DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
This Office Action is in response to the Amendment filed on 07/13/2021.
In the instant Amendment: Claims 1-3, 5-6, 9-11, 13-15, 17-18 have been amended and claims 1, 9 and 13 are independent claims. Claims 1-20 have been examined and are pending. This Action is made FINAL.          
Response to Arguments
Applicants' arguments in the instant Amendment, filed on 07/13/2021, with respect to limitations listed below, have been fully considered but they are not persuasive.
Applicant Argues: Hinton and Yeddula fail to disclose “in response to receiving a request from a second client, the request including the second token, and in response to validating the second client against the table, transmitting by one or more processing units, the at least one long-term protected resource to the second client” of amended claim 1. See Remarks at 10 (emphasis added). 
The examiner respectfully disagrees because these arguments are not persuasive. 
Applicant’s amendment added the term “second client” and reasoned that “claim 1 [as amended now] requires the authorization system to ‘transmit… the at least one long-term protected resources’ of a ‘first client’ to specifically authorized ‘second clients’ ” after transfer of the token from the first client to the second client and successful validation of the second client.  Id. at 10 (emphasis added). In contrast to applicant’s assertions, Yeddula teaches a first user transferring an access token to a second user, the See Yeddula ¶¶ [0105], [0128] (“The transferable access token can be [ ] transferred to another user, such as a second user associated with second communication device 504. At step S634, the authorization computer 614 can determine whether the interaction between the resource provider and the second user of the second communication device 604 is authorized. Additionally, the authorization computer 614 can determine whether the transferable access token has enough associated interaction value to complete the interaction.) (emphasis added). Thus, Yeddula teaches a second user receiving a token from a first user, and uses the second token to request access or resources from an authentication system. Accordingly, the combination of Hinton (e.g., FIG. 5 and ¶¶ [0022]-[0024], [0026]) and Yeddula as discussed above teach “in response to receiving a request from a second client, the request including the second token, and in response to validating the second client against the table, transmitting by one or more processing units, the at least one long-term protected resource to the second client” of amended claim 1.
In conclusion, applicant’s argument are unpersuasive and the rejection of claim 1 is maintained. Similarly, rejection of independent claims 9 and 13, which recite similar matter to claim 1, is also maintained.  
The applicant can contact the Examiner for suggestions regarding the current application. 
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically discloses as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 2, 6, 8, 9, 10, 12, 13, 14, and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Hinton et al. (“Hinton,” US 20090205032, published Aug. 13, 2009) in view of Yeddula et al. (“Yeddula,” US 20190349360, filed May 10 2018). 
Regarding claim 1, Hinton discloses a computer-implemented method comprising: 
assigning, by one or more processing units, a first token to authorize a first client to access at least one protected resource of a resource owner, wherein the first token depends on an access session between an authorization system and the first client (Hinton FIGs 1, 5, [0020]-[0021], [0023]. More generally, a mobile device may also be considered to be operated in a “disconnected” mode from the identity provider itself. In this case, the mobile device may be deemed to be operating in an “identity provider-disconnected mode.” In general, the token is used to assert the user's authenticated identity (and/or associated attributes) to service provider partners. In connected mode, the application typically is able to leverage the network to request from the identity provider a fresh token, e.g., as generated at request time for the use at the appropriate connected application.); 
Hinton FIGs 1, 5, [0020]-[0021], [0023], [0026]. More generally, a mobile device may also be considered to be operated in a “disconnected” mode from the identity provider itself. In this case, the mobile device may be deemed to be operating in an “identity provider-disconnected mode.” In general, the token is used to assert the user's authenticated identity (and/or associated attributes) to service provider partners. As one of ordinary skill will appreciate, the token is used by the mobile device 500 when the mobile device needs to provide a token (or an equivalent) to authenticate itself in connection with some identity provider-disconnected mode operation. This token is sometimes referred to herein as a “long term' token to contrast that it is usable (theoretically) during time periods when the mobile device is not then connected to the identity provider.), and
wherein the second token is stored, according to the first client, in a table of the authorization system (Hinton FIGs 1, 5, 6,  [0023], [0026]. According to one embodiment, and as illustrated in FIG. 5, the mobile device user obtains a “long term' token 505 from a given identity provider/STS 502. The token 505 is useful to facilitate identity and privilege assertion to other parties. In general, the token is used to assert the user's authenticated identity (and/or associated attributes) to service provider partners. As one of ordinary skill will appreciate, the token is used by the mobile device 500 when the mobile device needs to provide a token (or an equivalent) to authenticate itself in connection with some identity provider-disconnected mode operation. In particular, [ ] the trust broker may interact with the original token issuer (identity provider/STS 606) by making an explicit validation request to the STS 606, passing the token that was received from the disconnected application 604. In this case, the token issuer performs additional checking (e.g., is the mobile device actually disconnected, has the device been shut down for some reason, or the like) before returning to the trust broker 608 more detailed information about the device and the device user's status.);
in response to receiving a request from a [second] client, and in response to validating the [second] client against the table, transmitting, by the one or more processing units, the at least one long-term protected resource to the [second] client (Hinton FIG. 5, [0022]-[0024], [0026]. As used herein, the "disconnected application" 110 is a computer program, process or module, or set of such components, that provide a given function, such as providing access to a facility, providing access to a resource, enabling purchase of a given product or service, providing a subscription to a service, or the like. According to one embodiment, and as illustrated in FIG. 5, the mobile device user obtains a “long term' token. Preferably, the token is used to obtain authentication (or otherwise to assert the user's authenticated identity) when the mobile device is operating in an identity provider-disconnected mode environment. At this point, the mobile device (and, in particular, some program or process executable thereon) makes a resource request to the disconnected application 604. The long term token is included with or otherwise associated with this resource request. As noted above, the “resource request' should be broadly construed to cover any type of access, use or other request, depending on the functionality provided by the disconnected application. In particular, [ ] the trust broker may interact with the original token issuer (identity provider/STS 606) by making an explicit validation request to the STS 606, passing the token that was received from the disconnected application 604. In this case, the token issuer performs additional checking (e.g., is the mobile device actually disconnected, has the device been shut down for some reason, or the like) before returning to the trust broker 608 more detailed information about the device and the device user's status.). 
Hinton does not explicitly disclose: wherein a scope of authorization of the first token is determined by receiving a set of authorization options from the resource owner, the set of authorization options represented graphically within a user interface and selectable by a user;  [assigning a second token] by the one or more processing units and based on the assigning of the first token, and in response to receiving a request from a second client,  the request including the second token. 
However, in an analogous art, Yeddula discloses a method, comprising: 
wherein a scope of authorization of the first token is determined by receiving a set of authorization options from the resource owner (Yeddula FIG. 2, [0060]. [T]he authorization computer may determine that the transferable access token “ 12345 ” has an interaction value of “ $ 30.00 , ” generate two transferable access tokens ( e.g. , “ 49142 " and 02913 ” ) , and associate the interaction value $ 10.00 with the first transferable access token “ 49142 " and the interaction value $ 20.00 with the second transferable access token " 02913. ”.), 
the set of authorization options represented graphically within a user interface and selectable by a user (Yeddula FIG. 2, [0059]-[0060]. This may involve receiving and interpreting input from the user via the data input / output 206, such as the selection of a particular transferable access token or group of transferable access tokens . As an example, a user could drag their finger over GUI elements (displayed on a touch screen ) corresponding to two distinct transferable access tokens , such that the transferable access tokens are clearly selected ( e.g. , as indicated by a selection glow or other relevant visual effect ). The transferable access token application 216 can be used by the processor 202 to generate a transferable access token combination message comprising the selected transferable access tokens.  A user can select a transferable access token using GUI elements , select a button that indicates that the user wishes to split the transferable access token , and indicate how the user wants to split the access token [as the user may combine or split tokens based on monetary amounts].); 
assigning, by the one or more processing units and based on the assigning of the first token, a second token (Yeddula FIG. 2, [0060]. [T]he authorization computer may determine that the transferable access token “ 12345 ” has an interaction value of “ $ 30.00 , ” generate two transferable access tokens ( e.g. , “ 49142 " and 02913 ” ) , and associate the interaction value $ 10.00 with the first transferable access token “ 49142 " and the interaction value $ 20.00 with the second transferable access token " 02913. ”),  
and in response to receiving a request from a second client,  the request including the second token (Yeddula ¶¶ [0105], [0128]. The transferable access token can be [ ] transferred to another user, such as a second user associated with second communication device 504. At step S634, the authorization computer 614 can determine whether the interaction between the resource provider and the second user of the second communication device 604 is authorized. Additionally, the authorization computer 614 can determine whether the transferable access token has enough associated interaction value to complete the interaction.). 
See Yeddula [0060].)
Regarding claim 2, Hinton and Yeddula disclose the method of claim 1. Hinton further discloses wherein the at least one long-term protected resource is a part of the at least one protected resource (Hinton FIGs 1, 5, [0023]. In general, the token is used to assert the user's authenticated identity (and/or associated attributes) to service provider partners. As one of ordinary skill will appreciate, the token is used by the mobile device 500 when the mobile device needs to provide a token (or an equivalent) to authenticate itself in connection with some identity provider-disconnected mode operation. This token is sometimes referred to herein as a “long term' token to contrast that it is usable (theoretically) during time periods when the mobile device is not then connected to the identity provider.).  
Yeddula further discloses wherein the part comprises account information of the resource owner in the first client (Yeddula [0106]. For example, as part of provisioning a transferable interaction token with interaction value equal to $ 100.00, the clearing and settlement process may involve the transfer of $ 100.00 from a payment account associated with a first user of the first communication device 402 and a payment account associated with the resource provider.). 
The motivation is the same as that of claim 1 above. 
Regarding claim 6, Hinton and Yeddula disclose the method of claim 1. Hinton further discloses:  
in response to the assigning of the first token or the second token, request the at least one long-term protected resource on the device (Hinton FIGs 1, 5, [0020]-[0021], [0024]. More generally, a mobile device may also be considered to be operated in a “disconnected” mode from the identity provider itself. In this case, the mobile device may be deemed to be operating in an “identity provider-disconnected mode.” At this point, the mobile device (and, in particular, some program or process executable thereon) makes a resource request to the disconnected application 604. The long term token is included with or otherwise associated with this resource request. As noted above, the “resource request' should be broadly construed to cover any type of access, use or other request, depending on the functionality provided by the disconnected application.); 
obtain the at least one long-term protected resource from the device (Hinton FIG. 1, [0022]-[0023]. As used herein, the “disconnected application' 110 is a computer program, process or module, or set of such components, that provide a given function, such as providing access to a facility, providing access to a resource, enabling purchase of a given product or service, providing a subscription to a service, or the like. Preferably, the token is used to obtain authentication (or otherwise to assert the user's authenticated identity) when the mobile device is operating in an identity provider-disconnected mode environment.), and 
storing the at least one obtained long-term protected resource in the resource database (Hinton FIG. 1, [0022]-[0023]. As used herein, the “disconnected application' 110 is a computer program, process or module, or set of such components, that provide a given function, such as providing access to a facility, providing access to a resource, enabling purchase of a given product or service, providing a subscription to a service, or the like. Preferably, the token is used to obtain authentication (or otherwise to assert the user's authenticated identity) when the mobile device is operating in an identity provider-disconnected mode environment. [e.g., the token can be used to authenticate a user/device for accessing a software subscription.] ).
Yeddula further discloses wherein: the protected resource is hosted by a device separated from the authorization system (Yeddula FIG. 2, [0050]. The system 100 can comprise a first user 102, a second user 104, a first communication device 106, a second communication device 108, a portable device 110, an access device 112, a resource provider computer 114, a transport computer 116, a remote server computer 118, an authorization computer 120, a communications gateway 122, and a token vault 124.); and
the authorization system comprises a resource collector module and a resource database, the resource collector module being adapted to (Yeddula FIG. 1, [0024], [0066]. A "resource" may refer to something that may be used by an entity or transferred between entities.  Examples of resources include goods, services, information, and/or access to restricted locations. The authorization computer may comprise [ ] an access token database 306, [ ] an access token module 312, an authorization module 314, a risk analysis module 316, and an encryption module 318.): 
The motivation is the same as that of claim 1 above. 
Regarding claim 8, Hinton and Yeddula disclose the method of claim 1. Hinton further discloses wherein a lifetime of the second token is set to be longer than a lifetime of the first token (Hinton [0023]. In connected mode, the application typically is able to leverage the network to request from the identity provider a fresh token, e.g., as generated at request time for the use at the appropriate connected application. According to one embodiment, and as illustrated in FIG. 5, the mobile device user obtains a “long term' token 505. Preferably, the token is used to obtain authentication (or otherwise to assert the user's authenticated identity) when the mobile device is operating in an identity provider-disconnected mode environment. The duration of the token may be set in various timeframes, such as one (1) day, one (1) week, or the like.); and 
wherein the first token is prioritized over the second token until the access session is terminated (Hinton [0023]. This token is sometimes referred to herein as a “long term' token to contrast that it is usable (theoretically) during time periods when the mobile device is not then connected to the identity provider. Typically, the token is not used when the mobile device is operating in connected mode, i.e. when the mobile device is connected to the identity provider. In connected mode, the application typically is able to leverage the network to request from the identity provider a fresh token, e.g., as generated at request time for the use at the appropriate connected application. The token that is used in identity provider-disconnected mode as described herein may not be associated with the same level of privileges as provided with a one-time-use token generated and used in connected mode.).  
Regarding claim 9, claim 9 is directed to a system corresponding to the method of claim 1. Claim 9 is similar in scope to claim 1 and is therefore rejected under similar rationale. 
Regarding claim 10, claim 10 is directed to a system corresponding to the method of claim 2. Claim 10 is similar in scope to claim 2 and is therefore rejected under similar rationale. 
Regarding claim 12, claim 12 is directed to a system corresponding to the method of claim 8. Claim 12 is similar in scope to claim 8 and is therefore rejected under similar rationale. 
Regarding claim 13, claim 13 is directed to a computer program product corresponding to the system of claim 1. Claim 13 is similar in scope to claim 1 and is therefore rejected under similar rationale. 
Regarding claim 14, claim 14 is directed to a computer program product corresponding to the system of claim 2. Claim 14 is similar in scope to claim 2 and is therefore rejected under similar rationale. 
Regarding claim 18, claim 18 is directed to a computer program product corresponding to the system of claim 6. Claim 18 is similar in scope to claim 6 and is therefore rejected under similar rationale. 
Claims 3, 4, 7, 11, 15, 16 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Hinton et al. (“Hinton,” US 20090205032, published Aug. 13, 2009) in view of Yeddula et al. (“Yeddula,” US 20190349360, filed May 10 2018) and McEnroe et al. (“McEnroe,” US 20070203714, published Aug. 30, 2017). 
Regarding claim 3, Hinton and Yeddula disclose the method of claim 1. Yeddula discloses a second client (Yeddula ¶¶ [0105], [0128]. The transferable access token can be [ ] transferred to another user, such as a second user associated with second communication device 504. At step S634, the authorization computer 614 can determine whether the interaction between the resource provider and the second user of the second communication device 604 is authorized. Additionally, the authorization computer 614 can determine whether the transferable access token has enough associated interaction value to complete the interaction.). 
Hinton and Yeddula do not explicitly disclose: determining, by the one or more processing units, whether a further client has been granted by the resource owner to access the at least one long-term protected resource; and in response to determining that the further client has been granted, sharing, by one or more processing units of the second client, the second token with the further client has been granted, sharing, by one or more processing units of the client, the second token with the further client; and storing the second token, according to the further client, in the table of the authorization system, wherein the second token authorizes access to a subset of the at least one long-term protected resource.  
However, in an analogous art, McEnroe discloses a method comprising the steps of determining, by one or more processing units, whether a further client has been McEnroe FIGs 5, 7, [0063], [0070]. The first type of token is assigned to a first client (block 508), such as by assigning the HD token 202(1) to client device 106(1). A second client then attempts to consume content that would cause the viewing system to exceed the allocated bandwidth (block 510). Further, these tokens represent the maximum amount of bandwidth allocated to the viewing system 104. Therefore, if the client device 106(N) was to consume content, that content consumption may exceed the bandwidth allocated by the con tent provider 102. After the request is processed, a response is formed for communication to the at least one client device that indicates whether the additional bandwidth has been purchased (block 616). A variety of other examples are also contemplated, such as [ ]a permanent token that permits consumption of the additional amount of content based on a subscription, and so on.); and 
storing the second token, according to the further client, in the table of the authorization system (McEnroe [0041]. The manager client device 106(1), for instance, may maintain a token listing 204 in storage 122 which lists which tokens 202(1)-202(4) have been assigned to which respective client devices 106(1)-106(4). In the illustrated example, because client device 106(N) does not include one of the tokens 202(1)-202(N), the client device 106(N) is not authorized to consume content 110(c) from the content provider 102.); and 
wherein the second token authorizes access to a subset of the at least one long-term protected resource (McEnroe [0070]. TA variety of other examples are also contemplated, such as for purchase of a temporary token for a limited period, a permanent token that permits consumption of the additional amount of content based on a subscription, and so on.)
Therefore, it would have been obvious to one of ordinary skill in the art on or before the effective filing date of the claimed invention to combine the teachings of McEnroe with teachings of Hinton and Yeddula to include the steps of: determining, by one or more processing units, whether a further client has been granted by the resource owner to access the at least one long-term protected resource; and in response to determining that the further client has been granted, sharing, by one or more processing units of the client, the second token with the further client has been granted, sharing, by one or more processing units of the client, the second token with the further client; and storing the second token, according to the further client, in the table of the authorization system, wherein the second token authorizes access to a subset of the at least one long-term protected resource, to provide users with a means for assigning access tokens to additional users and/or devices according to online content purchases and network resources needs.  (See McEnroe [0070].)
Regarding claim 4, Hinton, Yeddula and McEnroe disclose the method of claim 3. McEnroe further discloses: in response to receiving from the further client a further request including the second token and validating the further client against the table, providing, by one or more processing units, the at least one long-term protected resource to the further client (McEnroe FIGs 5, 7, [0041], [0070]. The manager client device 106(1), for instance, may maintain a token listing 204 in storage 122 which lists which tokens 202(1)-202(4) have been assigned to which respective client devices 106(1)-106(4). In the illustrated example, because client device 106(N) does not include one of the tokens 202(1)-202(N), the client device 106(N) is not authorized to consume content 110(c) from the content provider 102. After the request is processed, a response is formed for communication to the at least one client device that indicates whether the additional bandwidth has been purchased (block 616). A variety of other examples are also contemplated, such as [ ]a permanent token that permits consumption of the additional amount of content based on a Subscription, and so on.). 
The motivation is the same as that of claim 3 above. 
Regarding claim 7, Hinton, and Yeddula disclose the method of claim 6. McEnroe further discloses in response to a trigger to update the at least one long-term protected resource, requesting, by one or more processing units, the at least one updated long-term protected resource on the device (McEnroe FIG. 6, [0070]. After the request is processed, a response is formed for communication to the at least one client device that indicates whether the additional bandwidth has been purchased (block 616). The response may be formed in a variety of ways. For example, the response may be a token that permits consumption of a particular content item (e.g., a VOD movie), consumption of a content stream for a designated amount of time (e.g., to permit the client device 106(N) to consume a content stream from different television channels), and so on. );
obtaining, by one or more processing units, the at least one updated long-term protected resource from the device (McEnroe FIG. 6, [0070]. After the request is processed, a response is formed for communication to the at least one client device that indicates whether the additional bandwidth has been purchased (block 616). The response may be formed in a variety of ways. For example, the response may be a token that permits consumption of a particular content item (e.g., a VOD movie), consumption of a content stream for a designated amount of time (e.g., to permit the client device 106(N) to consume a content stream from different television channels), and so on. ); and  
storing, by one or more processing units, the at least one updated long-term protected resource (McEnroe FIG. 2, [0055]. Therefore, the [sporting] event may be streamed to the remote client device 106(N) from the manager client device 106(1), [ ] e.g., streaming content from storage 122 of the manager client device 106(1) to the remote client device 106(N). [i.e., the content is available at a manager client device 106(1) such as mobile phones, game consoles, or other devices. See [0032].]).  
Therefore, it would have been obvious to one of ordinary skill in the art on or before the effective filing date of the claimed invention to combine the teachings of McEnroe with teachings of Hinton, Yeddula and Saxman to include: in response to a trigger to update the at least one long-term protected resource, requesting, by one or more processing units, the at least one updated long-term protected resource on the device; obtaining, by one or more processing units, the at least one updated long-term protected resource from the device; and Page 3 of 9Appl. No. 16/143,540 Reply to Office Action of December 3, 2020storing, by one or more processing units, the at least one updated long-term protected resource, to provide users with a means for assigning access tokens to additional users and/or devices according to online content purchases and network resources needs.  (See McEnroe [0070].). The Th
Regarding claim 11, Hinton and Yeddula disclose the method of claim 9. McEnroe further discloses generating, by the first client, a client-specific resource based on the at least one long-term protected resource (McEnroe FIG. 2, [0055]. Therefore, the [sporting] event may be streamed to the remote client device 106(N) from the manager client device 106(1), [ ] e.g., streaming content from storage 122 of the manager client device 106(1) to the remote client device 106(N). [i.e., the content is available at a manager client device 106(1) such as mobile phones, game consoles, or other devices. See [0032].]); and  P201707408US01Page 38 of 42
presenting, by the second client, at least one of the at least one long-term protected resource and the generated client-specific resource(McEnroe FIG. 6, [0070]. After the request is processed, a response is formed for communication to the at least one client device that indicates whether the additional bandwidth has been purchased (block 616). The response may be formed in a variety of ways. For example, the response may be a token that permits consumption of a particular content item (e.g., a VOD movie), consumption of a content stream for a designated amount of time (e.g., to permit the client device 106(N) to consume a content stream from different television channels), and so on. ).  
Therefore, it would have been obvious to one of ordinary skill in the art on or before the effective filing date of the claimed invention to combine the teachings of McEnroe with teachings of Hinton and Yeddula to include: generating, by one or more processing units, a client-specific resource based on the at least one long-term protected resource wherein the second token authorizes access to a subset of the at least one long-term protected resource, presenting, by one or more processing units, at least one of the at least one long-term protected resource and the generated client-specific resource, to provide users with a means for assigning access tokens to additional users and/or devices See McEnroe [0070].). 
Regarding claim 15, claim 15 is directed to a computer program product corresponding to the system of claim 3. Claim 15 is similar in scope to claim 3 and is therefore rejected under similar rationale. 
Regarding claim 16, claim 16 is directed to a computer program product corresponding to the system of claim 4. Claim 16 is similar in scope to claim 4 and is therefore rejected under similar rationale. 
Regarding claim 19, claim 19 is directed to a computer program product corresponding to the system of claim 7. Claim 19 is similar in scope to claim 7 and is therefore rejected under similar rationale. 
Claims 5 and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Hinton et al. (“Hinton,” US 20090205032, published Aug. 13, 2009) in view of Yeddula et al. (“Yeddula,” US 20190349360, filed May 10 2018), McEnroe et al. (“McEnroe,” US 20070203714, published Aug. 30, 2017) and Saxman et al. (“Saxman,” US 20140026193, published Jan 23, 2014). 
Regarding claim 5, Hinton, Yeddula and McEnroe disclose the method of claim 3. Yeddula further discloses: 
receiving, by the one or more processing units, a request from the resource owner to revoke access to the protected resource by the second client (Yeddula FIG. 5, [0105], [0115], [0117]. The transferable access token can be [ ] transferred to another user, such as a second user associated with second communication device 504. At step S524, the authorization computer 514 can revoke the transferable access tokens included in the transferable access token split or combination message. Revoking the transferable access tokens may comprise flagging the transferable access tokens in the access token database as revoked, updating a revocation status field in a transferable access token database entry, or deleting the record from the access token database. The first communication device 502 may also delete the revoked transferable access tokens from the secure memory element.); 
Hinton and Yeddula do not explicitly disclose: updating the table of the authorization system to reflect the revoked access for the device without invalidating the second token; receiving, from the device, an access request for the protected resource; and in response to querying the table and determining the second client is not authorized, denying access to the protected resource by the device.
However, in an analogous art, Saxman discloses a method comprising the steps of:  
updating the table of the authorization system to reflect the revoked access for the device without invalidating the second token (Saxman FIG. 2, [0080], [0086] – [0087]. When the movement exceeds (618) the threshold amount, the personal device 106 revokes (620) the access privileges corresponding to the access token. The revocation is transmitted (620) to the credential server 102. Once the credential server 102 receives the revocation, the credential server 102 will deny (614) access in response to all subsequent requests to validate (612). In some implementations, a permanent access token 226 is stored on the personal user device 106, and the permanent token is transmitted (708) to the credential server. When the credential server 102 receives the credentials from the personal user device 106, the credential server 102 creates a temporary access token 322 with appropriate privileges to access the personal information 114. [Note that is it the temporary token that is subject to expiration time and/or location restraints. Also note that the “second token” does not depend on access session, per claim 1.].); 
receiving, from the device, an access request for the protected resource (Saxman [0059]. After receiving the request, the personal user device 106 provides (604) user credentials to the credential server 102. In some implementations, the credentials are supplied by the user 110 using the user interface 206 of the personal user device 106 (e.g., user ID and password). In some implementations, a permanent access token 226 is stored on the personal user device 106, and the permanent token is transmitted (604) to the credential server.); and 
in response to querying the table and determining the second client is not authorized, denying access to the protected resource by the device (Saxman [0060], [0064] – [0065], [0069]. When the credential server 102 receives the credentials from the personal user device 106, the credential server 102 creates a temporary access token 322 with appropriate privileges to access the personal information 114. The credential server 102 looks up the temporary access token 322 in its token database 522. Several different scenarios can occur, including:  The temporary access token 322 exists in the database 522, but all privileges have been revoked; The temporary access token 322 exists in the database 522, but the specific portion of information 114 sought is outside the scope of privileges associated with the access token 322. The credential server 102 then confirms (614) or denies (614) access to the personal information 114. In some implementations, the response is a simple yes/no. [Note: while the permanent token is valid, an temporary access token can be issued to the device. But access is denied when the temporary access token has expired or outside of privileges granted]. ). 
Therefore, it would have been obvious to one of ordinary skill in the art on or before the effective filing date of the claimed invention to combine the teachings of Saxman with teachings of Hinton and Yeddula to include: receiving a request to revoke access, by the device, to the protected resource; updating the table of the authorization system to reflect the revoked access for the device without invalidating the second token; receiving, from the device, an access request for the protected resource; and in response to querying the table and determining the second token is valid, denying access to the protected resource by the device, to provide users with a means for assigning temporary access tokens with specified access privileges and deny access when user device moves away beyond a threshold distance from the designated location or premise.  (See Saxman [0080].).
Regarding claim 17, claim 17 is directed to a computer program product corresponding to the method of claim 5. Claim 17 is similar in scope to claim 5 and is therefore rejected under similar rationale. 
Claim 20 is rejected under 35 U.S.C. 103 as being unpatentable over Hinton et al. (“Hinton,” US 20090205032, published Aug. 13, 2009) in view of Yeddula et al. (“Yeddula,” US 20190349360, filed May 10 2018), McEnroe et al. (“McEnroe,” US 20070203714, published Aug. 30, 2017) and Yu (“Yu,” US 20130276086, published Oct. 17, 2013).  
Regarding claim 20, Hinton Yeddulla, and McEnroe disclose the method of claim 3.  McEnroe further discloses wherein, in response to receiving from the further client a further request including the second token and validating the second token against the table (McEnroe FIGs 5, 7, [0041], [0043], [0063]. The manager client device 106(1), for instance, may maintain a token listing 204 in storage 122 which lists which tokens 202(1)-202(4) have been assigned to which respective client devices 106(1)-106(4). [I]n order to permit client device 106(N) to also consume content, the HD token 202(1) may be changed into a plurality of tokens 206(1)-206(T) that permit the client devices that are assigned the tokens to consume content having lesser bandwidth than that corresponding to the HD token 202(1). The first type of token is assigned to a first client (block 508), such as by assigning the HD token 202(1) to client device 106(1). A second client then attempts to consume content that would cause the viewing system to exceed the allocated bandwidth (block 510). [However, as per [0043], sometimes token characteristics may be changed to accommodate the second client. An appropriate token is issued to the second client, allowing content access while not exceeding the allocated bandwidth].); and 
Hinton, Yeddula, and McEnroe do not explicitly disclose: determining the further client is revoked;  denying, by one or more processing units, the at least one long-term protected resource to the further client. 
However, in an analogous art, Yu discloses method comprising the step of determining the further client is revoked;  denying, by one or more processing units, the at least one long-term protected resource to the further client (Yu [0051], [0056]. If the client computer 102 determines, in operation 214 that a token is not included in the application access request and/or that the token is invalid, the method 200 can proceed to operation 218. In operation 218, the client computer 102 can deny access to the application. As such, the client computer 102 can communicate with the target application and/or the requestor to indicate that the token possessed by the requestor has been revoked.). 
Therefore, it would have been obvious to one of ordinary skill in the art on or before the effective filing date of the claimed invention to combine the teachings of Yu with the teachings of Hinton Yeddula and McEnroe to include the steps of: receiving a request from the resource owner and revoke the associated second token, to provide users with a means for granting, updating or revoking registration/access of applications and services. (See Yu [0026]).









Conclusion
THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to EDWARD LONG whose telephone number is (571)272-8961.  The examiner can normally be reached on Monday to Friday, 9 AM - 6  PM EST (Alternate Fridays).
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu Pham can be reached on (571) 270-5002.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  
Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.



/EDWARD LONG/
Examiner, Art Unit 2439


/LUU T PHAM/               Supervisory Patent Examiner, Art Unit 2439