DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
This Office Action is in response to the communication filed on 10/28/2020.
Claims 1-20 have been canceled.
Claims 21-40 are pending for consideration.

Specification
The disclosure is objected to because of the following informalities: The U.S. Patent Application No. 15/421,255 has been patented.  Therefore, it is required to update the Patent Application No. 15/421,255 to its current status (see CROSS-REFERENCE TO RALATED APPLICATION).  
Appropriate correction is required.
The lengthy specification has not been checked to the extent necessary to determine the presence of all possible minor errors. Applicant’s cooperation is requested in correcting any errors of which applicant may become aware in the specification.

Claim Objections
Claims 32-25 are objected to because of the following informalities:  These claims recite the limitation “The non-transitory computer storage media of claim”.  It would need to change it to “The one or more non-transitory computer storage media of claim” for consistency.  Appropriate correction is required.

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA  as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA . A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b). 
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
Claims 21-40 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-20 of U.S. Patent No. 10,735,425. Although the claims at issue are not identical, they are not patentably distinct from each other because claims 1-20 of the Reference Patent anticipate the instant claims 21-40 as shown in the table below for the independence claims only.

Instant Application 16/984,085
Patent Application 10,735,425

Claim 21:

A method comprising: receiving, by a midstream application from an upstream application, a first invocation request, the first invocation request being associated with a first token generated by the upstream application, the first token specifying a permissible audience of the first token; 

authenticating, by the midstream application, the first invocation request, including verifying the first token of the upstream application; 


verifying, by the midstream application, that the midstream application is an instance of the permissible audience of the first token; 

upon successful verification, generating, by the midstream application, a second token; 






submitting, by the midstream application to a downstream application, a second invocation request in association with the second token and the first token; 

receiving, by the downstream application from the midstream application, the second invocation request; 

authenticating, by the downstream application, the second invocation request, including verifying the second token of the midstream application; and verifying, by the downstream application, that the midstream application is an instance of the permissible audience for the first token received from the upstream application.

Claim 1:

A method comprising: receiving, by a midstream application from an upstream application, a first invocation request, the first invocation request being associated with a first token signed by a first private key of the upstream application, the first token specifying permissible audience of the first token; 

authenticating the first invocation request, including verifying the first token by the midstream application using a first public key corresponding to the upstream application and stored in a service registry; 
verifying that the midstream application is an instance of the permissible audience of the first token; 

upon successful verification, generating a second token by the midstream application, including inserting the first token into a parent field of the second token; signing the second token by the midstream application using a second private key of the midstream application, wherein a corresponding second public key is stored in the service registry; and 
submitting, by the midstream application to a downstream application, a second invocation request in association with the signed second token; 

receiving, by the downstream application from the midstream application, the second invocation request; 

determining, by the downstream application, that the second invocation request received from the midstream application is authenticated based on verifying that the midstream application is an instance of the permissible audience for the first token received from the upstream application; and in response to determining that the second invocation request is authenticated based on verifying that the midstream application is an instance of the permissible audience for the first token received from the upstream application, authorizing, by the downstream application, the second invocation request, wherein the upstream, midstream and downstream applications are configured to serve user requests in a chain of invocations within a microservice-based computing platform comprising a plurality of computers.

Claim 31:

One or more non-transitory computer storage media encoded with computer program instructions that when executed by a plurality of computers cause the plurality of computers to perform operations comprising: 

receiving, by a midstream application from an upstream application, a first invocation request, the first invocation request being associated with a first token generated by the upstream application, the first token specifying a permissible audience of the first token; 

authenticating, by the midstream application, the first invocation request, including verifying the first token of the upstream application; 


verifying, by the midstream application, that the midstream application is an instance of the permissible audience of the first token; 

upon successful verification, generating, by the midstream application, a second token; 








submitting, by the midstream application to a downstream application, a second invocation request in association with the second token and the first token; 

receiving, by the downstream application from the midstream application, the second invocation request; 


authenticating, by the downstream application, the second invocation request, including verifying the second token of the midstream application; and verifying, by the downstream application, that the midstream application is an instance of the permissible audience for the first token received from the upstream application.

Claim 13:

A non-transitory computer readable storage medium storing instructions executable by a data processing apparatus and upon such execution cause the data processing apparatus to perform operations comprising: 

receiving, by a midstream application from an upstream application, a first invocation request, the first invocation request being associated with a first token signed by a first private key of the upstream application, the first token specifying permissible audience of the first token; 
authenticating the first invocation request, including verifying the first token by the midstream application using a first public key corresponding to the upstream application and stored in a service registry; 
verifying that the midstream application is an instance of the permissible audience of the first token; 


upon successful verification, generating a second token by the midstream application, including inserting the first token into a parent field of the second token; signing the second token by the midstream application using a second private key of the midstream application, wherein a corresponding second public key is stored in the service registry; and 

submitting, by the midstream application to a downstream application, a second invocation request in association with the signed second token; 


receiving, by the downstream application from the midstream application, the second invocation request; 


determining, by the downstream application, that the second invocation request received from the midstream application is authenticated based on verifying that the midstream application is an instance of the permissible audience for the first token received from the upstream application; and in response to determining that the second invocation request is authenticated based on verifying that the midstream application is an instance of the permissible audience for the first token received from the upstream application, authorizing, by the downstream application, the second invocation request, wherein the upstream, midstream and downstream applications are configured to serve user requests in a chain of invocations within a microservice-based computing platform comprising a plurality of computers.

Claim 36:

A system comprising one or more computers and one or more storage devices on which are stored instructions that are operable, when executed by the one or more computers, to cause the one or more computers to perform operations comprising: 

receiving, by a midstream application from an upstream application, a first invocation request, the first invocation request being associated with a first token generated by the upstream application, the first token specifying a permissible audience of the first token;


authenticating, by the midstream application, the first invocation request, including verifying the first token of the upstream application; 


verifying, by the midstream application, that the midstream application is an instance of the permissible audience of the first token; 

upon successful verification, generating, by the midstream application, a second token; 








submitting, by the midstream application to a downstream application, a second invocation request in association with the second token and the first token; 

receiving, by the downstream application from the midstream application, the second invocation request; 

authenticating, by the downstream application, the second invocation request, including verifying the second token of the midstream application; and verifying, by the downstream application, that the midstream application is an instance of the permissible audience for the first token received from the upstream application.

Claim 17:

A system comprising: one or more computers and one or more storage devices on which are stored instructions that are operable, when executed by the one or more computers, to cause the one or more computers to perform operations comprising: 

receiving, by a midstream application from an upstream application, a first invocation request, the first invocation request being associated with a first token signed by a first private key of the upstream application, the first token specifying permissible audience of the first token; 

authenticating the first invocation request, including verifying the first token by the midstream application using a first public key corresponding to the upstream application and stored in a service registry; 
verifying that the midstream application is an instance of the permissible audience of the first token; 


upon successful verification, generating a second token by the midstream application, including inserting the first token into a parent field of the second token; signing the second token by the midstream application using a second private key of the midstream application, wherein a corresponding second public key is stored in the service registry; and 

submitting, by the midstream application to a downstream application, a second invocation request in association with the signed second token; 

receiving, by the downstream application from the midstream application, the second invocation request; 

determining, by the downstream application, that the second invocation request received from the midstream application is authenticated based on verifying that the midstream application is an instance of the permissible audience for the first token received from the upstream application; and in response to determining that the second invocation request is authenticated based on verifying that the midstream application is an instance of the permissible audience for the first token received from the upstream application, authorizing, by the downstream application, the second invocation request, wherein the upstream, midstream and downstream applications are configured to serve user requests in a chain of invocations within a microservice-based computing platform comprising a plurality of computers.


The dependent claims of the instant application recite language similar to the dependent claims of the patent application and are covered by the patent application.

Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


Claims 21, 24-31, 33-36 and 38-40 are rejected under 35 U.S.C. 102(a)(1)as being anticipated by Kalogridis et al. (US 20040117623) (hereinafter Kalogridis).
Regarding claim 21, Kalogridis discloses a method comprising: receiving, by a midstream application from an upstream application, a first invocation request, the first invocation request being associated with a first token generated by the upstream application, the first token specifying a permissible audience of the first token (Kalogridis: paragraphs 0037, 0069-0071, 0088-0089 and 0091, “in order to protect against delegation token duplication and delegation token deletion, the delegation token DT is preferably constructed to include the intended recipient and a freshness value”); authenticating, by the midstream application, the first invocation request, including verifying the first token of the upstream application (Kalogridis: paragraphs 0035, 0072 and 0094-0095, “described below the original Mobile Agent A is assumed to be fully trusted by the other Mobile Agents and each of the Mobile Agents from A to Z is able to produce a valid signature simply by using the Mobile Agent's cryptographic key to sign a Delegation Token”); verifying, by the midstream application, that the midstream application is an instance of the permissible audience of the first token (Kalogridis: paragraphs 0073 and 0083-0084, “Again the DT provided by Mobile Agent A is incorporated or cascaded within the message of Mobile Agent B. The inclusion of identifier C in M2 and DT' is desirable to prevent the token from being accepted by anyone other than the intended verifier and, as before, a freshness value such as a time stamp T.sub.B or nonce N.sub.B may also be added”); upon successful verification, generating, by the midstream application, a second token (Kalogridis: paragraphs 0082-0083, “Again the DT provided by Mobile Agent A is incorporated or cascaded within the message of Mobile Agent B. The inclusion of identifier C in M2 and DT' is desirable to prevent the token from being accepted by anyone other than the intended verifier and, as before, a freshness value such as a time stamp T.sub.B or nonce N.sub.B may also be added”); and submitting, by the midstream application to a downstream application, a second invocation request in association with the second token and the first token (Kalogridis: paragraphs 0074-0076, 0085-0086 and 0103-0106, “Terminal B constructs a new message M2 which it sends to terminal C (the server) as though it is terminal B which is requesting the desired movie clip”); receiving, by the downstream application from the midstream application, the second invocation request (Kalogridis: paragraphs 0074-0076, 0085-0086 and 0103-0106, “The message for a second stage of delegation, from B to C is then: M2: B.fwdarw.C:C.parallel.T.sub.B/N.sub.B.parallel.B.parallel.T.sub.A/N.su- b.A.parallel.P.sub.C(K.sub.P-T-E.parallel..GAMMA..parallel.S.sub.B(h(DT'))- .parallel..GAMMA..parallel.K.sub.P-T-E.parallel.S.sub.A(h(DT))) (Equation 5) where DT'=K.sub.P-T-E.parallel.C.parallel.T.sub.B/N.sub.B.parallel..GAMMA.'”); authenticating, by the downstream application, the second invocation request, including verifying the second token of the midstream application (Kalogridis: paragraphs 0083-0086 and 0103-0106, “Again the DT provided by Mobile Agent A is incorporated or cascaded within the message of Mobile Agent B. The inclusion of identifier C in M2 and DT' is desirable to prevent the token from being accepted by anyone other than the intended verifier and, as before, a freshness value such as a time stamp T.sub.B or nonce N.sub.B may also be added”); and verifying, by the downstream application, that the midstream application is an instance of the permissible audience for the first token received from the upstream application (Kalogridis: paragraphs 0083-0086 and 0103-0106, “An example of the procedure at the end point of a chain of delegation will now be described. When an originator such as Mobile Agent A passes rights to an intermediary and eventually on to a last delegate, say Mobile Agent Y, the last delegate contacts, for example, the server Z of an appropriate service provider (the end point of the chain) and demonstrates that it holds valid (that is properly signed) DTs in order to request that a service is granted to Mobile Agent A”).
Regarding claim 31, claim 31 discloses a media claim that is substantially equivalent to the method of claim 21.  Therefore, the arguments set forth above with respect to claim 21 are equally applicable to claim 31 and rejected for the same reasons.
Regarding claim 36, claim 36 discloses a system claim that is substantially equivalent to the method of claim 21.  Therefore, the arguments set forth above with respect to claim 21 are equally applicable to claim 36 and rejected for the same reasons.
Regarding claim 24, Kalogridis discloses  the first token includes an initial token including credentials of a user initiating the chain of invocations including the first invocation request and the second invocation request (Kalogridis: paragraphs 0076 and 0082-0083, “Thus the DT provided by Mobile Agent A is incorporated or cascaded within the message of Mobile Agent B. The inclusion of identifier C in M2 and DT' is desirable to prevent the token from being accepted by anyone other than the intended verifier and, as before, a freshness value such as a time stamp T.sub.Bor nonce N.sub.B may also be added. Further delegations give rise to further signed DTs by extension of the same procedure as required.”).
Regarding claim 25, Kalogridis discloses authenticating the first invocation request by the midstream application, wherein: authentication is performed on the first token, and authentication is performed on the initial token (Kalogridis: paragraphs 0059, 0071, 0085 and 0091-0095, “that is where there are multiple Mobile Agents to delegation which is cascaded from an initial Mobile Agent A, to a second agent in the chain B, then to a third agent C, and so on to a final agent of the chain, say Z, before data is returned, or a final message is sent, to the original Mobile Agent A. Such a chain has already been described in more detail with reference to FIG. 5”).
Regarding claim 26, Kalogridis discloses authenticating the second invocation request by the downstream application, wherein: authentication is performed on the second token, authentication is performed on the first token contained within the second token, and authentication is performed on the initial token (Kalogridis: paragraphs 0103-0104, “Terminal C decrypts the encrypted portion of message M2 using its private key (or the shared secret key), the decrypted data comprising DT and DT' and signatures for terminal A and terminal B. (In a chain of terminals the end terminal has delegation tokens and signatures for all the terminals in the chain.)”).
Regarding claim 27, Kalogridis discloses authorizing the first invocation request by the midstream application, wherein authorization is based on a security policy that requires presence of one more authenticated tokens (Kalogridis: paragraphs 0096 and 0104, “As previously noted, PKI allows each signature of each terminal (A and B) in the chain to be verified and thus allows each delegation token to be authenticated. The protocol also provides accountability since each entity in the chain (A and B in this case) has attached their own signed request and keys”).
Regarding claims 28, 33 and 38, Kalogridis discloses wherein: the first token includes a request field, the request field describing intended operation to be invoked by the upstream application on the midstream application, and authenticating the first invocation request by the midstream application comprises determining whether the request field of the first token sufficiently describes the first invocation request (Kalogridis: paragraph 0091, “Terminal A creates a message M1 as described above including an identifier B for terminal B (necessary if there is more than one possible recipient and in any case preferred to hinder an impersonation attack) and preferably a timestamp or nonce for freshness. This allows message M1 to expire after a time interval, for example if there is no reply within a time window, and thus allows a relatively short period to be defined during which an attack is possible. A timestamp may be preferred where terminals in the chain have synchronized clocks (say, to better than one second) otherwise a nonce may be employed, generated by a pseudo-random number generator starting from a known seed. Preferably the delegation token DT also includes the identifier for B and the timestamp and/or nonce. In this way if an attacker attempts to change the timestamp or nonce this will show up in the delegation token DT.”).
Regarding claims 29, 34 and 39, Kalogridis discloses generating, by the upstream application, the first token, the first token specifying the permissible audience of the first token (Kalogridis: paragraphs 0037, 0069-0071, 0088-0089 and 0091, “in order to protect against delegation token duplication and delegation token deletion, the delegation token DT is preferably constructed to include the intended recipient and a freshness value”); generating, by the upstream application, a first wrapper and associating the first token with the first wrapper (Kalogridis: paragraphs 0037, 0061-0062, 0069-0071, 0088-0089 and 0091, “a Mobile Agent A sends a signed message M1 to a Mobile Agent B as set out in Equation 1 below. M1:A.fwdarw.B: B.parallel.T.sub.A/N.sub.A.parallel.P.sub.B(K.sub.P-T-E.par- allel..GAMMA..parallel.S.sub.A(h(DT))) (Equation 1)”); and submitting, by the upstream application to the midstream application, the first invocation request in association with the first token and the first wrapper, wherein: authenticating the first invocation request further comprises verifying, by the midstream application, a source of the first invocation request received from the upstream application using the first wrapper (Kalogridis: paragraphs 0035, 0070-0076 and 0094-0095, “in order to protect against delegation token duplication and delegation token deletion, the delegation token DT is preferably constructed to include the intended recipient and a freshness value such as a timestamp, and/or a random number (which can be used more than once, for example a number from a pseudo-random sequence) and/or a nonce”).
Regarding claims 30, 35 and 40, Kalogridis discloses discarding, by the midstream application, the first wrapper from the first token (Kalogridis: paragraphs 0070-0076, “K.sub.P-T-E' is a power to execute delegation key between Mobile Agent B and Mobile Agent C, and .GAMMA.'=(R',L') where R'=a request or set of roles or tasks and L'=a lifespan of the delegation token DT' that was generated by Mobile Agent B. It will be recognized that S.sub.A(h(DT))) is available to B for inclusion in M2 as it was received by B (encrypted) in message M1.”); generating, by the midstream application, a second wrapper and associating the second token with the second wrapper; and verifying, by the downstream application, a source of the second invocation request received from the midstream application using the second wrapper, wherein: the downstream application does not have access to the discarded first wrapper (Kalogridis: paragraphs 0076-0083, “Thus the DT provided by Mobile Agent A is incorporated or cascaded within the message of Mobile Agent B. The inclusion of identifier C in M2 and DT' is desirable to prevent the token from being accepted by anyone other than the intended verifier and, as before, a freshness value such as a time stamp T.sub.Bor nonce N.sub.B may also be added. Further delegations give rise to further signed DTs by extension of the same procedure as required.”).

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claim 22 is rejected under 35 U.S.C. 103 as being unpatentable over Kalogridis in in view of Sanso et al. (US 20170012980) (hereinafter Sanso).
Regarding claim 22, Kalogridis does not explicitly disclose the following limitation which is disclosed by Sanso, wherein each of the first token and the second token is a JSON Web token (JWT) and is transmitted in a header of a corresponding invocation request (Sanso: paragraphs 0017-0018, “JSON Web Token (JWT) is a compact information representation format intended for space constrained environments such as HTTP Authorization headers and URI query parameters”).  Kalogridis and Sanso are analogous art because they are from the same field of endeavor, privacy and security protection.  Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art, having the teachings of Kalogridis and Sanso before him or her, to modify the system of Kalogridis to include the JSON Web token (JWT) and is transmitted in a header of Sanso.  The suggestion/motivation for doing so would have been for protecting the privacy and security of data associated with a web document (Sanso: paragraph 0021).

Claims 23, 32 and 37 are rejected under 35 U.S.C. 103 as being unpatentable over Kalogridis in view of XU et al. (US 20160127352) (hereinafter XU).
Regarding claims 23, 32 and 37, Kalogridis does not explicitly disclose the following limitation which is disclosed by XU, wherein each of the first token and the second token is a single use token (XU: paragraphs 0029 and 0031, “token agent 108 sends the OTA token as well as a request to authentication service 120 to authenticate with the additional authentication method”).  Kalogridis and XU are analogous art because they are from the same field of endeavor, different authentication levels.  Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art, having the teachings of Kalogridis and XU before him or her, to modify the system of Kalogridis to include the one-time token of XU.  The suggestion/motivation for doing so would have been to provide users with convenient and secure access to sensitive resources (XU: paragraph 0006).

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure is listed on the enclosed PTO-892 form.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to TRANG T DOAN whose telephone number is (571)272-0740.  The examiner can normally be reached on Monday-Friday 7-4 ET.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn D Feild can be reached on (571)272-2092.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/TRANG T DOAN/Primary Examiner, Art Unit 2431