receives a request to access a protected resource, including a bearer token encoded in an HTTP Authorization request header field. The bearer token includes a client identification value that is encrypted and signed in a predefined syntax. The third party application determines whether the bearer token conforms to the predefined bearer token syntax, such as a JavaScript Object Notation Web Token syntax. If the bearer token conforms to the bearer token syntax, the client identification value is extracted from the bearer token. The client identification value is compared to a predefined list of authorized client identification values associated with the protected resource. If the client identification value matches any of the values on the list of authorized values, the bearer token is validated, which permits the third party application to access to the protected resource. 
 Khalil (US20190044940) teaches that a device can establish an identity for an 
individual by communicating with a first set of devices. The first set of devices can include a user device, a first server device associated with a certificate authority, or a second server device associated with an identity provider. The device can authenticate the identity of the individual by communicating with a second set of devices. The second set of devices can include the user device, or a third server device associated with a first service provider. The device can authorize the identity of the individual to be used by one or more service providers by communicating with a third set of devices. The third set of devices can include the user device, the third server device, or a fourth server device associated with a second service provider. 
 Polo Moragon (US 20130347071) teaches a method and system are provided for 
granting access to a secured website of a content provider. The method includes: detection of a user's request for accessing secured website on a first communication device, the request indicating that at least one access code for accessing secured website is stored on an authentication server; transmission of a request for a validation to a second communication device identified with indication; and after verification of the validation received from the second communication device, forwarding the request for access to the secured website to the content provider using the stored website access code corresponding to the security code. 
Unnikrishnan (US20160094531) teaches systems and methods for authentication by 
an authentication component when a client attempts to access a secured resource(s). As an example, an access request is received from a client at an authentication component. The authentication component generates an authentication challenge including criteria to assist the client in selecting an appropriate authentication credential, a request for proof of possession of the authentication credential, and challenge-specific data for the client to return in a challenge response. A challenge response is received from the client. The authentication component evaluates the challenge response and determines whether to authenticate the client for access to a resource based on the evaluated challenge response. Other examples are also described. 
  Rowley (US 20080189778) disclosed a method and apparatus for authenticating a 
client is described. In one embodiment, an identity provider server authenticates the client that is redirected from a relying party server. The identity provider server authenticates the client without receiving a replayable credential from the client. Upon authentication of the client, the identity provider server transmits a token of authentication to the client.
 Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance”.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SHER KHAN whose telephone number is (571)272-8574.  The examiner can normally be reached on Monday-Friday-8:00am - 5:00pm (EST).If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Eleni Shiferaw can be reached on 571-272-3867.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/SHER A KHAN/           Primary Examiner, Art Unit 2497