DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
Claims 1-20 are pending.
Upon further consideration, the requirement for restriction/election has been withdrawn and claims 1-20 have been examined.

Claim Objections
Claims 4, 5, 6, 7, 13 and 16 are objected to because of the following informalities:
“the first identifier” and “the second identifier” in line 3 of claim 4 lack antecedent basis.
“the same requestor” in 2nd line from last line of claim 5 should read “a same requestor”.
“the information” in line 1 of claim 6 should read “information”.
“the request” in last line of claim 7 should read “the second request”.
“the protected information” in line 4 of claim 13 lacks antecedent basis and should read “protected information”.
“the information” in line 7 of claim 13 should read “the protected information”.
“the requestor” in last line of claim 16 lacks antecedent basis and should read “a requestor”.
Appropriate correction is required.

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows: 
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

Claim 5 is rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more.  Claim 5 recites obtain a first request for access at an interval of time in the future, the first request including proof of successful completion of a first authentication; provide, in response to the first request, an access key; obtain, during the interval of time, a second request including the access key and proof of successful completion of a second authentication; verify the proof of completion of the second authentication; analyze the access key to determine that the first request and the second request are from the same requestor; and allow the second request to be fulfilled.
The claim recites a method of organizing human activity.  The claimed invention is a method that provides an access key in response to obtaining a first request for a subsequent access that includes a proof of successful completion of a first authentication and allows a subsequent second request to be fulfilled upon verifying a proof of completion of a second authentication and determining the two requests are from a same requestor based on analyzing the access key which is a method of managing interactions between people.  Thus, the claim recites an abstract idea.
This judicial exception is not integrated into a practical application because the claim does not recite additional elements that integrate the judicial exception into a practical application.  
Claim 5 recites the additional elements of one or more processors and memory that stores computer-executable instructions that, as a result of being executed by the one or more processors, cause the system to perform the steps. However, the “one or more processors” and “memory” are recited at a high-level of generality and generic computer components such that they amount to no 
Considering the claim as a whole, looking at the elements individually and in an ordered combination, does not integrate the abstract idea into a practical application using the considerations set forth above.
The claim does not include additional elements that are sufficient to amount to significantly more than the judicial exception.  As discussed above with respect to integration of the abstract idea into a practical application, the additional element of “one or more processors” and “memory” are recited at a high-level of generality and generic computer components such that they amount to no more than mere instructions to apply the exception using a generic computer system. Mere instructions to apply an exception using a generic computer cannot provide an inventive concept.  Accordingly, these additional elements do not integrate the abstract idea into a practical application because they do not impose any meaningful limits on practicing the abstract idea. 
There are no well-understood, routine, and conventional additional elements recited in the claim.
	Thus, the claimed elements, either individually, or in the ordered combination do not add significantly more to the abstract idea.
Dependent claims 6 and 9 further clarify the concept recited in claim 5 however this clarification still falls under the concept recited in claim 5 and does not amount to significantly more than the judicial exception.  Dependent claim 9 recites an additional element of a second computer system however it is recited at a high-level of generality and generic computer components such that they amount to no more than mere instructions to apply the exception using a generic computer system. Mere instructions to apply an exception using a generic computer cannot provide an inventive concept.  Accordingly, these additional elements do not integrate the abstract idea into a practical application because they do not impose any meaningful limits on practicing the abstract idea. 
Claim 13 is rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more.  Claim 13 recites transmit a first request indicating an intent to access the protected information; receive an acknowledgement to access the protected information during a future interval of time; and transmit a second request to access the information during the future interval time, the second request including the received acknowledgement.
The claim recites a method of organizing human activity.  The claimed invention is a method that receives an acknowledgement to subsequently access protected information upon transmitting a first request indicating an intent to access and transmits a subsequent second request including the acknowledgement to access the protected information which is a method of managing interactions between people.  Thus, the claim recites an abstract idea.
This judicial exception is not integrated into a practical application because the claim does not recite additional elements that integrate the judicial exception into a practical application.  
Claim 13 recites the additional elements of a non-transitory computer-readable storage medium storing thereon executable instructions that, as a result of being executed by one or more processors of a computer system, cause the computer system to perform the steps. However, the “one or more processors” and “a non-transitory computer-readable storage medium” are recited at a high-level of generality and generic computer components such that they amount to no more than mere instructions to apply the exception using a generic computer system. Mere instructions to apply an exception using a generic computer cannot provide an inventive concept.  Accordingly, these additional elements do not integrate the abstract idea into a practical application because they do not impose any meaningful limits on practicing the abstract idea. 
Dependent claims 14-20 further clarify the concept recited in claim 13 however this clarification still falls under the concept recited in claim 13 and does not amount to significantly more than the judicial exception.  

Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –
(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale or otherwise available to the public before the effective filing date of the claimed invention.

Claims 13-15 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Kitchen (US 9961066).

Claim 13, Kitchen discloses A non-transitory computer-readable storage medium storing thereon executable instructions that, as a result of being executed by one or more processors of a computer system, cause the computer system to at least: 
transmit a first request indicating an intent to access the protected information; (e.g. col. 2, ll. 56-59, col. 16, ll. 23-26:  a second request for the resource is received from the client device. The second request includes the first cryptographic token…the proxy server 120 receives as a result of the refresh instruction a second request for the resource from the client device 110. The second request includes the first cryptographic token)
receive an acknowledgement to access the protected information during a future interval of time; and (e.g. col. 2, ll. 65-col. 3, ll. 1, col. 16, ll. 44-48: transmitting a second response including the refresh instruction, a second refresh time, and a second cryptographic token that is not valid until a second predetermined time is reached…the proxy server 120 transmits at operation a second response including the refresh instruction, a second refresh time, and a second cryptographic token that is not valid until a second predetermined time is reached)
transmit a second request to access the information during the future interval time, the second request including the received acknowledgement. (e.g. col. 3, ll. 10-13, col. 17, ll. 7-12: receiving a third request for the resource from the client device, wherein the third request includes at least one of the first cryptographic token and the second cryptographic token...the proxy server 120 receives a third request for the resource from the client device 110 as a result of the second response. The third request includes at least one of the first cryptographic token and the second cryptographic token, depending on which one was last transmitted to the client device 110)

Claim 14, Kitchen discloses The non-transitory computer-readable storage medium of claim 13, wherein the instructions further comprise instructions that, as a result of being executed by the one or more processors, cause the computer system to include, in the first request, an indication that a requestor is authorized to access the protected information.  (e.g. col. 2, ll. 56-59, col. 16, ll. 23-26)

Claim 15, Kitchen discloses The non-transitory computer-readable storage medium of claim 14, wherein the indication is a token indicating that the requestor is authorized to access the protected information.  (e.g. col. 2, ll. 56-59, col. 16, ll. 23-26)

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.


Claim 5 is rejected under 35 U.S.C. 103 as being unpatentable over Kitchen (US 9961066) in view of McMurtry (US 20160191528) and further in view of Sondhi (US 20130086669).

Claim 5, Kitchen discloses A system, comprising: 
one or more processors; and memory that stores computer-executable instructions that, as a result of being executed by the one or more processors, cause the system to: 
obtain a first request for access at an interval of time in the future; (e.g. col. 2, ll. 56-59, col. 16, ll. 23-26:  a second request for the resource is received from the client device. The second request includes the first cryptographic token…the proxy server 120 receives as a result of the refresh instruction a second request for the resource from the client device 110. The second request includes the first cryptographic token)
provide, in response to the first request, an access key; (e.g. col. 2, ll. 65-col. 3, ll. 1, col. 16, ll. 44-48: transmitting a second response including the refresh instruction, a second refresh time, and a second cryptographic token that is not valid until a second predetermined time is reached…the proxy server 120 transmits at operation a second response including the refresh instruction, a second refresh time, and a second cryptographic token that is not valid until a second predetermined time is reached)
obtain, during the interval of time, a second request including the access key; (e.g. col. 3, ll. 10-13, col. 17, ll. 7-12: receiving a third request for the resource from the client device, wherein the third request includes at least one of the first cryptographic token and the second cryptographic token...the proxy server 120 receives a third request for the resource from the client device 110 as a result of the second response. The third request includes at least one of the first cryptographic token and the second cryptographic token, depending on which one was last transmitted to the client device 110)
analyze the access key to determine that the first request and the second request are from the same requestor; and allow the second request to be fulfilled. (e.g. col. 3, ll. 16-19: responsive to determining that at least one of the first cryptographic token and the second cryptographic token is valid, fulfilling the third request)
Although Kitchen discloses obtain a first request for access at an interval of time in the future and the first request includes a first cryptographic token (see above), Kitchen does not appear to explicitly disclose but McMurtry discloses the first request including proof of successful completion of a first authentication (e.g. ¶47, 49: embodiment, if the client is successfully authenticated, operation 410 is then performed in which the authentication token is received. As described with reference to FIG. 3, the result of successful authentication is the receipt of an authentication token. That token is passed to Web service 104 to provide proof of the authentication. Web service 104 evaluates the token and verifies that the token is valid…in order for a particular protected resource 106 to be accessed, Web service 104 might require that three particular authentication processes be performed to authenticate client 102 to authentication service 108. As a result, Web service 104 evaluates the token received from client 102 to verify that it contains three claims by authentication service 108, asserting that client 102 has completed all three authentication processes).
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the features described by McMurtry into the invention of Kitchen for the purpose of enabling the client to provide proof of successful authentication when requesting access to a protected resource and allowing the service provider to verify that the client has completed all required authentication for accessing the protected resource (McMurtry, ¶47, 49).
Although Kitchen discloses obtain, during the interval of time, a second request including the access key, the second request including the first cryptographic token and the second cryptographic token (see above), Kitchen does not appear to explicitly disclose but Sondhi discloses a second request including proof of successful completion of a second authentication and verify the proof of completion of the second authentication (e.g. ¶13: the request to perform the function associated with the service provider may include an access request. The access request may, in some cases, include a client token indicating that the client is authenticated, a user token indicating that the user is authenticated, and/or an indication of the service provider for which access is being requested.  In some cases, the system may receive an indication that the user and/or the client application have been granted access to the service provider by the access  management service.)
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the features described by Sondhi into the invention of Kitchen-McMurtry for the purpose of enabling the client to provide to the service provider proofs of successful authentications when requesting access to the resource of the service provider thereby increasing the security of the system.

Claims 6 and 9 are rejected under 35 U.S.C. 103 as being unpatentable over Kitchen (US 9961066) in view of McMurtry (US 20160191528) in view of Sondhi (US 20130086669) and further in view of Divoux (US 20190245848).

Claim 6, Kitchen-McMurtry-Sondhi discloses The system of claim 5, (see above) and does not appear to explicitly disclose but Divoux discloses wherein the information in the access key includes time information indicating the interval of time during which the second request can be fulfilled; and wherein the memory further includes instructions that, as a result of being executed by the one or more processors, cause the system to verify that a current time is within the interval of time. (e.g. ¶202)
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the features described by Divoux into the invention of Kitchen-McMurtry-Sondhi for the purpose of verifying that the current time is within the time period of validity of the token thereby ensuring that the token is still valid (Divoux, ¶202).

Claim 9, Kitchen-McMurtry-Sondhi discloses The system of claim 5, (see above) and does not appear to explicitly disclose but Divoux discloses wherein the instructions that cause the system to analyze the access key further comprise instructions that, as a result of being executed by the one or more processors, cause the system to provide at least a portion of the access key to a second computer system for verification.  (Divoux, e.g. ¶202)
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the features described by Divoux into the invention of Kitchen-McMurtry-Sondhi for the purpose of allowing an identity provider to verify the token thereby offloading processing associated with token verification to another system.

Claim 7 is rejected under 35 U.S.C. 103 as being unpatentable over Kitchen (US 9961066) in view of McMurtry (US 20160191528) in view of Sondhi (US 20130086669) and further in view of Behnck (US 20220035924).

Claim 7, Kitchen-McMurtry-Sondhi discloses The system of claim 5, wherein the instructions that cause the system to allow the second request to be fulfilled (see above) and does not appear to explicitly disclose but Behnck discloses instructions that, as a result of being executed by the one or more processors, cause the system to encrypt a protected resource indicated in the first request with a bearer token included in the access key prior to fulfilling the request. (e.g. ¶13-14)
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the features described by Behnck into the invention of Kitchen-McMurtry-Sondhi for the purpose of providing access to the resource only to a client possessing the token, thereby protecting the resource from unauthorized access.

Claim 8 is rejected under 35 U.S.C. 103 as being unpatentable over Kitchen (US 9961066) in view of McMurtry (US 20160191528) in view of Sondhi (US 20130086669) and further in view of Rapp (WO 2018125158).

Claim 8, Kitchen-McMurtry-Sondhi discloses The system of claim 5, (see above) and does not appear to explicitly disclose but Rapp discloses wherein the access key is encrypted with a public key associated with the system; and wherein the memory further includes instructions that, as a result of being executed by the one or more processors, cause the system to cryptographically verify the access key by at least decrypting the access key with a private key associated with the system.  (e.g. ¶40-41)
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the features described by Rapp into the invention of Kitchen-McMurtry-Sondhi for the purpose of ensuring the encrypted data can only be decrypted by the private key corresponding to the public key thereby providing confidentiality to the data.

Claims 10 and 11 are rejected under 35 U.S.C. 103 as being unpatentable over Kitchen (US 9961066) in view of McMurtry (US 20160191528) in view of Sondhi (US 20130086669) in view of McBride (US 20120214444) and further in view of Royyuru (US 20170085563).

Claim 10, Kitchen-McMurtry-Sondhi discloses The system of claim 5, (see above) and does not appear to explicitly disclose but McBride discloses wherein the access key is encrypted with a cryptographic key generated based at least in part on a first identifier of a protected resource associated with the first request. (e.g. ¶106, 142-143).
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the features described by McBride into the invention of Kitchen-McMurtry-Sondhi for the purpose of protecting the access data using a key that is linked to the service.
Although McBride discloses a second identifier (see above), Kitchen-McMurtry-Sondhi-McBride does not appear to explicitly disclose but Royyuru discloses a second identifier of a client device responsible for providing the first request. (e.g. ¶61)
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the features described by Royyuru into the invention of Kitchen-McMurtry-Sondhi-McBride for the purpose of protecting the access data using the key that is further linked to the requesting application executed by the device.

Claim 11, Kitchen-McMurtry-Sondhi-McBride-Royyuru discloses The system of claim 10, wherein the second identifier further identifies an application executed by the client device attempting to access the protected resource. (Royyuru, e.g. ¶61, 63).  Same motivation as in claim 10 would apply.


Claims 16 and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Kitchen (US 9961066) in view of Kishimoto (US 20200076791).

Claim 16, Kitchen discloses The non-transitory computer-readable storage medium of claim 13, (see above) and does not appear to explicitly disclose but Kishimoto discloses wherein the future interval of time is indicated by at least a pair of timestamps indicating a time window during which the requestor can access the protected information. (Kishimoto, e.g. Table 1, ¶40)
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the features described by Kishimoto into the invention of Kitchen for the purpose of indicating date/time when the token becomes valid and when the token expires thereby specifying the validity of the token (Kishimoto, ¶40).

Claim 17, Kitchen-Kishimoto discloses The non-transitory computer-readable storage medium of claim 16, wherein the instructions that cause the computer system to transmit the second request further include instructions that cause the computer system to include the pair of timestamps in the second request. (Kishimoto, e.g. Table 1, ¶40, 59).  Same motivation as in claim 16 would apply.

Claim 18 is rejected under 35 U.S.C. 103 as being unpatentable over Kitchen (US 9961066) in view of McMurtry (US 20160191528).

Claim 18, Kitchen discloses The non-transitory computer-readable storage medium of claim 13, (see above) and does not appear to explicitly disclose but McMurtry discloses wherein the instructions further include instructions that cause the computer system to obtain a first proof of successful completion of a first authentication; and wherein the instructions that cause the computer system to transmit the first request further include instructions that cause the computer system to include the first proof of successful completion of the first authentication in the first request. (e.g. ¶47, 49)
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the features described by McMurtry into the invention of Kitchen for the purpose of enabling the client to provide proof of successful authentication when requesting access to a protected resource and allowing the service provider to verify that the client has completed all required authentication for accessing the protected resource (McMurtry, ¶47, 49).

Claims 19-20 are rejected under 35 U.S.C. 103 as being unpatentable over Kitchen (US 9961066) in view of Sondhi (US 20130086669).

Claim 19, Kitchen discloses The non-transitory computer-readable storage medium of claim 13, (see above) and does not appear to explicitly disclose but Sondhi discloses wherein the instructions further include instructions that cause the computer system to obtain a second proof of successful completion of a second authentication; and wherein the instructions that cause the computer system to transmit the second request further include instructions that cause the computer system to include the first proof of successful completion of the first authentication and the second proof of successful completion of the second authentication in the second request. (e.g. ¶13).
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the features described by Sondhi into the invention of Kitchen for the purpose of enabling the client to provide to the service provider proofs of successful authentications when requesting access to the resource of the service provider thereby increasing the security of the system.

Claim 20, Kitchen-Sondhi discloses The non-transitory computer-readable storage medium of claim 19, wherein the first request is an Application Programming Interface (API) request. (Kitchen, e.g. col. 3, ll. 33-36)


Allowable Subject Matter
Claims 1-3 are allowed.
The following is an examiner’s statement of reasons for allowance:
None of the prior art of record discloses, individually or in a reasonable combination, the following combination of limitations as recited in independent claim 1: “receiving a first request that indicates an intent to access a resource, the first request including a first bearer token”, “generating an access key to access including information that indicates an interval of time during which the access key is valid and the first bearer token”, “encrypting the access key to obtain an encrypted key”, “providing the encrypted key in response to the first request”, “receiving a second request to access the resource, the second request identifying the resource and comprising the encrypted key and a second bearer token”, “decrypting the encrypted key to result in a decrypted key;”, and “verifying that the second request is received within the interval of time, that the second bearer token indicates authorization to fulfill the second request and that the first bearer token and second bearer token are different” in combination with other limitations as a whole and in the context recited in the claim.
	Dependent claims are allowed as they depend from allowable independent claim.
Claim 4 would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims and to overcome the claim objection set forth above.
Claim 12 is objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.
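
The two-request sequence quoted from independent claim 1 in the reasons for allowance, sketched in Go as an added illustration; it is not code from the application or from any cited reference. AES-256-GCM, the JSON layout, binding the resource as associated data, validating the first token, and the names Service, Reserve, Redeem and demoAuthorize are assumptions of this sketch.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/subtle"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

var (
	ErrBadKey        = errors.New("access key malformed, tampered, or for another resource")
	ErrOutsideWindow = errors.New("request is outside the access key's validity interval")
	ErrUnauthorized  = errors.New("bearer token does not authorize this resource")
	ErrSameToken     = errors.New("second bearer token must differ from the first")
)

// accessKey is the plaintext that gets sealed: validity interval plus first bearer token.
type accessKey struct {
	NotBefore   int64  `json:"nbf"`
	NotAfter    int64  `json:"exp"`
	FirstBearer string `json:"tok1"`
}

type Service struct {
	aead      cipher.AEAD
	authorize func(token, resource string) bool // hypothetical token-validation hook
}

func NewService(key []byte, authorize func(token, resource string) bool) (*Service, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Service{aead: aead, authorize: authorize}, nil
}

// Reserve handles the first request: it returns the encrypted access key for a future window.
func (s *Service) Reserve(resource, firstBearer string, nbf, exp time.Time) (string, error) {
	if !s.authorize(firstBearer, resource) { // assumption: the first token is validated too
		return "", ErrUnauthorized
	}
	pt, err := json.Marshal(accessKey{NotBefore: nbf.Unix(), NotAfter: exp.Unix(), FirstBearer: firstBearer})
	if err != nil {
		return "", err
	}
	nonce := make([]byte, s.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	sealed := s.aead.Seal(nonce, nonce, pt, []byte(resource)) // nonce || ciphertext; resource is AAD (assumption)
	return base64.RawURLEncoding.EncodeToString(sealed), nil
}

// Redeem handles the second request: decrypt, then check window, authorization, token difference.
func (s *Service) Redeem(resource, encKey, secondBearer string, now time.Time) error {
	raw, err := base64.RawURLEncoding.DecodeString(encKey)
	n := s.aead.NonceSize()
	if err != nil || len(raw) < n {
		return ErrBadKey
	}
	pt, err := s.aead.Open(nil, raw[:n], raw[n:], []byte(resource))
	var k accessKey
	if err != nil || json.Unmarshal(pt, &k) != nil {
		return ErrBadKey
	}
	if t := now.Unix(); t < k.NotBefore || t > k.NotAfter {
		return ErrOutsideWindow
	}
	if !s.authorize(secondBearer, resource) {
		return ErrUnauthorized
	}
	if subtle.ConstantTimeCompare([]byte(secondBearer), []byte(k.FirstBearer)) == 1 {
		return ErrSameToken
	}
	return nil
}

// demoAuthorize is a constructed stand-in for real bearer-token validation.
func demoAuthorize(token, resource string) bool {
	granted := map[string]string{"tok-A": "reports/q3", "tok-B": "reports/q3"}
	return granted[token] == resource
}

func main() {
	svc, _ := NewService(make([]byte, 32), demoAuthorize) // all-zero key, demo only
	t0 := time.Unix(1700000000, 0)
	key, _ := svc.Reserve("reports/q3", "tok-A", t0.Add(time.Hour), t0.Add(2*time.Hour))
	fmt.Println("too early:", svc.Redeem("reports/q3", key, "tok-B", t0))
	fmt.Println("in window:", svc.Redeem("reports/q3", key, "tok-B", t0.Add(90*time.Minute)))
}
```

Because the key is sealed with an AEAD, a client cannot widen the interval or swap the embedded first token without the decryption failing.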


Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure: 

US 20040236938 discloses The server authenticates the user for the first application based on a userID and password of the user, and the server returns a token of the authentication to the client computer. The client computer uses the token to request a first function performed by the first application. The user subsequently requests a second function performed by the second application. In response, the client computer determines that the user has not yet been authenticated for the second application and sends a request to the server for an authentication ticket for using the second application. In response to the request for the authentication ticket, the server checks the authentication token. If valid, the server returns an authentication ticket to the client computer. The client computer requests the second function to the server. The client computer request for the second function includes the authentication ticket. The server determines that the authentication ticket supplied with the client request is valid before the second application performs the second function.

US 20090300744 discloses the user may submit his or her user credentials (e.g., username and password), which is typical. In an alternative scenario, the user device may also submit a device certificate (or device ID and device password), thereby providing two factors for authentication…when the account authority service receives the credentials from the user device, it authenticates them and, if the credentials satisfy the secure server's security requirements (as determined in a decision operation 314), the account authority service sends a security token to the user device in an operation 320…The user device receives the security token in receiving operation 322 and forwards it to the secure server in a sending operation 324. In a granting operation 326, the secure server interrogates the security token to determine a level of privilege to authorize for the user/device, based on the authentication performed by the account authority service. In one implementation, the secure server interrogates the security token to determine whether both user credentials and device credentials were included in the authentication with the account authority service. If so, the secure server can allow a higher level of privilege to the user via the user device. Otherwise, the secure server can allow a lower level of privilege to the user or allow not access at all.

US 20190007214 discloses The method involves generating (205) first token value that includes a hash value generated by hashing secret key and first set of other values using hash algorithm. The first token value is included (210) in a first cookie. The first cookie is sent to a client device. The first cookie does not include the secret key. A first request for an action to be performed on a first resource that is hosted at an origin server is received (215) from the client device. A second set of one or more other values is determined using the first request. A fourth token value is generated by hashing the secret key and the second set of one or more other values using the hash algorithm. The determination is made that the second token value, the third token value, and the generated fourth token value are equivalent. The first request is sent to the origin server responsive to the determining that the second token value, the third token value, and the generated fourth token value are equivalent.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to TRONG NGUYEN whose telephone number is (571)270-7312.  The examiner can normally be reached on Monday through Thursday 9:00 AM - 5:00 PM EST.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, GELAGAY SHEWAYE can be reached on (571)272-4219.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/TRONG H NGUYEN/Primary Examiner, Art Unit 2436