DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Continued Examination under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 01/26/2022, for application 16/143,540 has been entered.
This Office Action is in response to the Amendment filed on 01/26/2022. In the instant amendment: Claims 1, 6, 9, 13 and 18 have been amended and claims 1, 9 and 13 are independent claims. Claims 1-20 have been examined and are pending. 
Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.



the device.” The phrase lacks antecedent basis and the identity of “the device” (e.g., user’s mobile device, computer, server, etc.) is unclear and cannot be ascertained. Correction is required. 
Response to Arguments
Applicants’ arguments with respect to amended claims 1, 9 and 13 have been considered but are moot in view of the new ground(s) of rejection. Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. 
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically discloses as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.
Claims 1, 2, 6, 9, 10, 13, 14, and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Ortiz et al. (“Ortiz,” US 11210648, filed Mar 8, 2017) in view of Sa (“Sa,” US 20200402152, filed May 10 2018). 
Regarding claim 1, Ortiz discloses a computer-implemented method comprising: 
assigning, by one or more processing units of an authorization system, a first token to authorize a first client to access at least one protected resource of a resource owner (Ortiz FIGs 5A-5C, col. 12: 42-47; col. 13: 54-59. At 2606, the user 104 can designate a recipient for a pre-funded token [e.g., gift card token, see col. 12: 9-14] by using a command sequence adapted to enable the user 104 to select the recipient, and thereby identify a transferee address information data item, from a convenient, pre-existing list in a contacts folder, or through a wide variety of social platforms. Optionally any or all of the designated information can be displayed on a device 610, display 4040, along with any data generated or retrieved by the token request application 300, 306, for confirmation by the user 104, prior to routing of the request to an authorized pre-funded token administration system 100 for adjudication and issuance of the pre-paid token [to the recipient]), 
wherein the first token depends on an access session between the authorization system and the first client, and wherein a scope of authorization of the first token is determined by receiving a set of authorization options from the resource owner, the set of authorization options represented graphically within a user interface and selectable by a user (Ortiz FIG. 5C,  col. 11: 40-44; col. 12: 21-31.  As a further option, one or more expiration dates and/or times may be associated with the token, so that after a given amount of time has elapsed, or after a predetermined date and/or time has passed, a token may be temporarily or permanently and wholly or partially disabled. In such a case, at 2604 invocation of a ‘send eGift’ process by selection of such a corresponding display icon within the virtual wallet or merchant app 300, 306 can result in generation of an interactive catalog or list display 4000 such as that shown in the first (top left) of the eight interface screens shown in FIG. 5C, for capture or designation of further relevant data. As a next step, still at 2604 in FIG. 5A, the user 104 can select any of catalog items 4004, to elect to browse the same or another a virtual catalog of goods and services and generate a pre-funded token representing payment for one or more particular items and/or services; an item 4006, to elect to generate one or more pre-funded tokens representing a monetary value to be used as whole or partial payment for a transaction; or an item 4008 to generate one or more pre-funded tokens representing a real or virtual gift card.); 
assigning, by the one or more processing units of the authorization system and based on the assigning of the first token, a second token associated with at least one long-term protected resource of the resource owner to the first client, wherein the second token is independent from the access session (Ortiz col.26: 59-65; col. 27: 13-16. For example, a pre-authorized token associated with pre-authorized negotiable value of $100 can be split into two tokens, each valued at $50, one token valued at $50 and five valued at $10, etc. As will be readily understood by those skilled in the relevant arts, routing of multiple token data sets 11 can include routing multiple token data sets to a single recipient 105, and/or single tokens to multiple recipients 105. [Per col. 11: 40-45, tokens, include split tokens, can be issued without an expiration time, and thus independent of access sessions.] ), 
and wherein the second token is stored, according to the first client, in a table of the authorization system; in response to the assigning of the first token or the second token: (Ortiz col. 15: 64-67; col. 16: 1-4; col. 26: 59-65. At 2614, conditioned upon tender to the token administrator 100 or designated FI 101 of adequate funding sources, a (negotiable) pre-funded token can be issued. As shown at 206 in FIG. 1, [ ] alternatively the token may be routed for secure, remote storage in the cloud, for forwarding subject to a later authorized request. For example, a pre-authorized token associated with pre-authorized negotiable value of $100 can be split into two tokens, each valued at $50, one token valued at $50 and five valued at $10, etc.); 
in response to receiving a request from a second client after the session has expired, the request including the second token, and in response to validating the second client against the table (Ortiz FIGs 6A-6B, col. 24 30-40; col. 25: 2-5; col. 26: 20-25. Upon completion of such registration or certification, [ ] such device(s) and/or application(s) may be provided with one or more secure electronic tokens or identifiers useable by the trusted platform and other devices, such as payment account administration servers, to verify or otherwise identify a trusted relationship with the requesting communication device 106. As described herein, such tokens or identifiers may be the included with, or distinct from, secure pre-funded tokens 11 that can be provisioned to such request communication devices for use in the processing and completion of mobile payments. At 2710, 214 a recipient 105 of a pre-funded token data set 11 can initiate a process of redeeming the pre-funded token by, for example, using a merchant internet website shopping application 300. At 2718, the token account administrator 100, the merchant 102, and/or the recipient's device 106B can complete processing of the transaction 2710 and confirmation of the transaction, including for example generation and issuance of any required or desired transaction receipt or notification data sets. [Per col. 11: 40-45, tokens, include split tokens, can be issued with or without an expiration time. Thus, a token issued without expiration time can be used at any time after other tokens has expired, etc.]). 
Ortiz does not explicitly disclose: obtaining, by a resource collector module of the authorization system, the at least one long-term protected resource from the device; storing, in a resource database of the authorization system, the at least one obtained long-term protected resource in a resource database; and transmitting, from the resource database of the authorization system, the at least one long-term protected resource to the second client.
However, in an analogous art, Sa discloses a method, comprising: 
obtaining, by a resource collector module of the authorization system, the at least one long-term protected resource from the device; storing, in a resource database of the authorization system, the at least one obtained long-term protected resource in a resource database (Sa, [0074], [0076]. The user profile store 636 maintains information about user accounts, including biographic, demographic, and other types of descriptive information, such as work experience, educational history, hobbies or preferences, location, and the like that has been declared by users or inferred by the social networking system 630. The connection store 638 includes data structures suitable for describing a user's connections to other users, connections to external systems 620 or connections to other entities. The connection store 638 may also associate a connection type with a user's connections, which may be used in conjunction with the user's privacy setting to regulate access to information about the user. [Note that the social networking system can authorize other users to view a user’s profile and other information, see [0086].] ); and 
Sa [0086]. The authorization server 644 contains logic to determine if certain information associated with a user can be accessed by a user's friends, external systems 620, and/or other applications and entities. The external system 620 may need authorization from the authorization server 644 to access the user's more private and sensitive information, such as the user's work phone number. Based on the user's privacy settings, the authorization server 644 determines if another user, the external system 620, an application, or another entity is allowed to access information associated with the user, including information about actions taken by the user.). 
Therefore, it would have been obvious to one of ordinary skill in the art on or before the effective filing date of the claimed invention to combine the teachings of Sa with teachings of Ortiz to include the steps of:  storing, in a resource database of the authorization system, the at least one obtained long-term protected resource in a resource database; and transmitting, from the resource database of the authorization system, the at least one long-term protected resource to the second client, to provide users with a means for managing, using a token-based authorization, the extent of disclosure of a user’s social networking profile and usage information to authorized peer users.  (See Sa [0086].)
Regarding claim 2, Ortiz and Sa disclose the method of claim 1. Ortiz further discloses wherein the at least one long-term protected resource is a part of the at least one protected resource, wherein the part comprises account information of the resource owner in the first client (Ortiz col. 9: 40-55. [A]  first user 104 can cause his/her device 106A to request generation or other acquisition of a pre-funded token data set 11 representing a desired negotiable value in virtual currency, and store it for immediate or future use in a virtual wallet application 306A or other secure memory 306 of the device 106, 106A. Any such additional authorized transaction value may be funded by any resources controlled by such user 104/device 106A, including for example any debit, credit, loyalty, or rewards accounts administered on the user's behalf by a token administration system 100 or other account administration or FI system(s) 101.). 
Regarding claim 6, Ortiz and Sa disclose the method of claim 1. Sa further discloses wherein: the protected resource is hosted by a device separated from the authorization system (Sa,  [0074], [0076]. The user profile store 636 maintains information about user accounts, including biographic, demographic, and other types of descriptive information, such as work experience, educational history, hobbies or preferences, location, and the like that has been declared by users or inferred by the social networking system 630. The connection store 638 includes data structures suitable for describing a user's connections to other users, connections to external systems 620 or connections to other entities. The connection store 638 may also associate a connection type with a user's connections, which may be used in conjunction with the user's privacy setting to regulate access to information about the user. [Note that in FIG. 6,  the social networking system’s Authorization Server 644 is separate from user profile store 636 and connection store 638.] ).
 The motivation is the same as that of claim 1 above. 
Regarding claim 9, claim 9 is directed to a system corresponding to the method of claim 1. Claim 9 is similar in scope to claim 1 and is therefore rejected under similar rationale. 
Regarding claim 10, claim 10 is directed to a system corresponding to the method of claim 2. Claim 10 is similar in scope to claim 2 and is therefore rejected under similar rationale. 
Regarding claim 13, claim 13 is directed to a computer program product corresponding to the system of claim 1. Claim 13 is similar in scope to claim 1 and is therefore rejected under similar rationale. 
Regarding claim 14, claim 14 is directed to a computer program product corresponding to the system of claim 2. Claim 14 is similar in scope to claim 2 and is therefore rejected under similar rationale. 
Regarding claim 18, claim 18 is directed to a computer program product corresponding to the system of claim 6. Claim 18 is similar in scope to claim 6 and is therefore rejected under similar rationale. 
Claims 8 and 12 are rejected under 35 U.S.C. 103 as being unpatentable over Ortiz et al. (“Ortiz,” US 11210648, filed Mar 8, 2017) in view of Sa (“Sa,” US 20200402152, filed May 10 2018) and Hinton et al. (“Hinton,” US 20090205032, published Aug. 13, 2009). 
Regarding claim 8, Ortiz and Sa disclose the method of claim 1. Ortiz and Sa do not explicitly disclose: wherein a lifetime of the second token is set to be longer than a 
However, in an analogous art, Hinton discloses a method, comprising: wherein a lifetime of the second token is set to be longer than a lifetime of the first token (Hinton [0023]. In connected mode, the application typically is able to leverage the network to request from the identity provider a fresh token, e.g., as generated at request time for the use at the appropriate connected application. According to one embodiment, and as illustrated in FIG. 5, the mobile device user obtains a “long term' token 505. Preferably, the token is used to obtain authentication (or otherwise to assert the user's authenticated identity) when the mobile device is operating in an identity provider-disconnected mode environment. The duration of the token may be set in various timeframes, such as one (1) day, one (1) week, or the like.); and 
wherein the first token is prioritized over the second token until the access session is terminated (Hinton [0023]. This token is sometimes referred to herein as a “long term' token to contrast that it is usable (theoretically) during time periods when the mobile device is not then connected to the identity provider. Typically, the token is not used when the mobile device is operating in connected mode, i.e. when the mobile device is connected to the identity provider. In connected mode, the application typically is able to leverage the network to request from the identity provider a fresh token, e.g., as generated at request time for the use at the appropriate connected application. The token that is used in identity provider-disconnected mode as described herein may not be associated with the same level of privileges as provided with a one-time-use token generated and used in connected mode.).  
See Hinton [0023].)
Regarding claim 12, claim 12 is directed to a system corresponding to the method of claim 8. Claim 12 is similar in scope to claim 8 and is therefore rejected under similar rationale. 
Claims 3, 4, 7, 11, 15, 16 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Ortiz et al. (“Ortiz,” US 11210648, filed Mar 8, 2017) in view of Sa (“Sa,” US 20200402152, filed May 10 2018) and McEnroe et al. (“McEnroe,” US 20070203714, published Aug. 30, 2017). 
Regarding claim 3, Ortiz and Sa disclose the method of claim 1. Ortiz further discloses a second client (Ortiz col.26: 59-65; col. 27: 13-16. For example, a pre-authorized token associated with pre-authorized negotiable value of $100 can be split into two tokens, each valued at $50, one token valued at $50 and five valued at $10, etc. As will be readily understood by those skilled in the relevant arts, routing of multiple token data sets 11 can include routing multiple token data sets to a single recipient 105, and/or single tokens to multiple recipients 105.). 

However, in an analogous art, McEnroe discloses a method comprising the steps of determining, by one or more processing units, whether a further client has been granted by the resource owner to access the at least one long-term protected resource; and in response to determining that the further client has been granted, sharing, by one or more processing units of the [second] client, the second token with the further client (McEnroe FIGs 5, 7, [0063], [0070]. The first type of token is assigned to a first client (block 508), such as by assigning the HD token 202(1) to client device 106(1). A second client then attempts to consume content that would cause the viewing system to exceed the allocated bandwidth (block 510). Further, these tokens represent the maximum amount of bandwidth allocated to the viewing system 104. Therefore, if the client device 106(N) was to consume content, that content consumption may exceed the bandwidth allocated by the con tent provider 102. After the request is processed, a response is formed for communication to the at least one client device that indicates whether the additional bandwidth has been purchased (block 616). A variety of other examples are also contemplated, such as [ ]a permanent token that permits consumption of the additional amount of content based on a subscription, and so on.); and 
storing the second token, according to the further client, in the table of the authorization system (McEnroe [0041]. The manager client device 106(1), for instance, may maintain a token listing 204 in storage 122 which lists which tokens 202(1)-202(4) have been assigned to which respective client devices 106(1)-106(4). In the illustrated example, because client device 106(N) does not include one of the tokens 202(1)-202(N), the client device 106(N) is not authorized to consume content 110(c) from the content provider 102.); and 
wherein the second token authorizes access to a subset of the at least one long-term protected resource (McEnroe [0070]. TA variety of other examples are also contemplated, such as for purchase of a temporary token for a limited period, a permanent token that permits consumption of the additional amount of content based on a subscription, and so on.)
Therefore, it would have been obvious to one of ordinary skill in the art on or before the effective filing date of the claimed invention to combine the teachings of McEnroe with teachings of Ortiz and Sa to include the steps of: determining, by one or more processing units, whether a further client has been granted by the resource owner to access the at least one long-term protected resource; and in response to determining that the further client has been granted, sharing, by one or more processing units of the client, the second token with the further client has been granted, sharing, by one or more processing units of the client, the second token with the further client; and storing the second token, according to the further client, in the table of the authorization system, See McEnroe [0070].)

Regarding claim 4, Ortiz, Sa and McEnroe disclose the method of claim 3. McEnroe further discloses: in response to receiving from the further client a further request including the second token and validating the further client against the table, providing, by one or more processing units, the at least one long-term protected resource to the further client (McEnroe FIGs 5, 7, [0041], [0070]. The manager client device 106(1), for instance, may maintain a token listing 204 in storage 122 which lists which tokens 202(1)-202(4) have been assigned to which respective client devices 106(1)-106(4). In the illustrated example, because client device 106(N) does not include one of the tokens 202(1)-202(N), the client device 106(N) is not authorized to consume content 110(c) from the content provider 102. After the request is processed, a response is formed for communication to the at least one client device that indicates whether the additional bandwidth has been purchased (block 616). A variety of other examples are also contemplated, such as [ ]a permanent token that permits consumption of the additional amount of content based on a Subscription, and so on.). 
The motivation is the same as that of claim 3 above. 
Regarding claim 7, Ortiz and Sa disclose the method of claim 6. McEnroe further discloses in response to a trigger to update the at least one long-term protected resource, requesting, by one or more processing units, the at least one updated long-term (McEnroe FIG. 6, [0070]. After the request is processed, a response is formed for communication to the at least one client device that indicates whether the additional bandwidth has been purchased (block 616). The response may be formed in a variety of ways. For example, the response may be a token that permits consumption of a particular content item (e.g., a VOD movie), consumption of a content stream for a designated amount of time (e.g., to permit the client device 106(N) to consume a content stream from different television channels), and so on. );
obtaining, by one or more processing units, the at least one updated long-term protected resource from the device (McEnroe FIG. 6, [0070]. After the request is processed, a response is formed for communication to the at least one client device that indicates whether the additional bandwidth has been purchased (block 616). The response may be formed in a variety of ways. For example, the response may be a token that permits consumption of a particular content item (e.g., a VOD movie), consumption of a content stream for a designated amount of time (e.g., to permit the client device 106(N) to consume a content stream from different television channels), and so on. ); and  
storing, by one or more processing units, the at least one updated long-term protected resource (McEnroe FIG. 2, [0055]. Therefore, the [sporting] event may be streamed to the remote client device 106(N) from the manager client device 106(1), [ ] e.g., streaming content from storage 122 of the manager client device 106(1) to the remote client device 106(N). [i.e., the content is available at a manager client device 106(1) such as mobile phones, game consoles, or other devices. See [0032].]).  
See McEnroe [0070].). The Th
Regarding claim 11, Ortiz and Sa disclose the method of claim 9. McEnroe further discloses generating, by the first client, a client-specific resource based on the at least one long-term protected resource (McEnroe FIG. 2, [0055]. Therefore, the [sporting] event may be streamed to the remote client device 106(N) from the manager client device 106(1), [ ] e.g., streaming content from storage 122 of the manager client device 106(1) to the remote client device 106(N). [i.e., the content is available at a manager client device 106(1) such as mobile phones, game consoles, or other devices. See [0032].]); and  P201707408US01Page 38 of 42
presenting, by the second client, at least one of the at least one long-term protected resource and the generated client-specific resource(McEnroe FIG. 6, [0070]. After the request is processed, a response is formed for communication to the at least one client device that indicates whether the additional bandwidth has been purchased (block 616). The response may be formed in a variety of ways. For example, the response may be a token that permits consumption of a particular content item (e.g., a VOD movie), consumption of a content stream for a designated amount of time (e.g., to permit the client device 106(N) to consume a content stream from different television channels), and so on. ).  
Therefore, it would have been obvious to one of ordinary skill in the art on or before the effective filing date of the claimed invention to combine the teachings of McEnroe with teachings of Ortiz and Sa to include: generating, by one or more processing units, a client-specific resource based on the at least one long-term protected resource wherein the second token authorizes access to a subset of the at least one long-term protected resource, presenting, by one or more processing units, at least one of the at least one long-term protected resource and the generated client-specific resource, to provide users with a means for assigning access tokens to additional users and/or devices according to online content purchases and network resources needs.  (See McEnroe [0070].). 
Regarding claim 15, claim 15 is directed to a computer program product corresponding to the system of claim 3. Claim 15 is similar in scope to claim 3 and is therefore rejected under similar rationale. 
Regarding claim 16, claim 16 is directed to a computer program product corresponding to the system of claim 4. Claim 16 is similar in scope to claim 4 and is therefore rejected under similar rationale. 
Regarding claim 19, claim 19 is directed to a computer program product corresponding to the system of claim 7. Claim 19 is similar in scope to claim 7 and is therefore rejected under similar rationale. 
Claims 5 and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Ortiz et al. (“Ortiz,” US 11210648, filed Mar 8, 2017) in view of Sa (“Sa,” US 20200402152, filed May 10 2018), McEnroe et al. (“McEnroe,” US 20070203714, published Aug. 30, 2017) and Saxman et al. (“Saxman,” US 20140026193, published Jan 23, 2014). 
Regarding claim 5, Ortiz, Sa and McEnroe disclose the method of claim 3. 
Ortiz and Sa do not explicitly disclose: receiving, by the one or more processing units, a request from the resource owner to revoke access to the protected resource by the second client; updating the table of the authorization system to reflect the revoked access for the device without invalidating the second token; receiving, from the device, an access request for the protected resource; and in response to querying the table and determining the second client is not authorized, denying access to the protected resource by the device.
However, in an analogous art, Saxman discloses a method comprising the steps of:  
receiving, by the one or more processing units, a request from the resource owner to revoke access to the protected resource by the second client (Saxman [0104]. The authentication server 102 receives (944) from the personal device 106 a command to revoke access privileges associated with the access token 322. The authentication server determines (948) that the access privileges associated with the access token 322 have been revoked, and notifies (950) the resource server 104 that the validation request failed. The notification thereby prevents (950) access to the personal information 114 by the shared user device 108. );
updating the table of the authorization system to reflect the revoked access for the device without invalidating the second token (Saxman FIG. 2, [0080], [0086] – [0087]. When the movement exceeds (618) the threshold amount, the personal device 106 revokes (620) the access privileges corresponding to the access token. The revocation is transmitted (620) to the credential server 102. Once the credential server 102 receives the revocation, the credential server 102 will deny (614) access in response to all subsequent requests to validate (612). In some implementations, a permanent access token 226 is stored on the personal user device 106, and the permanent token is transmitted (708) to the credential server. When the credential server 102 receives the credentials from the personal user device 106, the credential server 102 creates a temporary access token 322 with appropriate privileges to access the personal information 114. [Note that is it the temporary token that is subject to expiration time and/or location restraints. Also note that the “second token” does not depend on access session, per claim 1.].); 
receiving, from the device, an access request for the protected resource (Saxman [0059]. After receiving the request, the personal user device 106 provides (604) user credentials to the credential server 102. In some implementations, the credentials are supplied by the user 110 using the user interface 206 of the personal user device 106 (e.g., user ID and password). In some implementations, a permanent access token 226 is stored on the personal user device 106, and the permanent token is transmitted (604) to the credential server.); and 
Saxman [0060], [0064] – [0065], [0069]. When the credential server 102 receives the credentials from the personal user device 106, the credential server 102 creates a temporary access token 322 with appropriate privileges to access the personal information 114. The credential server 102 looks up the temporary access token 322 in its token database 522. Several different scenarios can occur, including:  The temporary access token 322 exists in the database 522, but all privileges have been revoked; The temporary access token 322 exists in the database 522, but the specific portion of information 114 sought is outside the scope of privileges associated with the access token 322. The credential server 102 then confirms (614) or denies (614) access to the personal information 114. In some implementations, the response is a simple yes/no. [Note: while the permanent token is valid, an temporary access token can be issued to the device. But access is denied when the temporary access token has expired or outside of privileges granted]. ). 
Therefore, it would have been obvious to one of ordinary skill in the art on or before the effective filing date of the claimed invention to combine the teachings of Saxman with teachings of Ortiz, Sa and McEnroe to include: receiving a request to revoke access, by the device, to the protected resource; updating the table of the authorization system to reflect the revoked access for the device without invalidating the second token; receiving, from the device, an access request for the protected resource; and in response to querying the table and determining the second token is valid, denying access to the protected resource by the device, to provide users with a means for assigning temporary access tokens with specified access privileges and deny access when See Saxman [0080].).
Regarding claim 17, claim 17 is directed to a computer program product corresponding to the method of claim 5. Claim 17 is similar in scope to claim 5 and is therefore rejected under similar rationale. 

Claim 20 is rejected under 35 U.S.C. 103 as being unpatentable over Ortiz et al. (“Ortiz,” US 11210648, filed Mar 8, 2017) in view of Sa (“Sa,” US 20200402152, filed May 10 2018), McEnroe et al. (“McEnroe,” US 20070203714, published Aug. 30, 2017) and Yu (“Yu,” US 20130276086, published Oct. 17, 2013).  
Regarding claim 20, Ortiz, Sa, and McEnroe disclose the method of claim 3.  McEnroe further discloses wherein, in response to receiving from the further client a further request including the second token and validating the second token against the table (McEnroe FIGs 5, 7, [0041], [0043], [0063]. The manager client device 106(1), for instance, may maintain a token listing 204 in storage 122 which lists which tokens 202(1)-202(4) have been assigned to which respective client devices 106(1)-106(4). [I]n order to permit client device 106(N) to also consume content, the HD token 202(1) may be changed into a plurality of tokens 206(1)-206(T) that permit the client devices that are assigned the tokens to consume content having lesser bandwidth than that corresponding to the HD token 202(1). The first type of token is assigned to a first client (block 508), such as by assigning the HD token 202(1) to client device 106(1). A second client then attempts to consume content that would cause the viewing system to exceed the allocated bandwidth (block 510). [However, as per [0043], sometimes token characteristics may be changed to accommodate the second client. An appropriate token is issued to the second client, allowing content access while not exceeding the allocated bandwidth].); and 
Ortiz, Sa and McEnroe do not explicitly disclose: determining the further client is revoked;  denying, by one or more processing units, the at least one long-term protected resource to the further client. 
However, in an analogous art, Yu discloses method comprising the step of determining the further client is revoked;  denying, by one or more processing units, the at least one long-term protected resource to the further client (Yu [0051], [0056]. If the client computer 102 determines, in operation 214 that a token is not included in the application access request and/or that the token is invalid, the method 200 can proceed to operation 218. In operation 218, the client computer 102 can deny access to the application. As such, the client computer 102 can communicate with the target application and/or the requestor to indicate that the token possessed by the requestor has been revoked.). 
Therefore, it would have been obvious to one of ordinary skill in the art on or before the effective filing date of the claimed invention to combine the teachings of Yu with the teachings of Ortiz, Sa and McEnroe to include the steps of: receiving a request from the resource owner and revoke the associated second token, to provide users with a means for granting, updating or revoking registration/access of applications and services. (See Yu [0026]).


Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to EDWARD LONG whose telephone number is (571)272-8961. The examiner can normally be reached on Monday to Friday, 9 AM - 6 PM EST (Alternate Fridays).
If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Luu Pham can be reached on 571 270 5002. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.



/EDWARD  LONG/
Examiner, Art Unit 2439

/KARI L SCHMIDT/Primary Examiner, Art Unit 2439