DETAILED ACTION
Response to Amendment
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
This is in reply to papers filed on 2021-03-30. Claims 1-20 are pending. Claims 1, 6, 13 is/are independent.
Examiner notes that Applicant has failed to mark changes in the amended claims as required by 37 C.F.R. 1.121(c)(2) in at least claims 8, 10, and 12.  Applicant is reminded that further failures to observe 37 C.F.R. 1.121(c)(2) may result in a Notice of Non-Compliant Amendment.  See MPEP 714(II).
The rejection(s) of claims under 35 U.S.C. § 101 are withdrawn in view of Applicant’s amendments.
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).

Response to Arguments
Applicant's arguments have been fully considered but they are not persuasive and/or are moot in view of the new ground(s) of rejection.
With respect to claim(s) 1 (see page(s) 10-14 of Applicant’s Remarks), Applicant argues that the prior art of record (in particular, U.S. Publication 20120039326 to Chia et al. (hereinafter "Chia '326") in view of U.S. Publication 20140189808 to Mahaffey et al. (hereinafter "Mahaffey '808")) does not disclose “the HTTP request contains a first header, See R. Fielding (ed.) and J. Reschke (ed.), "RFC7230: Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing", Internet Engineering Task Force (IETF) (June 2014) (hereinafter "RFC7230") at § 3.2.4.  Further, RFC7230 for HTTP explicitly teaches "New header fields can be defined such that, when they are understood by a recipient, they might override or enhance the interpretation of previously defined header fields, define preconditions on request evaluation, or refine the meaning of responses." [RFC7230 § 3.2.1].  Thus, nothing could be more obvious when passing a parameter in an HTTP request than adding a new header with a new Field-Name.  Of course, the particular printed matter that forms the Field-Name of a header cannot distinguish the prior art.  See MPEP 2112.01(III) (according no patentable weight to a choice of nonfunctional printed matter).  Rather, as taught by RFC7230 for HTTP, new headers are to be given their own Field-Name so that they can be recognized by software that knows what to do with the information they contain [RFC7230 § 3.2.1].  Thus, patentable weight can be assigned to the fact that a header contains a source identifier, but no patentable weight is gained by naming the Field-name "SOURCE".  Thus, it would have been obvious to have given new header a character string name identifying it so that recipients would know it contained a source identifier (indeed, HTTP would have required it), but no weight is accorded to naming the field "SOURCE" or "X-SNC-INTEGRATION-SOURCE".  Patent protection is not available for the name itself.  See MPEP 2112.01(III).  For all these reasons, Applicant's argument is unpersuasive.
see page(s) 10-14 of Applicant’s Remarks), Applicant argues that the prior art of record (in particular, Chia '326 in view of Mahaffey '808) does not disclose “receiving a hypertext transfer protocol (HTTP) request sent to the hosted instance from a client instance of the one or more client instances; determining that the HTTP request contains a first header, wherein the first header comprises a first character string identifying the first header as a source header and a second character string identifying the client instance as a source of the HTTP request . . . .”  However, Chia '326 discloses the client sending for authentication the username, the password, and the client instance for a request [Chia '326 ¶ 0075, 0059-0063, 0055-0056].  To be sure, Chia '326 does not disclose HTTP headers for transmitting these parameters.  To this, Mahaffey '808 adds using HTTP headers to transmit these parameters in an authentication request [Mahaffey '808 ¶ 0068].   For each of these reasons, Applicant's argument is unpersuasive.
Applicant argues that Mahaffey '808 discloses only an authenticating client sending such parameters, as opposed to a requesting client sending them.  This argument attacks the reference piecemeal, as Chia '326 discloses sending the parameters from the requesting client [Chia '326 ¶ 0051, 0060, 0066, 0075, Fig. 2].  One cannot show nonobviousness by attacking references individually where the rejections are based on combinations of references.  See In re Keller, 642 F.2d 413, 208 USPQ 871 (CCPA 1981); In re Merck & Co., 800 F.2d 1091, 231 USPQ 375 (Fed. Cir. 1986).  Further, Mahaffey '808 does disclose the requesting client sending these parameters.  See Mahaffey '808 ¶ 0092 ("user credentials, encryption keys, and other possible objects that are used to authenticate a user, message or other transaction" are stored on the requesting client following initial authentication); Mahaffey '808 ¶ 0093 (in an 
Further with regard to Applicant's argument that Mahaffey '808 discloses only an authenticating client sending such parameters, as opposed to a requesting client sending them, Examiner notes that the claims are drawn to the receiving side.  That is, the claim only requires that the claimed "hosted instance" receives a HTTP request having first and second headers; it does not require that the client send the first and second headers.  That is, consistent with the broadest reasonable interpretation, a "hosted instance" that receives a HTTP request enriched along the way by a network provider [Mahaffey '808 ¶ 0089] satisfies these limitations.  For this additional reason, Applicant's argument is unpersuasive.
With respect to claim(s) 11 (see page(s) 10-14 of Applicant’s Remarks), Applicant argues that the prior art of record (in particular, Chia '326 in view of Mahaffey '808) does not disclose “determining that the HTTP request contains a second header comprising a username and password associated with a user of the client instance”.  However, Chia '326 discloses the client sending for authentication the username, the password, and the client instance for a request [Chia '326 ¶ 0075, 0059-0063, 0055-0056].  Further, Mahaffey '808 discloses adding additional HTTP headers to transmit these parameters in an authentication request [Mahaffey '808 ¶ 0079, 0068].  For all of these reasons, Applicant's argument is unpersuasive.

Applicant’s arguments with respect to the remaining claim(s) is/are based on Applicant’s arguments with respect to claim(s) 1 and have been considered as detailed above.

Summary of Claim Rejections under 35 U.S.C. § 103
The following table summarizes the rejections set forth in detail below of the claims over the prior art.

Claim No.
Chia '326 in view of Mahaffey '808 in view of RFC7230
Chia '326 in view of Mahaffey '808 in view of RFC7230 in view of AAPA
1
[Wingdings font/0xFC]

2
[Wingdings font/0xFC]

3
[Wingdings font/0xFC]

4
[Wingdings font/0xFC]

5
[Wingdings font/0xFC]

6
[Wingdings font/0xFC]

7
[Wingdings font/0xFC]

8
[Wingdings font/0xFC]

9
[Wingdings font/0xFC]

10
[Wingdings font/0xFC]

11
[Wingdings font/0xFC]

12

[Wingdings font/0xFC]
13
[Wingdings font/0xFC]

14
[Wingdings font/0xFC]


[Wingdings font/0xFC]

16
[Wingdings font/0xFC]

17
[Wingdings font/0xFC]

18
[Wingdings font/0xFC]

19
[Wingdings font/0xFC]

20
[Wingdings font/0xFC]



Claim Rejections - 35 U.S.C. § 103
The following is a quotation of the appropriate paragraphs of AIA  35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale or otherwise available to the public before the effective filing date of the claimed invention.

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of AIA  35 U.S.C. 103 that forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. § 103(a) are summarized as follows:
1.	Determining the scope and contents of the prior art.
2.	Ascertaining the differences between the prior art and the claims at issue.
3.	Resolving the level of ordinary skill in the pertinent art.
4.	Considering objective evidence present in the application indicating obviousness or nonobviousness.

This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.
Claim(s) 1-11, 13-20 is/are rejected under 35 U.S.C. § 103    pre-AIA  35 U.S.C. § 103(a) as being unpatentable over U.S. Publication 20120039326 to Chia et al. (hereinafter "Chia '326") in view of U.S. Publication 20140189808 to Mahaffey et al. (hereinafter "Mahaffey '808") in view of R. Fielding (ed.) and J. Reschke (ed.), "RFC7230: Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing", Internet Engineering Task Force (IETF) (June 2014) (hereinafter "RFC7230").  Chia '326 is prior art to the claims under 35 U.S.C. § 102(a)(1) and 35 U.S.C. § 102(a)(2).    Mahaffey '808 is prior art to the claims under 35 U.S.C. § 102(a)(1) and 35 U.S.C. § 102(a)(2).  RFC7230is prior art to the claims under 35 U.S.C. § 102(a)(1).
Per claim 1 (independent):
Chia '326 discloses a system (system for authentication and access control [Chia '326 ¶ 0059, 0063-0065])
Chia '326 does not disclose a hosted instance hosted by a datacenter, wherein the hosted instance is configured to communicate with one or more client instances generated for one or more client networks, the hosted instance configured to perform operations
Chia '326 does not disclose receiving a hypertext transfer protocol (HTTP) request sent to the hosted instance from a client instance of the one or more client instances
However, Chia '326 discloses receiving a request sent to the hosted instance from a client instance of the one or more client instances (provides improvement to HTTP basic authentication [Chia '326 ¶ 0003]; network authorization authority [Chia '326 ¶ 0051] receives markup language request [Chia '326 ¶ 0060, Fig. 2 at ref num 200] for network authorization controller to grant access to network resources [Chia '326 ¶ 0066])
Chia '326 does not disclose determining that the HTTP request contains a first header, wherein the first header comprises a first character string identifying the first header as a source header and a second character string identifying the client instance as a source of the HTTP request
However, Chia '326 discloses determining that the request contains information identifying the client instance as a source of the request (checks "the registered information at the database of the user such as userId, deviceId and password together with the valid token" [Chia '326 ¶ 0075])
Chia '326 does not disclose determining that the HTTP request contains a second header comprising a username and password associated with a user of the client instance
However, Chia '326 discloses determining that the request contains a username and password associated with a user of the client instance (determines access according to whether device ID is trusted, semi-trusted, or non-trusted [Chia '326 ¶ 0055-0056]; checks "the registered information at the database of the user such as userId, deviceId and password together with the valid token" [Chia '326 ¶ 0075, 0059-0063])
Chia '326 discloses determining that the username, the password, and the client instance identified as the source match an associated credential stored in an authorized users list (determines access according to whether device ID is trusted, semi-trusted, or non-trusted [Chia '326 ¶ 0055-0056]; checks "the registered information at the database of the user such as userId, deviceId and password together with the valid token" [Chia '326 ¶ 0075, 0059-0063])
Chia '326 discloses authorizing access to the hosted instance for the client instance (determines access according to whether device ID is trusted, semi-trusted, or non-trusted [Chia '326 ¶ 0055-0056]; checks "the registered information at the database of 
Further:
Mahaffey '808 discloses a hosted instance hosted by a datacenter, wherein the hosted instance is configured to communicate with one or more client instances generated for one or more client networks, the hosted instance configured to perform operations (auth server 101/328 and target server 114/326, hosted in at least one datacenter [Mahaffey '808 ¶ 0041, 0174, Figs. 1, 3], communicate [Mahaffey '808 ¶ 0056, 0093] with client instances [Mahaffey '808 ¶ 0041, 0174, 0178, 0184-0188] to perform authentication operations)
Mahaffey '808 discloses receiving a hypertext transfer protocol (HTTP) request sent to the hosted instance from a client instance of the one or more client instances (to authenticate, transmits HTTP header including credentials and 'enriched' to include device identifier [Mahaffey '808 ¶ 0068]; "hosted instance" receives a HTTP request enriched with device ID [Mahaffey '808 ¶ 0089])
Mahaffey '808 discloses determining that the HTTP request contains a first header, wherein the first header comprises identifying the client instance as a source of the HTTP request (to authenticate, transmits HTTP header including credentials and 'enriched' to include device identifier [Mahaffey '808 ¶ 0068]; in an embodiment, "requesting client 322 may respond with credentials 304, directly" [Mahaffey '808 ¶ 0093]; the "client" sends the credentials to the target server [see, e.g., Mahaffey '808 ¶ 0098, 0100])
Mahaffey '808 discloses determining that the HTTP request contains a second header comprising a username and password associated with a user of the client instance (to authenticate, transmits HTTP header including credentials, e.g. "a username/password combination" [Mahaffey '808 ¶ 0079, 0068]; in an embodiment, all "user credentials, encryption keys, and other possible objects that are used to authenticate a user, message or other transaction" are stored on the requesting client following initial authentication [Mahaffey '808 ¶ 0092]; in an embodiment, "requesting client 322 may respond with credentials 304, directly" [Mahaffey '808 ¶ 0093]; the "client" sends the credentials to the target server [see, e.g., Mahaffey '808 ¶ 0098, 0100])
Mahaffey '808 discloses determining that the username, the password, and the client instance identified as the source match an associated credential stored in an authorized users list (to authenticate, transmits HTTP header including credentials, e.g. "a username/password combination" [Mahaffey '808 ¶ 0079, 0068]; to authenticate, transmits HTTP header including credentials and 'enriched' to include device identifier [Mahaffey '808 ¶ 0068])
It would have been obvious to a person having ordinary skill in the art (1) before the effective filing date of the claimed invention and (2) before the invention was made to have 
a hosted instance hosted by a datacenter, wherein the hosted instance is configured to communicate with one or more client instances generated for one or more client networks, the hosted instance configured to perform operations
receiving a hypertext transfer protocol (HTTP) request sent to the hosted instance from a client instance of the one or more client instances
determining that the HTTP request contains a first header, wherein the first header comprises identifying the client instance as a source of the HTTP request
determining that the HTTP request contains a second header comprising a username and password associated with a user of the client instance
determining that the username, the password, and the client instance identified as the source match an associated credential stored in an authorized users list
A person having ordinary skill in the art would have been motivated to combine them at least because the device ID enriched headers of Mahaffey '808 would have provided a means of transmitting the device ID (called for by the authentication of Chia '326) while adhering as closely as possible to the ubiquitous HTTP basic authentication scheme protocols for data formatting and transmission.  A person having ordinary skill in the art would have been further motivated to combine them at least because Mahaffey '808 teaches [Mahaffey '808 ¶ 0079, 0068] modifying a authentication scheme using device ID [Chia '326 ¶ 0075, 0059-0063] such as that of Chia '326 to arrive at the claimed invention; because doing so constitutes use of a known technique (enriching HTTP basic authentication headers with additional authentication parameters [Mahaffey '808 ¶ 0079, 0068]) to improve similar devices and/or methods (authentication scheme using device ID [Chia '326 ¶ 0075, 0059-0063]) in the same way; because doing so constitutes applying a known technique (enriching HTTP basic authentication headers with additional authentication parameters [Mahaffey '808 ¶ 0079, 0068]) to known 
Further:
RFC7230 discloses determining that the HTTP request contains a first header, wherein the first header comprises a first character string identifying the first header Field-name and a second character string identifying the Field Value of the HTTP request ("New header fields can be defined such that, when they are understood by a recipient, they might override or enhance the interpretation of previously defined header fields, define preconditions on request evaluation, or refine the meaning of responses." [RFC7230 § 3.2.1]; HTTP headers consist of a colon-separated "Field-Name: Field Value" pair. [RFC7230 § 3.2.4])
It would have been obvious to a person having ordinary skill in the art (1) before the effective filing date of the claimed invention and (2) before the invention was made to have modified the header of Chia '326 in view of Mahaffey '808 with the Field-name: Field value pair required for HTTP as taught by RFC7230 to arrive at an apparatus, method, and product including:
determining that the HTTP request contains a first header, wherein the first header comprises a first character string identifying the first header as a source header and a second character string identifying the client instance as a source of the HTTP request
A person having ordinary skill in the art would have been motivated to combine them at least because the Field-name: Field value pair format is required for HTTP headers such as the HTTP headers Mahaffey '808 adds to Chia '326.  A person having ordinary skill in the art would have been further motivated to combine them at least because RFC7230 teaches [RFC7230 § 3.2.1, § 3.2.4] modifying a authentication scheme using HTTP headers such as that of Chia '326 in view of Mahaffey '808 to arrive at the claimed invention; because doing so constitutes use of a known technique (formatting HTTP headers to label what they contain [RFC7230 § 3.2.1, § 3.2.4]) to improve similar devices and/or methods (authentication scheme using parameters [Chia '326 ¶ 0075, 0059-0063] in HTTP headers [Mahaffey '808 ¶ 0079, 0068]) in the same way; because doing so constitutes applying a known technique (formatting HTTP headers to label what they contain [RFC7230 § 3.2.1, § 3.2.4]) to known devices and/or methods (authentication scheme using parameters [Chia '326 ¶ 0075, 0059-0063] in HTTP headers [Mahaffey '808 ¶ 0079, 0068]) ready for improvement to yield predictable results; and because the modification amounts to combining prior art elements according to known methods to yield predictable results.  Here, (1) the prior art included each element (as detailed above); (2) one of ordinary skill in the art could have combined the elements as claimed by known methods, and in this combination, each element merely performs the same function as it does separately (authentication scheme authenticates device ID [Chia '326 ¶ 0075, 0059-0063] transmitted in enriched HTTP basic authentication headers [Mahaffey '808 ¶ 0079, 0068] formatted to label what they contain [RFC7230 § 3.2.1, § 3.2.4); (3) one of ordinary skill in the art would have recognized that the results of the combination were predictable; and (4) other considerations do not overcome this conclusion.
Per claim 2 (dependent on claim 1):
Chia '326 in view of Mahaffey '808 in view of RFC7230 discloses the elements detailed in the rejection of claim 1 above, incorporated herein by reference
The remaining limitations of the claim(s) correspond(s) to features of claim(s) 15 and the claim(s) is/are rejected for the reasons detailed with respect to those claims.
Per claim 3 (dependent on claim 1):
Chia '326 in view of Mahaffey '808 in view of RFC7230 discloses the elements detailed in the rejection of claim 1 above, incorporated herein by reference
The remaining limitations of the claim(s) correspond(s) to features of claim(s) 19 and the claim(s) is/are rejected for the reasons detailed with respect to those claims.
Per claim 4 (dependent on claim 1):
Chia '326 in view of Mahaffey '808 in view of RFC7230 discloses the elements detailed in the rejection of claim 1 above, incorporated herein by reference
The remaining limitations of the claim(s) correspond(s) to features of claim(s) 20 and the claim(s) is/are rejected for the reasons detailed with respect to those claims.
Per claim 5 (dependent on claim 1):
Chia '326 in view of Mahaffey '808 in view of RFC7230 discloses the elements detailed in the rejection of claim 1 above, incorporated herein by reference
Chia '326 discloses the operations comprise determining that the system is enforcing augmented basic access authentication (denies access to untrusted devices [Chia '326 ¶ 0022-0023; ¶ 0080, Fig. 6 at ref num 64; ¶ 0081, Fig. 7 at ref num 74; ¶ 0090, 0094])
Per claim 6 (independent):
The remaining limitations of the claim(s) correspond(s) to features of claim(s) 1 and the claim(s) is/are rejected for the reasons detailed with respect to those claims.
Per claim 7 (dependent on claim 6):
Chia '326 in view of Mahaffey '808 in view of RFC7230 discloses the elements detailed in the rejection of claim 6 above, incorporated herein by reference
The remaining limitations of the claim(s) correspond(s) to features of claim(s) 16 and the claim(s) is/are rejected for the reasons detailed with respect to those claims.
Per claim 8 (dependent on claim 7):
Chia '326 in view of Mahaffey '808 in view of RFC7230 discloses the elements detailed in the rejection of claim 7 above, incorporated herein by reference
Chia '326 discloses updating the authorized users list to associate the username, the password, and the source with the approved user in response to determining that the username, the password, or the client instance, or a combination thereof, do not match the credentials associated with the approved user on the authorized users list (access granted when there is a match in "the registered information at the database of the user such as userId, deviceId and password together with the valid token" [Chia '326 ¶ 0075, 0059-0063]; determines access according to whether device ID is trusted, semi-trusted, or non-trusted [Chia '326 ¶ 0055-0056]; grants or denies access [Chia '326 ¶ 0022-0023; compare Fig. 3 at ref num 35 or Fig. 4 at ref num 44 with Fig. 6 at ref num 64 or Fig. 7 at ref num 74]; registers new devices to database upon successful authentication [Chia '326 ¶ 0059-0066, Fig. 2])
Per claim 9 (dependent on claim 7):
Chia '326 in view of Mahaffey '808 in view of RFC7230 discloses the elements detailed in the rejection of claim 7 above, incorporated herein by reference
The remaining limitations of the claim(s) correspond(s) to features of claim(s) 15 and the claim(s) is/are rejected for the reasons detailed with respect to those claims.
Per claim 10 (dependent on claim 6):
Chia '326 in view of Mahaffey '808 in view of RFC7230 discloses the elements detailed in the rejection of claim 6 above, incorporated herein by reference
Chia '326 discloses determining that the system is enforcing augmented basic access authentication (denies access to untrusted devices [Chia '326 ¶ 0022-0023; ¶ 0080, Fig. 6 at ref num 64; ¶ 0081, Fig. 7 at ref num 74; ¶ 0090, 0094])
Chia '326 discloses denying access to the hosted instance for the client instance in response to determining that the username, the password, or the client instance, or a combination thereof, do not match the credentials associated with the approved user on the authorized users list (access denied when there is a mismatch in "the registered information at the database of the user such as userId, deviceId and password together with the valid token" [Chia '326 ¶ 0075, 0059-0063]; determines access according to whether device ID is trusted, semi-trusted, or non-trusted [Chia '326 ¶ 0055-0056]; grants or denies access [Chia '326 ¶ 0022-0023; compare Fig. 3 at ref num 35 or Fig. 4 at ref num 44 with Fig. 6 at ref num 64 or Fig. 7 at ref num 74])
Per claim 11 (dependent on claim 6):
Chia '326 in view of Mahaffey '808 in view of RFC7230 discloses the elements detailed in the rejection of claim 6 above, incorporated herein by reference
The remaining limitations of the claim(s) correspond(s) to features of claim(s) 19 and the claim(s) is/are rejected for the reasons detailed with respect to those claims.
Per claim 13 (independent):
The remaining limitations of the claim(s) correspond(s) to features of claim(s) 1 and the claim(s) is/are rejected for the reasons detailed with respect to those claims.
Per claim 14 (dependent on claim 13):
Chia '326 in view of Mahaffey '808 in view of RFC7230 discloses the elements detailed in the rejection of claim 13 above, incorporated herein by reference
Chia '326 does not disclose determining that the username accompanying the HTTP request, the password accompanying the HTTP request, and the source match 
However, Chia '326 discloses determining that the username accompanying the request, the password accompanying the request, and the source match credentials associated with the approved user on the authorized users list and authorizing access to the hosted instance for the client instance (determines access according to whether device ID is trusted, semi-trusted, or non-trusted [Chia '326 ¶ 0055-0056]; checks "the registered information at the database of the user such as userId, deviceId and password together with the valid token" [Chia '326 ¶ 0075, 0059-0063]; grants or denies access [Chia '326 ¶ 0022-0023; compare Fig. 3 at ref num 35 or Fig. 4 at ref num 44 with Fig. 6 at ref num 64 or Fig. 7 at ref num 74])
Further:
Mahaffey '808 discloses determining that the username accompanying the HTTP request, the password accompanying the HTTP request, and the source match credentials associated with the approved user on the authorized users list and authorizing access to the hosted instance for the client instance (to authenticate, transmits HTTP header including credentials and 'enriched' to include device identifier [Mahaffey '808 ¶ 0068])
For the reasons detailed above with respect to claim 1, it would have been obvious to a person having ordinary skill in the art (1) before the effective filing date of the claimed invention and (2) before the invention was made to have modified Chia '326 with the device ID enriched authentication header of Mahaffey '808 to arrive at an apparatus, method, and product including:
determining that the username accompanying the HTTP request, the password accompanying the HTTP request, and the source match credentials associated with the approved user on the authorized users list and authorizing access to the hosted instance for the client instance
Per claim 15 (dependent on claim 14):
Chia '326 in view of Mahaffey '808 in view of RFC7230 discloses the elements detailed in the rejection of claim 14 above, incorporated herein by reference
Chia '326 does not disclose retrieving one or more pieces of information requested in the HTTP request;  generating an HTTP response; and transmitting the HTTP response and the information requested in the HTTP request to the client instance
Further:
Mahaffey '808 discloses retrieving one or more pieces of information requested in the HTTP request;  generating an HTTP response; and transmitting the HTTP response and the information requested in the HTTP request to the client instance (upon authentication, allows access to target webserver 326, and returns 308 requested page via HTTP [Mahaffey '808 ¶ 0056, 0093, Fig. 3A at ref num 308])
For the reasons detailed above with respect to claim 1, it would have been obvious to a person having ordinary skill in the art (1) before the effective filing date of the claimed invention and (2) before the invention was made to have modified Chia '326 with the device ID enriched authentication header of Mahaffey '808 to arrive at an apparatus, method, and product including:
retrieving one or more pieces of information requested in the HTTP request;  generating an HTTP response; and transmitting the HTTP response and the information requested in the HTTP request to the client instance
Per claim 16 (dependent on claim 13):
Chia '326 in view of Mahaffey '808 in view of RFC7230 discloses the elements detailed in the rejection of claim 13 above, incorporated herein by reference
Chia '326 discloses determining that the client instance identified as the source does not match credentials associated with the approved user on the authorized users list (determines access according to whether device ID is trusted, semi-trusted, or non-trusted [Chia '326 ¶ 0055-0056]; checks "the registered information at the database of the user such as userId, deviceId and password together with the valid token" [Chia '326 ¶ 0075, 0059-0063]; grants or denies access [Chia '326 ¶ 0022-0023; compare Fig. 3 at ref num 35 or Fig. 4 at ref num 44 with Fig. 6 at ref num 64 or Fig. 7 at ref num 74])
Chia '326 discloses determining that augmented basic access authentication is not being enforced and authorizing access to the hosted instance for the client instance (allows limited access [Chia '326 ¶ 0063-0065, 0055-0056] to non-registered devices [Chia '326 ¶ 0067, Fig. 4] or by  using temporary tokens [Chia '326 ¶ 0072, Fig. 4])
Per claim 17 (dependent on claim 16):
Chia '326 in view of Mahaffey '808 in view of RFC7230 discloses the elements detailed in the rejection of claim 16 above, incorporated herein by reference
Chia '326 discloses updating the authorized users list to associate the source with the approved user (registers new devices to database [Chia '326 ¶ 0059-0066, Fig. 2])
Per claim 18 (dependent on claim 13):
Chia '326 in view of Mahaffey '808 in view of RFC7230 discloses the elements detailed in the rejection of claim 13 above, incorporated herein by reference
Chia '326 discloses determining that the client instance identified as the source does not match credentials associated with the approved user on the authorized users list (determines access according to whether device ID is trusted, semi-trusted, or non-trusted [Chia '326 ¶ 0055-0056]; checks "the registered information at the database of the user such as userId, deviceId and password together with the valid token" [Chia '326 ¶ 0075, 0059-0063]; grants or denies access [Chia '326 ¶ 0022-0023; compare Fig. 3 at ref num 35 or Fig. 4 at ref num 44 with Fig. 6 at ref num 64 or Fig. 7 at ref num 74])
Chia '326 discloses determining that augmented basic access authentication is being enforced and denying access to the hosted instance for the client instance (denies access to untrusted devices [Chia '326 ¶ 0022-0023; ¶ 0080, Fig. 6 at ref num 64; ¶ 0081, Fig. 7 at ref num 74; ¶ 0090, 0094])
Per claim 19 (dependent on claim 13):
Chia '326 in view of Mahaffey '808 in view of RFC7230 discloses the elements detailed in the rejection of claim 13 above, incorporated herein by reference
Chia '326 discloses determining whether the client instance is registered as associated with a user on the authorized users list (determines access according to whether device ID is trusted, semi-trusted, or non-trusted [Chia '326 ¶ 0055-0056]; checks "the registered information at the database of the user such as userId, deviceId and password together with the valid token" [Chia '326 ¶ 0075, 0059-0063]; grants or denies access [Chia '326 ¶ 0022-0023; compare Fig. 3 at ref num 35 or Fig. 4 at ref num 44 with Fig. 6 at ref num 64 or Fig. 7 at ref num 74])
Per claim 20 (dependent on claim 13):
Chia '326 in view of Mahaffey '808 in view of RFC7230 discloses the elements detailed in the rejection of claim 13 above, incorporated herein by reference
Chia '326 discloses determining that augmented basic access authentication is enabled (determines access according to whether device ID is trusted, semi-trusted, or non-trusted [Chia '326 ¶ 0055-0056]; checks "the registered information at the database of the user such as userId, deviceId and password together with the valid token" [Chia '326 ¶ 0075, 0059-0063]; grants or denies access [Chia '326 ¶ 0022-0023; see also Fig. 3 at ref num 35 or Fig. 4 at ref num 44; denies access to untrusted devices [Chia '326 ¶ 0022-0023; ¶ 0080, Fig. 6 at ref num 64; ¶ 0081, Fig. 7 at ref num 74; ¶ 0090, 0094])
Claim(s) 12 is/are rejected under 35 U.S.C. § 103  as being unpatentable over Chia '326 in view of Mahaffey '808 in view of RFC7230 in view of Applicant's Admitted Prior Art (hereinafter "AAPA").
Per claim 12 (dependent on claim 6):
Chia '326 in view of Mahaffey '808 in view of RFC7230 discloses the elements detailed in the rejection of claim 6 above, incorporated herein by reference
Chia '326 does not disclose the operations comprise generating and logging an authorization failure ticket in response to determining that the username, the password, or the client instance, or a combination thereof, do not match the credentials associated with the approved user on the authorized users list
However, Chia '326 discloses the operations comprise an authorization failure in response to determining that the username, the password, or the client instance, or a combination thereof, do not match the credentials associated with the approved user on the authorized users list (access denied when there is a mismatch in "the registered information at the database of the user such as userId, deviceId and password together with the valid token" [Chia '326 ¶ 0075, 0059-0063]; determines access according to whether device ID is trusted, semi-trusted, or non-trusted [Chia '326 ¶ 0055-0056])
Further:
Examiner has taken official notice that it is well known in the art to log failed and successful login attempts.  See, e.g., U.S. Publication 20200358755 to Abdul et al. ¶ 0103; U.S. Publication 20180359259 to Leon ¶ 0073.  By not adequately traversing this finding, Applicant is deemed to have admitted it.  See MPEP § 2144.03.
It would have been obvious to a person having ordinary skill in the art (1) before the effective filing date of the claimed invention and (2) before the invention was made to have modified Chia '326 with the logging admitted by Applicant to be prior art to arrive at an apparatus, method, and product including:
the operations comprise generating and logging an authorization failure ticket in response to determining that the username, the password, or the client instance, or a combination thereof, do not match the credentials associated with the approved user on the authorized users list
A person having ordinary skill in the art would have been motivated to combine them at least because logging of important security events (such as grants or denials of access) permits auditing that can enhance the security (by determining whether access was incorrectly granted) and the functionality (by determining whether access was incorrectly denied) of the system.

Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to THEODORE C PARSONS whose telephone number is (571)270-1475.  The examiner can normally be reached on MTWRF 7:30-4:30.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jung Kim can be reached on (571) 272-3804.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.


/THEODORE C PARSONS/Primary Examiner, Art Unit 2494                                                                                                                                                                                                        




    
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
    

    
        1 Because only independent claim 1, but not independent claims 6 and 13, requires the second header, a full rejection of claim 1 is given below.  Abbreviated rejections of claims 6 and 13 are given because the citations that disclose the limitations of claim 1 disclose their limitations as well mutatis mutandis.