DETAILED ACTION
Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 2021-09-15 has been entered.

Response to Amendment
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
This is in reply to papers filed on 2021-09-15. Claims 1-10, 12-18, 20 are pending, following cancellation of claims 11, 19. Claims 1, 6, 13 is/are independent.

Response to Arguments
Applicant's arguments have been fully considered but they are not persuasive.
Applicant’s arguments have been fully considered but are moot in view of the new ground(s) of rejection.
With respect to claim(s) 1 (see page(s) 9-10 of Applicant’s Remarks), Applicant argues that the prior art of record (in particular, U.S. Publication 20120039326 to Chia et al. (hereinafter "Chia '326") in view of U.S. Publication 20140189808 to Mahaffey et al. (hereinafter "Mahaffey '808") in view of R. Fielding (ed.) and J. Reschke (ed.), "RFC7230: 
"Where a client engages in a secure session with a server, headers in the request-response messages exchanged may specify a secure protocol, and convey state information, such as the identity of the client and the authorizations or permissions applicable to the client, …" [Mayo '148 ¶ 0030].
It would have been obvious to a person of ordinary skill in the art reading Mayo '148 to use its techniques to pass the parameters of Chia '326 and Mahaffey '808 in HTTP extension headers as claimed.  Accordingly, Applicant's argument is unpersuasive.
Applicant’s arguments with respect to the remaining claim(s) is/are based on Applicant’s arguments with respect to claim(s) 1 and have been considered as detailed above.

Claim Objections
Claim(s) 13-20 is/are objected to because of the following informalities: The examiner suggests the following corrections:
Claim 13:
Amend the claim to read, in part, as follows "and
claims 14-20 are objected to for the reasons presented above with respect to objected claims 13 and in view of their dependence thereon.

Summary of Claim Rejections under 35 U.S.C. § 103
The following table summarizes the rejections set forth in detail below of the claims over the prior art.

Claim No.
Chia '326 in view of Mahaffey '808 in view of RFC7230 in view of Mayo '148
Chia '326 in view of Mahaffey '808 in view of RFC7230 in view of Mayo '148 in view of AAPA
1
[Wingdings font/0xFC]

2
[Wingdings font/0xFC]

3
[Wingdings font/0xFC]

4
[Wingdings font/0xFC]

5
[Wingdings font/0xFC]

6
[Wingdings font/0xFC]

7
[Wingdings font/0xFC]

8
[Wingdings font/0xFC]

9
[Wingdings font/0xFC]

10
[Wingdings font/0xFC]

12

[Wingdings font/0xFC]
13
[Wingdings font/0xFC]

14
[Wingdings font/0xFC]

15
[Wingdings font/0xFC]

16
[Wingdings font/0xFC]

17
[Wingdings font/0xFC]

18
[Wingdings font/0xFC]

20
[Wingdings font/0xFC]




Claim Rejections - 35 U.S.C. § 103
The following is a quotation of the appropriate paragraphs of AIA  35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale or otherwise available to the public before the effective filing date of the claimed invention.

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of AIA  35 U.S.C. 103 that forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. § 103(a) are summarized as follows:
1.	Determining the scope and contents of the prior art.
2.	Ascertaining the differences between the prior art and the claims at issue.
3.	Resolving the level of ordinary skill in the pertinent art.
4.	Considering objective evidence present in the application indicating obviousness or nonobviousness.

This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly 
Claim(s) 1-10, 13-18, 20 is/are rejected under 35 U.S.C. § 103    pre-AIA  35 U.S.C. § 103(a) as being unpatentable over U.S. Publication 20120039326 to Chia et al. (hereinafter "Chia '326") in view of U.S. Publication 20140189808 to Mahaffey et al. (hereinafter "Mahaffey '808") in view of R. Fielding (ed.) and J. Reschke (ed.), "RFC7230: Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing", Internet Engineering Task Force (IETF) (June 2014) (hereinafter "RFC7230") in view of U.S. Publication 20050204148 to Mayo et al. (hereinafter "Mayo '148").  Chia '326 is prior art to the claims under 35 U.S.C. § 102(a)(1) and 35 U.S.C. § 102(a)(2).    Mahaffey '808 is prior art to the claims under 35 U.S.C. § 102(a)(1) and 35 U.S.C. § 102(a)(2).  RFC7230is prior art to the claims under 35 U.S.C. § 102(a)(1).  Mayo '148 is prior art to the claims under 35 U.S.C. § 102(a)(1) and 35 U.S.C. § 102(a)(2).
Per claim 1 (independent):
Chia '326 discloses a system (system for authentication and access control [Chia '326 ¶ 0059, 0063-0065])
Chia '326 does not disclose a hosted instance hosted by a datacenter, wherein the hosted instance is configured to communicate with one or more client instances generated for one or more client networks, the hosted instance configured to perform operations
Chia '326 does not disclose receiving a hypertext transfer protocol (HTTP) request sent to the hosted instance from a client instance of the one or more client instances
However, Chia '326 discloses receiving a request sent to the hosted instance from a client instance of the one or more client instances (provides improvement to HTTP basic authentication [Chia '326 ¶ 0003]; network authorization authority 
Chia '326 does not disclose determining that the HTTP request contains a first header, wherein the first header comprises a first character string identifying the first header as a source header and a second character string identifying the client instance as a source of the HTTP request
However, Chia '326 discloses determining that the request contains information identifying the client instance as a source of the request (checks "the registered information at the database of the user such as userId, deviceId and password together with the valid token" [Chia '326 ¶ 0075])
Chia '326 does not disclose the first character string identifies an authentication protocol by which credentials are authorized
Chia '326 does not disclose determining that the HTTP request contains a second header comprising a username and password associated with a user of the client instance
However, Chia '326 discloses determining that the request contains a username and password associated with a user of the client instance (determines access according to whether device ID is trusted, semi-trusted, or non-trusted [Chia '326 ¶ 0055-0056]; checks "the registered information at the database of the user such as userId, deviceId and password together with the valid token" [Chia '326 ¶ 0075, 0059-0063])
Chia '326 discloses authorizing access to the hosted instance for the client instance (determines access according to whether device ID is trusted, semi-trusted, or non-trusted [Chia '326 ¶ 0055-0056]; checks "the registered information at the database of the user such as userId, deviceId and password together with the valid token" [Chia '326 ¶ 0075, 0059-0063])
Further:
Mahaffey '808 discloses a hosted instance hosted by a datacenter, wherein the hosted instance is configured to communicate with one or more client instances generated for one or more client networks, the hosted instance configured to perform operations (auth server 101/328 and target server 114/326, hosted in at least one datacenter [Mahaffey '808 ¶ 0041, 0174, Figs. 1, 3], communicate [Mahaffey '808 ¶ 0056, 0093] with client instances [Mahaffey '808 ¶ 0041, 0174, 0178, 0184-0188] to perform authentication operations)
Mahaffey '808 discloses receiving a hypertext transfer protocol (HTTP) request sent to the hosted instance from a client instance of the one or more client instances (to authenticate, transmits HTTP header including credentials and 'enriched' to include device identifier [Mahaffey '808 ¶ 0068]; "hosted instance" receives a HTTP request enriched with device ID [Mahaffey '808 ¶ 0089])
comprises identifying the client instance as a source of the HTTP request (to authenticate, transmits HTTP header including credentials and 'enriched' to include device identifier [Mahaffey '808 ¶ 0068]; in an embodiment, "requesting client 322 may respond with credentials 304, directly" [Mahaffey '808 ¶ 0093]; the "client" sends the credentials to the target server [see, e.g., Mahaffey '808 ¶ 0098, 0100])
Mahaffey '808 discloses determining that the HTTP request contains a second header comprising a username and password associated with a user of the client instance (to authenticate, transmits HTTP header including credentials, e.g. "a username/password combination" [Mahaffey '808 ¶ 0079, 0068]; in an embodiment, all "user credentials, encryption keys, and other possible objects that are used to authenticate a user, message or other transaction" are stored on the requesting client following initial authentication [Mahaffey '808 ¶ 0092]; in an embodiment, "requesting client 322 may respond with credentials 304, directly" [Mahaffey '808 ¶ 0093]; the "client" sends the credentials to the target server [see, e.g., Mahaffey '808 ¶ 0098, 0100])
Mahaffey '808 discloses determining that the username, the password, and the client instance identified as the source match an associated credential stored in an authorized users list (to authenticate, transmits HTTP header including credentials, e.g. "a username/password combination" [Mahaffey '808 ¶ 0079, 0068]; to authenticate, transmits HTTP header including credentials and 'enriched' to include device identifier [Mahaffey '808 ¶ 0068])
It would have been obvious to a person having ordinary skill in the art (1) before the effective filing date of the claimed invention and (2) before the invention was made to have modified Chia '326 with the device ID enriched authentication headers of Mahaffey '808 to arrive at an apparatus, method, and product including:
a hosted instance hosted by a datacenter, wherein the hosted instance is configured to communicate with one or more client instances generated for one or more client networks, the hosted instance configured to perform operations
receiving a hypertext transfer protocol (HTTP) request sent to the hosted instance from a client instance of the one or more client instances
determining that the HTTP request contains a first header, wherein the first header comprises identifying the client instance as a source of the HTTP request
determining that the HTTP request contains a second header comprising a username and password associated with a user of the client instance
determining that the username, the password, and the client instance identified as the source match an associated credential stored in an authorized users list

Further:
RFC7230 discloses determining that the HTTP request contains a first header, wherein the first header comprises a first character string identifying the first header Field-name and a second character string identifying the Field Value of the HTTP request ("New header fields can be defined such that, when they are understood by a recipient, they might override or enhance the interpretation of previously defined header fields, define preconditions on request evaluation, or refine the meaning of responses." [RFC7230 § 3.2.1]; HTTP headers consist of a colon-separated "Field-Name: Field Value" pair. [RFC7230 § 3.2.4])
It would have been obvious to a person having ordinary skill in the art (1) before the effective filing date of the claimed invention and (2) before the invention was made to have modified the header of Chia '326 in view of Mahaffey '808 with the Field-name: Field value pair required for HTTP as taught by RFC7230 to arrive at an apparatus, method, and product including:
determining that the HTTP request contains a first header, wherein the first header comprises a first character string identifying the first header as a source header and a second character string identifying the client instance as a source of the HTTP request
A person having ordinary skill in the art would have been motivated to combine them at least because the Field-name: Field value pair format is required for HTTP headers such as the HTTP headers Mahaffey '808 adds to Chia '326.  A person having ordinary skill in the art would have been further motivated to combine them at least because RFC7230 teaches [RFC7230 § 3.2.1, § 3.2.4] modifying a authentication scheme using HTTP headers such as that of Chia '326 in view of Mahaffey '808 to arrive at the claimed invention; because doing so constitutes use of a known technique (formatting HTTP headers to label what they contain [RFC7230 § 3.2.1, § 3.2.4]) to improve similar devices and/or methods (authentication scheme using parameters 
Further:
Mayo '148 discloses the first character string identifies an authentication protocol by which credentials are authorized ("Where a client engages in a secure session with a server, headers in the request-response messages exchanged may specify a secure protocol, and convey state information, such as the identity of the client and the authorizations or permissions applicable to the client, …" [Mayo '148 ¶ 0030])
It would have been obvious to a person having ordinary skill in the art (1) before the effective filing date of the claimed invention and (2) before the invention was made to have modified Chia '326 with the extension headers for authentication of Mayo '148 to arrive at an apparatus, method, and product including:

A person having ordinary skill in the art would have been motivated to combine them at least because the extension headers for authentication of Mayo '148 would have provided a means of transmitting the device ID (called for by the authentication of Chia '326) and authentication protocol information using the extension header technique well known in the art for conveying information via HTTP messages.  A person having ordinary skill in the art would have been further motivated to combine them at least because Mayo '148 teaches [Mayo '148 ¶ 0030] modifying a authentication scheme using device ID [Chia '326 ¶ 0075, 0059-0063] such as that of Chia '326 to arrive at the claimed invention; because doing so constitutes use of a known technique (extension headers for authentication [Mayo '148 ¶ 0030]) to improve similar devices and/or methods (authentication scheme using device ID [Chia '326 ¶ 0075, 0059-0063]) in the same way; because doing so constitutes applying a known technique (extension headers for authentication [Mayo '148 ¶ 0030]) to known devices and/or methods (authentication scheme using device ID [Chia '326 ¶ 0075, 0059-0063]) ready for improvement to yield predictable results; and because the modification amounts to combining prior art elements according to known methods to yield predictable results.  Here, (1) the prior art included each element (as detailed above); (2) one of ordinary skill in the art could have combined the elements as claimed by known methods, and in this combination, each element merely performs the same function as it does separately (authentication scheme authenticates device ID [Chia '326 ¶ 0075, 0059-0063] transmitted via extension headers for authentication [Mayo '148 ¶ 0030]); (3) one of ordinary skill in the art would have recognized that the results 
Per claim 2 (dependent on claim 1):
Chia '326 in view of Mahaffey '808 in view of RFC7230 discloses the elements detailed in the rejection of claim 1 above, incorporated herein by reference
The remaining limitations of the claim(s) correspond(s) to features of claim(s) 15 and the claim(s) is/are rejected for the reasons detailed with respect to those claims.
Per claim 3 (dependent on claim 1):
Chia '326 in view of Mahaffey '808 in view of RFC7230 discloses the elements detailed in the rejection of claim 1 above, incorporated herein by reference
The remaining limitations of the claim(s) correspond(s) to features of claim(s) 19 and the claim(s) is/are rejected for the reasons detailed with respect to those claims.
Per claim 4 (dependent on claim 1):
Chia '326 in view of Mahaffey '808 in view of RFC7230 discloses the elements detailed in the rejection of claim 1 above, incorporated herein by reference
The remaining limitations of the claim(s) correspond(s) to features of claim(s) 20 and the claim(s) is/are rejected for the reasons detailed with respect to those claims.
Per claim 5 (dependent on claim 1):
Chia '326 in view of Mahaffey '808 in view of RFC7230 discloses the elements detailed in the rejection of claim 1 above, incorporated herein by reference
Chia '326 discloses the operations comprise determining that the system is enforcing augmented basic access authentication (denies access to untrusted devices [Chia '326 ¶ 0022-0023; ¶ 0080, Fig. 6 at ref num 64; ¶ 0081, Fig. 7 at ref num 74; ¶ 0090, 0094])
Per claim 6 (independent):
The remaining limitations of the claim(s) correspond(s) to features of claim(s) 1 and the claim(s) is/are rejected for the reasons detailed with respect to those claims.
Per claim 7 (dependent on claim 6):
Chia '326 in view of Mahaffey '808 in view of RFC7230 discloses the elements detailed in the rejection of claim 6 above, incorporated herein by reference
The remaining limitations of the claim(s) correspond(s) to features of claim(s) 16 and the claim(s) is/are rejected for the reasons detailed with respect to those claims.
Per claim 8 (dependent on claim 7):
Chia '326 in view of Mahaffey '808 in view of RFC7230 discloses the elements detailed in the rejection of claim 7 above, incorporated herein by reference
Chia '326 discloses updating the authorized users list to associate the username, the password, and the source with the approved user in response to determining that the 
Per claim 9 (dependent on claim 7):
Chia '326 in view of Mahaffey '808 in view of RFC7230 discloses the elements detailed in the rejection of claim 7 above, incorporated herein by reference
The remaining limitations of the claim(s) correspond(s) to features of claim(s) 15 and the claim(s) is/are rejected for the reasons detailed with respect to those claims.
Per claim 10 (dependent on claim 6):
Chia '326 in view of Mahaffey '808 in view of RFC7230 discloses the elements detailed in the rejection of claim 6 above, incorporated herein by reference
Chia '326 discloses determining that the system is enforcing augmented basic access authentication (denies access to untrusted devices [Chia '326 ¶ 0022-0023; ¶ 0080, Fig. 6 at ref num 64; ¶ 0081, Fig. 7 at ref num 74; ¶ 0090, 0094])
Chia '326 discloses denying access to the hosted instance for the client instance in response to determining that the username, the password, or the client instance, or a combination thereof, do not match the credentials associated with the approved user on the authorized users list (access denied when there is a mismatch in "the registered information at the database of the user such as userId, deviceId and password together with the valid token" [Chia '326 ¶ 0075, 0059-0063]; determines access according to whether device ID is trusted, semi-trusted, or non-trusted [Chia '326 ¶ 0055-0056]; grants or denies access [Chia '326 ¶ 0022-0023; compare Fig. 3 at ref num 35 or Fig. 4 at ref num 44 with Fig. 6 at ref num 64 or Fig. 7 at ref num 74])
Per claim 13 (independent):
The remaining limitations of the claim(s) correspond(s) to features of claim(s) 1 and the claim(s) is/are rejected for the reasons detailed with respect to those claims.
Per claim 14 (dependent on claim 13):
Chia '326 in view of Mahaffey '808 in view of RFC7230 discloses the elements detailed in the rejection of claim 13 above, incorporated herein by reference
Chia '326 does not disclose determining that a username accompanying the HTTP request, a password accompanying the HTTP
However, Chia '326 discloses determining that a username accompanying the request, a password accompanying the request, and the source match credentials associated with the approved user on the authorized users list and authorizing access to the hosted instance for the client instance (determines access according to whether device ID is trusted, semi-trusted, or non-trusted [Chia '326 ¶ 0055-0056]; checks "the registered information at the database of the user such as userId, deviceId and password together with the valid token" [Chia '326 ¶ 0075, 0059-0063]; grants or denies access [Chia '326 ¶ 0022-0023; compare Fig. 3 at ref num 35 or Fig. 4 at ref num 44 with Fig. 6 at ref num 64 or Fig. 7 at ref num 74])
Further:
Mahaffey '808 discloses determining that a username accompanying the HTTP request, a password accompanying the HTTP request, and the source match credentials associated with the approved user on the authorized users list and authorizing access to the hosted instance for the client instance (to authenticate, transmits HTTP header including credentials and 'enriched' to include device identifier [Mahaffey '808 ¶ 0068])
For the reasons detailed above with respect to claim 1, it would have been obvious to a person having ordinary skill in the art (1) before the effective filing date of the claimed invention and (2) before the invention was made to have modified Chia '326 with the device ID enriched authentication header of Mahaffey '808 to arrive at an apparatus, method, and product including:
determining that a username accompanying the HTTP request, a password accompanying the HTTP request, and the source match credentials associated with the approved user on the authorized users list and authorizing access to the hosted instance for the client instance
Per claim 15 (dependent on claim 14):
Chia '326 in view of Mahaffey '808 in view of RFC7230 discloses the elements detailed in the rejection of claim 14 above, incorporated herein by reference
Chia '326 does not disclose retrieving one or more pieces of information requested in the HTTP request;  generating an HTTP response; and transmitting the HTTP response and the information requested in the HTTP request to the client instance
Further:
Mahaffey '808 discloses retrieving one or more pieces of information requested in the HTTP request;  generating an HTTP response; and transmitting the HTTP response and 
For the reasons detailed above with respect to claim 1, it would have been obvious to a person having ordinary skill in the art (1) before the effective filing date of the claimed invention and (2) before the invention was made to have modified Chia '326 with the device ID enriched authentication header of Mahaffey '808 to arrive at an apparatus, method, and product including:
retrieving one or more pieces of information requested in the HTTP request;  generating an HTTP response; and transmitting the HTTP response and the information requested in the HTTP request to the client instance
Per claim 16 (dependent on claim 13):
Chia '326 in view of Mahaffey '808 in view of RFC7230 discloses the elements detailed in the rejection of claim 13 above, incorporated herein by reference
Chia '326 discloses determining that the client instance identified as the source does not match credentials associated with the approved user on the authorized users list (determines access according to whether device ID is trusted, semi-trusted, or non-trusted [Chia '326 ¶ 0055-0056]; checks "the registered information at the database of the user such as userId, deviceId and password together with the valid token" [Chia '326 ¶ 0075, 0059-0063]; grants or denies access [Chia '326 ¶ 0022-0023; compare Fig. 3 at ref num 35 or Fig. 4 at ref num 44 with Fig. 6 at ref num 64 or Fig. 7 at ref num 74])
Chia '326 discloses determining that augmented basic access authentication is not being enforced and authorizing access to the hosted instance for the client instance (allows limited access [Chia '326 ¶ 0063-0065, 0055-0056] to non-registered devices [Chia '326 ¶ 0067, Fig. 4] or by  using temporary tokens [Chia '326 ¶ 0072, Fig. 4])
Per claim 17 (dependent on claim 16):
Chia '326 in view of Mahaffey '808 in view of RFC7230 discloses the elements detailed in the rejection of claim 16 above, incorporated herein by reference
Chia '326 discloses updating the authorized users list to associate the source with the approved user (registers new devices to database [Chia '326 ¶ 0059-0066, Fig. 2])
Per claim 18 (dependent on claim 13):
Chia '326 in view of Mahaffey '808 in view of RFC7230 discloses the elements detailed in the rejection of claim 13 above, incorporated herein by reference
Chia '326 discloses determining that the client instance identified as the source does not match credentials associated with the approved user on the authorized users list 
Chia '326 discloses determining that augmented basic access authentication is being enforced and denying access to the hosted instance for the client instance (denies access to untrusted devices [Chia '326 ¶ 0022-0023; ¶ 0080, Fig. 6 at ref num 64; ¶ 0081, Fig. 7 at ref num 74; ¶ 0090, 0094])
Per claim 20 (dependent on claim 13):
Chia '326 in view of Mahaffey '808 in view of RFC7230 discloses the elements detailed in the rejection of claim 13 above, incorporated herein by reference
Chia '326 discloses determining that augmented basic access authentication is enabled (determines access according to whether device ID is trusted, semi-trusted, or non-trusted [Chia '326 ¶ 0055-0056]; checks "the registered information at the database of the user such as userId, deviceId and password together with the valid token" [Chia '326 ¶ 0075, 0059-0063]; grants or denies access [Chia '326 ¶ 0022-0023; see also Fig. 3 at ref num 35 or Fig. 4 at ref num 44; denies access to untrusted devices [Chia '326 ¶ 0022-0023; ¶ 0080, Fig. 6 at ref num 64; ¶ 0081, Fig. 7 at ref num 74; ¶ 0090, 0094])
Claim(s) 12 is/are rejected under 35 U.S.C. § 103  as being unpatentable over Chia '326 in view of Mahaffey '808 in view of RFC7230 in view of Applicant's Admitted Prior Art (hereinafter "AAPA").
Per claim 12 (dependent on claim 6):
Chia '326 in view of Mahaffey '808 in view of RFC7230 discloses the elements detailed in the rejection of claim 6 above, incorporated herein by reference
Chia '326 does not disclose the operations comprise generating and logging an authorization failure ticket in response to determining that the username, the password, or the client instance, or a combination thereof, do not match the credentials associated with the approved user on the authorized users list
However, Chia '326 discloses the operations comprise an authorization failure in response to determining that the username, the password, or the client instance, or a combination thereof, do not match the credentials associated with the approved user on the authorized users list (access denied when there is a mismatch in "the registered information at the database of the user such as userId, deviceId and password together with the valid token" [Chia '326 ¶ 0075, 0059-0063]; determines access according to whether device ID is trusted, semi-trusted, or non-trusted [Chia '326 ¶ 0055-0056])
Further:
Examiner has taken official notice that it is well known in the art to log failed and successful login attempts.  See, e.g., U.S. Publication 20200358755 to Abdul et al. ¶ 0103; U.S. Publication 20180359259 to Leon ¶ 0073.  By not adequately traversing this finding, Applicant is deemed to have admitted it.  See MPEP § 2144.03.
It would have been obvious to a person having ordinary skill in the art (1) before the effective filing date of the claimed invention and (2) before the invention was made to have modified Chia '326 with the logging admitted by Applicant to be prior art to arrive at an apparatus, method, and product including:
the operations comprise generating and logging an authorization failure ticket in response to determining that the username, the password, or the client instance, or a combination thereof, do not match the credentials associated with the approved user on the authorized users list
A person having ordinary skill in the art would have been motivated to combine them at least because logging of important security events (such as grants or denials of access) permits auditing that can enhance the security (by determining whether access was incorrectly granted) and the functionality (by determining whether access was incorrectly denied) of the system.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
U.S. Publication 20140245372 to Elias et al. (hereinafter "Elias '372") discloses ("…the action can specify the HTTP authentication method (e.g., HTTP BASIC, HTTP DIGEST, etc.) and the access credentials (e.g., account name and the password), and the HTTP request can be updated to include this information (e.g., in one or more headers of the HTTP request)." [Elias '372 ¶ 0018, 0015])
Any inquiry concerning this communication or earlier communications from the examiner should be directed to THEODORE C PARSONS whose telephone number is (571)270-1475.  The examiner can normally be reached on MTWRF 7:30-4:30.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jung Kim can be reached on (571) 272-3804.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/THEODORE C PARSONS/Primary Examiner, Art Unit 2494