DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This action is in response to communication filed 03/03/2021. Claims 1, 3-5, 7-9, 13-15 and 17-19 have been amended, claims 2 and 16 are now canceled. Claims 1, 3-15 and 17-19 remain pending.

Remarks
Claim Objections:
In response to corrective amendments, the objection to claim 7 is withdrawn and to claim 16, now canceled, is moot.

Examiner’s Note on 35 U.S.C. 112(f) – Claim Interpretation:
After further consideration and in response to amendments, means-plus-function claim interpretations regarding limitations as specified in the non-final action dated 12/03/2020, per claims 1, 5, 8-9, 11, 12, 13 and 14 remain effective. The amended system claim 18 includes “processing circuitry”, i.e., a hardware structure, therefore per claim 18, both means-plus-function interpretation and a 101 software per se rejection have been avoided.

35 U.S.C. 101 Rejections:
In response to corrective amendments, the rejection of claim 15 is withdrawn and the rejection of canceled claim 16 is moot.

35 U.S.C. 112(b) Rejections:
In response to corrective amendments to claims 1, 5, 7, 13-15, and 17-19, the respective indefiniteness rejections are herein withdrawn.

Response to Arguments
35 U.S.C. 102 Rejections:
Per claims 1, 4, 8-10, 13-15 and 17-19, applicant argues “that Chan fails to disclose, or even suggest, a computer-implemented method performed in an OAuth framework” – Remarks: page 15. 
Examiner respectfully disagrees.
Contrary to this allegation, Chan explicitly discloses that Chan’s embodiments are in fact discussed in the context of OAuth. Chan discloses “[i]n particular, the embodiments may be related to Oauth 2.0.  While discussed in the context of Oauth, the present disclosure is not limited to Oauth” – Chan: par. 0026 – Note: Embodiments of Chan are implemented in the OAuth framework as well as other authentication and authorization frameworks such as Nimbula (see par. 0026-0027).
Regardless, applicant’s arguments with respect to claim(s) 1, 3-15 and 17-20 have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument. Rejections per canceled claims 2 and 16 are now moot.

35 U.S.C. 103 Rejections:
access tokens are typically not stored by a client system in OAuth, and neither one of Chan, Pishinov and Smith refers to OAuth in any manner, therefore these claimed features are not disclosed, or even suggested, by any of the cited references – Remarks: page 18, 20 and 21.

Examiner respectfully disagrees based on the same reason set forth above with regard to the alleged deficiency argued with regard to the amended claim 1. 
Contrary to this allegation, Chan explicitly discloses “[t]he token cache provides a secure storage for the client computing device to cache one or more access tokens, store access credentials associated with the one or more access tokens (e.g., a representation of a username and password such as a hash value based on the username and the password), and store metadata used for obtaining a new access token to replace an invalidated access token and/or expired access token” – Chan: par. 0021 – Note: wherein as previously established, the embodiments of Chan are implemented in the OAuth framework as well as other authentication and authorization frameworks such as Nimbula (see par. 0026-0027).
Nonetheless, applicant’s arguments with respect to claim(s) 3, 5-7 and 11-12 have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument. 
Please see the new grounds of rejection under 35 U.S.C. 103 as follows. 

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

1.	Claims 1, 4, 9-10, 13-15 and 17-19 are rejected under 35 U.S.C. 103 as being unpatentable over Chan, US2015/0350186 A1 in view of Shiraga, US2015/0205547A1

Per claim 1, Chan discloses a computer-implemented method performed in an OAuth framework ([i]n particular, the embodiments may be related to Oauth 2.0.  While discussed in the context of Oauth, the present disclosure is not limited to Oauth – Chan: par. 0026), the method comprising:
receiving, at a client system from a user device, a first access request comprising a first instruction to access a protected resource stored at a resource system (the application or service 502 sends an access request for protected resources to the token client 504…The token client 504 requests a username and a password from the user and performs the cryptographic hash function on username.password to determine a hash-based message authentication code of web service credentials.  The token client 504 transmits the hash-based message authentication code of the web service credentials to the token service computer 508 – Chan: par. 0084);
(If this is a first request for protected resources, in step 518, the token client 504 transmits a request for an access token to the token service computer 508 – Chan: par. 0084);
receiving, at the client system, an access token in response to the token request, the access token having a corresponding time to expire indicative of a time at which the access token will not be valid for obtaining the protected resource from the resource system (If the received hash-based message authentication code of the web service credentials is valid, in step 520, the token service computer 508 transmits a valid access token to the token client 504  – Chan: par. 0084 – Note: the valid access token includes a time-to-live or an expiration time – par. 0034);
transmitting the access token from the client system to the resource system and, in response, receiving the protected resource (in step 526, the token client 504 transmits a resource request to the resource server with access to the protected resources 510.  The resource request includes a copy of the access token that is bound to the resource request.  If the access token is valid, in step 528, the resource server with access to the protected resources 510 transmits a representation of the requested resources to the token client 504. – Chan: par. 0084); 
storing the access token at a token storage unit of the client system (In step 522, the token client 504 stores the access token in the token cache 506 by providing the cache key.  - Chan: par. 0084);
Chan is not relied on to explicitly disclose but in view of Shiraga explicitly discloses receiving and storing, at the token storage unit, an expiry time indicator in response to the token request (Note: a predetermined timing, i.e., a timing at which the remaining expiration time of the AT 221 is half the expiration time or smaller), wherein the expiry time indicator corresponds to the received access token's time to expire and is indicative of the time at which the corresponding access token will not be valid for obtaining the protected resource from the resource system (Upon receiving the response 219 from the print intermediation server 100 via the wireless LAN I/F 78, the CPU 82 stores the AT 218 included in the response 219 in the memory 84 … predetermined timing is a timing at which 15 minutes has elapsed from the creation time of the AT 221 (that is, a timing at which the remaining expiration time of the AT 221 is half the expiration time or smaller – Shiraga: par. 0052 and 0091 – Note: AT is Access Token, also, referring to FIG. 2, a registration process in which the portable terminal 70 registers necessary information in the print intermediation server 100 is described.  In this embodiment, a registration process which uses OAuth is performed – par. 0034).
Chan in view of Shiraga further discloses receiving, at the client system from the first user device, a second access request comprising a second instruction to access the protected resource stored at the resource system (the application or service 502 sends an access request for protected resources to the token client 504.  The access request includes a session ID that is mapped to a cache key.  In step 514, the token client 504 sends the cache key to the token cache 506.  In step 516, using the cache key, the token cache 506 provides a token metadata – Chan: par. 0084 – Note: for a second/subsequent access request the access token is retrieved from the token cache; therefore, transmitting a request for an access token to the token service computer 508 is skipped); and 
in response to the second access request, transmitting the stored access token to the resource system for receiving the protected resource (in step 526, the token client 504 transmits a resource request to the resource server with access to the protected resources 510.  The resource request includes a copy of the access token that is bound to the resource request.  If the access token is valid, in step 528, the resource server with access to the protected resources 510 transmits a representation of the requested resources to the token client 504. – Chan: par. 0084).
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Chan in view of Shiraga to include receiving and storing, at the token storage unit, an expiry time indicator in response to the token request, wherein the expiry time indicator corresponds to the received access token's time to expire and is indicative of the time at which the corresponding access token will not be valid for obtaining the protected resource from the resource system.
One of ordinary skill in the art would have been motivated because it would allow creating and providing a token to a registered portable terminal that has successfully passed OAuth authentication, wherein the token includes information “for performing authentication used in the subsequent processes (for example, the print process of FIGS. 4 to 6)” – Shiraga: par. 0048 – Note: Fig. 4-6 refer to exemplary print processes.

Per claim 15, it recites an article of manufacture comprising: 
a non-transitory computer processor readable medium (The processor 120 and memory 122 are hardware.  The memory 122 includes random access memory (RAM) and non-transitory memory, e.g., a non-transitory computer-readable medium such as one or more flash disks or hard drives.  The non-transitory memory may include any tangible computer-readable medium including, for example, magnetic and/or optical disks, flash drives, and the like – Chan: par. 0044); and 
instructions stored on the medium (The token distribution application may be a software application for registering, authenticating, and authorizing client computing devices 102 to use and access network resources provided by the resource server 108.  The token distribution application comprises machine/computer-readable executable instructions that are executed by the processor 120 or another processor – Chan: par. 0045);
wherein the instructions are configured to be readable from the medium by the at least one computer processor and thereby cause the at least one computer processor to operate in an OAuth framework ([i]n particular, the embodiments may be related to Oauth 2.0.  While discussed in the context of Oauth, the present disclosure is not limited to Oauth – Chan: par. 0026) so as to:
receive, at a client system from a user device, a first access request comprising a first instruction to access a protected resource stored at a resource system (the application or service 502 sends an access request for protected resources to the token client 504.  The access – Chan: par. 0084);
transmit, from the client system to an authorisation system, a token request for an access token to be used for accessing the protected resource, in response to the first access request (If this is a first request for protected resources, in step 518, the token client 504 transmits a request for an access token to the token service computer 508 – Chan: par. 0084);
receive, at the client system, an access token in response to the token request, the access token having a corresponding time to expire indicative of a time at which the access token will not be valid for obtaining the protected resource from the resource system (If the received hash-based message authentication code of the web service credentials is valid, in step 520, the token service computer 508 transmits a valid access token to the token client 504  – Chan: par. 0084 – Note: the valid access token includes a time-to-live or an expiration time – par. 0034);
transmit the access token from the client system to the resource system and, in response, receiving the protected resource (in step 526, the token client 504 transmits a resource request to the resource server with access to the protected resources 510.  The resource request includes a copy of the access token that is bound to the resource request.  If the access token  – Chan: par. 0084); 
store the access token at a token storage unit of the client system (In step 522, the token client 504 stores the access token in the token cache 506 by providing the cache key.  In step 524, the token cache 506 acknowledges that the access token is stored in the token cache 506 by providing the token client 504 with an acknowledgement - Chan: par. 0084);
Chan is not relied on to explicitly disclose but in view of Shiraga explicitly discloses receive and store, at the token storage unit, an expiry time indicator in response to the token request (Note: a predetermined timing, i.e., a timing at which the remaining expiration time of the AT 221 is half the expiration time or smaller), wherein the expiry time indicator corresponds to the received access token's time to expire and is indicative of the time at which the corresponding access token will not be valid for obtaining the protected resource from the resource system (Upon receiving the response 219 from the print intermediation server 100 via the wireless LAN I/F 78, the CPU 82 stores the AT 218 included in the response 219 in the memory 84 … predetermined timing is a timing at which 15 minutes has elapsed from the creation time of the AT 221 (that is, a timing at which the remaining expiration time of the AT 221 is half the expiration time or smaller – Shiraga: par. 0052 and 0091 – Note: AT is Access Token, also, referring to FIG. 2, a registration process in which the portable terminal 70 registers necessary information in the print intermediation server 100 is described.  In this embodiment, a registration process which uses OAuth is performed – par. 0034).
Chan in view of Shiraga further discloses receive, at the client system from the first user device, a second access request comprising a second instruction to access the protected resource (the application or service 502 sends an access request for protected resources to the token client 504.  The access request includes a session ID that is mapped to a cache key.  In step 514, the token client 504 sends the cache key to the token cache 506.  In step 516, using the cache key, the token cache 506 provides a token metadata and may provide an access token if available in the token cache 506 – Chan: par. 0084); and 
in response to the second access request, transmit the stored access token to the resource system for receiving the protected resource (in step 526, the token client 504 transmits a resource request to the resource server with access to the protected resources 510.  The resource request includes a copy of the access token that is bound to the resource request.  If the access token is valid, in step 528, the resource server with access to the protected resources 510 transmits a representation of the requested resources to the token client 504 – Chan: par. 0084).
Therefore, claim 15 is rejected based on the same analysis and motivation to combine as set forth in the rejection of claim 1 above. 

Per claim 17, it recites a computer readable medium comprising instructions which, when executed by a computer, cause the computer to carry out a method performed in an OAuth framework ([i]n particular, the embodiments may be related to Oauth 2.0.  While discussed in the context of Oauth, the present disclosure is not limited to Oauth – Chan: par. 0026), the method comprising:
receiving, at a client system from a user device, a first access request comprising a first instruction to access a protected resource stored at a resource system (the application or service – Chan: par. 0084);
transmitting, from the client system to an authorisation system, a token request for an access token to be used for accessing the protected resource, in response to the first access request (If this is a first request for protected resources, in step 518, the token client 504 transmits a request for an access token to the token service computer 508 – Chan: par. 0084);
receiving, at the client system, an access token in response to the token request, the access token having a corresponding time to expire indicative of a time at which the access token will not be valid for obtaining the protected resource from the resource system (If the received hash-based message authentication code of the web service credentials is valid, in step 520, the token service computer 508 transmits a valid access token to the token client 504  – Chan: par. 0084 – Note: the valid access token includes a time-to-live or an expiration time – par. 0034);
transmitting the access token from the client system to the resource system and, in response, receiving the protected resource (If this is a first request for protected resources, in step 518, the token client 504 transmits a request for an access token to the token service computer 508 – Chan: par. 0084);
(In step 522, the token client 504 stores the access token in the token cache 506 by providing the cache key.  In step 524, the token cache 506 acknowledges that the access token is stored in the token cache 506 by providing the token client 504 with an acknowledgement - Chan: par. 0084);
Chan is not relied on to explicitly disclose but in view of Shiraga explicitly discloses receiving and storing, at the token storage unit, an expiry time indicator in response to the token request wherein the expiry time indicator corresponds to the received access token’s time to expire and is indicative of the time at which the corresponding access token will not be valid for obtaining the protected resource from the resource system (The AT includes information that indicates the time at which the AT was created and an expiration time of the AT. In the present embodiment, the expiration time of the AT is set to 30 minutes from the time of creation.  In another example, the expiration time of the AT is not limited to 30 minutes from the time of creation but may be set to an optional period … predetermined timing is a timing at which 15 minutes has elapsed from the creation time of the AT 221 (that is, a timing at which the remaining expiration time of the AT 221 is half the expiration time or smaller – Shiraga: par. 0052 and 0091– Note: AT is Access Token, also, referring to FIG. 2, a registration process in which the portable terminal 70 registers necessary information in the print intermediation server 100 is described.  In this embodiment, a registration process which uses OAuth is performed – par. 0034).
Chan in view of Shiraga further discloses receiving, at the client system from the first user device, a second access request comprising a second instruction to access the protected resource stored at the resource system (the application or service 502 sends an access request – Chan: par. 0084); and
in response to the second access request, transmitting the stored access token to the resource system for receiving the protected resource (in step 526, the token client 504 transmits a resource request to the resource server with access to the protected resources 510.  The resource request includes a copy of the access token that is bound to the resource request.  If the access token is valid, in step 528, the resource server with access to the protected resources 510 transmits a representation of the requested resources to the token client 504 – Chan: par. 0084).
Therefore, claim 17 is rejected based on the same analysis and motivation to combine as set forth in the rejection of claim 1 above. 

Per claim 18, it recites a client system comprising processing circuitry configured to operate in an OAuth framework ([i]n particular, the embodiments may be related to Oauth 2.0.  While discussed in the context of Oauth, the present disclosure is not limited to Oauth – Chan: par. 0026), the processing circuitry configured to:
receive, from a user device, a first access request comprising a first instruction to access a protected resource stored at a resource system (the application or service 502 sends an access request for protected resources to the token client 504…The token client 504 requests a – Chan: par. 0084);
transmit to an authorisation system, a token request for an access token to be used for accessing the protected resource, in response to the first access request (If this is a first request for protected resources, in step 518, the token client 504 transmits a request for an access token to the token service computer 508 – Chan: par. 0084);
receive an access token in response to the token request, the access token having a corresponding time to expire indicative of a time at which the access token will not be valid for obtaining the protected resource from the resource system (If the received hash-based message authentication code of the web service credentials is valid, in step 520, the token service computer 508 transmits a valid access token to the token client 504  – Chan: par. 0084 – Note: the valid access token includes a time-to-live or an expiration time – par. 0034); and 
transmit the access token from the client system to the resource system and, in response, receiving the protected resource (If this is a first request for protected resources, in step 518, the token client 504 transmits a request for an access token to the token service computer 508 – Chan: par. 0084);
wherein the client system further comprises a token storage unit configured to store the access token (In step 522, the token client 504 stores the access token in the token cache 506 by providing the cache key.  In step 524, the token cache 506 acknowledges that the access - Chan: par. 0084); and 
 Chan is not relied on to explicitly disclose but in view of Shiraga explicitly discloses the processing circuitry further configured to: 
receive and store, at the token storage unit, an expiry time indicator in response to the token request (Note: a predetermined timing, i.e., a timing at which the remaining expiration time of the AT 221 is half the expiration time or smaller), wherein the expiry time indicator corresponds to the received access token’s time to expire and is indicative of the time at which the corresponding access token will not be valid for obtaining the protected resource from the resource system (The AT includes information that indicates the time at which the AT was created and an expiration time of the AT. In the present embodiment, the expiration time of the AT is set to 30 minutes from the time of creation.  In another example, the expiration time of the AT is not limited to 30 minutes from the time of creation but may be set to an optional period … predetermined timing is a timing at which 15 minutes has elapsed from the creation time of the AT 221 (that is, a timing at which the remaining expiration time of the AT 221 is half the expiration time or smaller – Shiraga: par. 0052 and 0091 – Note: AT is Access Token, also, referring to FIG. 2, a registration process in which the portable terminal 70 registers necessary information in the print intermediation server 100 is described.  In this embodiment, a registration process which uses OAuth is performed – par. 0034).
Chan in view of Shiraga further discloses [features that] receive, from the first user device, a second access request comprising a second instruction to access the protected resource stored at the resource system (the application or service 502 sends an access request for – Chan: par. 0084); and
transmit the stored access token to the resource system for receiving the protected resource, in response to the second access request (in step 526, the token client 504 transmits a resource request to the resource server with access to the protected resources 510.  The resource request includes a copy of the access token that is bound to the resource request.  If the access token is valid, in step 528, the resource server with access to the protected resources 510 transmits a representation of the requested resources to the token client 504 – Chan: par. 0084).
Therefore, claim 18 is rejected based on the same analysis and motivation to combine as set forth in the rejection of claim 1 above. 

Per claim 19, it recites a client system configured to operate in an OAuth framework ([i]n particular, the embodiments may be related to Oauth 2.0.  While discussed in the context of Oauth, the present disclosure is not limited to Oauth – Chan: par. 0026), the client system comprising:
a receiver configured to receive, from a user device, a first access request comprising a first instruction to access a protected resource stored at a resource system (the application or service 502 sends an access request for protected resources to the token client 504…The – Chan: par. 0084);
a transmitter configured to transmit to an authorisation system, a token request for an access token to be used for accessing the protected resource, in response to the first access request (If this is a first request for protected resources, in step 518, the token client 504 transmits a request for an access token to the token service computer 508 – Chan: par. 0084);
wherein the receiver is configured to receive an access token in response to the token request, the access token having a corresponding time to expire indicative of a time at which the access token will not be valid for obtaining the protected resource from the resource system (If the received hash-based message authentication code of the web service credentials is valid, in step 520, the token service computer 508 transmits a valid access token to the token client 504  – Chan: par. 0084 – Note: the valid access token includes a time-to-live or an expiration time – par. 0034); and 
wherein the transmitter is configured to transmit the access token from the client system to the resource system and, in response, receiving the protected resource (If this is a first request for protected resources, in step 518, the token client 504 transmits a request for an access token to the token service computer 508 – Chan: par. 0084);
(In step 522, the token client 504 stores the access token in the token cache 506 by providing the cache key.  In step 524, the token cache 506 acknowledges that the access token is stored in the token cache 506 by providing the token client 504 with an acknowledgement - Chan: par. 0084);
Chan is not relied on to explicitly disclose but in view of Shiraga explicitly discloses the token storage unit configured to receive and store an expiry time indicator in response to the token request wherein the expiry time indicator corresponds to the received access token’s time to expire and is indicative of the time at which the corresponding access token will not be valid for obtaining the protected resource from the resource system (The AT includes information that indicates the time at which the AT was created and an expiration time of the AT. In the present embodiment, the expiration time of the AT is set to 30 minutes from the time of creation.  In another example, the expiration time of the AT is not limited to 30 minutes from the time of creation but may be set to an optional period … predetermined timing is a timing at which 15 minutes has elapsed from the creation time of the AT 221 (that is, a timing at which the remaining expiration time of the AT 221 is half the expiration time or smaller – Shiraga: par. 0052 and 0091– Note: AT is Access Token, also, referring to FIG. 2, a registration process in which the portable terminal 70 registers necessary information in the print intermediation server 100 is described.  In this embodiment, a registration process which uses OAuth is performed – par. 0034).
Chan in view of Shiraga further discloses the receiver configured to receive, from the first user device, a second access request comprising a second instruction to access the protected (the application or service 502 sends an access request for protected resources to the token client 504.  The access request includes a session ID that is mapped to a cache key.  In step 514, the token client 504 sends the cache key to the token cache 506.  In step 516, using the cache key, the token cache 506 provides a token metadata and may provide an access token if available in the token cache 506 – Chan: par. 0084); and
the transmitter configured to transmit the stored access token to the resource system for receiving the protected resource, in response to the second access request (in step 526, the token client 504 transmits a resource request to the resource server with access to the protected resources 510.  The resource request includes a copy of the access token that is bound to the resource request.  If the access token is valid, in step 528, the resource server with access to the protected resources 510 transmits a representation of the requested resources to the token client 504 – Chan: par. 0084).
Therefore, claim 19 is rejected based on the same analysis and motivation to combine as set forth in the rejection of claim 1 above. 

Per claim 4, Chan-Shiraga discloses the computer-implemented method of claim 1 wherein the access token is stored at the token storage unit independently of the time indicated by the expiry time indicator (The AT includes information that indicates the time at which the AT was created and an expiration time of the AT. In the present embodiment, the expiration time of the AT is set to 30 minutes from the time of creation.  In another example, the expiration time of the AT is not limited to 30 minutes from the time of creation but may be  predetermined timing is a timing at which 15 minutes has elapsed from the creation time of the AT 221 (that is, a timing at which the remaining expiration time of the AT 221 is half the expiration time or smaller) – Shiraga: par. 0052 and 0091);
and/or wherein storage of the access token at the token storage unit is maintained until a time after the time indicated by the expiry time indicator (Access tokens may be invalidated and/or expired for a variety of reasons including changes in the username and/or password and time-based usage restrictions placed on the access tokens.  As a result, the client computing device maintains procedures and/or mechanisms to obtain new access tokens to replace the invalidated and/or expired access tokens – Chan: par. 0031).
The same motivation to modify Chan in view of Shiraga applied in claim 1 above applies here.

Per claim 9, Chan-Shiraga discloses the computer-implemented method of claim 1 further comprising: 
transmitting the access token from the client system to the resource system (the access token is expired, but the token client may not have access to this information.  In step 622, the token client 604 transmits a resource request with the expired access token to the resource server with access to the protected resources 610.  The resource server with access to the protected resources 610 receives the resource request and determines that the access token is expired – Chan: par. 0087) and, in response, receiving a message indicating that the (In step 624, the resource server with access to the protected resources 610 transmits an HTTP response of "401" or "400" to the token client 604.  An HTTP response of 401 indicates that the resource request was unauthorized.  An HTTP response of 400 indicates that the resource request was a bad request – Chan: par. 0087); and 
refreshing the access token, at the token storage unit (Note: equivalent to token cache 606), in response to receiving the message indicating that the access token is not valid (in step 636, the resource server with access to the protected resources 610 may transmit an updated or refreshed access token to the token client 604.  If the response includes the updated access token, the token client 604 stores the updated access token in the token cache 606.  The token cache 606 stores the updated access token and acknowledges to the token client 604 that the updated access token is stored in the token cache 606 – Chan: par. 0088).

Per claim 10, Chan-Shiraga discloses the computer-implemented method of claim 1 comprising: 
receiving, at the client system, a plurality of access tokens from the authorisation system, wherein each of the plurality of access tokens is received in response to a token request transmitted to the authorisation system (In step 512, the application or service 502 sends an access request for protected resources to the token client 504.  The access request includes a session ID that is mapped to a cache key…If this is a first request for protected resources, in step 518, the token client 504 transmits a request for an access token to the token service computer 508 – Chan: par. 0084 – Note: In a cloud or federated computer environment, the 
receiving and storing an expiry time indicator in association with each access token received at the client system, wherein each of the stored expiry time indicators is indicative of a time at which the corresponding access token will not be valid (the token service computer generates a token which may include a time-to-live or an expiration time… if …the access token has expired, the resource server notifies the client computing device that a new access token is needed.  The client computing device uses the metadata for obtaining the access token and sends a request for a new access token to the token service computer to replace the invalidated and/or expired access token – Chan: par. 0034-0035).

Per claim 13, Chan-Shiraga discloses the computer-implemented method of claim 1 comprising: 
receiving, at the client system from the first user device, a plurality of access requests subsequent to the first access request, each of the plurality of subsequent access requests comprising a subsequent instruction to access a respective protected resource stored at the resource system (In step 512, the application or service 502 sends an access request for protected resources to the token client 504… If this is a first request for protected resources, in step 518, the token client 504 transmits a request for an access token to the token service computer 508… The token client 504 transmits the hash-based message authentication code of the web service credentials to the token service computer 508– Chan: par. 0084 and [i]n step 612, the application or service 602 sends an access request for protected resources to the token client 604 including the sessionID.  In step 614, the token client 604 sends the cache key to the token cache 606 that is mapped to the sessionID.  Using the cache key, in step 616, the token cache 606 provides a token metadata and may provide an access token to the token client 604 – Chan: par. 0085 – Note: for the first request the hash-based message authentication of the web service credential is equivalent to a first instruction and for the subsequent request, sessionID is read as a subsequent instruction that facilitates providing a token metadata and an access token to the token client); and 
in response to the subsequent access request, transmitting the stored access token to the resource system from the client system for receiving the respective protected resource (Using the cache key, in step 616, the token cache 606 provides a token metadata and may provide an access token to the token client 604…in step 634, the token client 604 transmits a resource request to the resource server with access to the protected resources 610.  The resource request includes a copy of the access token – Chan: par. 0085).

Per claim 14, Chan-Shiraga discloses the computer-implemented method of claim 1 comprising: 
receiving, at the client system (Note: equivalent to token client) from each of a plurality of user devices , an access request comprising an instruction to access a respective protected resource stored at a resource system (In step 512, the application or service 502 sends an  – Chan: par. 0084 – Note: sessionID is read as a subsequent instruction that facilitates providing a token metadata and an access token to the token client, wherein the token client 118 includes a token cache 204 to store access tokens and associated data and information and the token cache 204 may store one or more access tokens, one or more credential hash values, and one or more token metadata – par. 0053); 
transmitting, from the client system to an authorisation system, a token request for an access token to be used for accessing the respective protected resource, in response to each of the access requests received from the plurality of user devices (The token client 504 transmits the hash-based message authentication code of the web service credentials to the token service computer 508 – Chan: par. 0084);
receiving, at the client system, an access token in response to each of the token requests (If the received hash-based message authentication code of the web service credentials is valid, in step 520, the token service computer 508 transmits a valid access token to the token client 504 – Chan: par. 0084), each access token having a corresponding time to expire indicative of a time at which the access token will not be valid for obtaining the respective protected resource from the resource system (The access token may be … expired if a time-to-live of the access token is reached - Chan: par. 0068 – Note:); 
transmitting each of the access tokens from the client system to the resource system and, in response, receiving the respective protected resource (in step 526, the token client 504 transmits a resource request to the resource server with access to the protected resources  – Chan: par. 0084); 
storing each of access tokens at the token storage unit (In step 522, the token client 504 stores the access token in the token cache 506 by providing the cache key… Optionally, in step 528, the resource server with access to the protected resources 510 and/or the token service computer 508 may transmit an updated or refreshed access token to the token client 504.  If the response includes the updated access token, in step 530, the token client 504 stores the updated access token in the token cache 506 – Chan: par. 0084).

2.	Claims 5-8 are rejected under 35 U.S.C. 103 as being unpatentable over Chan, US2015/0350186 A1 in view of Shiraga, US2015/0205547A1 as applied in claim 1 above, further in view of Smith, US8577334 B1.

Per claim 5, Chan-Shiraga discloses the computer-implemented method of claim 1.
Chan-Shiraga is not relied on to disclose but further in view of Smith discloses further comprising token storage maintenance steps performed by the client system comprising: 
comparing the time indicated by the stored expiry time indicator with a current time (the application 30 saves the access permissions in the memory 28 after the second message is received and when the current time is past the expiration time and the input selection is  – Smith: col. 5, lines 25-36); 
deleting the access token corresponding with the stored expiry time if the time indicated by the stored expiry time indicator is after the current time and, optionally, wherein the token storage maintenance steps are executed intermittently (When the current time is past the expiration time the at least one access permission is deleted from the memory of the electronic device… Network access is only needed during the activation process.  Once the permissions have been stored on the electronic device, the device can manage the access until the permissions expire, at which point the electronic device will delete the access permission from the memory of the device.  Deletion of the access permission is triggered when an attempt to access the privileged menu occurs after the expiration time – Smith: col. 9, lines 63-67 and col. 10, lines 1-10).
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Chan-Shiraga further in view of Smith to include further comprising token storage maintenance steps performed by the client system comprising: comparing the time indicated by the stored expiry time indicator with a current time; deleting the access token corresponding with the stored expiry time if the time indicated by the 
One of ordinary skill in the art would have been motivated because it would allow “to ensure the data in the data store can't be altered to enable access” – Smith: col. 5, lines 36-37 and yet allow “the device to control access to the privileged functions when no communication link is available to the network” – Smith: col. 9, lines 67. 

Per claim 6, Chan-Shiraga-Smith discloses the computer-implemented method of claim 5, wherein the token storage maintenance steps are executed according to a predetermined schedule (The CPU 82 monitors the arrival of the predetermined timing from the creation time of the AT 221 included in the received AT 221.  When the arrival of the predetermined timing is detected, the CPU 82 sends an AT request 274 including the RT stored in the memory 84 to the print intermediation server 100 via the wireless LAN I/F 78 – Shiraga: par. 0091).
The same motivation to modify Chan in view of Shiraga applied in claim 1 above applies here.

Per claim 7, Chan-Shiraga-Smith discloses the computer-implemented method of claim 6, wherein the predetermined scheduled defines a time interval between adjacent executions of the token storage maintenance steps wherein, optionally, the time interval is configurable at the client system based on a user input received at the client system and/or wherein the time interval is configurable at the client system based on monitored performance of the client system (After that, the user of the portable terminal 70 reactivates the printer application.  At this point in – Shiraga: par. 0099-0101 – Note: in at least one embodiment, the predetermined timing may be an optional timing as long as the timing occurs before the expiration time of the AT 221 arrives, i.e., user determined timing – par. 0091).
The same motivation to modify Chan in view of Shiraga applied to claim 1 above applies here.

Per claim 8, Chan-Shiraga discloses the computer-implemented method of claim 1.
Although Chan discloses “based on oAuth, the token refresh module 210 may follow the oAuth specification to refresh the access token.  According to oAuth, a current token may be used to obtain a refreshed token …At a particular interval, the token refresh module 210 may execute in order to keep a session associated with the access token active.  Thus, the oAuth access token may be used to access protected resources without interruption” – Chan: par. 0069, Chan-Shiraga is not relied on to explicitly disclose but further in view of Smith discloses further comprising: the client system comparing the time indicated by the stored expiry time indicator with a current time (the application 30 saves the access permissions in the memory 28 after the second message is received and when the current time is past the expiration time and the input selection is received, the application 30 deletes the at least one access permission from the memory 28… the expiration timer is checked and if expired, the access permissions in the data store on the electronic device 12 are deleted – Smith: col. 5, lines 25-35), and 
Chan-Shiraga-Smith further discloses refreshing the access token if the time indicated by the stored expiry time indicator is after the current time (If the access token is invalidated and/or expired, the token refresh module 210 uses the token metadata to obtain a new access token…The token refresh module 210 uses the token metadata to present a request for a new access token to the token service computer 104 and generate an access token parameter map for determining where an access token is provided in a response from the  – Chan: par. 0068).
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Chan-Shiraga further in view of Smith to include comparing the time indicated by the stored expiry time indicator with a current time.
One of ordinary skill in the art would have been motivated because it would allow “to ensure the data in the data store can't be altered to enable access” – Smith: col. 5, lines 36-37.

3.	Claims 3 and 11-12 are rejected under 35 U.S.C. 103 as being unpatentable over Chan, US2015/0350186 A1 in view of Shiraga, US2015/0205547A1 as applied in claim 10 above, further in view of Pishinov, US2018/0139192 A1.

Per claim 3, Chan-Shiraga discloses the computer-implemented method of claim 1 wherein the expiry time indicator is indicative of a length of time that the access token will be valid for (The predetermined timing is a timing at which 15 minutes has elapsed from the creation time of the AT 221 (that is, a timing at which the remaining expiration time of the AT 221 is half the expiration time or smaller)… the predetermined timing may be an optional – Shiraga: par. 0091); and 
the method further comprises: determining the received access token's time to expire based on the length of time that the access token will be valid for and a time at which the access token is received at the client system (The CPU 82 monitors the arrival of the predetermined timing from the creation time of the AT 221 included in the received AT 221.  When the arrival of the predetermined timing is detected, the CPU 82 sends an AT request 274 including the RT stored in the memory 84 to the print intermediation server 100 via the wireless LAN I/F 78. [0093] Upon receiving the AT request 274 from the portable terminal 70… the print intermediation server 100 creates an AT 276 which is a token different from the AT 221 associated with the successfully authenticated RT…print intermediation server 100 stores the created AT 276 instead of the stored AT 221.  The print intermediation server 100 sends a response 278 including the created AT 276 to the portable terminal 70 – Shiraga: par. 0092-0093).
The same motivation to modify Chan in view of Shiraga applied to claim 1 above applies here.
In the alternative where “determining the received access token's time to expire based on the length of time that the access token will be valid for and a time at which the access token is received at the client system” is not inherent or rendered obvious by one or both of Chan and Shiraga, Chan-Shiraga further in view of Pishinov discloses determining the received access token's time to expire based on the length of time that the access token will be valid for and a time at which the access token is received at the client system (At operation 302, the the lifetime for the token may be five minutes and the minimal remaining configurable lifetime is thirty seconds.  In this example, the interval may be scheduled to be three and a half minutes given a one-minute acquisition duration – Pishinov: par. 0028 and 0029 and 0030).
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Chan-Shiraga further in view of Pishinov to include determining the received access token's time to expire based on the length of time that the access token will be valid for and a time at which the access token is received at the client system.
One of ordinary skill in the art would have been motivated because it would allow “to facilitate a more efficient, adaptive token management system” – Pishinov: par. 0014, wherein the adaptive token management system “utilizes a heuristic approach for auto token renewal to predict the possibility that a token could be needed again later. For those tokens that satisfy  – Pishinov: par. 0019. 

Per claim 11, Chan-Shiraga discloses the computer-implemented method of claim 10 further comprising: the client system determining a predicted expiry time for the access tokens received from the authorisation system based on the stored expiry time indicators (the token refresh module 210 may follow the Oauth specification to refresh the access token.  According to Oauth, a current token may be used to obtain a refreshed token.  At a particular interval, the token refresh module 210 may execute in order to keep a session associated with the access token active.  Thus, the Oauth access token may be used to access protected resources without interruption – Chan: par. 0069).
In the alternative where one argues “the client system determining a predicted expiry time for the access tokens received from the authorisation system based on the stored expiry time indicators” is not inherent or rendered obvious by one or both of Chan and Shiraga, Chan-Shiraga further in view of Pishinov discloses the client system determining a predicted expiry time for the access tokens received from the authorisation system based on the stored expiry time indicators (In the illustrated example, the authentication module also renews the token based upon pending requests or anticipated expiration of the token – Pishinov: par. 0028 – Note: wherein expiration of the tokens is anticipated and renewal of the tokens is performed in anticipation of the expiration of the tokens – par. 0014).


Per claim 12, Chan-Shiraga-Pishinov discloses the computer-implemented method of claim 11 further comprising: 
the client system determining that the predicted expiry time does not meet a predetermined threshold and, in response, not storing further access tokens received from the authorisation system (The authentication module then evaluates whether the token renewal request interval has been reached at operation 306.  Once the token renewal request interval is reached, the authentication module evaluates whether there are pending requests for the token from client applications at operation 308. [0033] If there are no pending requests, the authentication module determines at 309 whether the cached token has been keep valid for longer than a threshold time.  In some examples, the threshold time is referred to as the maximum time to keep a cached token valid.  This threshold time is a configurable parameter that may be based on system requirements, and may be specific to the particular token, to the particular type of token, or to the particular data associated with the token – Pishinov: par. 0032-0033 – Note: while the cached token is not older than the threshold time, it is maintained in the cache and therefore no refresh request is submitted. As a consequence, no new access token is created, received and/or stored) and/or wherein the predicted expiry time is determined by calculating an average of the times indicated by the stored expiry time indicators (Note: this limitation is not required in the claimed scope).

Allowable Subject Matter
The alternative limitation “wherein the predicted expiry time is determined by calculating an average of the times indicated by the stored expiry time indicators” recited in claim 12 is objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
Bahety (US2018/0367306A1) discloses securing authorization tokens using client instance specific secrets, wherein tokens are valid for service requests only if time constraints and additional security constraints are met by additional information stored in the token in hashed form.  A required comparison of a timestamp in a client service request header to the current server time limits the useful token life, e.g., to a few minutes.  The service request header also includes data generated based on a secret previously assigned to a specific client instance.
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to AREZOO SHERKAT whose telephone number is (571)272-8533.  The examiner can normally be reached on Monday - Friday 8:30-5.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kambiz Zand can be reached on 571 - 272 - 3811.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to 






/AREZOO SHERKAT/ Examiner, Art Unit 2434
/DANT B SHAIFER HARRIMAN/ Primary Examiner, Art Unit 2434