Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.
Claims 1-7, 11-17 is/are rejected under 35 U.S.C. 103 as being unpatentable over Bhargava et al. (US 2017/0324749) hereafter Bhargava in view of Justin et al. (US 2018/0113896) hereafter Justin.
1. Bhargava discloses a method comprising: 
(figs 2-3, S310-S320 and associated text; see also para 20); 
responsive to receiving the first request, determining, by the token relay system, that the client is known to the token relay system (para 25-27); 
verifying, by the token relay system, that the client is authorized to request the access token based on information in the received first request (para 25-27); 
responsive to verifying that the client is authorized to request the access token, transmitting, from the token relay system to a token issuer system, a second request requesting the access token on behalf of the client (figs 2-3, S330-S340 and associated text); 
receiving, by the token relay system from the token issuer system, an access token issued by the token issuer system in response to the second request (figs 2-3, S350 and associated text); and 
communicating, by the token relay system to the client, the access token received by the token relay system from the token issuer system, wherein the access token communicated to the client enables the client to access the resource (figs 2-3, S360-S370 and associated text).
Bhargava does not explicitly disclose wherein the first request comprises scope information identifying one or more authorization scopes associated with the requested access token.  However, in analogous art, Justin discloses synchronizing data across multiple instances of an application in a cloud including wherein the first request comprises scope information identifying one or more authorization scopes associated with the requested access token (figs 5-7 and corresponding text; see para 65-67, a request to update these credentials lands on (is received by) one of the nodes, that node updates the database for the requested operation of updating the credentials. However, the other nodes are unaware of this request and of the update database resulting from the request … node A can update the oAuth token (which is used only between nodes and not exposed outside) with a new scope to the other nodes … oAuth specifies a process for resource owners to authorize third-party access to their server resources without sharing their credentials).  It would have been obvious to a person of ordinary skill in the art before the effective filing date to modify the implementation of Bhargava with the implementation of Justin in order to allow for synchronization of credentials/tokens across multiple instances of an application in the cloud (para 4).

2. Bhargava and Justin disclose the method of claim 1 wherein the client is a non-confidential client (Bhargava, figs 2-3 and corresponding text, client’s capabilities are not known, just that the user is authenticated therefore client device is not to be trusted (non-confidential)).

3. Bhargava and Justin disclose the method of claim 1 wherein the client is an application executed by a browser (Bhargava, para 12).

4. Bhargava and Justin disclose the method of claim 3 wherein the application is a JavaScript application (Bhargava, para 14-15).

5. Bhargava and Justin disclose the method of claim 1 further comprising, using, by the client, the access token to access the resource (Bhargava, figs 2-3, S370 and associated text).

6. Bhargava and Justin disclose the method of claim 5 wherein the resource is a REST resource (para 32-35, 65-67).

7. Bhargava and Justin disclose the method of claim 1 wherein: the first request includes information identifying a scope for the access token; and the access token received by the token relay system from the token issuer system is for the scope identified in the first request (Bhargava, para 25, username/password are information identifying a scope; para 28, corresponding secret key indicates scope along with the received token; see also para 33).

11. Bhargava and Justin disclose the method of claim 1 wherein the first request is received by the token relay system as part of an authenticated user session (Bhargava, figs 2-3, S310-S320 and associated text).

12. Bhargava and Justin disclose the method of claim 1 wherein the token issuer system is a server configured to issue tokens according to OAuth standard (Bhargava, para 28; see also fig 2 and associated text).

Claims 13-17 are similar in scope to claims 1-5, 7, 11, 12 and are rejected under similar rationale.

Claim 20 is similar in scope to claims 1-5, 7, 11, 12 and are rejected under similar rationale.

Claims 8-10, 18-19 is/are rejected under 35 U.S.C. 103 as being unpatentable over Bhargava and Justin as applied to claim 1 above, and further in view of Hay et al. (US 2011/0162072) hereafter Hay.
8. Bhargava and Justin disclose the method of claim 1 wherein the first request comprises: information identifying a scope for which the access token is requested (para 25, 28); information identifying an origin for the client (para 25, HTTP uses source address); and single sign-on information for a session during which the first request is generated by the client (para 25, 28).
Bhargava and Justin do not explicitly disclose an anti-CSRF (Cross Site Request Forgery) token. However, in an analogous art, Hay discloses vulnerability of computer software applications to attacks including an anti-CSRF (Cross Site Request Forgery) token (para 3). It would have been obvious to a person of ordinary skill in the art before the effective filing date to modify the implementation of Bhargava and Justin with the implementation of Hay in order to prevent cross-site request forgery and to test whether a website is adequately protected (para 2-4).

(Hay, para 3); and verifying, by the token relay system, that the client is allowed to request a token for the scope identified in the first request (figs 4-6, User:Service corresponding information must exist for the token request).

10. The method of claim 8 wherein the anti-CSRF token encodes an identifier identifying the client from whom the first request is received by the token relay system (Hay, para 2-4).

Claims 18-19 are similar in scope to claims 8-10 and are rejected under similar rationale.

Response to Arguments
Applicant’s arguments, filed 06/11/2021, with respect to the rejection(s) of claim(s) 1-5, 7, 11-17 under 35 USC 102 have been fully considered and are persuasive.  Therefore, the rejection has been withdrawn.  However, upon further consideration, a new ground(s) of rejection is made in view of Bhargava in view of Justin.

Conclusion


Any inquiry concerning this communication or earlier communications from the examiner should be directed to JAMES R TURCHEN whose telephone number is (571)270-1378.  The examiner can normally be reached on Monday-Friday: 7-3.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu Pham can be reached on 571-270-5002.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/JAMES R TURCHEN/Primary Examiner, Art Unit 2439