DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This Office Action is in response to the Amendment filed on 11/05/2021.
Claims 1-20 have been examined and are pending in this application. Claims 1, 8 and 16 are independent.
Response to Arguments/Remarks
As to the rejection of claims 16-20 under U.S.C. 101, the rejection is withdrawn based on the amendment to independent claim 16.
As to the double patenting rejections, the rejection over reference Application No. 16/670,878 has been withdrawn, as the scope of the claims of the instant application and the scope of the claims of the reference application have been changed based on the amendments to the instant application and the amendments to the reference application.
As to the double patenting rejections, the rejections over reference Application No. 16/670,864 and the rejections over reference Application No. 16/670,878 have been maintained, as the amendment to the claims did not differentiate the scope of the claims from the scope of the claims of the reference applications. Please see the updated double patenting rejection in the rejection section below.
Applicant’s arguments with respect to prior-art rejections to claims 1-20, filed on 11/05/2021, have been considered but are moot because the arguments do not apply to any 
Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees.  A nonstatutory double patenting rejection is appropriate where the claims at issue are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); and In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on a nonstatutory double patenting ground provided the reference application or patent either is shown to be commonly owned with this application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).

Claims 1-3, 8, 10, 11, and 16-18 are provisionally rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-3, 4, 22-27, and 30, respectively, of U.S. Application No. 16/670,864, and over claims 1, 4, 8, 9, 11, 13, 15, 18, and 20 of Application No. 16/670,878. Although the claims at issue are not identical, they are not patentably distinct from each other because the claims of the instant application are anticipated by the reference claims.
This is a provisional obviousness-type double patenting rejection because the conflicting claims have not in fact been patented.
The following claims are presented side by side for comparison. The comparison shows how the method claims of the instant application are anticipated by the claims of the reference applications. The claims of the instant application encompass a scope in which an additional or secondary token is required by the service provider to provide a specific resource that is controlled by policy and by evaluation of the request and the status variables, whereas all the claims of the reference applications also encompass a scope that requires a similar process without a significant difference.
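The exchange that the compared claims describe (an identity provider issues a first access token, the resource provider enforces its own policy and rejects the token with response information stating the reason, and the identity provider issues a second token that mitigates that reason) is modelled below as an added illustration; it is not code from either application or from any cited reference. It assumes HMAC-signed tokens with a constructed shared key, two authentication levels ("password" and "mfa"), and a hypothetical location-based policy on one resource in the style of the reference claims (password suffices from the intranet, MFA is required from an external network).

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key shared by the identity provider and resource provider;
# a real deployment would verify the IdP's signature with a public key instead.
SECRET = b"constructed-demo-key"
AUTH_LEVELS = {"password": 1, "mfa": 2}


def sign_token(claims):
    """Encode claims and append an HMAC so the resource provider can check integrity."""
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    mac = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + mac


def verify_token(token):
    """Return the claims if the HMAC matches, otherwise None (malformed or tampered)."""
    try:
        body, mac = token.split(".", 1)
    except ValueError:
        return None
    expected = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    return json.loads(base64.urlsafe_b64decode(body))


class IdentityProvider:
    """Authenticates the entity and issues access tokens under token issuance policy."""

    def issue_first_token(self, subject):
        # Token issuance policy here: an initial login is password-only.
        return sign_token({"sub": subject, "auth_level": "password"})

    def issue_second_token(self, subject, response_info):
        # Read the rejection reason the resource provider sent and re-authenticate
        # the entity at the level it requires (the MFA step itself is assumed to succeed).
        if response_info.get("reason") != "higher_auth_level_required":
            raise ValueError("cannot mitigate rejection: " + str(response_info))
        required = response_info["required_auth_level"]
        return sign_token({"sub": subject, "auth_level": required})


class ResourceProvider:
    """Enforces its own policy on each request; a validly signed token is not enough by itself."""

    # Hypothetical policy (constructed): password is enough from the intranet,
    # MFA is required when the request comes from an external network.
    POLICY = {"payroll": {"intranet": "password", "external": "mfa"}}

    def handle_request(self, token, resource, location):
        claims = verify_token(token)
        if claims is None:
            return {"granted": False, "reason": "invalid_token"}
        required = self.POLICY[resource][location]
        if AUTH_LEVELS[claims["auth_level"]] < AUTH_LEVELS[required]:
            # Response information: the rejection and the reason for it, so the
            # identity provider can issue a token that mitigates the rejection.
            return {"granted": False, "reason": "higher_auth_level_required",
                    "required_auth_level": required}
        return {"granted": True, "resource": resource}


def obtain_resource(idp, rp, subject, resource, location):
    """Client side of the exchange: present the first token, relay any rejection
    to the identity provider, and retry once with the second token.
    Returns (granted, number_of_requests_made)."""
    token = idp.issue_first_token(subject)
    response = rp.handle_request(token, resource, location)
    if response["granted"]:
        return True, 1
    if response["reason"] != "higher_auth_level_required":
        return False, 1
    second_token = idp.issue_second_token(subject, response)
    response = rp.handle_request(second_token, resource, location)
    return response["granted"], 2


if __name__ == "__main__":
    idp, rp = IdentityProvider(), ResourceProvider()
    print(obtain_resource(idp, rp, "alice", "payroll", "intranet"))  # (True, 1)
    print(obtain_resource(idp, rp, "alice", "payroll", "external"))  # (True, 2)
```

The point the claims turn on is visible in `handle_request`: the resource provider does not merely validate the token, it evaluates the request against its own policy and, on rejection, returns a machine-readable reason rather than a bare denial, which is what lets the identity provider choose the right mitigation for the second token.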

Instant Application 16/670,863
Reference Application 16/670,864
Claim 1. In a computing environment, a method of authenticating computing entities at an identity provider, the method comprising:
providing a first access token to an entity for use by the entity in obtaining resources from a resource provider;
causing the entity to pass the first access token to the resource provider, wherein in response to rejecting the first access token, the resource provider is configured to send response information to the entity, indicating rejection of the first access token and a reason for the rejection based on enforcing policy;
receiving the response information from the entity, the response information from the entity having been provided to the entity from the resource;  and
providing a second access token to the entity, the second access token being provided to mitigate the rejection based on the reason for the rejection indicated in the response information, such that the second access token is used by the entity to obtain the resources from the resource provider.


2. (Original) The method of claim 1, wherein the response information indicates that a higher level of authentication than was used to obtain the first access token is required for the entity to obtain the resources from the resource provider.
Claim 3. The method of claim 1, wherein the response information indicates the policy with respect to at least one of user state changes, client state changes, policy state changes, conditional access, location, or behavior patterns has been enforced.

receiving, by the resource provider computer system, a request for resources from the entity and an access token from the entity, the access token having been obtained by the entity from the identity provider computer system as a result of the entity authenticating with the identity provider computer system;
evaluating, by the resource provider computer system, the request with respect to the policy; and
responding, by the resource provider computer system, to the request based on the evaluating the request with respect to the policy.

2.  The method of claim 1, wherein the policy comprises location based restrictions.

 Claim 3. The method of claim 2, wherein the location based restrictions specify that the resource provider computer system should allow access to a particular set of resources when the entity attempts to access the particular set of resources from an intranet but prevents access when the entity attempts to access the particular set of resources from a network external to the intranet. 

Claim 4. The method of claim 2, wherein the location based restrictions specify that the resource provider computer system should allow access to a particular set of resources when the entity attempts to access the particular set of resources from an intranet with an access token obtained using with a first level of authentication but requires a token obtained using an access token obtained with a different second level of authentication to allow access to the particular set of resources when the entity attempts to access the 

receiving a first access token in a request for resources from an entity for use by the entity in obtaining the resources from the resource provider, the first access token having been previously provided to the entity by an identity provider configured to authenticate the entity and enforce token issuance policy;
determining that the request for resources cannot be granted based on the first access token, as a result of the resource provider enforcing policy at the resource provider;
rejecting the request for resources from the entity;
sending response information to the entity, the response information providing information about why the request for resources was not granted causing the entity to pass the response information to the identity provider, wherein when the identity provider receives the response information, the identity provider is configured to authenticate the entity again and generate a second access token to 
in response to receiving the second access token from the entity, granting the entity access to the resources, the second token having been previously provided to the entity by the identity provider.
Claim 10. The method of claim 8, wherein the response information indicates that a higher level of authentication than was used to obtain the first access token is required for the entity to obtain the resources from the resource provider. 

Claim 11. The method of claim 8, wherein the response information indicates the policy with respect to at least one of user state changes, client state changes, policy state changes, conditional access, location, or behavior patterns has been enforced.

Claim 16. In a computing environment, a system for enforcing system policy, the system comprising: 

provide first access tokens to entities used by the entities in obtaining resources from resource providers based on enforcing token issuance policy; and 
a resource provider computing system including at least one processor and at least one hardware storage device stored thereon second computer-executable instructions, when executed, the second computer executable instructions configure the resource provider to:
receive the first access tokens from entities in requests for resources from the entities;
 determine whether or not the requests for resources can be granted based on the first access tokens, as a result of the resource provider enforcing policy at the resource provider; and 
in response to determining that a particular request from a particular entity among the 
reject the particular request from the particular entity; and 
send response information to the particular entity, the response information providing information about why the particular request for resources was not granted, so that the response information can be later provided to the identity provider; and 
wherein the identity provider computing system is further configured to: 
receive response information from the particular entity; 
authenticate the particular entity again and generate a second access token to mitigate the rejection based on the information about why the request for resources was not granted; and 
provide the second access token to the particular entity causing the particular entity to pass the second access token to the resource provider; 
wherein the resource provider is further configured to: 
receive the second access token from the particular entity; 

grant the particular entity access to the resources.

17. (Currently Amended) The system of claim 16, wherein the response information indicates that a higher level of authentication than was used to obtain the particular first access token is required for the entity to obtain the resources from the resource provider.

18. (Original) The system of claim 16, wherein the response information indicates the policy with respect to at least one of user state changes, client state changes, policy state changes, conditional access, location, or behavior patterns has been enforced.

19. (Original) The system of claim 16, wherein the response information indicates policy previously provided by the identity provider to the resource provider has been enforced.

20. (Original) The system of claim 16, wherein the response information indicates policy 

a processor; and
a hardware storage device that stores computer-executable instructions that are executable by the processor to cause the resource provider computer system to at least:
receive the policy from the identity provider computer system, the policy being related to an entity that authenticates using the identity provider computer system, wherein the resource provider computer system receiving the policy is performed based on the entity providing consent that the resource provider computer system receive the policy from the identity provider computer system;
receive a request for resources from the entity and an access token from the entity, the access token having been obtained by the entity from the identity provider computer system as a result of the entity authenticating with the identity provider computer system;

respond to the request based on the evaluating the request with respect to the policy.

23. (New) The resource provider computer system of claim 22, wherein the policy comprises location based restrictions, and wherein the location based restrictions specify that the resource provider computer system should allow access to a particular set of resources when the entity attempts to access the particular set of resources from an intranet but prevents access when the entity attempts to access the particular set of resources from a network external to the intranet.
Claim 23. The method of claim 22, wherein the location based restrictions specify that the resource provider computer system should allow access to a particular set of resources when the entity attempts to access the particular set of resources from a intranet but prevents access when the entity attempts to access the particular set of resources from a network external to the intranet. 

Claim 24. The method of claim 13, wherein the location based restrictions specify that the resource provider computer system should allow access to a particular set of resources when the entity attempts to access the particular set of resources from an intranet with an access token obtained using with a first level of authentication but requires a token obtained using an access token obtained with a different second level of authentication to allow access to the particular set of resources when the entity attempts to access the particular set of resources from a network external to the intranet. 
25. The resource provider computer system of claim 22, wherein the policy comprises requirements with respect to behavioral pattern policy indicating requirements to be enforced when an entity attempting to access resources at the resource provider computer system exhibits behavioral patterns that exceed a threshold variation from previous behavioral patterns.

26. The resource provider computer system of claim 25, wherein the policy requires a token 

27. The resource provider computer system of claim 22, wherein the receiving the policy from the identity provider computer system is performed as a result of the resource provider computer system subscribing to the identity provider computer system for events.

an identity provider computing system, including at least one processor and at least one hardware storage device stored thereon first computer-executable instructions, when executed, the first computer-executable instructions configure the identity provider to: 
provide first access tokens to entities used by the entities in obtaining resources from resource providers based on enforcing token issuance policy; and 
a resource provider computing system including at least one processor and at least one hardware storage device stored thereon second computer-executable instructions, when executed, the second computer executable instructions configure the resource provider to:
receive the first access tokens from entities in requests for resources from the entities;
 determine whether or not the requests for resources can be granted based on the first access 
in response to determining that a particular request from a particular entity among the requests corresponding to a particular first access token cannot be granted, 
reject the particular request from the particular entity; and 
send response information to the particular entity, the response information providing information about why the particular request for resources was not granted, so that the response information can be later provided to the identity provider; and 
wherein the identity provider computing system is further configured to: 
receive response information from the particular entity; 
authenticate the particular entity again and generate a second access token to mitigate the rejection based on the information about why the request for resources was not granted; and 
provide the second access token to the particular entity causing the particular entity to pass the second access token to the resource provider; 

receive the second access token from the particular entity; 
determine that the particular request for resources from the particular entity can be granted; and 
grant the particular entity access to the resources.

Claim 17. The system of claim 16, wherein the response information indicates that a higher level of authentication than was used to obtain the first access token is required for the entity to obtain the resources from the resource provider. 

Claim 18. The system of claim 16, wherein the response information indicates the policy with respect to at least one of user state changes, client state changes, policy state changes, conditional access, location, or behavior patterns has been enforced.

receive the policy from the identity provider computer system, the policy being related to an entity that authenticates using the identity provider computer system, wherein the resource provider computer system receiving the policy is performed based on the entity providing consent that the resource provider computer system receive the policy from the identity provider computer system;
receive a request for resources from the entity and an access token from the entity, the access token having been obtained by the entity from the identity provider computer system as a result of 
evaluate the request with respect to the policy; and
respond to the request based on the evaluating the request with respect to the policy



Instant Application 16/670,863
Reference Application 16/670,878

providing a first access token to an entity for use by the entity in obtaining resources from a resource provider;
causing the entity to pass the first access token to the resource provider, wherein in response to rejecting the first access token, the resource provider is configured to send response information to the entity, indicating rejection of the first access token and a reason for the rejection based on enforcing policy;
receiving the response information from the entity, the response information from the entity having been provided to the entity from the resource;  and
providing a second access token to the entity, the second access token being provided to mitigate the rejection based on the reason for the rejection indicated in the response information, such that the second access token is used by the entity to obtain the resources from the resource provider.




Claim 4. The computing system of claim 1, wherein the capability information indicates that the entity is capable of handling access token rejections for least one of user state changes, client state changes, policy state changes, conditional access conditions being met, location of the entity, or behavior patterns by the entity.
Claim 8. In a computing environment, a method of enforcing policy at a resource provider, the method comprising:
receiving a first access token in a request for resources from an entity for use by the entity in obtaining the resources from the resource provider, the first access token having been previously provided to the entity by an identity provider configured to authenticate the entity and enforce token issuance policy;
determining that the request for resources cannot be granted based on the first access token, as a result of the resource provider enforcing policy at the resource provider;
rejecting the request for resources from the entity;
sending response information to the entity, the response information providing information about why the request for resources was not granted 
in response to receiving the second access token from the entity, granting the entity access to the resources, the second token having been previously provided to the entity by the identity provider.

Claim 10. The method of claim 8, wherein the response information indicates that a higher level of authentication than was used to obtain the first access token is required for the entity to obtain the resources from the resource provider. 

Claim 11. The method of claim 8, wherein the response information indicates the policy with respect to at least one of user state changes, client state changes, policy state changes, conditional 




Claim 11. The method of claim 8, wherein the capability information indicates that the entity is capable of handling access token rejections indicating rejections for least one of user state changes, client state changes, policy state changes, conditional access conditions being met, location of the entity, or behavior patterns by the entity. 

Claim 13. The method of claim 8, further comprising: receiving an access token rejection according the certain capabilities, the access token rejection comprising response information; using the response information, requesting a new access token from the identity provider computer system; receiving the new access token from the identity provider computer system; and using the new access token to obtain the resources from the resource provider computer system.

an identity provider computing system, including at least one processor and at least one hardware storage device stored thereon first computer-executable instructions, when executed, the first computer-executable instructions configure the identity provider to: 
provide first access tokens to entities used by the entities in obtaining resources from resource providers based on enforcing token issuance policy; and 
a resource provider computing system including at least one processor and at least one hardware storage device stored thereon second computer-executable instructions, when executed, the second computer executable instructions configure the resource provider to:
receive the first access tokens from entities in requests for resources from the entities;
 determine whether or not the requests for resources can be granted based on the first access 
in response to determining that a particular request from a particular entity among the requests corresponding to a particular first access token cannot be granted, 
reject the particular request from the particular entity; and 
send response information to the particular entity, the response information providing information about why the particular request for resources was not granted, so that the response information can be later provided to the identity provider; and 
wherein the identity provider computing system is further configured to: 
receive response information from the particular entity; 
authenticate the particular entity again and generate a second access token to mitigate the rejection based on the information about why the request for resources was not granted; and 
provide the second access token to the particular entity causing the particular entity to pass the second access token to the resource provider; 

receive the second access token from the particular entity; 
determine that the particular request for resources from the particular entity can be granted; and 
grant the particular entity access to the resources.

Claim 17. The system of claim 16, wherein the response information indicates that a higher level of authentication than was used to obtain the first access token is required for the entity to obtain the resources from the resource provider. 

Claim 18. The system of claim 16, wherein the response information indicates the policy with respect to at least one of user state changes, client state changes, policy state changes, conditional access, location, or behavior patterns has been enforced.


Claim 17. The method of claim 15, wherein the capability information indicates that the entity is capable of handling certain types of access token rejections. 

Claim 18. The method of claim 15, wherein the capability information indicates that the entity is 

20. The method of claim 15, further comprising: sending an access token rejection according the certain capabilities, the access token rejection comprising response information; receiving a new request for the resources and a new access token having been obtained by the entity from the identity provider using the response information; and as a result of receiving the new access token, providing the resources.




Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.
Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Kruse et al (“Kruse,” US 10,243,945, patented on 03/26/2019), in view of Rhadhakrishnan et al (“Rhadhakrishnan,” US 2013/0047213, published on 02/21/2013), and further in view of Miller et al (“Miller,” US 10,958,653, filed on 06/27/2017).
As to claim 1, Kruse teaches in a computing environment, a method of authenticating computing entities at an identity provider (Kruse: col 9, lines 1-67, col 11, lines 14-62; Fig 2, 3, a system and method for providing user access to a resource, verifying an access token under the policy management of a resource service provider), the method comprising:
providing a first access token to an entity for use by the entity in obtaining resources from a resource provider (Kruse: col 9, lines 1-67, col 10, lines 48-66; Fig 2, 3, teaches that upon user request, an identity verification provider [i.e. identity provider] generates an identity verification provider token [i.e. first access token] for making a resource access request to a service provider [i.e. resource provider] for accessing a specific resource that is stored and provided access to under a policy management);
causing the entity to pass the first access token to the resource provider (Kruse: col 10, lines 1-66, col 11, lines 1-62; Fig 2, 3, the user presents the identity verification provider token [i.e. first access token] to the service provider, and the service provider verifies the validity of the token).
response information [ ] having been provided to the entity from the resource provider (Kruse: col 10, lines 47-66, col 11, lines 1-62; Fig 2, 3, after sending the identity verification provider token [i.e. first access token], the user receives a service token [i.e. response information]);  and
the second access token is used by the entity to obtain the resources from the resource provider (Kruse: col 10, lines 1-66, col 11, lines 1-62; Fig 2, 3, the user presents a service token [i.e. second access token] to the service provider for accessing the requested resource/service).
While Kruse teaches receiving a token from the identity provider and getting a response from the service provider after presenting the first token requesting access to the resource, as addressed above, Kruse does not explicitly teach the limitations, receiving the 
However, in an analogous art, Rhadhakrishnan teaches receiving the response information from the entity, the response information from the entity [ ] (Rhadhakrishnan: pars 0003, 0085-0088, the system determines whether the first token submitted by the user has all the attributes for accessing the requested resource; if not, the system sends a response back requesting a token that contains the particular missing attributes for accessing the requested resource. The token provider receives the need for a token that includes the missing attributes to access the resource, and generates a new or second token); and
providing a second access token to the entity, the second access token being provided (Rhadhakrishnan: pars 0003, 0085-0088, receives and uses a second token for obtaining access to risk-sensitive resources that require a higher level access token with the necessary attributes).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Rhadhakrishnan with the method/system of Kruse for the benefit of providing a user with a means for having the service provider use a second token, received by the user from a token provider, for allowing access to a controlled or risk-sensitive resource that requires a secondary token submission, for added security (Rhadhakrishnan: pars 0003, 0085-0088). 
Neither Kruse nor Rhadhakrishnan explicitly teaches the limitations, wherein in response to rejecting the first access token, the resource provider is configured to send response information to the entity, indicating rejection of the first access token and a reason for the rejection based on enforcing policy; and the second access token being provided to mitigate the rejection based on the reason for the rejection indicated in the response information.
However, in an analogous art, Miller teaches wherein in response to rejecting the first access token, the resource provider is configured to send response information to the entity, indicating rejection of the first access token and a reason for the rejection based on enforcing policy (Miller: col 19, lines 22-67; Fig 7, a response is sent with detailed information of the access token denial/disapproval and with an indication of what type or kind of token is needed for the requested access request);
the second access token being provided to mitigate the rejection based on the reason for the rejection indicated in the response information (Miller: col 19, lines 22-67; Fig 7, receiving a second security token by transmitting a request to a computing resource service provider for a security token associated with the system and indicating a permissive mode of operation. The entity requests access to the computing resource using the second security token, and the request may be fulfilled by the computing resource service provider based on the token verification associated with the second set of permissions).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Miller with the method/system of Kruse and Rhadhakrishnan for the benefit of providing a user with a means for receiving a response with detailed information of the access token denial/disapproval and with an indication of what type or kind of token is needed for the requested access request (Miller: col 19, lines 33-53). 
As to claim 2, the combination of Kurse, Rhadhakrishnan, and Miller teaches the method of claim 1, 
Kurse and Rhadhakrishnan further teaches wherein the response information indicates that a higher level of authentication than was used to obtain the first access token is required for the entity to obtain the resources from the resource provider (Kruse: col 10, lines 1-66, col 11, lines 1-62; the service provider performs a service token [i.e. an access token] validation, in addition to the initial token for allowing the user the requested resource/service. Rhadhakrishnan: pars 0003, 0080, 0085-0088, second token is used to access the requested resource that required the set of required attributes and the set of provided attributes if there are missing attributes [i.e. higher level resource and higher level token authentication]. An extra layers of authentication or extra authentication information associated with user before resource provider grants access to the requested resource).
As to claim 3, the combination of Kurse, Rhadhakrishnan, and Miller teaches the method of claim 1, 
Rhadhakrishnan and Miller further teach wherein the response information indicates the policy with respect to at least one of user state changes, client state changes, policy state changes, conditional access, location, or behavior patterns has been enforced (Rhadhakrishnan: pars 0003, 0080, 0085-0088, 0115, a token provider receives the needs for a token that include the missing attributes to access the resource, and generates a new or second token. An extra layer of authentication/token verification is needed. Miller: col 19, lines 22-67, the second token provides access to resources with a second mode of operation).
As to claim 4, the combination of Kurse, Rhadhakrishnan, and Miller teaches the method of claim 1, 
Rhadhakrishnan further teaches wherein the response information indicates policy previously provided by the identity provider to the resource provider has been enforced (Rhadhakrishnan: pars 0003, 0085-0088, verify based on the token verification policy to determine if any required attribute is missing that needs a second token for accessing the requested resource).
As to claim 5, the combination of Kurse, Rhadhakrishnan, and Miller teaches the method of claim 1, 
Rhadhakrishnan further teaches wherein the response information indicates policy previously provided by a subscription service to the resource provider has been enforced (Rhadhakrishnan: pars 0003, 0080, 0085-0088, 0115, verify based on the token verification policy to determine if any required attribute is missing that needs a second token for accessing the requested resource. An extra layer of authentication/token verification is needed based on user age, social security number information, location, etc.).
As to claim 6, the combination of Kurse, Rhadhakrishnan, and Miller teaches the method of claim 1, 
Rhadhakrishnan further teaches wherein the response information includes information consumable by the entity in addition to information consumable by the identity provider (Rhadhakrishnan: pars 0003, 0080, 0085-0088, 0115, an extra layer of authentication/token verification is needed based on user age, social security number information, location, etc. The new token with the required information is presented by the user, and the resource provider validates/authenticates it to provide the requested resource).
As to claim 7, the combination of Kurse, Rhadhakrishnan, and Miller teaches the method of claim 1, 
Rhadhakrishnan further teaches wherein the response information is provided as a result of the policy indicating that the response information is required when enforcing the policy (Rhadhakrishnan: pars 0003, 0080, 0085-0088, 0115, a token provider receives the needs for a token that include the missing attributes to access the resource, and generates a new or second token for an extra layer of authentication/token verification).
As to claim 8, Kurse teaches in a computing environment, a method of enforcing policy at a resource provider (Kruse: col 9, lines 1-67, col 11, line 14-62; Fig 2, 3, a system and method for providing user access to a resource by verifying an access token and under a policy management of the resource service provider), the method comprising:
receiving a first access token in a request for resources from an entity for use by the entity in obtaining the resources from the resource provider (Kruse: col 9, lines 1-67, col 10, lines 48-66; Fig 2, 3, teaches that upon user request an identity verification provider [i.e. identity provider] generates an identity verification provider token for making a resource access request to a service provider [i.e. resource provider] for accessing a specific resource that is stored and provided access to under a policy management), the first access token having been previously provided to the entity by an identity provider configured to authenticate the entity and enforce token issuance policy (Kruse: col 5, lines 50-65, col 9, lines 1-67, col 10, lines 48-66, col 17, lines 5-13, a user provides a username and password to the identity verification provider, and the identity verification provider determines whether the provided password matches an identity corresponding to the username that was provided);
(Kruse: col 10, lines 47-66, col 11, lines 1-62; Fig 2, 3, after sending the identity verification provider token [i.e. first access token], the user receives a service token [i.e. response information]); and
in response to receiving the second access token from the entity, granting the entity access to the resources (Kruse: col 10, lines 1-66, col 11, lines 1-62; Fig 2, 3, the user presents a service token [i.e. second access token] to the service provider for accessing the requested resource/service).
While Kurse teaches receiving a token from an identity provider and getting a response from a service provider after presenting the first token requesting access to the resource, as addressed above, Kurse does not explicitly teach the limitations, determining that the request for resources cannot be granted based on the first access token, as a result of the resource provider enforcing policy at the resource provider; rejecting the request for resources from the entity; causing the entity to pass the response information to the identity provider, wherein when the identity provider receives the response information, the identity provider is configured to authenticate the entity again and generate a second access token; and the second token having been previously provided to the entity by the identity provider.
However, in an analogous art, Rhadhakrishnan teaches determining that the request for resources cannot be granted based on the first access token, as a result of the resource provider enforcing policy at the resource provider; rejecting the request for resources from the entity; causing the entity to pass the response information to the identity provider, wherein when the identity provider receives the response information (Rhadhakrishnan: pars 0003, 0085-0088, the system determines if the first token submitted by the user has all the attributes for accessing the requested resource; if not, the system sends a response back for a token that contains the particular missing attributes for accessing the requested resource. The token provider receives the needs for a token that include the missing attributes to access the resource, and generates a new or second token.)
the identity provider is configured to authenticate the entity again and generate a second access token; and the second token having been previously provided to the entity by the identity provider (Rhadhakrishnan: pars 0003, 0085-0088, receives and uses a second token for obtaining access to risk-sensitive resources that require the higher level access token with the necessary attributes).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Rhadhakrishnan with the method/system of Kurse for the benefit of providing a user with a means for having the service provider use a second token for allowing access to the controlled or risk-sensitive resource that requires a secondary token submission by the user upon receiving it from a token provider for added security (Rhadhakrishnan: pars 0003, 0085-0088).
Neither Kurse nor Rhadhakrishnan explicitly teaches the limitations, the response information providing information about why the request for resources was not granted; and a second access token to mitigate the rejection based on the information about why the request for resources was not granted.
However, in an analogous art, Miller teaches the response information providing information about why the request for resources was not granted (Miller: col 19, lines 22-67; Fig 7, a response is sent with detailed information of the access token denial/disapproval and with an indication of what type or kind of token is needed for the requested access request);
a second access token to mitigate the rejection based on the information about why the request for resources was not granted (Miller: col 19, lines 22-67; Fig 7, receiving a second security token by transmitting a request to a computing resource service provider for a security token associated with the system and indicating a permissive mode of operation. The system requests access to the computing resource using the second security token, and the request may be fulfilled by the computing resource service provider based on the token verification associated with the second set of permissions);
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Miller with the method/system of Kurse and Rhadhakrishnan for the benefit of providing a user with a means for receiving a response with detailed information of the access token denial/disapproval and with an indication of what type or kind of token is needed for the requested access request (Miller: col 19, lines 33-53).
As to claim 9, the combination of Kurse, Rhadhakrishnan, and Miller teaches the method of claim 8, 
Kurse and Rhadhakrishnan further teach the method further comprising, receiving a second access token from the entity, the second access token having been issued from the identity provider to the entity as a result of the response information (Kruse: col 10, lines 1-66, col 11, lines 1-62; the service provider performs a service token [i.e. an access token] validation, in addition to the initial token, for allowing the user the requested resource/service. Rhadhakrishnan: pars 0003, 0080, 0085-0088, a second token is used to access the requested resource that requires the set of required attributes and the set of provided attributes. An extra layer of authentication or extra authentication information is associated with the user before the resource provider grants access to the requested resource).
As to claim 10, the combination of Kurse, Rhadhakrishnan, and Miller teaches the method of claim 8, 
Kurse and Rhadhakrishnan further teach wherein the response information indicates that a higher level of authentication than was used to obtain the first access token is required for the entity to obtain the resources from the resource provider (Kruse: col 10, lines 1-66, col 11, lines 1-62; the service provider performs a service token [i.e. an access token] validation, in addition to the initial token, for allowing the user the requested resource/service. Rhadhakrishnan: pars 0003, 0080, 0085-0088, a second token is used to access the requested resource that requires the set of required attributes and the set of provided attributes if there are missing attributes [i.e. higher level resource and higher level token authentication]. An extra layer of authentication or extra authentication information is associated with the user before the resource provider grants access to the requested resource).
As to claim 11, the combination of Kurse, Rhadhakrishnan, and Miller teaches the method of claim 8, 
Rhadhakrishnan and Miller further teach wherein the response information indicates the policy with respect to at least one of user state changes, client state changes, policy state changes, conditional access, location, or behavior patterns has been enforced (Rhadhakrishnan: pars 0003, 0080, 0085-0088, 0115, a token provider receives the needs for a token that include the missing attributes to access the resource, and generates a new or second token. An extra layer of authentication/token verification is needed based on user age, social security number information, location, etc. Miller: col 19, lines 22-67, the second token provides access to resources with a second mode of operation).
As to claim 12, the combination of Kurse, Rhadhakrishnan, and Miller teaches the method of claim 8, 
Rhadhakrishnan further teaches wherein the response information indicates policy previously provided by the identity provider to the resource provider has been enforced (Rhadhakrishnan: pars 0003, 0085-0088, verify based on the token verification policy to determine if any required attribute is missing that needs a second token for accessing the requested resource).
As to claim 13, the combination of Kurse, Rhadhakrishnan, and Miller teaches the method of claim 8, 
Rhadhakrishnan further teaches wherein the response information indicates policy previously provided by a subscription service to the resource provider has been enforced (Rhadhakrishnan: pars 0003, 0080, 0085-0088, 0115, verify based on the token verification policy to determine if any required attribute is missing that needs a second token for accessing the requested resource. An extra layer of authentication/token verification is needed based on user age, social security number information, location, etc.).
As to claim 14, the combination of Kurse, Rhadhakrishnan, and Miller teaches the method of claim 8, 
(Rhadhakrishnan: pars 0003, 0080, 0085-0088, 0115, an extra layer of authentication/token verification is needed based on user age, social security number information, location, etc. The new token with the required information is presented by the user, and the resource provider validates/authenticates it to provide the requested resource).
As to claim 15, the combination of Kurse, Rhadhakrishnan, and Miller teaches the method of claim 8, 
Rhadhakrishnan further teaches wherein the response information is provided as a result of the policy indicating that the response information is required when enforcing the policy (Rhadhakrishnan: pars 0003, 0080, 0085-0088, 0115, a token provider receives the needs for a token that include the missing attributes to access the resource, and generates a new or second token for an extra layer of authentication/token verification).
As to claim 16, Kurse teaches in a computing environment, a system for enforcing system policy (Kruse: col 9, lines 1-67, col 11, line 14-62; Fig 2, 3, a system and method for providing user access to a resource by verifying an access token and under a policy management of the resource service provider), the system comprising: 
an identity provider computing system, including at least one processor and at least one hardware storage device stored thereon first computer-executable instructions, when executed, the first computer-executable instructions configure the identity provider to: 
provide first access tokens to entities used by the entities in obtaining resources from resource providers based on enforcing token issuance policy; and 
(Kruse: col 9, lines 1-67, col 10, lines 48-66; Fig 2, 3, teaches that upon user request, an identity verification provider [i.e. identity provider] generates an identity verification provider token [i.e. first access token] for making a resource access request to a service provider [i.e. resource provider] for accessing a specific resource that is stored and provided access to under a policy management);
a resource provider computing system including at least one processor and at least one hardware storage device stored thereon second computer-executable instructions, when executed, the second computer executable instructions configure the resource provider to:
receive the first access tokens from entities in requests for resources from the entities (Kruse: col 10, lines 1-66, col 11, lines 1-62; Fig 2, 3, the user presents the identity verification provider token [i.e. first access token] to the service provider, and the service provider verifies the validity of the token);
send response information to the particular entity (Kruse: col 10, lines 47-66, col 11, lines 1-62; Fig 2, 3, after sending the identity verification provider token [i.e. first access token], the user receives a service token [i.e. response information]); and
provide the second access token to the particular entity causing the particular entity to pass the second access token to the resource provider; grant the particular entity access to the resources (Kruse: col 10, lines 1-66, col 11, lines 1-62; Fig 2, 3, the user presents a service token [i.e. second access token] to the service provider for accessing the requested resource/service).
While Kurse teaches receiving a token from an identity provider and getting a response from a service provider after presenting the first token requesting access to the resource, as addressed above, Kurse does not explicitly teach the limitations, determine based on the first access tokens, as a result of the resource provider enforcing policy at the resource provider; and in response to determining that a particular request from a particular entity among the requests corresponding to a particular first access token cannot be granted, reject the particular request from the particular entity; and wherein the identity provider computing system is further configured to: receive response information from the particular entity; authenticate the particular entity again and generate a second access token.
However, in an analogous art, Rhadhakrishnan teaches determine whether or not the requests for resources can be granted based on the first access tokens, as a result of the resource provider enforcing policy at the resource provider; and in response to determining that a particular request from a particular entity among the requests corresponding to a particular first access token cannot be granted, reject the particular request from the particular entity (Rhadhakrishnan: pars 0003, 0085-0088, the system determines if the first token submitted by the user has all the attributes for accessing the requested resource; if not, the system sends a response back for a token that contains the particular missing attributes for accessing the requested resource. The token provider receives the needs for a token that include the missing attributes to access the resource, and generates a new or second token.)
wherein the identity provider computing system is further configured to: receive response information from the particular entity; authenticate the particular entity again and generate a second access token (Rhadhakrishnan: pars 0003, 0085-0088, receives and uses a second token for obtaining access to risk-sensitive resources that require the higher level access token with the necessary attributes).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Rhadhakrishnan with the method/system of Kurse for the benefit of providing a user with a means for having the service provider use a second token for allowing access to the controlled or risk-sensitive resource that requires a secondary token submission by the user upon receiving it from a token provider for added security (Rhadhakrishnan: pars 0003, 0085-0088).
Neither Kurse nor Rhadhakrishnan explicitly teaches the limitations, the response information providing information about why the particular request for resources was not granted, so that the response information can be later provided to the identity provider; and a second access token to mitigate the rejection based on the information about why the request for resources was not granted.
However, in an analogous art, Miller teaches the response information providing information about why the particular request for resources was not granted, so that the response information can be later provided to the identity provider (Miller: col 19, lines 22-67; Fig 7, a response is sent with detailed information of the access token denial/disapproval and with an indication of what type or kind of token is needed for the requested access request);
a second access token to mitigate the rejection based on the information about why the request for resources was not granted (Miller: col 19, lines 22-67; Fig 7, receiving a second security token by transmitting a request to a computing resource service provider for a security token associated with the system and indicating a permissive mode of operation. The system requests access to the computing resource using the second security token, and the request may be fulfilled by the computing resource service provider based on the token verification associated with the second set of permissions);
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Miller with the method/system of Kurse and Rhadhakrishnan for the benefit of providing a user with a means for receiving a response with detailed information of the access token denial/disapproval and with an indication of what type or kind of token is needed for the requested access request (Miller: col 19, lines 33-53).
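The token flow recited in claims 8 and 16 (a first access token rejected at the resource provider under its own policy, response information stating why, the entity relaying it to the identity provider, which re-authenticates and issues a second token that the resource provider then accepts) as an added Python simulation written for this page; it is not code from the application, the examiner, or any of the cited references. The party names, the HMAC demo keys, the auth_level claim, the constructed credentials and the per-resource policy table are all assumptions.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional, Tuple

# Constructed demo keys (assumption): each party signs with its own secret so the
# other side can check that tokens and response information are genuine.
IDP_KEY = b"idp-demo-signing-key"
RP_KEY = b"rp-demo-signing-key"

def sign(key: bytes, payload: dict) -> str:
    """Encode the payload as base64url JSON and append an HMAC-SHA256 tag."""
    body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()
    return body + "." + hmac.new(key, body.encode(), hashlib.sha256).hexdigest()

def verify(key: bytes, token: str) -> dict:
    """Return the payload if the tag checks out; reject anything tampered with."""
    body, tag = token.split(".", 1)
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad signature")
    return json.loads(base64.urlsafe_b64decode(body))

class IdentityProvider:
    """Authenticates entities and enforces token issuance policy."""

    def authenticate(self, subject: str, credentials: dict) -> int:
        # Issuance policy: auth_level reflects only the factors actually verified
        # (constructed credentials: password alone is level 1, password + MFA is 2).
        level = 1 if credentials.get("password") == "correct-horse" else 0
        if level == 1 and credentials.get("mfa_code") == "123456":
            level = 2
        if level == 0:
            raise PermissionError("authentication failed for " + subject)
        return level

    def issue(self, subject: str, credentials: dict,
              response_info: Optional[str] = None) -> str:
        required = 1
        if response_info is not None:
            # The relayed response information is checked against the resource
            # provider's key and bound to this subject before it raises the bar.
            info = verify(RP_KEY, response_info)
            if info["sub"] != subject:
                raise PermissionError("response information is for another entity")
            required = info["required_auth_level"]
        level = self.authenticate(subject, credentials)
        if level < required:
            raise PermissionError(f"policy needs auth level {required}, got {level}")
        return sign(IDP_KEY, {"sub": subject, "auth_level": level})

class ResourceProvider:
    """Enforces its own policy on presented tokens and explains any rejection."""

    POLICY = {"/public": 1, "/payroll": 2}  # minimum auth_level per resource

    def request(self, token: str, resource: str) -> Tuple[str, Optional[str]]:
        claims = verify(IDP_KEY, token)
        need = self.POLICY[resource]
        if claims["auth_level"] >= need:
            return "granted", None
        # The rejection names the reason and what would mitigate it, signed so the
        # identity provider can trust it once the entity passes it along.
        info = sign(RP_KEY, {"sub": claims["sub"], "resource": resource,
                             "reason": "insufficient_auth_level",
                             "required_auth_level": need})
        return "rejected", info

def run_flow(resource: str = "/payroll") -> dict:
    # Entity presents the first token, relays the rejection, retries with the second.
    idp, rp, user = IdentityProvider(), ResourceProvider(), "alice"
    first = idp.issue(user, {"password": "correct-horse"})
    outcome1, info = rp.request(first, resource)
    if outcome1 == "granted":
        return {"first": outcome1, "second": None}
    second = idp.issue(user, {"password": "correct-horse", "mfa_code": "123456"}, info)
    outcome2, _ = rp.request(second, resource)
    return {"first": outcome1, "second": outcome2, "reason": verify(RP_KEY, info)["reason"]}
```

Because the response information is signed by the resource provider and bound to the subject, the identity provider will not raise a token's level on the strength of a forged or replayed rejection, and it still refuses the second token when the re-authentication does not actually reach the required level.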
As to claim 17, the combination of Kurse, Rhadhakrishnan, and Miller teaches the system of claim 16, 
Kurse and Rhadhakrishnan further teach wherein the response information indicates that a higher level of authentication than was used to obtain the particular first access token is required for the entity to obtain the resources from the resource provider (Kruse: col 10, lines 1-66, col 11, lines 1-62; the service provider performs a service token [i.e. an access token] validation, in addition to the initial token, for allowing the user the requested resource/service. Rhadhakrishnan: pars 0003, 0080, 0085-0088, a second token is used to access the requested resource that requires the set of required attributes and the set of provided attributes if there are missing attributes [i.e. higher level resource and higher level token authentication]. An extra layer of authentication or extra authentication information is associated with the user before the resource provider grants access to the requested resource).
As to claim 18, the combination of Kurse, Rhadhakrishnan, and Miller teaches the system of claim 16, 
Rhadhakrishnan and Miller further teach wherein the response information indicates the policy with respect to at least one of user state changes, client state changes, policy state changes, conditional access, location, or behavior patterns has been enforced (Rhadhakrishnan: pars 0003, 0080, 0085-0088, 0115, a token provider receives the needs for a token that include the missing attributes to access the resource, and generates a new or second token. An extra layer of authentication/token verification is needed based on user age, social security number information, location, etc. Miller: col 19, lines 22-67, the second token provides access to resources with a second mode of operation).
As to claim 19, the combination of Kurse, Rhadhakrishnan, and Miller teaches the system of claim 16, 
Rhadhakrishnan further teaches wherein the response information indicates policy previously provided by the identity provider to the resource provider has been enforced (Rhadhakrishnan: pars 0003, 0085-0088, verify based on the token verification policy to determine if any required attribute is missing that needs a second token for accessing the requested resource).
As to claim 20, the combination of Kurse, Rhadhakrishnan, and Miller teaches the system of claim 16, 
Rhadhakrishnan further teaches wherein the response information indicates policy previously provided by a subscription service to the resource provider has been enforced (Rhadhakrishnan: pars 0003, 0080, 0085-0088, 0115, verify based on the token verification policy to determine if any required attribute is missing that needs a second token for accessing the requested resource. An extra layer of authentication/token verification is needed based on user age, social security number information, location, etc.).
Conclusion
Applicant’s amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a). 
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Jahangir Kabir whose telephone number is (571) 270-3355.  The examiner can normally be reached on 9:00-5:00 Mon-Thu.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu Pham can be reached on (571) 270-5002.  The fax number for the organization where this application or proceeding is assigned is 571-273-8300.


/JAHANGIR KABIR/             Primary Examiner, Art Unit 2439