Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

DETAILED ACTION
This Office Action is in response to the communication and claim amendment
filed on 04//12/2021; Claims 3-4, 6, 10-11, 13, 17, and 19 were canceled; Claims 1, 8, and 15 are independent claims.  Claims 1-2, 5, 7-9, 12, 14-16, 18, and 20 have been examined and are pending. This Action is made FINAL. 
Response to Arguments
Applicants’ arguments in the instant Amendment, filed on 04//12/2021, with respect to limitations listed below, have been fully considered but they are not persuasive.
Applicants argue: None of the cited references have been shown to teach or suggest an authority object as recited in claim 1. Claim 1 recites an “authority object”, which is (in list format):
1) received at an authentication application from a first application,
2) sent from the authentication application to a second application in response to a query,
3) included in a request for a token from the second application,
4) sent in a token to the second application from the authentication application, and
(Remarks/Arguments, pages 8-11).
         The Examiner disagrees with the Applicants. The Examiner respectfully submits that the combination of Chaim, Branden, Wurster, and Sondhi does disclose the aforementioned limitations as the following:
Chaim teaches receiving, at an authentication application and from a first application, a security configuration file that is a JavaScript Object Notation (JSON) file (Chaim: pages 2 & 4-8, xs-security.json is JSON file), wherein the security configuration file  includes an authority object, wherein the authority object is a JSON object which indicates that, the first application authorizes a second application to trigger jobs at the first application (Chaim: page 2, to enable authorization includes the following steps:  1. Defined scopes and role-templates in xs-security.json [i.e. first application defined scope and role-template for 2nd application in JSON file]; 2. Recreate the User Account and Authentication (UAA) service [i.e. an authentication application] with xs-security.json; 3. Add authorization [i.e. authority object] check to the application tinyui and tinyjs; and 4. Create roles, role collections from templates and assign them to users; pages 2-3, 1. Create the xs-security.json file, The xs-security.json file is a configuration file that defines the scopes used by the application and role-templates that consolidate the scope into functional roles. Below is simple sample xs-security.json for our TinyWorld application. It defines one scope to only view data, and another to also create data; pages 4-8, 3. Add authorization checks to the applications; To enable authorization in App Router based applications, specify the scope a user must assigned to in order access resources to specific router. This assignment of scopes to routes is in the xs-app.json file), and wherein the second application provides shared services to a plurality of applications including the first application (Chaim: pages 4-8, 3. Add authorization [i.e. authority object] checks to the applications [i.e. second application]; To enable authorization in App Router based applications, we need to specify the scope a user must assigned to in order access resources to specific router. This assignment of scopes to routes is in the xs-app.json file; a. To the /euro.xsodata/ route add “scope”: $XSAPPNAME.view”, b. To the xsjs route add “scope”: “$XSAPPNAME.create”).
Branden discloses receiving, at the authentication application and from the second application, a request for a token (Branden: par. 0044, a message (e.g., service request, HTTP POST request) from the application service [i.e. second application] 2041 to API service 210 can comprises one or more JSON Web Token (JWT) objects),  sending, by the authentication application, a token to the second application, wherein the token is a JSON web token (JWT) (Branden: par. 0045, if the request and JWT claim set are authorized and authorized (e.g. by the authentication module 211 and the authorization module, respectively, The API server 210 can return an access token (e.g. enterprise access token, user access token, etc.) [i.e. to the second application]). 
Wurster discloses wherein the first application validates the token received from the second application when the second application triggers jobs at the first application (Wurster: par. the operations by the first application to verify that the second application has permission to access [i.e. token] its data can be modified such that the first application can verify one, a subset, or all of the digital certificates  [i.e. another example token] associated with the second application that is stored in the permissions record).
Sondhi discloses wherein receiving, at the authentication application, a query from the second application and in response sending the authority object to the second application (Sondhi: par. 0072, The OAuth authorization server uses this URL to send, to the resource server, an inquiry [i.e. query] regarding the scope of access (e.g., quotas) that the client application [i.e. 2nd application] and/or user is permitted to have relative to the requested resource.  In response to such an inquiry, the resource server can determine, by applying its authorization policies to the parameters of the request (e.g., client application identity, user identity, resource identity, the scope of access that should be granted [i.e. authority object], if any.  The resource server can reply to the OAuth authorization server with this scope of access information); 
the request including the authority object (Sondhi: par. 0072: an inquiry regarding the scope of access (e.g., quotas) that the client application [i.e. 2nd application] and/or user is permitted to have relative to the requested resource [i.e. relating authority object]), a token including the authority object (Sondhi: par. 0011: the access token specifies the scope of the access that the client is permitted to the user's account on the resource server [i.e. relating authority object]), the first application validates the authority object in the token (Sondhi: par. 0050, OAuth authorization server 220 may invoke separate APIs for access token creation and access token validation.  The customer may implement custom programmatic code to perform each task.  During validation, policies constructed during token creation can be accessed to determine whether the action that client application 204 [i.e. 2nd application] seeks to perform relative to resources [i.e. related to authority object] matches the policy that is encoded by the access token that client application 204 presents). 
It is clear that the combination of Chaim, Branden, Wurster, and Sondhi as a whole does teach the aforementioned limitations.
In response to applicant's arguments against the references individually, one cannot show nonobviousness by attacking references individually where the rejections are based on combinations of references.  See In re Keller, 642 F.2d 413, 208 USPQ 871 (CCPA 1981); In re Merck & Co., 800 F.2d 1091, 231 USPQ 375 (Fed. Cir. 1986).
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person.
Claims 1-2, 8-9, 12, and 15-16 are rejected under 35 U.S.C. 103 as being unpatentable over Chaim Bendelac (“Chaim,” Developing with XS Advanced: Add authorization, March 29, 2016, pages 1-11), in view of Branden et al (“Branden,” US 2016/0065555, published Mar. 3, 2016), further in view of Wurster (“Wurster,” US 2015/0339482, published Nov. 26, 2015), and Sondhi et al. (“Sondhi.
Regarding claim 1, Chaim discloses a computer-implemented method, comprising: 
receiving, at an authentication application and from a first application, a security configuration file that is a JavaScript Object Notation (JSON) file (Chaim: pages 2 & 4-8, xs-security.json is JSON file), wherein the security configuration file  includes an authority object, wherein the authority object is a JSON object which indicates that, the first application authorizes a second application to trigger jobs at the first application (Chaim: page 2, to enable authorization includes the following steps:  1. Defined scopes and role-templates in xs-security.json [i.e. first application defined scope and role-template for 2nd application in JSON file]; 2. Recreate the User Account and Authentication (UAA) service [i.e. an authentication application] with xs-security.json; 3. Add authorization [i.e. authority object] check to the application tinyui and tinyjs; and 4. Create roles, role collections from templates and assign them to users; pages 2-3, 1. Create the xs-security.json file, The xs-security.json file is a configuration file that defines the scopes used by the application and role-templates that consolidate the scope into functional roles. Below is simple sample xs-security.json for our TinyWorld application. It defines one scope to only view data, and another to also create data; pages 4-8, 3. Add authorization checks to the applications; To enable authorization in App Router based applications, specify the scope a user must assigned to in order access resources to specific router. This assignment of scopes to routes is in the xs-app.json file), and wherein the second application provides shared services to a plurality of applications including the first application (Chaim: pages 4-8, 3. Add authorization [i.e. authority object] checks to the applications [i.e. second application]; To enable authorization in App Router based applications, we need to specify the scope a user must assigned to in order access resources to specific router. This assignment of scopes to routes is in the xs-app.json file; a. To the /euro.xsodata/ route add “scope”: $XSAPPNAME.view”, b. To the xsjs route add “scope”: “$XSAPPNAME.create”);
Chaim does not explicitly disclose receiving, at the authentication application, a query from the second application and in response sending the authority object to the second application; receiving, at the authentication application and from the second application, a request for a token, the request including the authority object, wherein the request is separate from the query; and sending, by the authentication application, a token including the authority object to the second application, wherein the token is a JSON web token (JWT), wherein the second application sends the token to the first application when the second application triggers jobs at the first application; and wherein the first application validates the authority object in the token received from the second application when the second application triggers jobs at the first application.
However, in an analogous art, Branden discloses a cloud-based service platform using enterprise application authentication, wherein receiving, at the authentication application and from the second application, a request for a token (Branden: par. 0044, a message (e.g., service request, HTTP POST request) from the application service [i.e. second application] 2041 to API service 210 can comprises one or more JSON Web Token (JWT) objects), 
sending, by the authentication application, a token to the second application, wherein the token is a JSON web token (JWT) (Branden: par. 0045, if the request and JWT claim set are authorized and authorized (e.g. by the authentication module 211 and the authorization module, respectively, The API server 210 can return an access token (e.g. enterprise access token, user access token, etc.) [i.e. to the second application]). 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Branden with the method and system of Chaim, wherein receiving, at the authentication application and from the second application, a request for a token the request including the authority object; sending, by the authentication application, a token including the authority object to the second application, wherein the token is a JSON web token to provide user with means for the cloud-based service platform maintains enterprise-level branding and security and auditing policies that conform to a given security and regulatory requirement, and service-level agreement.  The method reduces use of computer memory, reduces demand for computer processing power, and reduces communication overhead for incorporating features of a cloud-based service platform into an enterprise application.  The method reduces the resources and time required to integrate the cloud-based service platform into the enterprise application, and reduces the resources and time required to maintain and certify the integrated service platform.  The user of an enterprise's applications is allowed to simultaneously collaborate with employees of the enterprise (Branden: abstract, pars. 0007, 0027).
Branden does not explicitly disclose wherein the first application validates the token received from the second application when the second application triggers jobs at the first application. 
However, in an analogous art, Wurster teaches intra-application permissions on electronic device wherein the first application validates the token received from the (Wurster: par. the operations by the first application to verify that the second application has permission to access [i.e. token] its data can be modified such that the first application can verify one, a subset, or all of the digital certificates  [i.e. another example token] associated with the second application that is stored in the permissions record).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Wurster with the method and system of Chaim and Braden, wherein the first application validates the token received from the second application when the second application triggers jobs at the first application to provide users with means for accessing permitted data by a candidate program during operation without requesting permissions once the permission to access data in an installed program is granted to the candidate program and storing a permissions authority digital signature in the electronic device without requiring a permissions server to be online at a time of the verification of the permissions record, thus enabling sharing of permissions to a subset of applications executing on the electronic device, while allowing the first and second applications to be signed with different signing keys (Wurster: abstract, par. 0052).
Barakat does not explicitly disclose receiving, at the authentication application, a query from the second application and in response sending the authority object to the second application.
However, in an analogous art, Sondhi discloses bundled authorization requests, wherein receiving, at the authentication application, 
 (Sondhi: par. 0072, The OAuth authorization server uses this URL to send, to the resource server, an inquiry [i.e. query] regarding the scope of access (e.g., quotas) that the client application [i.e. 2nd application] and/or user is permitted to have relative to the requested resource.  In response to such an inquiry, the resource server can determine, by applying its authorization policies to the parameters of the request (e.g., client application identity, user identity, resource identity, the scope of access that should be granted [i.e. authority object], if any.  The resource server can reply to the OAuth authorization server with this scope of access information); 
the request including the authority object (Sondhi: par. 0072: an inquiry regarding the scope of access (e.g., quotas) that the client application [i.e. 2nd application] and/or user is permitted to have relative to the requested resource [i.e. relating authority object]), 
a token including the authority object (Sondhi: par. 0011: the access token specifies the scope of the access that the client is permitted to the user's account on the resource server  [i.e. relating authority object]), 
the first application validates the authority object in the token (Sondhi: par. 0050, OAuth authorization server 220 may invoke separate APIs for access token creation and access token validation.  The customer may implement custom programmatic code to perform each task.  During validation, policies constructed during token creation can be accessed to determine whether the action that client application 204 [i.e. 2nd application] seeks to perform relative to resources [i.e. related to authority object] matches the policy that is encoded by the access token that client application 204 presents). 
(Sondhi: pars. 0015-0016).
Regarding claim 2, the combination of Chaim, Branden, Wurster, and Sondhi teaches the computer-implemented method of claim 1.  The combination of Chaim, Branden, Wurster, and Sondhi further teaches wherein receiving the security configuration file and sending the authority to the second application occur during a deployment of the first application (Chaim: pages 2, 4-8).
Regarding claim 8, claim 8 is directed to a non-transitory, computer-readable medium storing one or more instructions executable by a computer system to perform operations associated with the method claimed in claim 1; claim 8 is similar in scope to claim 1, and is therefore rejected under similar rationale.
Regarding claim 9, claim 9 is similar in scope to claim 2, and is therefore rejected under similar rationale.
Regarding claim 15, claim 15 is directed to a computer-implemented system associated with the method claimed in claim 1; claim 15 is similar in scope to claim 1, and is therefore rejected under similar rationale.
Regarding claim 16, claim 16 is similar in scope to claim 2, and is therefore rejected under similar rationale.
Claims 5, 12 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Chaim Bendelac (“Chaim,” Developing with XS Advanced: Add authorization, March 29, 2016, pages 1-11), in view of Branden et al (“Branden,” US 2016/0065555, published Mar. 3, 2016), further in view of Wurster (“Wurster,” US 2015/0339482, published Nov. 26, 2015),  and Sondhi et al. (“Sondhi,” US 2015/0089569, published Mar. 26, 2015).
Regarding claim 5, the combination of Chaim, Branden, Wurster, and Sondhi teaches the computer-implemented method of claim 1. The combination of Chaim, Chaim, Branden, Wurster, and Sondhi further discloses, wherein the second application has an OAuth client (Chamin: pages 4-8; Sondhi: fig. 3, par.  0054, OAuth Client), sending the authority to the second application includes sending the authority to the OAuth client of the (Chamin: pages 4-8; Sondhi: fig. 3, par.  0054, OAuth Client)), and sending the token to the second application includes sending the token to the OAuth client of the second application (Chamin: pages 4-8; Sondhi: fig. 3, par. 0054, OAuth Client). 
Regarding claim 12, claim 12 is similar in scope to claim 5, and is therefore rejected under similar rationale.
Regarding claim 18, claim 18 is similar in scope to claim 5, and is therefore rejected under similar rationale.
Claims 7, 14, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Chaim Bendelac (“Chaim,” Developing with XS Advanced: Add authorization, March 29, 2016, pages 1-11), in view of Branden et al (“Branden,” US 2016/0065555, published Mar. 3, 2016), further in view of Wurster (“Wurster,” US 2015/0339482, published Nov. 26, 2015),  and Sondhi et al. (“Sondhi,” US 2015/0089569, published Mar. 26, 2015), and Canessa et al. (“Canessa,” US 2011/0320469, published Dec. 29, 2011).
Regarding claim 7, the combination of Chaim, Branden, Wurster, and Sondhi teaches the computer-implemented method of claim 1. Chaim further discloses comprising, in response to receiving the security configuration file: 
creating a user account and authentication (UAA) service instance (Chaim: page 2, to enable authorization includes the following steps:  1. Defined scopes and role-templates in xs-security.json; 2. Recreate the UAA service with xs-security.json; 3. Add authorization check to the application tinyui and tinyjs; and 4. Create roles, role collections from templates and assign them to users; pages 2-3, 1. Create the xs-security.json file; pages 4-8, 3. Add authorization checks to the applications; To enable authorization in App Router based applications, specify the scope a user must assigned to in order access resources to specific router); 
binding the UAA service instance to the first application (Chaim: page 2, to enable authorization includes the following steps:  1. Defined scopes and role-templates in xs-security.json; 2. Recreate the UAA service with xs-security.json; 3. Add authorization check to the application tinyui and tinyjs; and 4. Create roles, role collections from templates and assign them to users; pages 2-3, 1. Create the xs-security.json file; pages 4-8, 3. Add authorization checks to the applications; To enable authorization in App Router based applications, specify the scope a user must assigned to in order access resources to specific router); 
Amiri does not explicitly disclose querying a cloud controller for a global unique identifier (GUID) of the first application; storing different types of data including globally unique identifier (GUID).
However, in an analogous art, Canessa discloses a shared archives interconnected content-addressable storage system, wherein 
querying a cloud controller for a global unique identifier (GUID) of the first application (Canessa: par. 0089, returning GUIDs to the data files stored in the CAS cloud that match the query);
storing different types of data including globally unique identifier (GUID) (Canessa: par. 0004, storing different types of data including globally unique identifier (GUID));
(Canessa: abstract).
Regarding claim 14, claim 14 is similar in scope to claim 7, and is therefore rejected under similar rationale.
Regarding claim 20, claim 20 is similar in scope to claim 7, and is therefore rejected under similar rationale.
Conclusion
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Canh Le whose telephone number is 571-270-1380. The examiner can normally be reached on Monday to Friday 6:00AM to 3:30PM other Friday off.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu Pham can be reached on 571-270-5002.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. 
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/Canh Le/
Examiner, Art Unit 2439
April 15th, 2021



/LUU T PHAM/Supervisory Patent Examiner, Art Unit 2439