DETAILED ACTION
This Final Office Action is in response to amendment filed on 08/18/2021. Claims 1, 17 and 31 have been amended. Claims 1-12, 16-29 and 31-36 remain pending in the application. 

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Drawings
The drawings filed on 06/19/2017 are accepted.

Response to Arguments 
Applicant’s arguments, see Applicant Remarks, Pages 10 and 11, regarding the newly added limitation “assigning, scores to individual elements of the plurality of elements, combining the scores to generate a second score, assigning, by the computing device, an authentication level to the request based on the combined score”, filed 08/18/2021, with respect to the rejection(s) of claim(s) 1, 17 and 31 under 35 U.S.C 103 have been fully considered and are persuasive.  Therefore, the rejection has been withdrawn. However, upon further consideration, a new ground(s) of rejection is made in view of the newly found prior art: Samuels et. al. (US 8788419 B2), hereinafter Samuels, in addition to the previously cited prior arts. Please see detailed rejection below.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

Claims 1-6 and 9-10, 12 and 31-36 are rejected under 35 U.S.C. 103 as being unpatentable over Unnikrishnan et. al. (US 20160094531 A1) (IDS), hereinafter .

Regarding claim 1 (Currently Amended), Unnikrishnan teaches a method (Unnikrishnan [0003] “…the present disclosure comprises a device having a memory and a processor.”, [0004] “a computer-readable storage device, having instructions thereon, which when executed on a process cause the processor to execute a process.”, [0016] "FIG. 1 illustrates an overview of a system 100 that may be used to grant access to secured resources of a network...a network may be a distributed environment that includes resources shared by more than one client such as a cloud- computing environment."): 
receiving, by a computing device, a request from a client device to access a resource (Unnikrishnan [0030] "Once an authentication component 104 (i.e. computing device) receives an access request from a client", [0025] "client 102 may issue an access request for access to network resource 110"); 
determining, by the computing device, context information that corresponds[ing] to the request and comprises a plurality of elements (Unnikrishnan [0030] "…component 104 by inspecting a user string or header of the access request.", "user string or header" corresponds to "context information", where the request includes plurality of elements, including data string to indicate the type of authentication the client is able to authenticate, version of the authentication protocol supported, previous challenges, etc., as disclosed in [0029-0030]); 
[based on the authentication level]  (Unnikrishnan [0030] “Before generating a challenge to the client's access request, the authentication component 104 may check whether the client 102 has issued a response to a previous challenge”, [0031] "The authentication component generates an authentication challenge to authenticate a client for access to a secured resource"), 
the authentication challenge comprises an initial token issued from the computing device (Unnikrishnan [0031] “Parameters of the authentication challenge may vary…The challenge may also include challenge-specific data that the client 102 uses in a challenge response as criteria to authenticating the client 102”, [0033] “The authentication challenge is designed to be short lived and the authentication component 104 may also maintain state information in a manner that is opaque to the client 102, for example within an authentication session cookie or the encrypted context parameter of the challenge that ensures the challenge is short lived.”, where the data challenge opaque to the client may be authentication cookie included in the challenge as disclosed in [0054], where cookie corresponds to the initial token, where the authentication challenge was generated and issued by the authentication device, i.e. computing device), 
identification of one or more authentication services, and authentication parameters (Unnikrishnan [0030] “…the authentication component may inspect the access request and specifically identify whether the client's application is able to be authenticated using a specific authentication protocol”, [0031] “The authentication component generates an authentication challenge to authenticate a client for access to a secured resource…The authentication challenge is presented in a flexible format that can be tailored to a specific type of authentication (or multiple types of authentication) (i.e. authentication service) …Parameters of the authentication challenge may vary, for example, depending on the application that the client 102 is running or the type of authentication the authentication protocol is determining. The challenge contains information about the requested enforcement criteria to aid the client 102 in determining an authentication credential being requested by the authentication component 104. The challenge includes information that would allow the client 102 to easily locate the authentication credential required to authenticate the client 102 such as data related to an issuer of an authentication credential as an example. The challenge may also include challenge-specific data that the client 102 uses in a challenge response as criteria to authenticating the client 102. This includes secured data that is opaque to the client 102 (e.g., encrypted data). Examples of some of the parameters that may be included in an exemplary authentication challenge are highlighted in Table 1.1 below:”, [0032], examiner asserts that the authentication component would identify a specific authentication protocol for the client device 102, and the authentication parameters/challenge-specific data would aid/allow the client to locate/identify/determine the authentication credentials, to authenticate the client device, where identifying the authentication credentials, flexible format that can be tailored to a specific type of authentication or multiple types of authentications, etc., correspond to knowledge of the authentication protocol and authentication service(s) required),
receiving, by the computing device, [an updated token] from the client device in response to transmission of the authentication challenge to the client device (Unnikrishnan discloses in [0050] that after receiving challenge, Figure 2 (206) illustrates receiving the challenge response from client 102 to the authentication component 104, where the response includes Auth.Token as disclosed in the table in [0051] “The authentication component 104 evaluates the authentication response once it is received. The response may be evaluated based on rules established by the authentication protocol of the authentication component 104. The authentication component 104 evaluates the response to determine that the response is authentication protocol compliant, for example, determining whether the response includes protocol identification in the header or a user substring appended to the response.”), 
[the updated token generated by inclusion in the initial token of] an indication of authentication of a user of the client device to one or more authentication services, the authentication being accomplished with use of the at least one authentication protocol and the authentication parameters of the challenge response (Unnikrishnan discloses in [0050] that after receiving challenge, Figure 2 (206) illustrates the challenge response from client 102 to the authentication component 104, where the response includes Auth.Token, [0051] “The authentication component 104 evaluates the authentication response once it is received. The response may be evaluated based on rules established by the authentication protocol of the authentication component 104. The authentication component 104 evaluates the response to determine that the response is authentication protocol compliant, for example, determining whether the response includes protocol identification in the header or a user substring appended to the response.”, where the response indicates/includes identified protocol which is determined to be authentication protocol complaint by the authentication server, the challenge response further includes authentication parameters, e.g. nonce in table [0031] 1.1. “Examples of some of the parameters that may be included in an exemplary authentication challenge are highlighted in Table 1.1 below: TABLE-US-00001 TABLE 1.1 Challenge field Value Nonce A unique value issued by the server in its challenge. The client is expected to return this value to the server in its signed response in order to perform authentication. The nonce is also persisted within the encrypted context parameter.”), and 
the indication being included in the initial token by the one or more authentication services as a part of a response to an authentication request from the client device made in response to the authentication challenge (Unnikrishnan discloses in [0031] that the authentication challenge is tailored to specific type of authentication or multiple authentications, corresponding to the authentication service, which the client has to address in its challenge response in order to be granted access, where the authentication server, as disclosed in [051], evaluates the response and determines that the response is authentication protocol is complaint, where the response include the cookie to be checked and evaluated as disclosed in Figure 2 (206) and [0051] ); and 
[as indicated by the updated token] (Unnikrishnan discloses in Figure 2 the validation process based on the challenge response (206) from the client based on the response, as indicated in the response, which includes the identified protocol being compliant as disclosed in [0051], accordingly and subsequently provide access to resources as disclosed in [0060], where the response has to address “tailored to a specific type of authentication (or multiple types of authentication)”, corresponding to authentication services in order to perform authentication and subsequently the client be granted access to resources).
While Unnikrishnan discloses in [0058] updating opaque data/authentication session cookie for client to use for subsequent access, which suppresses the process of performing an authentication challenge on the client, Unnikrishnan further discloses receiving from the client/computing device a challenge response (206) in response to transmission of the authentication challenge, where the response is illustrated in [0050] as “TABLE-US-00006 Authorization: PKeyAuth AuthToken="<signed JWT>", Context="<same value as in the challenge>", Version="1.0", however, Unnikrishnan does not explicitly disclose that the received from the client/computing device is an updated token.
Veeraraghavan from analogues field of invention discloses an updated token and  receiving, by the computing device, an updated token from the client device in response to transmission of the authentication challenge to the client device (Veeraraghavan discloses in Figure 4 augmented/updated token (Figure 4 (314)) being received by the client/user, where such augmented/updated token (Figure 4 (400)) is further received by the RP-STS from the client/user/computing device, where the further  augmented/updated token (Figure 4 (316)) is eventually received from the client/user/computing device by the service 102, [0027] “The original token may contain sufficient claims, i.e. authentication and privileges, to satisfy the needs of the service 102, or it may not. A process known as claims augmentation can be used to provide any missing claims or to provide supplemental claims which will support authentication and/or authorization of the client. As part of the augmentation process an augmentation request 310 containing the original security token is sent to each claims provider 106 which is registered with the IP-STS 104. Each claims provider will add to the security token those claims which it can assert about the user.”, [0029] “The fully augmented security token is returned to the client 100 as a part of the authorization response 314 to authorization request 304.”, [0033] “The client 100 …supplies the security token generated by the IP-STS 104.”, where the service 102, i.e. computing device, eventually receives augmented token (316), i.e. updated tokens, in response to the authentication request/challenge (302) that identify which claims to be used for authentication and needed for the client (100) to acquire from the IP-STS and RP-STS domains in order for the client to be granted access as disclosed in [0024, 0029]).
the updated token generated by inclusion in the initial token of an indication of authentication of a user of the client device to one or more authentication services,  (Veeraraghavan discloses in [0027] “The original token (initial token) may contain sufficient claims, i.e. authentication and privileges, to satisfy the needs of the service 102, or it may not. A process known as claims augmentation can be used to provide any missing claims or to provide supplemental claims which will support authentication and/or authorization of the client”, where the augmentation to update the original token, corresponding to the initial token, indicates the authentication and authorization, i.e. authentication service, required by the client in nodes for the service 102 to grant access as disclosed in [0024, 0029]).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Unnikrishnan to incorporate the teaching of Veeraraghavan to incorporate augmented tokens, with the motivation of augmenting security token with claims/authentication and authorization so that the client is granted access to services within a domain or across domains based on claims/privileges/authorizations provided to the client, as recognized by (Veeraraghavan [0023, 0030, 0033]).
	Unnikrishnan in view of Veeraraghavan does not disclose the remaining limitations.
Badri discloses assigning [to individual elements of plurality of elements ] (Badri teaches a dynamic authentication in a system [0004], “multi-level and/or a multi-factor authentication system, and is enhanced through a self-learning process”, [0005] “a self-adaptive secure authentication system”, Badri [0044]“…each user can be assigned a default score index based on one or more attributes…Once the input 270 is received by the user track/feedback system 240, the user track/feedback system 240 can change the score index for each user from the previous default score index…the previous default score index can be changed based on an actual location or expected location in which access may be requested by the user…the score index can be defined as an authentication level, for example, which can require two or more biometric identifiers, for example, fingerprint, Iris recognition, and face detection, as shown in FIG. 5.”, where the attributes, e.g. user location, time and authenticator used as disclosed in [0051], which are an attributes of the access request, correspond to plurality of elements context information, where the score is dynamically changed and determined based on the attributes, See Figure 3 and Figure 4 illustrating attributes, authentication levels associated with scores);
assigning, by the computing device, an authentication level to the request based on the [combined] score (Badri discloses [0006] “assigning a score index to each of the one or more users in the authentication system for one or more services, the score index representing a security level and corresponding authentication required to access each of the one or more services; inputting each request for services from the one or more users into the authentication system to continuously update the score index for each of the one or more users, each of the requests including one or more authenticators or biometric identifiers for the requested service”, [0044, 0047] and Figure 5 further discloses score corresponding to authentication level, where the score is based on a plurality of attributes/elements associated with the user, such as location and time, frequency of access, as disclosed in [0045-0046]),
generating, by the computing device, an authentication challenge based on the authentication level (Badri [0044] discloses the system generating authentication challenges based on the score and authentication level, where the user is required to address these authentication challenges, “the score index can be defined as an authentication level, for example, which can require two or more biometric identifiers, for example, fingerprint, Iris recognition, and face detection, as shown in FIG. 5.”, Figure 3 and [0053-0054] requiring the user to reach the target authentication level).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Unnikrishnan in view of Veeraraghavan to incorporate the teaching of Badri to utilize the above feature, with the motivation of enhancing the authentication system through a self-learning process, as recognized by (Badri [0004-0005]).
While the Unnikrishnan in view of Veeraraghavan and Badri disclose the aforementioned limitations. Badri further discloses assigning a score to a plurality of elements associated with the request, e.g. user location, time, frequency of access, and dynamically changing the score based on the aforementioned elements, however, Unnikrishnan in view of Veeraraghavan and Badri does not disclose assigning a score for each element and combining the individual scores into a combined score. Emphases in italic.
assigning, by the computing device, a score to individual elements of the plurality of elements, combining the scores to generate a second score and assigning, by the computing device, an authentication level to the request based on the combined score (Samuels discloses receiving a request with a plurality of attributes/elements, and calculating a score for the individual elements, then combing the scores, i.e. second/combined score, by taking the weighted average as disclosed in Col. 9 line 20-31, in order to eventually determine the authentication level, i.e. whether the system would require additional authentication, Col. 2 line 37-50 “The login request includes several attributes, including in an embodiment an Internet protocol (IP) or other Internet network address for the remote site, a browser ID for the user's browser, the time of day, and the time since the last logon. The improbability of individual attributes of the current login request is calculated, and a composite score is created that measures the improbability of several of the attributes. If the composite score exceeds a threshold of improbability, an additional authentication method is required before the user receives access to the Internet banking host site. In an alternative embodiment, the user receives access to the web site, but has to satisfy the additional authentication requirement before receiving access to particular transaction pages.”, where the individual scores are illustrated in Figure 4, and a combined score).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Unnikrishnan in view of Veeraraghavan to incorporate the teaching of Samuels to utilize the above feature, with 

Regarding claim 2 (Previously Presented), Unnikrishnan in view of Veeraraghavan, Badri and Samuels teaches the method of claim 1, further comprising saving the initial token-by the computing device (Unnikrishnan [0062] “An exemplary authentication component 104 protects authentication artifacts from being misused. As an example, the authentication component 104 may tie an authentication artifact to a client that the authentication artifact was initially issued to. In an example where a device of a client seeks access to multiple secured resources”, examiner asserts that protecting authentication artifacts, which stems from the initial cookies used by the authentication component 104 and connecting them to clients means that the authenticating component 104 is storing the artifacts which stems from the initial token).  

Regarding claim 3 (Previously Presented), Unnikrishnan in view of Veeraraghavan, Badri and Samuels teaches the method of claim 1, further comprising, by the computing device: identifying an authentication service for executing at least one authentication scheme; and including the identification of the authentication service in the authentication parameters (Unnikrishnan [0030] “…the authentication component may inspect the access request and specifically identify whether the client's application is able to be authenticated using a specific authentication protocol”, [0031] “The authentication component generates an authentication challenge to authenticate a client for access to a secured resource…The authentication challenge is presented in a flexible format that can be tailored to a specific type of authentication (i.e. authentication service) (or multiple types of authentication)…Parameters of the authentication challenge may vary, for example, depending on the application that the client 102 is running or the type of authentication the authentication protocol is determining. The challenge contains information about the requested enforcement criteria to aid the client 102 in determining an authentication credential being requested by the authentication component 104. The challenge includes information that would allow the client 102 to easily locate the authentication credential required to authenticate the client 102 such as data related to an issuer of an authentication credential as an example. The challenge may also include challenge-specific data that the client 102 uses in a challenge response as criteria to authenticating the client 102. This includes secured data that is opaque to the client 102 (e.g., encrypted data). Examples of some of the parameters that may be included in an exemplary authentication challenge are highlighted in Table 1.1 below:”, [0032] , examiner asserts that the authentication component would identify a specific authentication protocol for the client device 102, and the authentication parameters/challenge-specific data would aid/allow the client to locate/identify/determine the authentication credentials, to authenticate the client device, where identifying the authentication credentials, etc., correspond to knowledge of the authentication protocol and service required).

Regarding claim 4 (Previously Presented), Unnikrishnan in view of Veeraraghavan, Badri and Samuels teaches the method of claim 3, further comprising: 
Unnikrishnan does not explicitly and collectively disclose the remaining limitations. 
Veeraraghavan discloses upon receipt of the authentication challenge, transmitting, by the client device, an authentication request comprising the initial token (Veeraraghavan Figure 4, after receiving the auth. Request 302, i.e. authentication challenge, informing the client 100 which claims/privileges and authorizations are required, the client transmits authentication requests, including auth. Request 400, which comprises the original token and additional claims provided by IP-STS104); 
receiving, by client device, the updated token which comprises an assertion indicating a status of user authentication upon execution of the at least one authentication scheme (Veeraraghavan [0025-0027] Figure 4, illustrates receiving by the client, PR token, which indicates assertion that the client is authorized and privileged for a service, where the assertion of augmenting the original tokens with claim/privileges/authorization is performed upon authenticating one or more claim providers 106 with the client, i.e. executing authentication scheme with the client 100).  
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Unnikrishnan to incorporate the teaching of Veeraraghavan to incorporate augmented tokens, with the motivation of authentication and authorization so that the client is granted access to services within a domain or across domains based on claims/privileges/authorizations provided to the client, as recognized by (Veeraraghavan [0023, 0030, 0033]).

Regarding claim 5 (Previously Presented), Unnikrishnan in view of Veeraraghavan, Badri and Samuels teaches The method according to claim 4, further comprising: determining, by the client device, upon receipt of the [updated token], whether all authentication schemes included in the identified authentication protocol have been executed (Unnikrishnan [0059] “After update of the data opaque to the client/authentication session cookie, the client 102 or the authentication component 104 may require additional levels of authentication. For example, in a case where a device authentication was performed during an initial authentication challenge, a user authentication of the client 102 may still need to be performed (or alternatively another form of authentication such as service or process authentication etc., may need be performed).”); and 
upon determining that all authentication schemes included in the identified authentication protocol have been executed (Unnikrishnan [0021] “…security authorization may include but are not limited to an authentication artifact (e.g. an authentication cookie, single sign-on token, etc.), an access token, a cryptographic hash of data, a cryptographic signature of data or a certificate. The client 102 may present the security authorization to a network resource (i.e. transmitting token) to be granted access to the network resource.”, [0068] “Once the authentication component evaluates the response the challenge, flow proceeds to operation 310 where the client receives a validation result from the authentication component. The validation result may include an authentication artifact if the client is authenticated by the authentication component.”, [0069] “312 where the client attempts to access another resource using an issued authentication artifact.”), 
Unnikrishnan discloses in [0021] The client 102 may present the security authorization to a network resource (i.e. transmitting authorization) to be granted access to the network resource, however, Unnikrishnan does not explicitly disclose updated token and transmitting the updated token to the resource service. Emphasis in italic.
Veeraraghavan discloses upon determining that all authentication schemes included in the identified authentication protocol have been executed, transmitting the updated token to the computing device (Veeraraghavan discloses in [0033-0034] Figure 4 (316) “This token is then presented 316 to the service which verifies the token and provides service 318 as described above.”, where the transmitting is performed upon authenticating with all the appropriate claims that have been identified in the request as disclosed in [0024]).  
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Unnikrishnan to incorporate the teaching of Veeraraghavan to incorporate augmented tokens, with the motivation of augmenting security token with claims/authentication and authorization so that the client is granted access to services within a domain or across domains based on claims/privileges/authorizations provided to the client, as recognized by (Veeraraghavan [0023, 0030, 0033]).

Regarding claim 6 (Previously Presented), Unnikrishnan in view of Veeraraghavan, Badri and Samuels teaches the method of claim 5,
While Unnikrishnan discloses the aforementioned limitations, including authentication protocols, however Unnikrishnan does not explicitly disclose updated token.
Veeraraghavan teaches further comprising, by the computing device, granting the request for accessing the resource upon determining that the one or more assertions included in the updated token satisfy the identified authentication protocol (Veeraraghavan further discloses in Figure 4 and [0025, 0033-0034] the updated/augmented token received from one or more claim providers 106 and 202 in Figure 4 which enable clients accessing services as discussed above in claim 1., where [0024] “this original request, or subsequent interaction with the service, may identify which claim or claims could be used for authentication. The client 100 sends authentication request 304 to the IP-STS 104 asking that a security token be generated containing appropriate claims.”, where the appropriate claims required for authentication is required for granting access has to be asserted in the augmented token, where the authentication protocol is referred to the authentication protocol required for each claim provider in order to issue the claim to the client).  
authentication and authorization so that the client is granted access to services within a domain or across domains based on claims/privileges/authorizations provided to the client, as recognized by (Veeraraghavan [0023, 0030, 0033]).

Regarding claim 9 (Previously Presented), Unnikrishnan in view of Veeraraghavan, Badri and Samuels teaches the method of claim 6, further comprising, by the computing device: determining whether a timestamp associated with the [updated token] is within a threshold time limit; and granting the request for accessing the resource upon determining that the timestamp is within the threshold time limit (Unnikrishnan [0054-0055] “As examples of parameters that the authentication component 104 validates in the Context parameter or authentication session cookie, the authentication component 104 may include evaluation such as: Check whether the challenge has expired including validation of the timestamp”, where the challenge includes the artifact (e.g., single sign-on cookie or authentication token), which correspond to the token, examiner asserts that setting a timestamp and expiration time correspond to setting a threshold at which the timestamp expires, and validation of the artifact and timestamp for authentication means that access would only be allowed if the timestamp hasn’t expired).

Veeraraghavan discloses the concept of updated token as discussed above in claim 1. Rationale and motivation in claim 1 apply.

Regarding claim 10 (Previously Presented), Unnikrishnan in view of Veeraraghavan, Badri and Samuels teaches the method of claim 5, further comprising upon determining that all authentication schemes included in the identified authentication protocol have not been executed, [transmitting the updated token to a given authentication service] (Unnikrishnan [0059] “After update of the data opaque to the client/authentication session cookie, the client 102 or the authentication component 104 may require additional levels of authentication. For example, in a case where a device authentication was performed during an initial authentication challenge, a user authentication of the client 102 may still need to be performed (or alternatively another form of authentication (i.e. second authentication service) such as service or process authentication etc., may need be performed). In this instance, flow proceeds to operation 210 where an additional authentication request is sent by the client 102 and received at the authentication component 104…the client 102 may present the authentication artifact along with the authentication request to an authentication component that originally issued the authentication artifact.”, examiner notes that the “authentication artifact along with the authentication request to an authentication component that originally issued the authentication artifact”).

Veeraraghavan discloses upon determining that all authentication schemes included in the identified authentication protocol have not been executed, transmitting the updated token to a second authentication service (Veeraraghavan discloses in [0033-034] and figure 4 (400) transmitting augmented token to claim provider 202 in order to enable client access to service in second domain, where the Veeraraghavan discloses in [0024] identifying “appropriate claims” for accessing the service, and Figure 4 illustrates the claim providers 106 and 202 are required to authenticate with the client and update/augment the token accordingly, in order for the client to be granted access to service, where the different claim providers are providing authentication services, examiner asserts that the client is aware that 106 has not provided all the claims/privileges/authorizations identified in [0024], therefore the client seek another claim providers 202 as authentication service to authenticate with the client and to be indicated in the augmented/updated token)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Unnikrishnan to incorporate the teaching of Veeraraghavan to incorporate augmented tokens, with the motivation of augmenting security token with claims/authentication and authorization so that the client is granted access to services within a domain or across domains, as recognized by (Veeraraghavan [0023, 0030, 0033]).

Regarding claim 12 (Previously Presented), Unnikrishnan in view of Veeraraghavan, Badri and Samuels teaches the method of claim 1, wherein the request comprises user information identifying the user (Unnikrishnan discloses in [0059] that the request may include “a user authentication of the client 102 …authentication request including identifying that the client 102 provided an authentication artifact proving that the client 102 has already been authenticated.”, where a request identifying that a client provides authentication artifacts establishing that the client is authenticated, corresponds to user information).  

Regarding claim 31 (Currently Amended), Unnikrishnan teaches a computing system, comprising: a processor; and a non-transitory computer-readable storage medium comprising programming instructions that are configured to cause the processor to implement a method for authenticating a user in the computing system, (Unnikrishnan [0003] “…the present disclosure comprises a device having a memory and a processor.”, [0004] “a computer-readable storage device, having instructions thereon, which when executed on a process cause the processor to execute a process.”, [0016] "FIG. 1 illustrates an overview of a system 100 that may be used to grant access to secured resources of a network...a network may be a distributed environment that includes resources shared by more than one client such as a cloud- computing environment.") wherein the programming instructions comprise instructions to: 
(Unnikrishnan [0030] "Once an authentication component 104 (i.e. computing device) receives an access request from a client", [0025] "client 102 may issue an access request for access to network resource 110"); 
determine context information that corresponds[[ing]] to the request and comprises a plurality of elements (Unnikrishnan [0030] "…component 104 by inspecting a user string or header of the access request.", "user string or header" corresponds to "context information" where the request includes plurality of elements, including data string to indicate the type of authentication the client is able to authenticate, version of the authentication protocol supported, previous challenges, etc., as disclosed in [0029-0030]); 
generate an authentication challenge [in accordance with the authentication level] (Unnikrishnan [0030] “Before generating a challenge to the client's access request, the authentication component 104 may check whether the client 102 has issued a response to a previous challenge”, [0031] "The authentication component generates an authentication challenge to authenticate a client for access to a secured resource"), 
the authentication challenge comprises an initial token issued from the computing device (Unnikrishnan [0031] “Parameters of the authentication challenge may vary…The challenge may also include challenge-specific data that the client 102 uses in a challenge response as criteria to authenticating the client 102”, [0033] “The authentication challenge is designed to be short lived and the authentication component 104 may also maintain state information in a manner that is opaque to the client 102, for example within an authentication session cookie or the encrypted context parameter of the challenge that ensures the challenge is short lived.”, where the data challenge opaque to the client may be authentication cookie included in the challenge as disclosed in [0054], where cookie corresponds to the initial token, where the authentication challenge was generated and issued by the authentication device, i.e. computing device), 
identification of one or more authentication services, and authentication parameters; (Unnikrishnan [0030] “…the authentication component may inspect the access request and specifically identify whether the client's application is able to be authenticated using a specific authentication protocol”, [0031] “The authentication component generates an authentication challenge to authenticate a client for access to a secured resource…The authentication challenge is presented in a flexible format that can be tailored to a specific type of authentication (or multiple types of authentication) (i.e. authentication service) …Parameters of the authentication challenge may vary, for example, depending on the application that the client 102 is running or the type of authentication the authentication protocol is determining. The challenge contains information about the requested enforcement criteria to aid the client 102 in determining an authentication credential being requested by the authentication component 104. The challenge includes information that would allow the client 102 to easily locate the authentication credential required to authenticate the client 102 such as data related to an issuer of an authentication credential as an example. The challenge may also include challenge-specific data that the client 102 uses in a challenge response as criteria to authenticating the client 102. This includes secured data that is opaque to the client 102 (e.g., encrypted data). Examples of some of the parameters that may be included in an exemplary authentication challenge are highlighted in Table 1.1 below:”, [0032], examiner asserts that the authentication component would identify a specific authentication protocol for the client device 102, and the authentication parameters/challenge-specific data would aid/allow the client to locate/identify/determine the authentication credentials, to authenticate the client device, where identifying the authentication credentials, flexible format that can be tailored to a specific type of authentication or multiple types of authentications, etc., correspond to knowledge of the authentication protocol and authentication service(s) required)
receive an [updated token] from the client device in response to transmission of the authentication challenge to the client device (Unnikrishnan discloses in [0050] that after receiving challenge, Figure 2 (206) illustrates receiving the challenge response from client 102 to the authentication component 104, where the response includes Auth.Token as disclosed in the table in [0051] “The authentication component 104 evaluates the authentication response once it is received. The response may be evaluated based on rules established by the authentication protocol of the authentication component 104. The authentication component 104 evaluates the response to determine that the response is authentication protocol compliant, for example, determining whether the response includes protocol identification in the header or a user substring appended to the response.”), 
[the updated token generated by inclusion in the initial token] of an indication of authentication of a user of the client device to the one or more authentication services, the authentication being accomplished with use of the at least one authentication protocol and the authentication parameters of the challenge response (Unnikrishnan discloses in [0050] that after receiving challenge, Figure 2 (206) illustrates the challenge response from client 102 to the authentication component 104, where the response includes Auth.Token, [0051] “The authentication component 104 evaluates the authentication response once it is received. The response may be evaluated based on rules established by the authentication protocol of the authentication component 104. The authentication component 104 evaluates the response to determine that the response is authentication protocol compliant, for example, determining whether the response includes protocol identification in the header or a user substring appended to the response.”, where the response indicates/includes identified protocol which is determined to be authentication protocol complaint by the authentication server, the challenge response further includes authentication parameters, e.g. nonce in table [0031] 1.1. “Examples of some of the parameters that may be included in an exemplary authentication challenge are highlighted in Table 1.1 below: TABLE-US-00001 TABLE 1.1 Challenge field Value Nonce A unique value issued by the server in its challenge. The client is expected to return this value to the server in its signed response in order to perform authentication. The nonce is also persisted within the encrypted context parameter.”), and 
(Unnikrishnan discloses in [0031] that the authentication challenge is tailored to specific type of authentication or multiple authentications, corresponding to the authentication service, which the client has to address in its challenge response in order to be granted access, where the authentication server, as disclosed in [051], evaluates the response and determines that the response is authentication protocol is complaint, where the response include a cookie to be checked and evaluated as disclosed in Figure 2 (206) and [0051] ); and 
provide the client device with access to the resource based on the authentication of the user of the client device to the one or more authentication services [as indicated by the updated token] (Unnikrishnan discloses in Figure 2 the validation process based on the challenge response (206) from the client based on the response which includes the identified protocol being compliant as disclosed in [0051], accordingly and subsequently provide access to resources as disclosed in [0060], where the response has to address “tailored to a specific type of authentication (or multiple types of authentication)”, corresponding to authentication services in order to perform authentication and subsequently the client be granted access to resources).
While Unnikrishnan discloses in [0058] updating opaque data/authentication session cookie for client to use for subsequent access, which suppresses the process of performing an authentication challenge on the client, Unnikrishnan further discloses receiving from the client/computing device a challenge response (206) in response to transmission of the authentication challenge, where the response is illustrated in [0050] as “TABLE-US-00006 Authorization: PKeyAuth AuthToken="<signed JWT>", Context="<same value as in the challenge>", Version="1.0", however, Unnikrishnan does not explicitly disclose that the received from the client/computing device is an updated token.
Veeraraghavan from analogues field of invention disclose receive from the computing device an updated token from the client device in response to transmission of the authentication challenge to the client device (Veeraraghavan discloses in Figure 4 augmented/updated token (Figure 4 (314)) being received by the client/user, where such augmented/updated token (Figure 4 (400)) is further received by the RP-STS from the client/user/computing device, where the further  augmented/updated token (Figure 4 (316)) is eventually received from the client/user/computing device by the service 102, [0027] “The original token may contain sufficient claims, i.e. authentication and privileges, to satisfy the needs of the service 102, or it may not. A process known as claims augmentation can be used to provide any missing claims or to provide supplemental claims which will support authentication and/or authorization of the client. As part of the augmentation process an augmentation request 310 containing the original security token is sent to each claims provider 106 which is registered with the IP-STS 104. Each claims provider will add to the security token those claims which it can assert about the user.”, [0029] “The fully augmented security token is returned to the client 100 as a part of the authorization response 314 to authorization request 304.”, [0033] “The client 100 …supplies the security token generated by the IP-STS 104.”, where the service 102, i.e. computing device, eventually receives augmented token (316), i.e. updated tokens, in response to the authentication request/challenge (302) that identify which claims to be used for authentication and needed for the client (100) to acquire from the IP-STS and RP-STS domains in order for the client to be granted access as disclosed in [0024, 0029]).
the updated token generated by inclusion in the initial token of an indication of authentication of a user of the client device to the one or more authentication services, authentication of the user of the client device to the one or more authentication services as indicated by the updated token (Veeraraghavan discloses in [0027] “The original token (initial token) may contain sufficient claims, i.e. authentication and privileges, to satisfy the needs of the service 102, or it may not. A process known as claims augmentation can be used to provide any missing claims or to provide supplemental claims which will support authentication and/or authorization of the client”, where the augmentation to update the original token, corresponding to the initial token, indicates the authentication and authorization, i.e. authentication service, required by the client in nodes for the service 102 to grant access as disclosed in [0024, 0029]).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Unnikrishnan to incorporate the teaching of Veeraraghavan to incorporate augmented tokens, with the motivation of augmenting security token with claims/authentication and authorization so that the client is granted access to services within a domain or across domains based on claims/privileges/authorizations provided to the client, as recognized by (Veeraraghavan [0023, 0030, 0033]).
Unnikrishnan in view of Veeraraghavan does not disclose the remaining limitations.
Badri discloses assign s [to individual elements of plurality of elements] (Badri teaches a dynamic authentication system [0004], “multi-level and/or a multi-factor authentication system, and is enhanced through a self-learning process”, [0005] “a self-adaptive secure authentication system”, Badri [0044]“…each user can be assigned a default score index based on one or more attributes…Once the input 270 is received by the user track/feedback system 240, the user track/feedback system 240 can change the score index for each user from the previous default score index…the previous default score index can be changed based on an actual location or expected location in which access may be requested by the user…the score index can be defined as an authentication level, for example, which can require two or more biometric identifiers, for example, fingerprint, Iris recognition, and face detection, as shown in FIG. 5.”, where the attributes, e.g. user location, time and authenticator used as disclosed in [0051], which are attributes of the access request, correspond to plurality of elements context information, where the score is dynamically changed and determined based on the attribute, See Figure 3 and Figure 4 illustrating attribute, authentication levels associated with scores);
[combined] score (Badri discloses [0006] “assigning a score index to each of the one or more users in the authentication system for one or more services, the score index representing a security level and corresponding authentication required to access each of the one or more services; inputting each request for services from the one or more users into the authentication system to continuously update the score index for each of the one or more users, each of the requests including one or more authenticators or biometric identifiers for the requested service”, [0044] further discloses score corresponding to authentication level, where the score is based on a plurality of attributes/elements associated with the user, such as location and time, frequency of access, as disclosed in [0045-0046]);
generate an authentication challenge in accordance with the authentication level (Badri [0044] discloses the system generating authentication challenges based on the score and authentication level, where the user is required to address these authentication challenges, “the score index can be defined as an authentication level, for example, which can require two or more biometric identifiers, for example, fingerprint, Iris recognition, and face detection, as shown in FIG. 5.”, Figure 3 and [0053-0054] requiring the user to reach the target authentication level).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Unnikrishnan in view of Veeraraghavan to incorporate the teaching of Badri to utilize the above feature, with the 
While the Unnikrishnan in view of Veeraraghavan and Badri disclose the aforementioned limitations. Badri further discloses assigning a score to a plurality of elements associated with the request, e.g. user location, time, frequency of access, and dynamically changing the score based on the aforementioned elements and determining the authentication level accordingly, however, Unnikrishnan in view of Veeraraghavan and Badri does not disclose assigning a score for each element and combining the individual scores into a combined score. Emphasis in italic.
Samuels discloses assign scores to individual elements of plurality of elements, combining the scores to generate a combined score and assign an authentication level to the request based on the combined score (Samuels discloses receiving a request with a plurality of attributes/elements, and calculating a score for the individual elements, then combing the scores, by taking the weighted average as disclosed in Col. 9 line 20-31, in order to eventually determine the authentication level, i.e. whether the system would require additional authentication, Col. 2 line 37-50 “The login request includes several attributes, including in an embodiment an Internet protocol (IP) or other Internet network address for the remote site, a browser ID for the user's browser, the time of day, and the time since the last logon. The improbability of individual attributes of the current login request is calculated, and a composite score is created that measures the improbability of several of the attributes. If the composite score exceeds a threshold of improbability, an additional authentication method is required before the user receives access to the Internet banking host site. In an alternative embodiment, the user receives access to the web site, but has to satisfy the additional authentication requirement before receiving access to particular transaction pages.”, where the individual scores are illustrated in Figure 4, and a combined score).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Unnikrishnan in view of Veeraraghavan and Badri to incorporate the teaching of Samuels to utilize the above feature, with the motivation of providing a quantitative measure of how improbable, or anomalous, the user's login statistics are from the historical statistics for the user., as recognized by (Samuels Col. 9 line 20-31).

Regarding claim 32 (Previously Presented), Unnikrishnan in view of Veeraraghavan, Badri and Samuels teaches the computing system according to claim 31, wherein the programming instructions further comprise instructions to cause the client device to:
Unnikrishnan does not explicitly and collectively disclose the remaining limitations. 
 Veeraraghavan teaches transmit an authentication request that comprises the initial token (Veeraraghavan Figure 4, after receiving the auth. Request 302, i.e. authentication challenge, informing the client 100 which claims/privileges and authorizations are required, the client transmits authentication requests, including auth. Request 400, which comprises the original token and additional claims provided by IP-STS104); and 
receive the updated token that comprises an assertion indicating a status of user authentication upon execution of the at least one authentication scheme (Veeraraghavan [0025-0027] Figure 4, illustrates receiving by the client, PR token, which indicates assertion that the client is authorized and privileged for a service, where the assertion of augmenting the original tokens with claim/privileges/authorization is performed upon authenticating one or more claim providers 106 with the client, i.e. executing authentication scheme with the client 100).  
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Unnikrishnan to incorporate the teaching of Veeraraghavan to incorporate augmented tokens, with the motivation of augmenting security token with claims/authentication and authorization so that the client is granted access to services within a domain or across domains based on claims/privileges/authorizations provided to the client, as recognized by (Veeraraghavan [0023, 0030, 0033]).
  
Regarding claim 33 (Previously Presented), Unnikrishnan in view of Veeraraghavan, Badri and Samuels teaches the computing system according to claim 31, wherein the programming instructions further comprise instructions to cause the client device to: 
[updated token], whether all authentication schemes included in the identified authentication protocol have been executed (Unnikrishnan [0059] “After update of the data opaque to the client/authentication session cookie, the client 102 or the authentication component 104 may require additional levels of authentication. For example, in a case where a device authentication was performed during an initial authentication challenge, a user authentication of the client 102 may still need to be performed (or alternatively another form of authentication such as service or process authentication etc., may need be performed).”); and 
upon determining that all authentication schemes included in the identified authentication protocol have been executed, [transmit the updated token to the processor] (Unnikrishnan [0021] “…security authorization may include but are not limited to an authentication artifact (e.g. an authentication cookie, single sign-on token, etc.), an access token, a cryptographic hash of data, a cryptographic signature of data or a certificate. The client 102 may present the security authorization to a network resource (i.e. transmitting token) to be granted access to the network resource.”, [0068] “Once the authentication component evaluates the response the challenge, flow proceeds to operation 310 where the client receives a validation result from the authentication component. The validation result may include an authentication artifact if the client is authenticated by the authentication component.”, [0069] “312 where the client attempts to access another resource using an issued authentication artifact.”).  

Veeraraghavan discloses updated token and upon determining that all authentication schemes included in the identified authentication protocol have been executed, transmit the updated token to the processor (Veeraraghavan discloses in [0033-0034] Figure 4 (316) “This token is then presented 316 to the service which verifies the token and provides service 318 as described above.”, where the transmitting is performed upon authenticating with all the appropriate claims that have been identified in the request as disclosed in [0024]).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Unnikrishnan to incorporate the teaching of Veeraraghavan to incorporate augmented tokens, with the motivation of augmenting security token with claims/authentication and authorization so that the client is granted access to services within a domain or across domains based on claims/privileges/authorizations provided to the client, as recognized by (Veeraraghavan [0023, 0030, 0033]).

Regarding claim 34 (Previously Presented), Unnikrishnan in view of Veeraraghavan, Badri and Samuels teaches the computing system according to claim 32, wherein the programming instructions further comprise instructions to cause the processor to grant the access request for accessing the resource upon determining [updated token] satisfy the identified authentication protocol (Unnikrishnan [0069] “operation 312 where the client attempts to access another resource using an issued authentication artifact…When both the client and the authentication artifact are validated, flow may proceed to operation 314 where the client is granted access to the secured resource.”). 
Unnikrishnan does not disclose updated token
Veeraraghavan discloses the updated token as discussed above in claim 32. Rationale and motivation of claim 32 applies.

Regarding claim 35 (Previously Presented), Unnikrishnan in view of Veeraraghavan, Badri and Samuels teaches the method according to claim 1, 
Unnikrishnan does not disclose the remaining limitations.
Veeraraghavan discloses wherein the initial token includes information specifying performance of an execution of the at least one authentication protocol by the one or more authentication services (Veeraraghavan discloses in [0027-0029] and Figure 4 augmenting the original/initial token by a number of claim providers attesting to the user’s authenticity, such that the original/initial token will include claims, i.e. authentication and/or authorization of the client indicating that the client has been authenticated via an authentication protocol/scheme e.g. [0025] (i.e. password, biometric scan, magnetic card swipe, etc.)).  
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Unnikrishnan to incorporate the authentication and authorization so that the client is granted access to services within a domain or across domains based on claims/privileges/authorizations provided to the client, as recognized by (Veeraraghavan [0023, 0030, 0033]).

Regarding claim 36 (Previously Presented) Unnikrishnan in view of Veeraraghavan, Badri and Samuels teaches the method according to claim 1, 
Unnikrishnan teaches in e.g. [0031] authenticating device presenting to the client a challenge indicating the required type of authentications and protocols to be performed, in response the client provides a response which is evaluated to determine whether it indicates that the response is authentication protocol compliant. Therefore, Unnikrishnan discloses the indication comprises assertion indicating compliance, i.e. the client has utilized the required protocol and scheme to authenticate. However, Unnikrishnan does not disclose that the indication is in the context of the updated token.
 Veeraraghavan teaches wherein the indication comprises an assertion indicating a status of user authentication upon execution of at least one authentication scheme (Veeraraghavan discloses in e.g. [0025, 0027] Figure 4 the updated token 406 comprises the original token augmented with claims/privileges indicating that the client has been authenticated with the claim providers 106 and 202, such that when the client transmit 316 the augmented token to the service, the service is able to evaluate that the authentication has been performed between the client the claim providers 106 and 202, [0025] “the user will interact with the claims provider 106 to supply the required criteria (i.e. password, biometric scan, magnetic card swipe, etc.). Once the user has supplied the proper information, the claims provider 106 will generate and populate a security token containing the claims which the selected claims provider 106 can assert about the user.”). 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Unnikrishnan to incorporate the teaching of Veeraraghavan to incorporate augmented tokens, with the motivation of augmenting security token with claims/authentication and authorization so that the client is granted access to services within a domain or across domains based on claims/privileges/authorizations provided to the client, as recognized by (Veeraraghavan [0023, 0030, 0033]).

Claim 7-8 are rejected under 35 U.S.C. 103 as being unpatentable over Unnikrishnan, Veeraraghavan, Badri, Samuels and further in view of Orozco et. al. (US 9935934 B1), hereinafter Orozco.

Regarding claim 7 (Previously Presented), Unnikrishnan in view of Veeraraghavan, Badri and Samuels teaches the method of claim 6, further comprising, 
Unnikrishnan in view of Veeraraghavan, Badri and Samuels does not disclose that such token are discarded after access is granted.
Orozco from analogues field of invention teaches by the computing device, discarding the updated token upon granting the request for accessing the resource (Orozco Col. 9 line 35-45 “upon the expiration time threshold being satisfied (e.g., the time or time period for which the third-party resource access token can be used to access the third-party resource, has been reached or met), the third-party resource access token is removed from the token repository.”).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Unnikrishnan in view of Veeraraghavan, Badri and Samuels to incorporate the teaching of Orozco to discard tokens from the resource service after granting access, with the motivation of enhancing security, protection and controlling authorization access to resources by setting a threshold time allowed for when the access token is available and then removed, as recognized by (Orozco Col. 9 line 35-45).

 Regarding claim 8 (Previously Presented), Unnikrishnan in view of Veeraraghavan, Badri and Samuels teaches the method of claim 6, further comprising, 
Unnikrishnan in view of Veeraraghavan, Badri and Samuels does not disclose that such token are discarded after access is granted.
Orozco from analogues field of invention teaches by the computing device, discarding the initial token upon granting the request for accessing the resource (Orozco Col. 9 line 35-45 “upon the expiration time threshold being satisfied (e.g., the time or time period for which the third-party resource access token can be used to access the third-party resource, has been reached or met), the third-party resource access token is removed from the token repository.”).
removed, as recognized by (Orozco Col. 9 line 35-45).
  
Claim 11 is rejected under 35 U.S.C. 103 as being unpatentable over Unnikrishnan in view of Veeraraghavan, Badri Samuels and further in view of McMurtry et. al. (US 20160191528 A1), hereinafter McMurtry.

Regarding claim 11. (Previously Presented) Unnikrishnan in view of Veeraraghavan, Badri and Samuels teaches the method of claim 1, 
Unnikrishnan discloses initial token and Veeraraghavan discloses the original token, which eventually is augmented/updated with authorization indicating authentication of the client with claim providers, however, Unnikrishnan in view of Veeraraghavan and Badri do not explicitly teach the remaining limitations.
McMurtry from analogues field of invention teaches wherein the initial token comprises an initial assertion indicating successful authentication of one or more authentication credentials included in the access request (McMurtry discloses in [0054] Figure 5 the access request (512) to resources protected resources interfaced by web service, web service response to the client 102 as shown in Figure 5 (514), indicating that it considered the user credentials and additional credentials and authentication may be required as disclosed in [0030-0032] and Figure 2 (204-208). Examiner notes that Figure 2 (204) is the first initial authentication to determine whether additional credentials/authentication is required, if so, then proceed to step Figure (204) by sending a response to the client as shown in [0054] Figure 5 (514) directing the client to the authentication service to completed authentication, [0032] discloses “quality of the credentials already included with the request…”. Examiner asserts that the sending a response from the web service Figure 5 (514) directing the client in Figure 5 (102) to the authentication service (108) seeking additional authentication correspond to initial token indicating success of initial credentials.
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Unnikrishnan in view of Veeraraghavan, Badri and Samuels to incorporate the teaching of McMurtry to utilize authentication of initial credentials and authentication, with the motivation of enhancing security and controlling access to web services and protection of resources, as recognized by (McMurtry, [0005, 0030-0032]).

Claim 16 is rejected under 35 U.S.C. 103 as being unpatentable over Unnikrishnan in view of Veeraraghavan, Badri and Samuels, further in view of Zhu et. al. (US 20180227288 A1), hereinafter Zhu.
Regarding claim 16 (Original), Unnikrishnan in view of Veeraraghavan, Badri and Samuels teaches the method of claim 1, 
 the aforementioned limitations and further teaches accessing secured network resources (Unnikrishnan Figure 1, Abstract), however, Unnikrishnan in view of Veeraraghavan, Badri and Samuels does not disclose that one example of secured/protected resources include self-service password reset service.
Zhu from analogues field of intentioned teaches wherein the resource is a self-service password reset service (Zhu [0015] and Figure 2 user requesting “a password reset service”).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Unnikrishnan in view of Veeraraghavan, Badri and Samuels to incorporate the teaching of Zhu to utilize password reset service, with the motivation of resetting passwords by users to enhance security and mitigate breaches, as recognized by (Zhu [0001, 0005]).

 Claim 17-19 and 27-29 are rejected under 35 U.S.C. 103 as being unpatentable over Unnikrishnan in view of Badri and Samuels.
 
Regarding claim 17. (Currently Amended) Unnikrishnan teaches a computing system, comprising: a processor; and a non-transitory computer-readable storage medium comprising programming instructions that are configured to cause the processor to implement a method for authenticating a user in the computing system (Unnikrishnan [0003] “…the present disclosure comprises a device having a memory and a processor.”, [0004] “a computer-readable storage device, having instructions thereon, which when executed on a process cause the processor to execute a process.”, [0016] "FIG. 1 illustrates an overview of a system 100 that may be used to grant access to secured resources of a network...a network may be a distributed environment that includes resources shared by more than one client such as a cloud- computing environment.", examiner notes that authentication component 104 corresponding to a service for authentication), 
wherein the programming instructions comprise instructions to: 
receive, from a computing device associated with a user, an access request to access a resource associated with a resource service (Unnikrishnan [0030] "Once an authentication component 104 receives an access request from a client (i.e. computing device)", [0025] " client 102 may issue an access request for access to network resource 110"); 
determine context information that corresponds[ing] to the access request and comprises a plurality of elements (Unnikrishnan [0030] "…component 104 by inspecting a user string or header of the access request.", "user string or header" corresponds to "context information", where the request includes plurality of elements, including data string to indicate the type of authentication the client is able to authenticate, version of the authentication protocol supported, previous challenges, etc., as disclosed in [0029-0030]); 
[use the authentication level to] identify an authentication protocol to authenticate the user, wherein the authentication protocol comprises at least one authentication scheme (Unnikrishnan [0029] “…the client 102 may append a user agent string or special data string in the access request to indicate that it is able to authenticate using the authentication protocol, for example receive challenges issued by an authentication protocol...the client 102 may also specify the version of the authentication protocol supported by it in its access request to the authentication component 104.”, where the authentication component uses the information in the string indicating a corresponding authentication protocol, Unnikrishnan further discloses [0030] "the authentication component may inspect the access request and specifically identify whether the client's application is able to be authenticated using a specific authentication protocol.”, [0054] “…the authentication component 104 may apply policy rules set by the authentication protocol or administrator to the data included in or with the authentication challenge.”); 
generate an authentication challenge (Unnikrishnan [0031] "The authentication component generates an authentication challenge to authenticate a client for access to a secured resource"), 
wherein the authentication challenge comprises an initial token and authentication parameters corresponding to the identified authentication protocol (Unnikrishnan [0031] “Parameters of the authentication challenge may vary…The challenge may also include challenge-specific data that the client 102 uses in a challenge response as criteria to authenticating the client 102”, [0033] “[0033] The authentication challenge is designed to be short lived and the authentication component 104 may also maintain state information in a manner that is opaque to the client 102, for example within an authentication session cookie or the encrypted context parameter of the challenge that ensures the challenge is short lived.”, where the data challenge opaque to the client may be authentication cookie included in the challenge as disclosed in [0054], where cookie corresponds to the initial token); and 
transmit the authentication challenge to the computing device (Unnikrishnan [0025] “…the client 102 was authenticated by a challenge issued by the authentication component 104").  
While Unnikrishnan discloses the aforementioned limitations, where Unnikrishnan discloses in [0019] As examples, the authentication component 104 may perform complex authentication where one or more levels of authentication are enforced using multiple pieces of enforcement criteria, however, Unnikrishnan does not disclose the authentication level assigned to the user at the time of the request.
Badri from analogues field of invention teaches assign s [to individual elements of plurality of elements ] (Badri teaches a dynamic authentication system [0004], “multi-level and/or a multi-factor authentication system, and is enhanced through a self-learning process”, [0005] “a self-adaptive secure authentication system”, Badri [0044]“…each user can be assigned a default score index based on one or more attributes…Once the input 270 is received by the user track/feedback system 240, the user track/feedback system 240 can change the score index for each user from the previous default score index…the previous default score index can be changed based on an actual location or expected location in which access may be requested by the user…the score index can be defined as an authentication level, for example, which can require two or more biometric identifiers, for example, fingerprint, Iris recognition, and face detection, as shown in FIG. 5.”, where the attribute, e.g. user location, , time and authenticator used as disclosed in [0051], which are  attributes of the access request, correspond to plurality of context information, where the score is dynamically changed and determined based on the attributes, See Figure 3 and Figure 4 illustrating attributes, authentication levels associated with scores),
assign an authentication level to the access request based on the [combined] score (Badri discloses [0006] “assigning a score index to each of the one or more users in the authentication system for one or more services, the score index representing a security level and corresponding authentication required to access each of the one or more services; inputting each request for services from the one or more users into the authentication system to continuously update the score index for each of the one or more users, each of the requests including one or more authenticators or biometric identifiers for the requested service”, [0044] further discloses score corresponding to authentication level, where the score is based on a plurality of attributes/elements associated with the user, such as location and time, frequency of access, as disclosed in [0045-0046]);
use the authentication level to identify an authentication protocol to authenticate the user, wherein the authentication protocol comprises at least one authentication scheme (Badri [0044] discloses the system generating authentication levels based on the score, where the user is required to address these authentication level, “the score index can be defined as an authentication level, for example, which can require two or more biometric identifiers, for example, fingerprint, Iris recognition, and face detection, as shown in FIG. 5.”, Figure 3 and [0053-0054] requiring the user to reach the target authentication level, where the protocol/authentication scheme is shown in e.g. Figure 5-7, voice, fingerprint, iris, etc.).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Unnikrishnan to incorporate the teaching of Badri to utilize the above feature, with the motivation of enhancing the authentication system through a self-learning process, as recognized by (Badri [0004-0005]).
While the Unnikrishnan in view of Badri disclose the aforementioned limitations. Badri further discloses assigning a score to a plurality of elements associated with the request, e.g. user location, time, frequency of access, and dynamicly changing the score based on the aforementioned elements, however, Unnikrishnan in view of Badri does not disclose assigning a score for each element and combining the individual scores into a combined score. Emphasis in italic.
Samuels discloses assign scores to individual elements of the plurality of elements, combining the scores to generate a combined score and assigning an authentication level to the request based on the combined score (Samuels discloses receiving a request with a plurality of attributes/elements, and calculating a score for the individual elements, then combing the scores, by taking the weighted average as disclosed in Col. 9 line 20-31, in order to eventually determine the authentication level, i.e. whether the system would require additional authentication, Col. 2 line 37-50 “The login request includes several attributes, including in an embodiment an Internet protocol (IP) or other Internet network address for the remote site, a browser ID for the user's browser, the time of day, and the time since the last logon. The improbability of individual attributes of the current login request is calculated, and a composite score is created that measures the improbability of several of the attributes. If the composite score exceeds a threshold of improbability, an additional authentication method is required before the user receives access to the Internet banking host site. In an alternative embodiment, the user receives access to the web site, but has to satisfy the additional authentication requirement before receiving access to particular transaction pages.”, where the individual scores are illustrated in Figure 4, and a combined score).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Unnikrishnan in view of Badri to incorporate the teaching of Samuels to utilize the above feature, with the motivation of providing a quantitative measure of how improbable, or anomalous, the user's login statistics are from the historical statistics for the user., as recognized by (Samuels Col. 9 line 20-31).

Regarding claim 18 (Previously Presented), Unnikrishnan in view of Badri and Samuels teaches the computing system according to claim 17, wherein the programming instructions further comprise instructions to save the initial token (Unnikrishnan [0062] “An exemplary authentication component 104 protects authentication artifacts from being misused. As an example, the authentication component 104 may tie an authentication artifact to a client that the authentication artifact was initially issued to. In an example where a device of a client seeks access to multiple secured resources”, examiner asserts that protecting authentication artifacts, which stems from the initial cookies used by the authentication component 104 and connecting them to clients means that the authenticating component 104 is storing the artifacts which stems from the initial token).

Regarding claim 19 (Previously Presented), Unnikrishnan in view of Badri and Samuels teaches the computing system according to claim 17, wherein: the computing system comprises one or more authentication services; and the programming instructions further comprise instructions to: identify an authentication service of the one or more authentication services, wherein the identified authentication service is configured to execute the at least one authentication scheme; and include an identification of the identified authentication service in the authentication parameters (Unnikrishnan [0030] “…the authentication component may inspect the access request and specifically identify whether the client's application is able to be authenticated using a specific authentication protocol”, [0031] “The authentication component generates an authentication challenge to authenticate a client for access to a secured resource…The authentication challenge is presented in a flexible format that can be tailored to a specific type of authentication (i.e. authentication service) (or multiple types of authentication)…Parameters of the authentication challenge may vary, for example, depending on the application that the client 102 is running or the type of authentication the authentication protocol is determining. The challenge contains information about the requested enforcement criteria to aid the client 102 in determining an authentication credential being requested by the authentication component 104. The challenge includes information that would allow the client 102 to easily locate the authentication credential required to authenticate the client 102 such as data related to an issuer of an authentication credential as an example. The challenge may also include challenge-specific data that the client 102 uses in a challenge response as criteria to authenticating the client 102. This includes secured data that is opaque to the client 102 (e.g., encrypted data). Examples of some of the parameters that may be included in an exemplary authentication challenge are highlighted in Table 1.1 below:”, [0032] , examiner asserts that the authentication component would identify a specific authentication protocol for the client device 102, and the authentication parameters/challenge-specific data would aid/allow the client to locate/identify/determine the authentication credentials to authenticate the client device, where identifying the authentication credentials, etc., correspond to knowledge of the authentication protocol and service required).
  
Regarding claim 27 (Previously Presented), Unnikrishnan in view of Badri and Samuels teaches the computing system according to claim 17, wherein the access request comprises user information identifying the user (Unnikrishnan discloses in [0059] that the request may include “a user authentication of the client 102 …authentication request including identifying that the client 102 provided an authentication artifact proving that the client 102 has already been authenticated.”, where a request identifying that a client provides authentication artifacts establishing that the client is authenticated, corresponds to user information, examiner asserts that for the authentication component to authenticate and validate the user, indicates knowledge of the user from the request and determining whether the client has already been authenticated).  

Regarding claim 28 (Previously Presented), Unnikrishnan in view of Badri and Samuels teaches the computing system according to claim 27, wherein determining the context information corresponding to the access request comprises determining the context information [based on the user information] (Unnikrishnan discloses in [0030] context information in terms of user string or header of the access request).  
Unnikrishnan does not disclose based on the user information
Badri discloses context information based on the user information (Badri [0054] and Figure 4 (410) “FIG. 4, in step 410, the registration system 210 collects user information, service location (for example, via Global Positioning System (GPS), IP address, MAC address), service usage time, authenticators used, etc.”)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Unnikrishnan to incorporate the teaching of Badri to utilize the above feature, with the motivation of enhancing the 

Regarding claim 29 (Previously Presented), Unnikrishnan in view of Badri and Samuels teaches the computing system according to claim 17, 
Unnikrishnan does not disclose the below limitation.
Badri teaches wherein the context information comprises one or more of the following: one or more characteristics of the user, one or more characteristics of the resource (Badri [0054] and Figure 4 (410), “e.g. service usage time”), or one or more characteristics of the computing device (Badri [0054] and Figure 4, “service location”, “IP address, MAC address, service usage time”, which can also be construed as contextual information).  
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Unnikrishnan to incorporate the teaching of Badri to utilize the above feature, with the motivation of enhancing the authentication system through a self-learning process, as recognized by (Badri [0004-0005]).

Claims 20-22 and 25 are rejected under 35 U.S.C. 103 as being unpatentable over Unnikrishnan in view of Badri, Samuels and further in view of Veeraraghavan.

Regarding claim 20 (Previously Presented), Unnikrishnan in view of Badri and Samuels teaches the computing system according to claim 19, 
Unnikrishnan in view of Badri and Samuels do not explicitly and collectively disclose the remaining limitations. 
Veeraraghavan from analogues field of invention discloses 
wherein the programming instructions further comprise instructions to cause the computing device to: 
transmit an authentication request that comprises the initial token (Veeraraghavan Figure 4, after receiving the auth. Request 302, i.e. authentication challenge, informing the client 100 which claims/privileges and authorizations are required, the client transmits authentication requests, including auth. Request 400, which comprises the original token and additional claims provided by IP-STS104); and 
receive, by the computing device, an updated token that comprises an assertion indicating a status of user authentication upon execution of the at least one authentication scheme (Veeraraghavan [0025-0027] Figure 4, illustrates receiving by the client, PR token, which indicates assertion that the client is authorized and privileged for a service, where the assertion of augmenting the original tokens with claim/privileges/authorization is performed upon authenticating one or more claim providers 106 with the client, i.e. executing authentication scheme with the client 100).  
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Unnikrishnan in view of Badri and Samuels to incorporate the teaching of Veeraraghavan to incorporate augmented tokens, with the motivation of augmenting security token with claims/authentication and authorization so that the client is granted access to services within a domain or across domains based on claims/privileges/authorizations provided to the client, as recognized by (Veeraraghavan [0023, 0030, 0033]).

Regarding claim 21. (Previously Presented) Unnikrishnan in view of Badri, Samuels teaches and Veeraraghavan teaches the computing system according to claim 20, wherein the programming instructions further comprise instructions to cause the computing device to: 
determine, upon receipt of the [updated token], whether all authentication schemes included in the identified authentication protocol have been executed (Unnikrishnan [0059] “After update of the data opaque to the client/authentication session cookie, the client 102 or the authentication component 104 may require additional levels of authentication. For example, in a case where a device authentication was performed during an initial authentication challenge, a user authentication of the client 102 may still need to be performed (or alternatively another form of authentication such as service or process authentication etc., may need be performed).”); and 
upon determining that all authentication schemes included in the identified authentication protocol have been executed (Unnikrishnan [0021] “…security authorization may include but are not limited to an authentication artifact (e.g. an authentication cookie, single sign-on token, etc.), an access token, a cryptographic hash of data, a cryptographic signature of data or a certificate. The client 102 may present the security authorization to a network resource (i.e. transmitting token) to be granted access to the network resource.”, [0068] “Once the authentication component evaluates the response the challenge, flow proceeds to operation 310 where the client receives a validation result from the authentication component. The validation result may include an authentication artifact if the client is authenticated by the authentication component.”, [0069] “312 where the client attempts to access another resource using an issued authentication artifact.”), 
Badri disclose updating the authentication score, updated score associated with the authentication level, however, Unnikrishnan in view of Badri and Samuels do not explicitly disclose the remaining limitations. 
Veeraraghavan teaches upon determining that all authentication schemes included in the identified authentication protocol have been executed, transmit the updated token to the resource service (Veeraraghavan discloses in [0033-0034] Figure 4 (316) “This token is then presented 316 to the service which verifies the token and provides service 318 as described above.”, where the transmitting is performed upon authenticating with all the appropriate claims that have been identified in the request as disclosed in [0024]).  

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Unnikrishnan in view of Badri and Samuels to incorporate the teaching of Veeraraghavan to incorporate augmented tokens, with the motivation of augmenting security token with claims/authentication and authorization so that the client is granted access to services within a domain or across domains based on claims/privileges/authorizations provided to the client, as recognized by (Veeraraghavan [0023, 0030, 0033]).

Regarding claim 22. (Previously Presented) Unnikrishnan in view of Badri, Samuels and Veeraraghavan teaches the computing system according to claim 21, wherein the programming instructions further comprise instructions to cause the processor to grant the access request for accessing the resource upon determining that the one or more assertions included in the [updated token] satisfy the identified authentication protocol (Unnikrishnan [0069] “operation 312 where the client attempts to access another resource using an issued authentication artifact…When both the client and the authentication artifact are validated, flow may proceed to operation 314 where the client is granted access to the secured resource.”).
  	Unnikrishnan in view of Badri and Samuels do not disclose updated token.
Veeraraghavan discloses the updated token as discussed above in claim 21. Rationale and motivation apply.

Regarding claim 25 (Previously Presented) Unnikrishnan in view of Badri, Samuels Veeraraghavan teaches the computing system according to claim 22, wherein the programming instructions further comprise instructions to cause the processor to: determine whether a timestamp associated with the [updated token] is within a threshold time limit; and grant the access request for accessing the resource (Unnikrishnan [0054-0055] “As examples of parameters that the authentication component 104 validates in the Context parameter or authentication session cookie, the authentication component 104 may include evaluation such as: Check whether the challenge has expired including validation of the timestamp”, where the challenge includes the artifact (e.g., single sign-on cookie or authentication token), which correspond to the token, examiner asserts that setting a timestamp and expiration time correspond to setting a threshold at which the timestamp expires, and validation of the artifact and timestamp for authentication means that access would only be allowed if the timestamp hasn’t expired).  
Unnikrishnan in view of Badri and Samuels do not disclose updated token.
Veeraraghavan discloses the concept of updated token as discussed above in claim 22. Rationale and motivation in claim 22 apply.

Claims 23-24 are rejected under 35 U.S.C. 103 as being unpatentable over Unnikrishnan in view of Badri, Samuels, Veeraraghavan and further in view of Orozco et. al. (US 9935934 B1), hereinafter Orozco.

Regarding claim 23 (Previously Presented), Unnikrishnan in view of Badri, Samuels and Veeraraghavan teaches the computing system according to claim 22, 
While Unnikrishnan in view of Badri, Samuels and Veeraraghavan teaches initial and updated token as disclosed in the rationales of claim 20 and 22 above, however, 
Orozco from analogues field of invention teaches wherein the programming instructions further comprise instructions to cause the processor to discard the updated token upon granting the access request for accessing the resource (Orozco Col. 9 line 35-45 “upon the expiration time threshold being satisfied (e.g., the time or time period for which the third-party resource access token can be used to access the third-party resource, has been reached or met), the third-party resource access token is removed from the token repository.”).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Unnikrishnan in view of Badri, Samuels and Veeraraghavan to incorporate the teaching of Orozco to discard tokens from the resource service after granting access, with the motivation of enhancing security, protection and controlling authorization access to resources by setting a threshold time allowed for when the access token is available and then removed, as recognized by (Orozco Col. 9 line 35-45).
  
Regarding claim 24 (Previously Presented), Unnikrishnan in view of Badri, Samuels and Veeraraghavan teaches the computing system according to claim 22, 
While Unnikrishnan in view of Badri, Samuels and Veeraraghavan teaches initial and updated token as disclosed in the rationales of claim 20 and 22 above, however,  does not disclose that such token are discarded after access is granted.
Orozco from analogues field of invention teaches wherein the programming instructions further comprise instructions to cause the processor to discard the initial token upon granting the access request for accessing the resource (Orozco Col. 9 line 35-45 “upon the expiration time threshold being satisfied (e.g., the time or time period for which the third-party resource access token can be used to access the third-party resource, has been reached or met), the third-party resource access token is removed from the token repository.”).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Unnikrishnan in view of Badri, Samuels and Veeraraghavan to incorporate the teaching of Orozco to discard tokens from the resource service after granting access, with the motivation of enhancing security, protection and controlling authorization access to resources by setting a threshold time allowed for when the access token is available and then removed, as recognized by (Orozco Col. 9 line 35-45).

Claim 26 is rejected under 35 U.S.C. 103 as being unpatentable over Unnikrishnan in view of Badri and Samuels and further in view of McMurtry.
 
Regarding claim 26. (Previously Presented) Unnikrishnan in view of Badri, Samuels teaches the computing system according to claim 17, 
 discloses in Unnikrishnan [0021, 0062] “If the client 102 is authenticated, the authentication component 104 may issue a security authorization to the client 102 to allow access to a secured network resource such as network resource 112. Examples of a security authorization may include but are not limited to an authentication artifact (e.g. an authentication cookie, single sign-on token, etc.), an access token, a cryptographic hash of data, a cryptographic signature of data or a certificate. The client 102 may present the security authorization to a network resource to be granted access to the network resource.”, where the authentication artifact (authentication token/cookie) stems from initial cookie/token, however, Unnikrishnan in view of Badri and Samuels do not disclose wherein the initial token comprises an initial assertion indicating successful authentication of one or more authentication credentials included in the access request, emphasis in bold.
McMurtry discloses wherein the initial token comprises an initial assertion indicating successful authentication of one or more authentication credentials included in the access request (McMurtry discloses in [0054] Figure 5 the access request (512) to resources protected resources interfaced by web service, web service response to the client 102 as shown in Figure 5 (514), indicating that it considered the user credentials and additional credentials and authentication may be required as disclosed in [0030-0032] and Figure 2 (204-208). Examiner notes that Figure 2 (204) is the first initial authentication to determine whether additional credentials/authentication is required, if so, then proceed to step Figure (204) by sending a response to the client as shown in [0054] Figure 5 (514) directing the client to the authentication service to completed authentication, [0032] discloses “quality of the credentials already included with the request…”. Examiner asserts that the sending a response from the web service Figure 5 (514) directing the client in Figure 5 (102) to the authentication service (108) seeking additional authentication correspond to initial token indicating success of initial credentials.
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Unnikrishnan in view of Badri and Samuels to incorporate the teaching of McMurtry to utilize authentication of initial credentials and authentication, with the motivation of enhancing security and controlling access to web services and protection of resources, as recognized by (McMurtry, [0005, 0030-0032]).

	Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to BASSAM A NOAMAN whose telephone number is (571)272-2705. The examiner can normally be reached Monday-Friday 8:30 AM-5:00PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Eleni A. Shiferaw can be reached on (571) 272-3867. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 





/BASSAM A NOAMAN/Examiner, Art Unit 2497                                                                                                                                                                                                        /ELENI A SHIFERAW/Supervisory Patent Examiner, Art Unit 2497