DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . In communications filed on 05/17/2019. Claims 1-20 are pending in this examination.
 In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.   This examination is in response to US Patent Application No. 16/415,690.
Claim Rejections - 35 USC § 103
The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

Claims  rejected under 35 U.S.C. 103 as being unpatentable over of US Patent No.2019/0103968 issued to Sirnivasan(filed in IDS 08/28/2020) and in view of a US application 9,801,216 issued to Williams.
Regarding claim 1,  Sirnivasan discloses a system in a computing device for providing an authorization token the system comprising: one or more processors;  and one or more memory devices that store program code configured to be executed by the one or more processors, the program code comprising[ see FIG and corresponding text for more detail]; and
an identity validator configured to [see FIG.2, ¶66, Token relay system 102 identifies the requesting client based upon the client ID included in the request received in 206…], and [see FIGS.1 and 2, ¶69, at 212, token issuer authority 110 (or IDCS 114) verifies if the scopes requested in the token request received in 210 are allowed for token relay system 102]; and
 receive a token request, from an authorization token manager of a first computing environment [see FIG.s, ¶68, upon successfully passing all the checks/verifications/validations, token relay system 102 creates a client assertion that is communicated to token issuer authority 110 in 210], and [see FIGS.1 and 2, ¶69, at 212, token issuer authority 110 (or IDCS 114) verifies if the scopes requested in the token request received in 210 are allowed for token relay system 102]; and
that includes identity information [¶66, see FIG.2, ¶66, Token relay system 102 identifies the requesting client based upon the client ID included in the request received in 206…]; and
and an indication that the token request was initiated in an application executing in a second computing environment at least partially isolated from the first computing environment [see FIG 2, ¶60, the request communicated in 206 also includes an OIDC (OpenID Connect) token added by Cloud Gate 112 as a custom HTTP header.  The OIDC token is an identity token and may be represented as a JWT (JavaScript Object Notation (JSON)) assertion  virtual machines running virtual operating systems], and [¶152, In instances where computer system 600 is executing one or more virtual machines, one or more processing units may be allocated to each virtual machine.], and [¶162]; and
 and validate the identity information [¶14, in certain embodiments, prior to transmitting the second request to the token issuer system, the token relay system may perform processing including validating the anti-CSRF information/token, and verifying that the client is allowed to request a token for the scope identified in the first request], and [¶66, see FIG.2, ¶66,  Token relay system 102 identifies the requesting client based upon the client ID included in the request received in 206…]; and
and a token generator configured to [see FIGs 1, 2, token issuer authority]; and 
 and transmit the authorization token that includes the trust indication to the first computing environment [¶71,  At 216, token relay system 102 relays the access token received from IDCS 114 (or token issuer authority 110) in 214 all the way back to non-confidential client 104.
Sirnivasan does not explicitly disclose, however, Williams discloses generate an authorization token that includes a trust indication indicative of a trust level of the second computing environment; authorization token with a trust indication [Col.10 lines 55-67-Col.11 lines 1-15, the fulfillment service 108 may register the unprovisioned device 110 based upon identifying a pre-existing association between the provisioned device 104 and the unprovisioned device 110.  For example, the customer account 230 may include information level of trust to the security token 232.  In some examples, the level of the trust of the security token 232 may be used when determining whether an order request associated with security token 232 should be fulfilled without additional authentication and/or authorization steps.  In some other examples, the level of the trust of the security token 212 of the provisioned device 104 may be used to determine whether the provisioned device 104 is permitted to register the unprovisioned device 110.  In yet still some other examples, the level of the trust of the security token 212 of the provisioned device 104 may be used to determine the level of trust for the security token 232 of the unprovisioned device 110 registered by the provisioned device 104.], and [Col.14.lines 14-30, at 308, the provisioned device may send, via the communication interface, the configuration information to the unprovisioned device.  For example, once the provisioned device 104 has determined the configuration information 146, the provisioned device 104 may send the configuration information 146 to the unprovisioned device 110.  In some instances, the configuration information 116 may include a registration token 122.  Further, the provisioned device 104 may assign a level of trust to the registration token 122.  For instance, if the provisioned device 104 has authenticated the unprovisioned device 110, the provisioned device 104 may assign a higher level of trust to the registration token 122.  In some examples, the level of trust may correspond to the type of authentication employed by the level of trust of the registration token 122 may be higher if two-factor authentication was performed], and [Col.18 lines 6-16 at 608, the fulfillment service may generate a security token that identifies the electronic device within the fulfillment environment.  For example, the device management service 220 may generate the security token 232 associated with the unprovisioned device 110 based at least in part on a secret of the fulfillment service 108.  In some examples, the device management service 220 may associate a level of trust to the security token.  Further, the level of trust may be based at least in part on information associated with the registration token 122 or security token 232].
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Sirnivasan with the teaching Willams in order to,  once the provisioned device  has determined the configuration information , the provisioned device  may send the configuration information  to the unprovisioned device .  In some instances, the configuration information  may include a registration token .  Further, the provisioned device  may assign a level of trust to the registration token .  For instance, if the provisioned device has authenticated the unprovisioned device , the provisioned device  may assign a higher level of trust to the registration token [ Williams, Col.14.lines 14-30].
Regarding claim 2, Sirnivasan discloses wherein the trust indication comprises an indication that the application executing in the second computing environment is not trusted [¶4, when a client is a non-confidential client, the security of its environment cannot be guaranteed or trusted like for a confidential client].
Regarding claim 3, Sirnivasan  discloses, wherein the second computing environment comprises a virtual machine hosted in the first computing environment [ see FIG 4, ¶117,  In certain embodiments, server 412 may also provide other services or software applications that can include non-virtual and virtual environments…], and [¶122, Server 412 can include one or  virtual machines running virtual operating systems], and [¶152, In instances where computer system 600 is executing one or more virtual machines, one or more processing units may be allocated to each virtual machine.], and [¶162].
Regarding claim 4, Sirnivasan  discloses, wherein the authorization token is configured to permit the application executing in the second computing environment to access a secured resource in the first computing environment [ see Paragraphs 11,122,152, and 162, visualization, virtual machine, hypervisor], and[ ¶3, the OAuth standard defines a set of interactions (protocol flows) for clients (e.g., applications) to acquire tokens, which can then be used to securely access protected resources such as REST based web resources.  The most secure posture that an OAuth client can assume is that of a "confidential client," where the client is required to be able to securely maintain a secret (e.g., client identifying credentials such as a certificate/key pair). A confidential client can validate itself using the secret information and then get an access token to access a protected resource. ].
Regarding claim 5, Sirnivasan discloses, wherein the authorization token is configured to permit the application executing in the second computing environment to access a secured resource over a network [¶3, the OAuth standard defines a set of interactions (protocol flows) for clients (e.g., applications) to acquire tokens, which can then be used to securely access protected resources such as REST based web resources.  The most secure posture that an OAuth client can assume is that of a "confidential client," where the client is required to be able to securely maintain a secret (e.g., client identifying credentials such as a certificate/key pair). A confidential client can validate itself using the secret information and then get an access token to access a protected resource. ], and [see FIG., items #218(Use access token and CALL REST resource endpoint) and item#220(permit access to protected resource]].

Regarding claim 6, Sirnivasan  discloses, wherein the access of the secured resource by the application executing in the second computing environment comprises a read-only access of the secured resource [ see table A, A Client ID Origin Scopes ABC_ReadWrite_App 
http://www.abc.com read, write ABC_Read_App http://www.abc.com read 
XYZ_ReadWrite_App http://www.xyz.com read, write], and [¶¶105-108].
Regarding claim 7, Sirnivasan discloses receiving a token request from an application executing in a second computing environment at least partially isolated from a first computing environment to access a resource [see FIG 2, ¶60, the request communicated in 206 also includes an OIDC (OpenID Connect) token added by Cloud Gate 112 as a custom HTTP header.  The OIDC token is an identity token and may be represented as a JWT (JavaScript Object Notation (JSON)) assertion about the user requestor and/or a reference to the client], and [ see FIG 4, ¶117,  In certain embodiments, server 412 may also provide other services or software applications that can include non-virtual and virtual environments…], and [¶122, Server 412 can include one or more virtual machines running virtual operating systems], and [¶152, In instances where computer system 600 is executing one or more virtual machines, one or more processing units may be allocated to each virtual machine.], and [¶162]; and[ see FIG.s, ¶68, upon successfully passing all the checks/verifications/validations, token relay system 102 creates a client assertion that is communicated to token issuer authority 110 in 210], and [ see FIGS.1 and 2, ¶69, at 212, token issuer authority 110 (or IDCS 114) verifies if the scopes requested in the token request received in 210 are allowed for token relay system 102]; and
providing the authorization token that includes the trust indication to the application executing in the second computing environment [¶71,  At 216, token relay system 
Sirnivasan does not explicitly disclose. However, Williams discloses assigning a trust level to the token request; obtaining an authorization token that includes a trust indication, the trust indication corresponding to the trust level of the token request[Col.10 lines 55-67-Col.11 lines 1-15 ; Col.14.lines 14-30 ; Col.18 lines 6-16, the device management service 220 may associate a level of trust to the security token].
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Sirnivasan with the teaching Willams in order to,  once the provisioned device  has determined the configuration information , the provisioned device  may send the configuration information  to the unprovisioned device .  In some instances, the configuration information  may include a registration token .  Further, the provisioned device  may assign a level of trust to the registration token .  For instance, if the provisioned device has authenticated the unprovisioned device , the provisioned device  may assign a higher level of trust to the registration token [ Williams, Col.14.lines 14-30].
Regarding claim 8, Sirnivasan  discloses wherein said obtaining the authorization token comprises: transmitting the token request and the assigned trust level to a token issuer [ see FIG.s, ¶68, upon successfully passing all the checks/verifications/validations, token relay system 102 creates a client assertion that is communicated to token issuer authority 110 in 210], and [ see FIGS.1 and 2, ¶69, at 212, token issuer authority 110 (or IDCS 114) verifies if the scopes requested in the token request received in 210 are allowed for token relay system 102]; and
Sirnivasan does not explicitly disclose. However, Williams discloses receiving the authorization token that includes the trust indication corresponding to the trust level from the token issuer [Col.10 lines 55-67-Col.11 lines 1-15 ; Col.14.lines 14-30 ; Col.18 lines 6-16, the device management service 220 may associate a level of trust to the security token].
level of trust to the registration token .  For instance, if the provisioned device has authenticated the unprovisioned device , the provisioned device  may assign a higher level of trust to the registration token [ Williams, Col.14.lines 14-30].
Regarding claim 9, Sirnivasan discloses, wherein the trust indication comprises an indication that the application executing in the second computing environment is not trusted [¶4, when a client is a non-confidential client, the security of its environment cannot be guaranteed or trusted like for a confidential client].
Regarding claim 10, Sirnivasan discloses, receiving the authorization token from the application executing in the second computing environment [ see FIG.s, ¶68, upon successfully passing all the checks/verifications/validations, token relay system 102 creates a client assertion that is communicated to token issuer authority 110 in 210], and [ see FIGS.1 and 2, ¶69, at 212, token issuer authority 110 (or IDCS 114) verifies if the scopes requested in the token request received in 210 are allowed for token relay system 102]; and  [see FIG 2, ¶60, the request communicated in 206 also includes an OIDC (OpenID Connect) token added by Cloud Gate 112 as a custom HTTP header.  The OIDC token is an identity token and may be represented as a JWT (JavaScript Object Notation (JSON)) assertion about the user requestor and/or a reference to the client], and [ see FIG 4, ¶117,  In certain embodiments, server 412 may also provide other services or software applications that can include non-virtual and virtual environments…], and [¶122, Server 412 can include one or more virtual machines running virtual operating systems], and [¶152, In instances where computer system 600 is executing one or more virtual machines, one or more processing units may be allocated to each virtual machine.], and [¶162].
performing a precautionary action in the first computing environment to protect the resource in response to receiving the authorization token [¶141, a virus scanning and white list service, a high availability, backup and recovery service].
Regarding claim 11, Sirnivasan discloses, wherein the precautionary action includes creation of a backup of the resource in response to receiving the authorization token [¶141, a virus scanning and white list service, a high availability, backup and recovery service].
Regarding claim 12, Sirnivasan discloses,, further comprising granting a read-only access to the resource by the first computing environment in response to receiving the authorization token[ see table A, A Client ID Origin Scopes ABC_ReadWrite_App http://www.abc.com read, write ABC_Read_App http://www.abc.com read XYZ_ReadWrite_App http://www.xyz.com read, write ], and [¶¶105-108].
Regarding claim 13, Sirnivasan discloses, wherein the resource is stored in a server that is configured to perform a precautionary action in response to: receiving the authorization token [ see FIG., items #218(Use access token and CALL REST resource endpoint) and item#220(permit access to protected resource]; and
and determining the precautionary action is to be performed based on the extracted trust indication [¶141, a virus scanning and white list service, a high availability, backup and recovery service].
Sirnivasan does not explicitly disclose. However, Williams discloses extracting the trust indication from the authorization token [Col.10 lines 55-67-Col.11 lines 1-15 ; Col.14.lines 14-30 ; Col.18 lines 6-16, the device management service 220 may associate a level of trust to the security token].
level of trust to the registration token .  For instance, if the provisioned device has authenticated the unprovisioned device , the provisioned device  may assign a higher level of trust to the registration token [ Williams, Col.14.lines 14-30].
Regarding claim 14, Sirnivasan discloses,, wherein the second computing environment comprises a virtual machine hosted in the first computing environment [¶122, Server 412 can include one or more virtual machines running virtual operating systems], and [¶152, In instances where computer system 600 is executing one or more virtual machines, one or more processing units may be allocated to each virtual machine.], and [¶162].
Regarding claim 15, Sirnivasan discloses receive, from an application executing in a computing environment, an authorization token to access a resource [ see FIG.s, ¶68, upon successfully passing all the checks/verifications/validations, token relay system 102 creates a client assertion that is communicated to token issuer authority 110 in 210], and [ see FIGS.1 and 2, ¶69, at 212, token issuer authority 110 (or IDCS 114) verifies if the scopes requested in the token request received in 210 are allowed for token relay system 102], and [ see FIG.2 and correspondent text for detail, access token request(202), Use access token and CALL REST request endpoint(218), permit access to protected resources(220) , access resource using token(222)]; and
perform a precautionary action to protect the resource in response to receiving the authorization token including the trust indication [ ¶141, a virus scanning and white list service, a high availability, backup and recovery service]; and
a resource access provider configured to grant access to the resource by the application executing in the computing environment[ see FIG.2 and correspondent text for 
Sirnivasan does not explicitly disclose. However, Williams discloses the authorization token including a trust indication indicative of a trust level of the application [Col.10 lines 55-67-Col.11 lines 1-15 ; Col.14.lines 14-30 ; Col.18 lines 6-16, the device management service 220 may associate a level of trust to the security token].
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Sirnivasan with the teaching Willams in order to,  once the provisioned device  has determined the configuration information , the provisioned device  may send the configuration information  to the unprovisioned device .  In some instances, the configuration information  may include a registration token .  Further, the provisioned device  may assign a level of trust to the registration token .  For instance, if the provisioned device has authenticated the unprovisioned device , the provisioned device  may assign a higher level of trust to the registration token [ Williams, Col.14.lines 14-30].
Regarding claim 16, Sirnivasan discloses, wherein the trust indication comprises an indication that the application executing in the computing environment is not trusted [¶4, when a client is a non-confidential client, the security of its environment cannot be guaranteed or trusted like for a confidential client].
Regarding claim 17, Sirnivasan discloses, wherein the computing environment comprises a virtual machine hosted in another computing environment [¶122, Server 412 can include one or more virtual machines running virtual operating systems], and [¶152, In instances where computer system 600 is executing one or more virtual machines, one or more processing units may be allocated to each virtual machine.], and [¶162].
Regarding claim 18, Sirnivasan discloses, wherein the precautionary action performed by the resource protector includes: creation of a backup of the resource in response to receiving the authorization token [¶141, a virus scanning and white list service, a high availability, backup and recovery service
Regarding claim 19, Sirnivasan discloses, wherein the resource access provider is configured to grant a limited access to the resource by the application executing in the computing environment in response to receiving the authorization token [see table A, A Client ID Origin Scopes ABC_ReadWrite_App http://www.abc.com read, write ABC_Read_App http://www.abc.com read XYZ_ReadWrite_App http://www.xyz.com read, write], and [¶¶105-108].
Regarding claim 20, Sirnivasan discloses, wherein the resource protector is configured to perform an enhanced identity authentication in response to receiving the authorization token[¶2, REST resources by policy only accept an OAuth token in an OAuth based identity environment], and [¶¶9, 30, 40, 141]; and
wherein the resource access provider is configured to grant the access to the resource in response to performing the enhanced identity authentication [see FIG.2 and correspondent text for detail, access token request (202), Use access token and CALL REST request endpoint (218), permit access to protected resources (220), access resource using token (222)], and [¶72, Since the user has already been authenticated, at 220, Cloud Gate 114 then permits access to protected resource 108].
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
Liao (US2016/0164680) [¶48, trust level of the token].
Agrawal (US2018/0145969)[see FIG.6, ¶¶8, 59, 67, authorization token, trust level].
Palanisamy(US2015/0312038)[ ¶¶99, 102, Authorization request with token, assurance level].
Radhakrishnan (US2013/0047195) [Making token-based access decisions, ¶40].

Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Eleni Shiferaw can be reached on 571-272-3867.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/SHAHRIAR ZARRINEH/Examiner, Art Unit 249