DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This Office Action is in response to the Amendment filed on 04/29/2021.
In the instant Amendment, claims 1, 9, and 17 have been amended; and claims 1, 9, and 17 are independent claims.  Claims 1-20 have been examined and are pending.  This Action is made FINAL.

Response to Arguments
Applicant’s arguments with respect to the pending claims are moot in view of new ground(s) of rejection.
The newly added limitations into claims 1, 9 and 17 have been addressed in rejection below.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person.


This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the 

Claims 1-3, 6-11, 14-17 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Hsu et al. (“Hsu,” US 2015/0326578), published on November 12, 2015, in view of DUNJIC et al. (“Dunjic,” US 2019/0372993), published on December 5, 2019.

Regarding claim 1: Hsu discloses a method, comprising:
receiving, by an access management system (AMS), an access token request from a client application (Hsu: ¶0037 the client application 203 may request an access token from the first device 201 before accessing the resource from the second device 202);
determining, by the AMS, that the user is authorized to access the resource (Hsu: ¶0028 the first device 201 may authenticate the user identity to confirm that the user is authorized to access the resource as requested);
generating, by the AMS, a first access token in response to the determining that the user is authorized to access the resource (Hsu: ¶0042 if it is determined, at S301, to grant access to the requested resource, the first device 201 may generate an access token. The access token indicates the client application 203 is authorized to access the resource provided by the second device 202), wherein the first access token includes one or more constraints, each constraint corresponding to a condition for granting or denying user access to the resource (Hsu: ¶0043 at S302, the access token may be customized using an access constraint, for the requested access; ¶0044 the access constraint may include constraints for any aspect of resource access control, such as an access time constraint that designates a particular date, time or time segment when the resource may be accessed); and
sending, by the AMS, the first access token to the client application, wherein the first access token is presentable in an access request for obtaining access to the resource, and wherein the one or more constraints are read by the client application from the first access token to determine by the client application whether to proceed with the access request (Hsu: ¶0063 in OAuth architecture, the authorization information of the user, with respect to the client application 203, may, at S604, be converted into corresponding constraints and included in the access token; ¶0064 the customized access token may be provided to the client application 203 from the authorization server 201, at S609. The client application 203 may then request a resource from the resource server 202, at S610, using the provided access token).
Hsu does not explicitly disclose the access token request identifying a user and a resource to be accessed.
However, Dunjic discloses the access token request identifying a user and a resource to be accessed (Dunjic: ¶0015 the processing unit is configured to: receive first credentials identifying a user; receive second credentials identifying a user account).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teaching of Dunjic with the system and method of Hsu to include the access token request identifying a user and a resource to be accessed to provide a user with a means for performing user authentication and authorization for accessing protected data sources (Dunjic: ¶0001).

Regarding claim 2: Hsu in view of Dunjic discloses the method of claim 1.
Hsu further discloses wherein generating the first access token further comprises adding to the first access token information indicating an expiration time for a rule represented by the one or more constraints (Hsu: ¶0044 the access constraint may include constraints for any aspect of resource access control, such as an access time constraint that designates a particular date, time or time segment when the resource may be accessed).
 
Regarding claim 3: Hsu in view of Dunjic discloses the method of claim 2.
Hsu further discloses wherein generating the first access token further comprises adding to the first access token information indicating an expiration time for the first access token (Hsu: ¶0067 by recording, in memory of the authorization server, a cryptographic nonce associated with an access token for the duration of the expiry period of said token).

Regarding claim 6: Hsu in view of Dunjic discloses the method of claim 1.
Hsu further discloses wherein the one or more constraints correspond to at least one of the following conditions: a time during which access is allowed, a time during which access is denied, a user or user group that is allowed access, a user or user group that is denied access, an Internet Protocol (IP) address that is allowed access, an IP address that is denied access, a geographic location that is allowed access, or a geographic location that is denied access (Hsu: ¶0044 the access constraint may include constraints for any aspect of resource access control, such as an access time constraint that designates a particular date, time or time segment when the resource may be accessed [...] and an access location constraint that designates that the resource is only accessible to requestors in a given location or within a given geographical range).
Regarding claim 7: Hsu in view of Dunjic discloses the method of claim 1.
Hsu further discloses wherein the AMS determines that the user is authorized to access the resource based on an Open Authorization (OAuth) protocol (Hsu: ¶0058 an OAuth environment provides a safe, open, and simple standard for authorizing a user to access a resource).

Regarding claim 8: Hsu in view of Dunjic discloses the method of claim 1.
Dunjic further discloses authenticating, by the AMS, the user based on one or more user supplied credentials prior to generating the first access token (Hsu: ¶0028 responsive to reception of the authentication request, the first device 201 may authenticate the user identity to confirm that the user is authorized to access the resource as requested. If the user passes authentication [...] the first device 201 may perform an authorization check and provide an access token for the client application 203 to use to access the resource from the second device 202).

Regarding claim 9: Hsu discloses a non-transitory computer-readable storage medium containing instructions that, when executed by one or more processors of an
receiving an access token request from a client application (Hsu: ¶0037 the client application 203 may request an access token from the first device 201 before accessing the resource from the second device 202);
determining that the user is authorized to access the resource (Hsu: ¶0028 the first device 201 may authenticate the user identity to confirm that the user is authorized to access the resource as requested);
generating a first access token in response to the determining that the user is authorized to access the resource (Hsu: ¶0042 if it is determined, at S301, to grant access to the requested resource, the first device 201 may generate an access token. The access token indicates the client application 203 is authorized to access the resource provided by the second device 202), wherein the first access token includes one or more constraints, each constraint corresponding to a condition for granting or denying access to the resource (Hsu: ¶0043 at S302, the access token may be customized using an access constraint, for the requested access; ¶0044 the access constraint may include constraints for any aspect of resource access control, such as an access time constraint that designates a particular date, time or time segment when the resource may be accessed); and
sending the first access token to the client application, wherein the first access token is presentable in an access request for obtaining access to the resource, and wherein the one or more constraints are read from the first access token to determine whether to proceed with the access request (Hsu: ¶0063 in OAuth architecture, the authorization information of the user, with respect to the client application 203, may, at S604, be converted into corresponding constraints and included in the access token; ¶0064 the customized access token may be provided to the client application 203 from the authorization server 201, at S609. The client application 203 may then request a resource from the resource server 202, at S610, using the provided access token).
Hsu does not explicitly disclose the access token request identifying a user and a resource to be accessed.
However, Dunjic discloses the access token request identifying a user and a resource to be accessed (Dunjic: ¶0015 the processing unit is configured to: receive first credentials identifying a user; receive second credentials identifying a user account).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teaching of Dunjic with the system and method of Hsu to include the access token request identifying a user and a resource to be accessed to provide a user with a means for performing user authentication and authorization for accessing protected data sources (Dunjic: ¶0001).

Regarding claims 10-11: Claims 10-11 are similar in scope to claims 2-3, respectively, and are therefore rejected under similar rationale.

Regarding claims 14-16: Claims 14-16 are similar in scope to claims 6-8, respectively, and are therefore rejected under similar rationale.



Regarding claim 17: Hsu discloses an access management system, comprising:
one or more processors (Hsu: fig. 1; ¶0018 one or more processors or processing units 16); and
a memory coupled to the one or more processors (Hsu: fig. 1; ¶0018 a system memory 28), the memory storing instructions that, when executed by the one or more processors, cause the one or more processors to perform processing comprising:
receiving an access token request from a client application (Hsu: ¶0037 the client application 203 may request an access token from the first device 201 before accessing the resource from the second device 202);
determining that the user is authorized to access the resource (Hsu: ¶0028 the first device 201 may authenticate the user identity to confirm that the user is authorized to access the resource as requested);
generating a first access token in response to the determining that the user is authorized to access the resource (Hsu: ¶0042 if it is determined, at S301, to grant access to the requested resource, the first device 201 may generate an access token. The access token indicates the client application 203 is authorized to access the resource provided by the second device 202), wherein the first access token includes one or more constraints, each constraint corresponding to a condition for granting or denying access to the resource (Hsu: ¶0043 at S302, the access token may be customized using an access constraint, for the requested access; ¶0044 the access constraint may include constraints for any aspect of resource access control, such as an access time constraint that designates a particular date, time or time segment when the resource may be accessed); and
sending the first access token to the client application, wherein the first access token is presentable in an access request for obtaining access to the resource, and wherein the one or more constraints are read from the first access token to determine whether to proceed with the access request (Hsu: ¶0063 in OAuth architecture, the authorization information of the user, with respect to the client application 203, may, at S604, be converted into corresponding constraints and included in the access token; ¶0064 the customized access token may be provided to the client application 203 from the authorization server 201, at S609. The client application 203 may then request a resource from the resource server 202, at S610, using the provided access token).
Hsu does not explicitly disclose the access token request identifying a user and a resource to be accessed.
However, Dunjic discloses the access token request identifying a user and a resource to be accessed (Dunjic: ¶0015 the processing unit is configured to: receive first credentials identifying a user; receive second credentials identifying a user account).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teaching of Dunjic with the system and method of Hsu to include the access token request identifying a user and a resource to be accessed to provide a user with a means for performing user authentication and authorization for accessing protected data sources (Dunjic: ¶0001).

Regarding claim 20: Claim 20 is similar in scope to claim 6, and is therefore rejected under similar rationale.

Claims 4-5, 12-13 and 18-19 are rejected under 35 U.S.C. 103 as being unpatentable over Hsu et al. (“Hsu,” US 2015/0326578), published on November 12, 2015, in view of DUNJIC et al. (“Dunjic,” US 2019/0372993), published on December 5, 2019, and Prasad et al. (“Prasad,” US 7010600), published on March 7, 2006.

Regarding claim 4: Hsu in view of Dunjic discloses the method of claim 3.
Hsu in view of Dunjic does not explicitly disclose wherein the expiration time for the rule is different from the expiration time for the first access token.
However, Prasad discloses wherein the expiration time for the rule is different from the expiration time for the first access token (Prasad: col. 9 lines 7-8 the expiration time of element 550 may be associated with specific roles R1, R2 of element 510; col. 3 lines 48-51 a token may include [...] a time stamp).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teaching of Prasad with the system and method of Hsu and Dunjic to include the expiration time for the rule being different from the expiration time for the first access token to provide a user with a means for managing network resources for authenticated users (Prasad: col. 1 lines 9-10).

Regarding claim 5: Hsu in view of Dunjic discloses the method of claim 1.
Dunjic further discloses receiving, by the AMS, a request from the client application for a new access token presentable for obtaining access to the resource (Dunjic: ¶0034 retrieving refresh tokens and new access tokens); and
Dunjic: ¶0064 in operation 522, the requested access token (and optionally, the refresh token) is provided to the client application).
Hsu in view of Dunjic does not explicitly disclose wherein the second access token includes at least one of an additional constraint not included in the first access token, a removal of a constraint included in the first access token, or a replacement for a constraint included in the first access token.
However, Prasad discloses wherein the second access token includes at least one of an additional constraint not included in the first access token, a removal of a constraint included in the first access token, or a replacement for a constraint included in the first access token (Prasad: col. 7 lines 43-47 the user may be assigned a "general" role to enable access only to public resources on different administrative domains. Alternatively, the user may be assigned an "administrator" role to enable the user to access highly secure resources in different administrative domains).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teaching of Prasad with the system and method of Hsu and Dunjic to include the second access token including at least one of an additional constraint not included in the first access token to provide a user with a means for managing network resources for authenticated users (Prasad: col. 1 lines 9-10).

Regarding claims 12-13: Claims 12-13 are similar in scope to claims 4-5, respectively, and are therefore rejected under similar rationale.
 
Regarding claim 18: Hsu in view of Dunjic discloses the access management system of claim 17.
Hsu further discloses wherein generating the first access token further comprises: adding to the first access token information indicating an expiration time for a rule represented by the one or more constraints (Hsu: ¶0044 the access constraint may include constraints for any aspect of resource access control, such as an access time constraint that designates a particular date, time or time segment when the resource may be accessed); and
adding to the first access token information indicating an expiration time for the first access token (Hsu: ¶0067 by recording, in memory of the authorization server, a cryptographic nonce associated with an access token for the duration of the expiry period of said token).
Hsu in view of Dunjic does not explicitly disclose wherein the expiration time for the rule is different from the expiration time for the first access token.
However, Prasad discloses wherein the expiration time for the rule is different from the expiration time for the first access token (Prasad: col. 9 lines 7-8 the expiration time of element 550 may be associated with specific roles R1, R2 of element 510; col. 3 lines 48-51 a token may include [...] a time stamp).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teaching of Prasad with the system and method of Hsu and Dunjic to include the expiration time for the rule being different from the expiration time for the first access token to provide a user with a means for managing network resources for authenticated users (Prasad: col. 1 lines 9-10).
Regarding claim 19: Claim 19 is similar in scope to claim 5, and is therefore rejected under similar rationale.
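The mechanism the rejected claims describe (an AMS that authorizes a user for a resource and mints a token carrying constraints, a client that reads those constraints before sending its access request, a rule expiry separate from the token expiry as in claims 4 and 18, and a re-issued token whose constraints are added, removed or replaced as in claim 5), worked through as an added Python example. This is not code from the application or from Hsu, Dunjic or Prasad; the HMAC signing key, the policy table, the constraint types, the timestamps and the choice that a lapsed rule simply stops being enforced are all constructed assumptions for illustration.

```python
import base64
import hashlib
import hmac
import json
import time

# Hypothetical AMS signing key, constructed for this example; constraints read
# from a token are only trustworthy if the token's integrity is verified first.
AMS_KEY = b"example-ams-signing-key"

# Constructed policy: resource -> authorized users plus the constraints the AMS
# embeds. Every constraint is a rule with its own expiry, distinct from the
# token's expiry (the claim 4 / claim 18 limitation).
POLICY = {
    "payroll-db": {
        "users": {"alice"},
        "constraints": [
            {"type": "time_allow", "hours": [9, 17], "rule_exp": 1_700_100_000},
            {"type": "ip_allow", "prefixes": ["10.0."], "rule_exp": 1_700_100_000},
            {"type": "geo_deny", "countries": ["XX"], "rule_exp": 1_700_100_000},
        ],
    }
}


def _sign(payload: dict) -> str:
    body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()
    mac = hmac.new(AMS_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{mac}"


def parse_token(token: str) -> dict:
    """Verify the HMAC before trusting any constraint read from the token."""
    body, mac = token.rsplit(".", 1)
    expected = hmac.new(AMS_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        raise ValueError("bad token signature")
    return json.loads(base64.urlsafe_b64decode(body))


def issue_token(user: str, resource: str, now: int, ttl: int = 3600):
    """AMS side: the request names a user and a resource; authorize, then mint."""
    entry = POLICY.get(resource)
    if entry is None or user not in entry["users"]:
        return None  # not authorized: no token is generated
    payload = {"sub": user, "res": resource, "exp": now + ttl,
               "constraints": list(entry["constraints"])}
    return _sign(payload)


def client_should_proceed(token: str, now: int, client_ip: str, country: str):
    """Client side: read the constraints and decide whether to send the access request."""
    tok = parse_token(token)
    if now >= tok["exp"]:
        return False, "token expired"
    for c in tok["constraints"]:
        if now >= c["rule_exp"]:
            continue  # assumption: a lapsed rule is no longer applied, token stays valid
        if c["type"] == "time_allow":
            hour = time.gmtime(now).tm_hour
            if not (c["hours"][0] <= hour < c["hours"][1]):
                return False, "outside allowed hours"
        elif c["type"] == "ip_allow" and not any(client_ip.startswith(p) for p in c["prefixes"]):
            return False, "client IP not allowed"
        elif c["type"] == "geo_deny" and country in c["countries"]:
            return False, "location denied"
    return True, "ok"


def reissue_token(token: str, now: int, add=(), remove_types=(), replace=None, ttl=3600):
    """Second token (claim 5): add, remove or replace constraints of the first token."""
    old = parse_token(token)
    kept = [c for c in old["constraints"] if c["type"] not in remove_types]
    if replace:
        kept = [replace if c["type"] == replace["type"] else c for c in kept]
    return _sign({**old, "exp": now + ttl, "constraints": kept + list(add)})
```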

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Fahimeh Mohammadi whose telephone number is (571)270-7857.  The examiner can normally be reached on Monday - Friday 9:00 - 5:00.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/FAHIMEH MOHAMMADI/    Examiner, Art Unit 2439         



/LUU T PHAM/Supervisory Patent Examiner, Art Unit 2439