DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Continued Examination under 37 CFR 1.114
	A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this Application after Final Rejection. Since this Application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office Action has been withdrawn pursuant to 37 CFR 1.114. Applicant’s submission filed on 11/12/2021 has been entered. 

	Claims 2, 16 and 19 have been canceled and claims 1, 15, 17 and 18 are amended. Claims 1, 3-15 and 17-18 remain pending.

Response to Arguments
Applicant’s arguments with respect to claim(s) 1, 3-15 and 17-18 have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.


Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA  as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA . A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b). 
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
Claims 1, 3-11-15 and 17-18 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-2, 4-7, 9-16 and 18-20 of allowed U.S. Application No. 16/382,157 (Patent No. not yet issued). Although the claims at issue are not identical, they are not patentably distinct from each other at least because the allowed claims 1, 16 and 18-20 anticipate claims 1, 15 and 17-18 of the instant application.

Claim #
Instant Application
The Allowed Application
Claim #
1
a computer-implemented method comprising: 
receiving, at a client system from a user device, a first access request comprising a first instruction to access a protected resource stored at a resource system;

transmitting, from the client system to an authorisation system, a token request for an access token to be used for accessing the protected resource, in response to the first access request;

receiving, at the client system, an access token in response to the token request, the access token having a corresponding time to expire indicative of a time at which the access token will not be valid for obtaining the protected resource from the resource system;

transmitting the access token from the client system to the resource system and, in response, receiving the protected resource; 
storing the access token at a token storage unit of the client system;

receiving and storing, at the token storage unit, an expiry time indicator in response to the token request, wherein the expiry time indicator corresponds to the received access token's time to expire and is indicative of the time at which the corresponding access token will not be valid for obtaining the protected resource from the resource system;

receiving, at the client system from the first user device, a second access request comprising a second instruction to access the protected resource stored at the resource system; 

in response to the second access request, transmitting the stored access token to the resource system for receiving the protected resource; and 

initiating a process to request a new access token within a predefined length of time before the access token expires.

A computer-implemented method comprising:
receiving, at a client system from a user device, a first access request comprising a first instruction to access a protected resource stored at a resource system;

transmitting, from the client system to an authorisation system, a token request for an access token for accessing the protected resource, in response to the first access request;

receiving, at the client system, the access token in response to the token request, the access token having a corresponding time to expire indicative of a time at which the access token will not be valid for obtaining the protected resource from the resource system;

storing the access token at a token storage unit of the client system;

receiving a rejection message, at the client system, indicating that the stored access token is not valid for receiving the protected resource;

storing, at the token storage unit of the client system, an invalidation flag associated with the stored access token, in response to receiving the rejection message indicating that the stored access token is not valid for receiving the protected resource; and

determining that the stored access token is associated with the invalidation flag and, in response, preventing the stored access token from being transmitted to the resource system;

in response to the token request, receiving and storing an expiry time indicator in association with the access token at the token storage unit; and

scheduling a predetermined time interval between adjacent executions of token storage maintenance steps performed at the client system, wherein storing the invalidation flag comprises setting the stored expiry time indicator associated with the access token to indicate a time that is before a current time.
1



Allowable Subject Matter
Although the first limitation of claim 12 is rejected below, the second/the alternative limitation of claim 12, “wherein the predicted expiry time is determined by calculating an average of the times indicated by the stored expiry time indicators”, is objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.

Claim Rejections - 35 USC § 103
  The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

	
 1.	Claims 1, 3-4, 9-15 and 17-18 are rejected under 35 U.S.C. 103 as being unpatentable over Chan, US2015/0350186 A1 in view of Pishinov, US2018/0139192 A1.
  
Per claim 1, Chan discloses a computer-implemented method comprising: 
receiving, at a client system from a user device, a first access request comprising a first instruction to access a protected resource stored at a resource system (the application or service 502 sends an access request for protected resources to the token client 504…The token client 504 requests a username and a password from the user and performs the cryptographic hash function on username.password to determine a hash-based message authentication code of web service credentials.  The token client 504 transmits the hash-based message authentication code of the web service credentials to the token service computer 508 – Chan: par. 0084);
transmitting, from the client system to an authorisation system, a token request for an access token to be used for accessing the protected resource, in response to the first access request (If this is a first request for protected resources, in step 518, the token client 504 transmits a request for an access token to the token service computer 508 – Chan: par. 0084);
receiving, at the client system, an access token in response to the token request, the access token having a corresponding time to expire indicative of a time at which the access token will not be valid for obtaining the protected resource from the resource system (If the received hash-based message authentication code of the web service credentials is valid, in step 520, the token service computer 508 transmits a valid access token to the token client 504  – Chan: par. 0084 – Note: a generated valid access token includes a time-to-live or an expiration time – par. 0034);
transmitting the access token from the client system to the resource system and, in response, receiving the protected resource (in step 526, the token client 504 transmits a resource request to the resource server with access to the protected resources 510.  The resource request includes a copy of the access token that is bound to the resource request.  If the access token is valid, in step 528, the resource server with access to the protected resources 510 transmits a representation of the requested resources to the token client 504 – Chan: par. 0084); 
storing the access token at a token storage unit of the client system (In step 522, the token client 504 stores the access token in the token cache 506 by providing the cache key.  In step 524, the token cache 506 acknowledges that the access token is stored in the token cache 506 by providing the token client 504 with an acknowledgement - Chan: par. 0084);
Chan is not relied on to explicitly disclose but Pishinov explicitly discloses receiving and storing, at the token storage unit, an expiry time indicator in response to the token request (The host computing device 102, illustrated and described in more detail in FIGS. 6 and 7 and the accompanying text, includes a local cache or token cache 202, a queue 220, an authentication module 104, and several client applications 218A, 218B, 218c, and 218D… The authentication module 104 further maintains the token cache 202.  The token cache 202 includes a plurality of tokens 204 as well as the associated token data.  The token data includes, for example, times of occurrence 206 for each token 204, an acquisition duration 208 for each token, information identifying the associated secure service 210 relating to each token 204, a lifetime 212 of the token 204, and the client application ID 214 of each token 204 – Pishinov: par. 0022 and 0024), wherein the expiry time indicator corresponds to the received access token's time to expire and is indicative of the time at which the corresponding access token will not be valid for obtaining the protected resource from the resource system (Note: a lifetime of the token is indicative of the time at which the corresponding access token will not be valid for obtaining the protected resource from the resource system).
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Chan in view of Pishinov to include receiving and storing, at the token storage unit, an expiry time indicator in response to the token request, wherein the expiry time indicator corresponds to the received access token's time to expire and is indicative of the time at which the corresponding access token will not be valid for obtaining the protected resource from the resource system.
One of ordinary skill in the art would have been motivated because it would allow “[t]o facilitate a more efficient, adaptive token management system,” by which “expiration of the tokens is anticipated and renewal of the tokens is performed in anticipation of the expiration of the tokens” – Pishinov: par. 0014.
Chan further discloses receiving, at the client system from the first user device, a second access request comprising a second instruction to access the protected resource stored at the resource system (the application or service 502 sends an access request for protected resources to the token client 504.  The access request includes a session ID that is mapped to a cache key.  In step 514, the token client 504 sends the cache key to the token cache 506 – Chan: par. 0084 – Note: a second/subsequent access request includes a session ID (previously received during the first access request) which is mapped to the cache key, wherein this mapping is equivalent to instruction for retrieving the respective access token and accordingly the protected resource being requested); 
in response to the second access request, transmitting the stored access token to the resource system for receiving the protected resource (in step 526, the token client 504 transmits a resource request to the resource server with access to the protected resources 510.  The resource request includes a copy of the access token that is bound to the resource request.  If the access token is valid, in step 528, the resource server with access to the protected resources 510 transmits a representation of the requested resources to the token client 504. – Chan: par. 0084); and 
Chan in view of Pishinov further discloses initiating a process to request a new access token within a predefined length of time before the access token expires (At operation 302, the authentication module configures the lifetime of the token.  The lifetime may be based on user input, or other factors.  The duration of the lifetime of the token, and thus the time remaining before the token expires, is maintained in the token cache as part of the token data.  This data is relied upon by the authentication module to determine a token renewal request interval for the token – Pishinov: par. 0028).
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Chan in view of Pishinov to include initiating a process to request a new access token within a predefined length of time before the access token expires.
One of ordinary skill in the art would have been motivated because it would allow “[t]o facilitate a more efficient, adaptive token management system,” by which “expiration of the tokens is anticipated and renewal of the tokens is performed in anticipation of the expiration of the tokens” – Pishinov: par. 0014.

Per claim 15, it recites an article of manufacture comprising: 
a non-transitory computer processor readable medium (The processor 120 and memory 122 are hardware.  The memory 122 includes random access memory (RAM) and non-transitory memory, e.g., a non-transitory computer-readable medium such as one or more flash disks or hard drives.  The non-transitory memory may include any tangible computer-readable medium including, for example, magnetic and/or optical disks, flash drives, and the like – Chan: par. 0044); and 
instructions stored on the medium (The token distribution application may be a software application for registering, authenticating, and authorizing client computing devices 102 to use and access network resources provided by the resource server 108.  The token distribution application comprises machine/computer-readable executable instructions …– Chan: par. 0045); 
wherein the instructions are configured to be readable from the medium by the at least one computer processor ([instructions] that are executed by the processor 120 or another processor – Chan: par. 0045) and thereby cause the at least one computer processor to operate so as to perform the method steps as recited in claim 1 above.
Therefore, claim 15 is rejected based on the same analysis and motivation to combine as set forth in the rejection of claim 1 above. 

Per claim 17, it recites a computer readable medium comprising instructions which, when executed by a computer, cause the computer to carry out a method at a client system comprising the steps as recited in claim 1. 
Therefore, claim 17 is rejected based on the same analysis and motivation to combine as set forth in the rejection of claim 1 above. 

Per claim 18, it recites a client system comprising processing circuitry configured to: 
Therefore, claim 18 is rejected based on the same analysis and motivation to combine as set forth in the rejection of claim 1 above. 

Per claim 3, Chan-Pishinov discloses the computer-implemented method of claim 1 wherein the expiry time indicator is indicative of a length of time that the access token will be valid for (At operation 302, the authentication module configures the lifetime of the token.  The lifetime may be based on user input, or other factors.  The duration of the lifetime of the token, and thus the time remaining before the token expires, is maintained in the token cache as part of the token data. This data is relied upon by the authentication module to determine a token renewal request interval for the token… the token renewal request interval is a function of the remaining configurable lifetime of the token and the acquisition duration of the token – Pishinov: par. 0028 - 0029); and 
the method further comprises: determining the received access token's time to expire based on the length of time that the access token will be valid for and a time at which the access token is received at the client system (At 418 the authentication module schedules the next token renewal request interval by evaluating the token's lifetime and the acquisition duration of the token.  This token data is stored in the token cache.  For example, the interval is scheduled to be some amount shorter than the sum of the token's lifetime and the acquisition duration – Pishinov: par. 0037).
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Chan in view of Pishinov to include determining the received access token's time to expire based on the length of time that the access token will be valid for and a time at which the access token is received at the client system.
One of ordinary skill in the art would have been motivated because it would allow “to facilitate a more efficient, adaptive token management system” – Pishinov: par. 0014, wherein the adaptive token management system “utilizes a heuristic approach for auto token renewal to predict the possibility that a token could be needed again later” – Pishinov: par. 0019, “to allow the renewal to complete prior to expiration of the token” – Pishinov: par. 0037. 

Per claim 4, Chan-Pishinov discloses the computer-implemented method of claim 1 wherein the access token is stored at the token storage unit independently of the time indicated by the expiry time indicator (The client computing device transmits the representation of a username and a password to a token service computer for validation by the token service computer.  If the token service computer validates the username and the password, the token service computer generates a token which may include a time-to-live or an expiration time, to the computing device.  After receiving the token, the client computing device may cache the token with the authorization information and the metadata (e.g., a URI) used for obtaining the access token – Chan: par. 0034 – Note: no calculation surrounding the time-to-live or the expiration time is done for storing the access token, i.e., the access token is stored independently of the time indicated by the expiry time indicator); and/or 
wherein storage of the access token at the token storage unit is maintained until a time after the time indicated by the expiry time indicator (the token renewal request interval is a function of the remaining configurable lifetime of the token and the acquisition duration of the token…In some examples the token renewal request interval may be defined by … some other defined amount of time, such as twice the configured lifetime of the token – Pishinov: par. 0029).
The same motivation to modify Chan in view of Pishinov applied in claim 1 above applies here.

Per claim 9, Chan-Pishinov discloses the computer-implemented method of claim 1 further comprising: 
transmitting the access token from the client system to the resource system (the access token is expired, but the token client may not have access to this information.  In step 622, the token client 604 transmits a resource request with the expired access token to the resource server with access to the protected resources 610.  The resource server with access to the protected resources 610 receives the resource request and determines that the access token is expired – Chan: par. 0087) and, in response, receiving a message indicating that the access token is not valid (In step 624, the resource server with access to the protected resources 610 transmits an HTTP response of "401" or "400" to the token client 604.  An HTTP response of 401 indicates that the resource request was unauthorized.  An HTTP response of 400 indicates that the resource request was a bad request – Chan: par. 0087); and 
refreshing the access token, at the token storage unit (Note: equivalent to token cache 606), in response to receiving the message indicating that the access token is not valid (in step 636, the resource server with access to the protected resources 610 may transmit an updated or refreshed access token to the token client 604.  If the response includes the updated access token, the token client 604 stores the updated access token in the token cache 606.  The token cache 606 stores the updated access token and acknowledges to the token client 604 that the updated access token is stored in the token cache 606 – Chan: par. 0088).

Per claim 10, Chan-Pishinov discloses the computer-implemented method of claim 1 comprising: 
receiving, at the client system, a plurality of access tokens from the authorisation system, wherein each of the plurality of access tokens is received in response to a token request transmitted to the authorisation system (In step 512, the application or service 502 sends an access request for protected resources to the token client 504.  The access request includes a session ID that is mapped to a cache key…If this is a first request for protected resources, in step 518, the token client 504 transmits a request for an access token to the token service computer 508 – Chan: par. 0084 – Note: In a cloud or federated computer environment, the client computing device may have to obtain, cache, and utilize a large number of access tokens.  The client computing device includes the token cache to effectively and securely store and manage the access tokens…The token cache provides a secure storage for the client computing device to cache one or more access tokens, store access credentials associated with the one or more access tokens – par. 0020-0021); 
receiving and storing an expiry time indicator in association with each access token received at the client system, wherein each of the stored expiry time indicators is indicative of a time at which the corresponding access token will not be valid (the token service computer generates a token which may include a time-to-live or an expiration time… if …the access token has expired, the resource server notifies the client computing device that a new access token is needed.  The client computing device uses the metadata for obtaining the access token and sends a request for a new access token to the token service computer to replace the invalidated and/or expired access token – Chan: par. 0034-0035).

Per claim 11, Chan-Pishinov discloses the computer-implemented method of claim 10 further comprising: the client system determining a predicted expiry time for the access tokens received from the authorisation system based on the stored expiry time indicators (In the illustrated example, the authentication module also renews the token based upon pending requests or anticipated expiration of the token… The duration of the lifetime of the token, and thus the time remaining before the token expires, is maintained in the token cache as part of the token data. This data is relied upon by the authentication module to determine a token renewal request interval for the token… the token renewal request interval is a function of the remaining configurable lifetime of the token and the acquisition duration of the token – Pishinov: par. 0028-0029 – Note: wherein expiration of the tokens is anticipated and renewal of the tokens is performed in anticipation of the expiration of the tokens – par. 0014).  
The same motivation to modify Chan in view of Pishinov applied to claim 3 above applies here.

Per claim 12, Chan-Pishinov discloses the computer-implemented method of claim 11 further comprising: the client system determining that the predicted expiry time does not meet a predetermined threshold and, in response, not storing further access tokens received from the authorisation system (The authentication module then evaluates whether the token renewal request interval has been reached at operation 306. Once the token renewal request interval is reached, the authentication module evaluates whether there are pending requests for the token from client applications at operation 308. [0033] If there are no pending requests, the authentication module determines at 309 whether the cached token has been keep valid for longer than a threshold time. In some examples, the threshold time is referred to as the maximum time to keep a cached token valid. This threshold time is a configurable parameter that may be based on system requirements, and may be specific to the particular token, to the particular type of token, or to the particular data associated with the token — Pishinov: par. 0032-0033 — Note: while the cached token is not older than the threshold time, it is maintained in the cache and therefore no refresh request is submitted. As a consequence and inherently, no new access token is received and/or stored) and/or wherein the predicted expiry time is determined by calculating an average of the times indicated by the stored expiry time indicators (Note: this limitation is not required in the claimed scope).
The same motivation to modify Chan in view of Pishinov applied to claim 3 above applies here.

Per claim 13, Chan-Pishinov discloses the computer-implemented method of claim 1 comprising: 
receiving, at the client system from the first user device, a plurality of access requests subsequent to the first access request, each of the plurality of subsequent access requests comprising a subsequent instruction to access a respective protected resource stored at the resource system (Each client application 218 is identified by a client application identifier (ID) 214.  The authentication module manages requests 216 for tokens 204, as well as the associated token data.  As the requests are received from the client applications 218, the pending requests are maintained by the authentication module 104 in order in the queue 220…The authentication module 104 further maintains the token cache 202.  The token cache 202 includes a plurality of tokens 204 as well as the associated token data.  The token data includes, for example, times of occurrence 206 for each token 204, an acquisition duration 208 for each token, information identifying the associated secure service 210 relating to each token 204, a lifetime 212 of the token 204, and the client application ID 214 of each token 204 – Pishinov: par. 0023-0024 – Note: times of occurrence 206 for each token 204 are received and updated in the token cache per each (subsequent) request).
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Chan in view of Pishinov to include receiving, at the client system from the first user device, a plurality of access requests subsequent to the first access request, each of the plurality of subsequent access requests comprising a subsequent instruction to access a respective protected resource stored at the resource system.
One of ordinary skill in the art would have been motivated because it would allow to issue “only one request to the secure service, or other authentication system, per unique authentication data by queuing requests” to reduce “network traffic and the load on the secure service” by “using a local cache to store and deliver previously-issued tokens are satisfied from the cache and do not result in a remote service call (e.g., to the secure service)” – Pishinov: par. 0016.
Chan further discloses in response to the subsequent access request, transmitting the stored access token to the resource system from the client system for receiving the respective protected resource (Using the cache key, in step 616, the token cache 606 provides a token metadata and may provide an access token to the token client 604…in step 634, the token client 604 transmits a resource request to the resource server with access to the protected resources 610.  The resource request includes a copy of the access token – Chan: par. 0085).

Per claim 14, Chan-Pishinov discloses the computer-implemented method of claim 1 comprising: 
receiving, at the client system (Note: equivalent to token client) from each of a plurality of user devices , an access request comprising an instruction to access a respective protected resource stored at a resource system (In step 512, the application or service 502 sends an access request for protected resources to the token client 504.  The access request includes a session ID that is mapped to a cache key.  In step 514, the token client 504 sends the cache key to the token cache 506 – Chan: par. 0084 – Note: sessionID is read as a subsequent instruction that facilitates providing a token metadata and an access token to the token client, wherein the token client 118 includes a token cache 204 to store access tokens and associated data and information and the token cache 204 may store one or more access tokens, one or more credential hash values, and one or more token metadata – par. 0053); 
transmitting, from the client system to an authorisation system, a token request for an access token to be used for accessing the respective protected resource, in response to each of the access requests received from the plurality of user devices (The token client 504 transmits the hash-based message authentication code of the web service credentials to the token service computer 508 – Chan: par. 0084);
receiving, at the client system, an access token in response to each of the token requests (If the received hash-based message authentication code of the web service credentials is valid, in step 520, the token service computer 508 transmits a valid access token to the token client 504 – Chan: par. 0084), each access token having a corresponding time to expire indicative of a time at which the access token will not be valid for obtaining the respective protected resource from the resource system (The access token may be … expired if a time-to-live of the access token is reached - Chan: par. 0068 – Note: the expired access token is not valid for obtaining the respective protected resource from the resource system); 
transmitting each of the access tokens from the client system to the resource system and, in response, receiving the respective protected resource (in step 526, the token client 504 transmits a resource request to the resource server with access to the protected resources 510.  The resource request includes a copy of the access token that is bound to the resource request.  If the access token is valid, in step 528, the resource server with access to the protected resources 510 transmits a representation of the requested resources to the token client 504 – Chan: par. 0084); 
storing each of access tokens at the token storage unit (In step 522, the token client 504 stores the access token in the token cache 506 by providing the cache key… Optionally, in step 528, the resource server with access to the protected resources 510 and/or the token service computer 508 may transmit an updated or refreshed access token to the token client 504.  If the response includes the updated access token, in step 530, the token client 504 stores the updated access token in the token cache 506 – Chan: par. 0084).

2.	Claims 5-8 are is rejected under 35 U.S.C. 103 as being unpatentable over Chan, US2015/0350186 A1 in view of Pishinov, US2018/0139192A1 as applied in claim 1 above, further in view of Threlkeld, US10715514B1.

Per claim 5, Chan-Pishinov discloses the computer-implemented method of claim 1.
Chan-Pishinov is not relied on to disclose but Threlkeld discloses further comprising token storage maintenance steps performed by the client system comprising: 
comparing the time indicated by the stored expiry time indicator with a current time (the authentication module may verify the HMAC.  The HMAC may be verified by generating a new HMAC using the key and checking if it matches the HMAC provided in the request.  Additionally, once the HMAC has been verified to be authentic, the expiration time for the HMAC may be compared against the system clock.  If the expiration time of the HMAC code is earlier than the service's current system time, it may indicate that the HMAC code has expired and that the requestor does not have access to the requested resource – Threlkeld: col. 3, lines 48-58 – Note: wherein after HMAC code has expired, the token management service may generate a new security token (e.g., HMAC) and the new security token may be provided to a token repository that stores security tokens).
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Chan-Pishinov further in view of Threlkeld to include further comprising token storage maintenance steps performed by the client system comprising: comparing the time indicated by the stored expiry time indicator with a current time.
One of ordinary skill in the art would have been motivated because it would allow to “determine when an event occurs and perform custom logic in response to the event being triggered” (e.g., an event trigger may, for example, be the system's date/time exceeding the date/time of an expiration time) and to “provide an indication to the token management service that the security token associated with a role should be re-generated” – Threlkeld: col. 5, lines 17-28, so that “the existing security token may be synchronously invalidated (e.g., as part of detecting the security token should be re-generated) and the new security token may be asynchronously generated” – Threlkeld: col. 5, lines 49-53. 
Chan-Threlkeld-Pishinov further disclose deleting the access token corresponding with the stored expiry time if the time indicated by the stored expiry time indicator is after the current time and, optionally, wherein the token storage maintenance steps are executed intermittently (If the threshold time has been exceeded at 309, it is determined that the token is stale and no longer needed by any client applications.  The token is then cleared from the token cache, and the renewal cycle is terminated at operation 310) – Pishinov: par. 0034).
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Chan-Threlkeld further in view of Pishinov to include deleting the access token corresponding with the stored expiry time if the time indicated by the stored expiry time indicator is after the current time and, optionally, wherein the token storage maintenance steps are executed intermittently.
One of ordinary skill in the art would have been motivated because it would allow “maintaining a token having a configurable lifetime and associated token data in a local cache” – Pishinov: par. 0003. 

Per claim 6, Chan-Pishinov-Threlkeld discloses the computer-implemented method of claim 5, wherein the token storage maintenance steps are executed according to a predetermined schedule (At operation 302, the authentication module configures the lifetime of the token.  The lifetime may be based on user input, or other factors.  The duration of the lifetime of the token, and thus the time remaining before the token expires, is maintained in the token cache as part of the token data.  This data is relied upon by the authentication module to determine a token renewal request interval for the token – Pishinov: par. 0028).
The same motivation to modify Chan in view of Pishinov applied in claims 5 above applies here.

Per claim 7, Chan-Pishinov-Threlkeld discloses the computer-implemented method of claim 6, wherein the predetermined scheduled defines a time interval between adjacent executions of the token storage maintenance steps wherein, optionally, the time interval is configurable at the client system based on a user input received at the client system (At operation 302, the authentication module configures the lifetime of the token.  The lifetime may be based on user input, or other factors.  The duration of the lifetime of the token, and thus the time remaining before the token expires, is maintained in the token cache as part of the token data.  This data is relied upon by the authentication module to determine a token renewal request interval for the token – Pishinov: par. 0028) and/or wherein the time interval is configurable at the client system based on monitored performance of the client system (The centralized management of the tokens for the client applications (e.g., through an authentication module) reduces processor load and reduces network bandwidth usage at least because requests for token renewals (e.g., from a secure token service) are distributed over time rather than simply in response to requests from the client applications.  This results in improved user interaction experience – Pishinov: par. 0015).
The same motivation to modify Chan in view of Pishinov applied in claims 1 and 3 above applies here.

Per claim 8, Chan-Pishinov discloses the computer-implemented method of claim 1.
Chan generally discloses “based on oAuth, the token refresh module 210 may follow the oAuth specification to refresh the access token.  According to oAuth, a current token may be used to obtain a refreshed token …At a particular interval, the token refresh module 210 may execute in order to keep a session associated with the access token active.  Thus, the oAuth access token may be used to access protected resources without interruption” – Chan: par. 0069.
Chan-Pishinov is not relied on to explicitly disclose but Threlkeld discloses further comprising: the client system comparing the time indicated by the stored expiry time indicator with a current time (the authentication module may verify the HMAC.  The HMAC may be verified by generating a new HMAC using the key and checking if it matches the HMAC provided in the request.  Additionally, once the HMAC has been verified to be authentic, the expiration time for the HMAC may be compared against the system clock.  If the expiration time of the HMAC code is earlier than the service's current system time, it may indicate that the HMAC code has expired and that the requestor does not have access to the requested resource – Threlkeld: col. 3, lines 48-58 – Note: wherein after HMAC code has expired, the token management service may generate a new security token (e.g., HMAC) and the new security token may be provided to a token repository that stores security tokens).
The same motivation to modify Chan-Pishinov further in view of Threlkeld applied in claim 5 above applies here.
Chan in view of Threlkeld further discloses refreshing the access token if the time indicated by the stored expiry time indicator is after the current time (If the access token is invalidated and/or expired, the token refresh module 210 uses the token metadata to obtain a new access token…The token refresh module 210 uses the token metadata to present a request for a new access token to the token service computer 104 and generate an access token parameter map for determining where an access token is provided in a response from the token service computer 104.  The token refresh module 210 transmits an access token request to the token service computer 104.  The token service computer 104 verifies the credential information in the access token request and if the credential information is valid, transmits a response with an access token to the token refresh module 210.  The token refresh module 210 retrieves the access token using the access token parameter map and stores the access token in the token cache 204 – Chan: par. 0068).

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to AREZOO SHERKAT whose telephone number is (571)272-8533. The examiner can normally be reached Monday - Friday 8:30-5.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jung Kim can be reached on 571 - 272 - 3804. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/AREZOO SHERKAT/Examiner, Art Unit 2494