Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Information Disclosure Statement
The information disclosure statement (IDS) was submitted on [02/04/2021 and 03/02/2022]. The submission is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner.

Drawings

Drawings filed on 11/12/2020 are accepted.


Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that
form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –
(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale,
or otherwise available to the public before the effective filing date of the claimed invention.

Claims (1-3, 5, 7-11, 13,14, 16, and 18) is/are rejected under 35 U.S.C. 102(a)(1) as being anticipated by DUNJIC et al. (US-20190372958-A1, DUNJIC referred to as "DUNJIC”)

Referring to claim 1, DUNJIC teaches receiving, at an application server and from a client, a request for a resource (DUNJIC, [¶0073]” The request to access the protected resource includes the access/bearer token, the cryptographic nonce, and the digital signature.”, [¶0004] a client application executing on a user's mobile device may, upon receiving permission from the user, request to access the user's resources (e.g. data, services) at a resource server“), wherein the request is associated with a security token for authenticating the client by the application server (DUNJIC, [0016]” a first signal including a request to obtain an access token for accessing a protected resource”);
acquiring, at the application server, a public key of an authentication server associated with authenticating requests at the application server (DUNJIC, [0019]” receive, via the communication interface from a web server associated with the protected resource, a fourth signal including a request to validate a bearer token submitted by the client application to the web server, the bearer token including a digital signature; validate the bearer token, the validating including verifying the digital signature using the public key; and in response to validating the bearer token, send to the web server via the communication interface a fifth signal including a notification that the bearer token is valid.”);
validating, at the application server, a signature of the security token associated with the request for the resource, wherein validating the signature of the security token is based on the acquired public key of the authentication server (DUNJIC, [¶0019]” a fourth signal including a request to validate a bearer token submitted by the client application to the web server, the bearer token including a digital signature; validate the bearer token, the validating including verifying the digital signature using the public key; and in response to validating the bearer token, send to the web server via the communication interface a fifth signal including a notification that the bearer token is valid.”, [¶0075]” the authorization server validates the bearer token. The digital signature may be verified by using the public key previously stored at the authorization server to decrypt the signature and comparing to the original data“), wherein validating the signature of the security token determines whether the security token is validly issued by the authentication server (DUNJIC, [¶0019]” , the validating including verifying the digital signature using the public key; and in response to validating the bearer token, send to the web server via the communication interface a fifth signal including a notification that the bearer token is valid “);
in response to the received request, determining, at the application server, an identifier associated with the client (DUNJIC, [¶0069]” As part of the request to the authorization server, the client application submits, at least: a client identifier uniquely identifying the client application, a user identifier uniquely identifying an end user of the client application”); and
validating, at the application server, the security token based on the identifier associated with the client to determine whether to serve the received request and provide the resource (DUNJIC, [¶0016]”  a first signal including a request to obtain an access token for accessing a protected resource, the request including: a client identifier uniquely identifying the client application; an authorization code for authorizing the client application's access of the protected resource“).

Referring to claim 2, DUNJIC teaches the method of claim 1, further comprising, in response to determining that the security token is valid, providing the requested resource to the client by the application (DUNJIC, [¶0073]” receive, via the communication interface from a web server associated with the protected resource, a fourth signal including a request to validate a bearer token submitted by the client application to the web server, the bearer token including a digital signature; validate the bearer token, the validating including verifying the digital signature using the public key; and in response to validating the bearer token, send to the web server via the communication interface a fifth signal including a notification that the bearer token is valid.“).

Referring to claim 3, DUNJIC the method of claim 1, wherein the determined identifier is a client key generated by the client and provided by the client to the authentication server for generating the security token (DUNJIC, [¶0067]” the client application may perform one or more intermediate operations, such as generating a unique identifier of the end-user. In operation 516, the client application may cause a pair of user-specific asymmetric cryptographic keys to be generated on the device. A public key and a private key are generated together“, [¶0090]” The device then requests an authentication server to verify that the first credentials belong to a user that is authorized to access the protected resource, in operation 704. That is, the processor transmits to an authentication server, a first signal including a request to verify that the first credentials are authorized for accessing the protected resource. The first credentials may, for example, be compared to and validated against a database of identifies of authorized users/entities.”, [¶0091]” When the first credentials are determined to be authorized for accessing the protected resource, the device receives from the authentication server a second signal that includes an access token for use in authenticating the user on requests to access the protected resource “).

Referring to claim 5, DUNJIC the method of claim 1, wherein determining the identifier associated with the client comprises retrieving the identifier from a security storage component based on information about a location of the identifier included in the security token (DUNJIC, [¶0067]” the client application may perform one or more intermediate operations, such as generating a unique identifier of the end-user. In operation 516, the client application may cause a pair of user-specific asymmetric cryptographic keys to be generated on the device. A public key and a private key are generated together. In at least some embodiments, the private key of the public-private key pair is generated in a hardware-based key manager, or a “secure enclave”, on the user's device.“, [0069]” Once the keys have been generated, the client application submits a request to the authorization server, in operation 518, to obtain an access token for use in accessing a protected resource“), wherein the identifier comprises a client key incorporated in the security token during generation at the authentication (DUNJIC, [¶0079]” In operation 602, the server receives, from a client application, a first signal including a request to obtain an access token for accessing a protected resource, such as an API or database. The request includes a unique client identifier, a unique user identifier, and a public key associated with an end-user of the client application. The server validates the request, and transmits to the client application a second signal including a requested access token for accessing the protected resource, in operation 604.”, [¶0080]” the authorization server receives from the protected resource a third signal including a request to validate a bearer token submitted by the client application, where the bearer token includes a digital signature. The authorization server validates the bearer token in operation 608, verifying the digital signature using the public key included in the request in operation 602.”).

Referring to claim 7, DUNJIC teaches the method of claim 1, wherein the identifier is received as part of client authentication data received with the request for the resource (DUNJIC, [¶0016]” a first signal including a request to obtain an access token for accessing a protected resource, the request including: a client identifier uniquely identifying the client application; an authorization code for authorizing the client application's access of the protected resource”).

Referring to claim 8, DUNJIC teaches the method of claim 1, wherein the security token is generated at the authentication server in response to a request sent by the client to the authentication server (DUNJIC, [¶0090]”a user of a mobile device may input their user credentials on the device. The device then requests an authentication server to verify that the first credentials belong to a user that is authorized to access the protected resource, in operation 704. That is, the processor transmits to an authentication server, a first signal including a request to verify that the first credentials are authorized for accessing the protected resource. The first credentials may, for example, be compared to and validated against a database of identifies of authorized users/entities.”, [¶0091]“ When the first credentials are determined to be authorized for accessing the protected resource, the device receives from the authentication server a second signal that includes an access token for use in authenticating the user on requests to access the protected resource, in operation 706 “), wherein during the generation the received request is validated at the authentication server  (DUNJIC, [¶0090]” The device then requests an authentication server to verify that the first credentials belong to a user that is authorized to access the protected resource, in operation 704. That is, the processor transmits to an authentication server, a first signal including a request to verify that the first credentials are authorized for accessing the protected resource.“), the client key is collected from a security storage component (DUNJIC, [¶0079]” the server receives, from a client application, a first signal including a request to obtain an access token for accessing a protected resource, such as an API or database. The request includes a unique client identifier, a unique user identifier, and a public key associated with an end-user of the client application. The server validates the request, and transmits to the client application a second signal including a requested access token for accessing the protected resource “), a message authentication code of a payload portion of the security token is computed based on the client key (DUNJIC, [0069]” As part of the request to the authorization server, the client application submits, at least: a client identifier uniquely identifying the client application, a user identifier uniquely identifying an end user of the client application, and the user-specific public key generated in operation 516.” , [¶0070]” the authorization server validates the request for an access token submitted by the client application. The authorization server may include, or be connected to, the mobile security service 132 of FIG. 1 and a security token service (included, for example, as a token endpoint of an identity provider). As part of the operation of validating the request, the authorization server may generate a request to exchange the authorization code for a set of one or more tokens, and submit the request to the security token service.”),  wherein the generated security token is signed with a public key of the authentication server ([¶0071] “The end-user public key is also saved at the authorization server. The public key may be saved in association with the tokens (e.g. ID token, access token) which were generated as a result of the request submitted by the client application in operation 518.”, [¶0075]” the authorization server validates the bearer token. The digital signature may be verified by using the public key.”), and wherein the security token includes the computed message authentication code as part of a header part of the security token ([¶0076]” the authorization server sends the web server associated with the protected resource a notification indicating that the bearer token is valid, in operation 532. For example, a message notifying the web server that the bearer token is valid may be generated and signed using a private key that is specific to the authorization server.”).

Referring to claim 9, DUNJIC teaches the method of claim 1The method of claim 1, further comprising:
generating, at the client, a client key as an identifier for the client (DUNJIC, [¶0067]” After receiving the authorization code, the client application may perform one or more intermediate operations, such as generating a unique identifier of the end-use“);
storing, at a security storage component, the generated client key (DUNJIC ,[¶0073]” The signature may be generated based on a message that includes a combination of a first representation of the requested access token and the cryptographic nonce. The message data (or a hash of the message data) may be encrypted with the user-specific private key in the secure enclave of the device. The signature itself may be generated in the secure enclave. The request to access the protected resource includes the access/bearer token, the cryptographic nonce, and the digital signature.”); and
generating the security token, at the authentication server, wherein the security token is generated to include a message authentication code that is computed using the client key. (DUNJIC, [¶0034]” The client application 102 may be an app that requests to access a protected resource 140.“, [0069]” Once the keys have been generated, the client application submits a request to the authorization server, in operation 518, to obtain an access token for use in accessing a protected resource.“, [¶0070]” As part of the operation of validating the request, the authorization server may generate a request to exchange the authorization code for a set of one or more tokens, and submit the request to the security token service.“, [¶0072]” In operation 522, the requested access token (and optionally, the refresh token) is provided to the client application. The access token may be saved on the user's device. “).

Referring to claim 10, DUNJIC teaches the method of claim 1, wherein the received request for the resource at the application comprises a security token (DUNJIC, [¶0004]” a client application executing on a user's mobile device may, upon receiving permission from the user, request to access the user's resources (e.g. data, services) at a resource server.”,  [¶0016]” the processing unit being configured to: receive, via the communication interface from a client application executing on a first device, a first signal including a request to obtain an access token for accessing a protected resource,”), wherein the security token is issued by the authentication server for the client (DUNJIC, [0069]” Once the keys have been generated, the client application submits a request to the authorization server, in operation 518, to obtain an access token for use in accessing a protected resource.“), and wherein the request includes credentials of the client for the application server (DUNJIC, [0090]” a user of a mobile device may input their user credentials on the device. The device then requests an authentication server to verify that the first credentials belong to a user that is authorized to access the protected resource, in operation 704. That is, the processor transmits to an authentication server, a first signal including a request to verify that the first credentials are authorized for accessing the protected resource. The first credentials may, for example, be compared to and validated against a database of identifies of authorized users/entities.”).

Referring to claim 11, DUNJIC teaches the method of claim 1, wherein the request includes information associated with a location of the client key to be retrieved by the application server (DUNJIC, [0067]” After receiving the authorization code, the client application may perform one or more intermediate operations, such as generating a unique identifier {i.e., client key} of the end-user. In operation 516, the client application may cause a pair of user-specific asymmetric cryptographic keys to be generated on the device. A public key and a private key are generated together. In at least some embodiments, the private key of the public-private key pair is generated in a hardware-based key manager, or a “secure enclave”, on the user's device. The secure enclave is isolated from the main processor of the user's device to provide an extra layer of security.”, (DUNJIC, [¶0079]” the server receives, from a client application, a first signal including a request to obtain an access token for accessing a protected resource, such as an API or database. The request includes a unique client identifier, a unique user identifier, and a public key associated with an end-user of the client application. The server validates the request, and transmits to the client application a second signal including a requested access token for accessing the protected resource “, (DUNJIC, [0069]” As part of the request to the authorization server, the client application submits, at least: a client identifier uniquely identifying the client application, a user identifier uniquely identifying an end user of the client application, and the user-specific public key generated in operation 516.”).

Claim 13 is a computer system claims reciting similar limitations as method claim 1. Therefore claim 13 is rejected based on the same rational as the method claim 1.

Claim 14 is a computer system claims reciting similar limitations as method claim 2. Therefore claim 14 is rejected based on the same rational as the method claim 2.

Claim 16 is a computer system claims reciting similar limitations as method claim 8. Therefore claim 16 is rejected based on the same rational as the method claim 8.


Referring to claim 18, DUNJIC teaches the system comprising:
a computing device; and
a computer-readable storage device coupled to the computing device and having instructions stored thereon which, when executed by the computing device, cause the computing device to perform operations, the operations comprising:
receiving, at an application server and from a client, a request for a resource, wherein the request is associated with a security token for authenticating the client by the application server (DUNJIC, [0016]” a first signal including a request to obtain an access token for accessing a protected resource”);
acquiring, at the application server, a public key of an authentication server associated with authenticating requests at the application server (DUNJIC, [0019]” receive, via the communication interface from a web server associated with the protected resource, a fourth signal including a request to validate a bearer token submitted by the client application to the web server, the bearer token including a digital signature; validate the bearer token, the validating including verifying the digital signature using the public key; and in response to validating the bearer token, send to the web server via the communication interface a fifth signal including a notification that the bearer token is valid.”);
validating, at the application server, a signature of the security token associated with the request for the resource, wherein validating the signature of the security token is based on the acquired public key of the authentication server (DUNJIC, [¶0019]” a fourth signal including a request to validate a bearer token submitted by the client application to the web server, the bearer token including a digital signature; validate the bearer token, the validating including verifying the digital signature using the public key; and in response to validating the bearer token, send to the web server via the communication interface a fifth signal including a notification that the bearer token is valid.”, [¶0075]” the authorization server validates the bearer token. The digital signature may be verified by using the public key previously stored at the authorization server to decrypt the signature and comparing to the original data“), wherein validating the signature of the security token determines whether the security token is validly issued by the authentication server (DUNJIC, [¶0019]” , the validating including verifying the digital signature using the public key; and in response to validating the bearer token, send to the web server via the communication interface a fifth signal including a notification that the bearer token is valid “);
in response to the received request, determining, at the application server, an identifier associated with the client (DUNJIC, [¶0069]” As part of the request to the authorization server, the client application submits, at least: a client identifier uniquely identifying the client application, a user identifier uniquely identifying an end user of the client application”); and
validating, at the application server, the security token based on the identifier associated with the client to determine whether to serve the received request and provide the resource (DUNJIC, [¶0016]”  a first signal including a request to obtain an access token for accessing a protected resource, the request including: a client identifier uniquely identifying the client application; an authorization code for authorizing the client application's access of the protected resource“).



Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


Claims (4) is/are rejected under 35 U.S.C. 103 as being unpatentable over DUNJIC et al. (US-20190372958-A1, DUNJIC referred to as "DUNJIC”) and BOCANEGRA et al. (US-20150150109-A1, BOCANEGRA referred to as "BOCANEGRA”).

Referring to claim 4, DUNJIC teaches the method of claim 1.
However, DUNJIC does not explicitly teach wherein the determined identifier is a version value provided at a versioning field part of the received security token, and wherein the application server compares the determined version value with the stored values to determine whether the token is valid.   
Wherein, BOCANEGRA teaches wherein the determined identifier is a version value provided at a versioning field part of the received security token, and wherein the application server compares the determined version value with the stored values to determine whether the token is valid (BOCANEGRA, [¶007]“ If the bearer token conforms to the predefined syntax, the client identification value is extracted from the bearer token. The client identification value is compared to a predefined list of authorized client identification values associated with the protected resource. Each authorized client identification value in the list is associated with a corresponding authentication configuration that specifies the correct authentication client to be used by the third-party application for validating the bearer token. If the client identification value matches any of the values on the list of authorized values, an authentication server is called by the corresponding authentication client to validate the bearer token”).   
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified DUNJIC to incorporate the teaching of BOCANEGRA to utilize the above feature, with the motivation of enhancing the security through comparing client identification value with a predefined list of authorized client identification values associated with the protected resource for validation, as recognized by (BOCANEGRA [0010]).


Claims (6, 15, and 19) is/are rejected under 35 U.S.C. 103 as being unpatentable over DUNJIC et al. (US-20190372958-A1, DUNJIC referred to as "DUNJIC”) and UY et al. (US-20200412539-A1, UY referred to as " UY”).

Referring to claim 6, DUNJIC the method of claim 5, wherein the identifier is a client key generated in advance by the client and stored at a security storage component (DUNJIC, [¶0073]” the client application may cause a pair of user-specific asymmetric cryptographic keys to be generated on the device. A public key and a private key are generated together. In at least some embodiments, the private key of the public-private key pair is generated in a hardware-based key manager, or a “secure enclave”, on the user's device. The secure enclave is isolated from the main processor of the user's device to provide an extra layer of security. When the private key is stored in the secure enclave, the private key itself is not handled; instead, the secure enclave is instructed to create the key, securely store it, and perform operations with it.”), wherein the client key is retrieved by the application server from the security storage component to validate the security token (DUNJIC, [¶0079]” the server receives, from a client application, a first signal including a request to obtain an access token for accessing a protected resource, such as an API or database. The request includes a unique client identifier, a unique user identifier, and a public key associated with an end-user of the client application. The server validates the request, and transmits to the client application a second signal including a requested access token for accessing the protected resource “, (DUNJIC, [0069]” As part of the request to the authorization server, the client application submits, at least: a client identifier uniquely identifying the client application, a user identifier uniquely identifying an end user of the client application, and the user-specific public key generated in operation 516.”), wherein the security storage component is either [external to the authentication server] or within the authentication server (DUNJIC ,[0067]” A public key and a private key are generated together. In at least some embodiments, the private key of the public-private key pair is generated in a hardware-based key manager, or a “secure enclave”, on the user's device. The secure enclave is isolated from the main processor of the user's device to provide an extra layer of security. When the private key is stored in the secure enclave, the private key itself is not handled; instead, the secure enclave is instructed to create the key, securely store it, and perform operations with it”).
However, DUNJIC does not explicitly teach security component [external to the authentication server].
Wherein, UY  teaches security component [external to the authentication server]  (UY, [¶0030]” authentication server 104 may be associated with a third party cloud provider (e.g., rather than a telecommunication provider) and may associate the identifier and the configured public key using secure data storage.”).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified DUNJIC to incorporate the teaching of UY to utilize the above feature, with the motivation of enhancing the security through providing a secure data storage, regardless of a channel used to transmit the identifier and the configured public key, as recognized by (UY [0032]).

Referring to claim 15, DUNJIC teaches the computer-readable medium of claim 13, wherein determining the identifier associated with the client comprises retrieving the identifier from a security storage component based on information about a location of the identifier included in the security token (DUNJIC, [¶0067]” the client application may perform one or more intermediate operations, such as generating a unique identifier of the end-user. In operation 516, the client application may cause a pair of user-specific asymmetric cryptographic keys to be generated on the device. A public key and a private key are generated together. In at least some embodiments, the private key of the public-private key pair is generated in a hardware-based key manager, or a “secure enclave”, on the user's device.“, [0069]” Once the keys have been generated, the client application submits a request to the authorization server, in operation 518, to obtain an access token for use in accessing a protected resource“), wherein the identifier comprises a client key incorporated in the security token during generation at the authentication server (DUNJIC, [¶0079]” In operation 602, the server receives, from a client application, a first signal including a request to obtain an access token for accessing a protected resource, such as an API or database. The request includes a unique client identifier, a unique user identifier, and a public key associated with an end-user of the client application. The server validates the request, and transmits to the client application a second signal including a requested access token for accessing the protected resource, in operation 604.”, [¶0080]” the authorization server receives from the protected resource a third signal including a request to validate a bearer token submitted by the client application, where the bearer token includes a digital signature. The authorization server validates the bearer token in operation 608, verifying the digital signature using the public key included in the request in operation 602.”), wherein the identifier is a client key generated in advance by the client and stored at a security storage component (DUNJIC, [¶0073]” the client application may cause a pair of user-specific asymmetric cryptographic keys to be generated on the device. A public key and a private key are generated together. In at least some embodiments, the private key of the public-private key pair is generated in a hardware-based key manager, or a “secure enclave”, on the user's device. The secure enclave is isolated from the main processor of the user's device to provide an extra layer of security. When the private key is stored in the secure enclave, the private key itself is not handled; instead, the secure enclave is instructed to create the key, securely store it, and perform operations with it.”), wherein the client key is retrieved by the application server from the security storage component to validate the security token (DUNJIC, [¶0079]” the server receives, from a client application, a first signal including a request to obtain an access token for accessing a protected resource, such as an API or database. The request includes a unique client identifier, a unique user identifier, and a public key associated with an end-user of the client application. The server validates the request, and transmits to the client application a second signal including a requested access token for accessing the protected resource “, (DUNJIC, [0069]” As part of the request to the authorization server, the client application submits, at least: a client identifier uniquely identifying the client application, a user identifier uniquely identifying an end user of the client application, and the user-specific public key generated in operation 516.”). 
However, DUNJIC does not explicitly teach wherein the security storage component is either external to the authentication server or within the authentication server.
Wherein, UY teaches the security storage component is either external to the authentication server or within the authentication server (UY, [¶0030]” authentication server 104 may be associated with a third party cloud provider (e.g., rather than a telecommunication provider) and may associate the identifier and the configured public key using secure data storage.”).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified DUNJIC to incorporate the teaching of UY to utilize the above feature, with the motivation of enhancing the security through providing a secure data storage, regardless of a channel used to transmit the identifier and the configured public key, as recognized by (UY [0032]).

Referring to claim 19, DUNJIC teaches the system of claim 18, wherein the computer-readable storage device further comprises instructions which, when executed by the computing device, cause the computing device to perform operations comprising:
in response to determining that the security token is valid, providing the requested resource to the client by the application (DUNJIC, [¶0073]” receive, via the communication interface from a web server associated with the protected resource, a fourth signal including a request to validate a bearer token submitted by the client application to the web server, the bearer token including a digital signature; validate the bearer token, the validating including verifying the digital signature using the public key; and in response to validating the bearer token, send to the web server via the communication interface a fifth signal including a notification that the bearer token is valid.“), wherein determining the identifier associated with the client comprises retrieving the identifier from a security storage component based on information about a location of the identifier included in the security token (DUNJIC, [¶0067]” the client application may perform one or more intermediate operations, such as generating a unique identifier of the end-user. In operation 516, the client application may cause a pair of user-specific asymmetric cryptographic keys to be generated on the device. A public key and a private key are generated together. In at least some embodiments, the private key of the public-private key pair is generated in a hardware-based key manager, or a “secure enclave”, on the user's device.“, [0069]” Once the keys have been generated, the client application submits a request to the authorization server, in operation 518, to obtain an access token for use in accessing a protected resource“), wherein the identifier comprises a client key incorporated in the security token during generation at the authentication server (DUNJIC, [¶0079]” In operation 602, the server receives, from a client application, a first signal including a request to obtain an access token for accessing a protected resource, such as an API or database. The request includes a unique client identifier, a unique user identifier, and a public key associated with an end-user of the client application. The server validates the request, and transmits to the client application a second signal including a requested access token for accessing the protected resource, in operation 604.”, [¶0080]” the authorization server receives from the protected resource a third signal including a request to validate a bearer token submitted by the client application, where the bearer token includes a digital signature. The authorization server validates the bearer token in operation 608, verifying the digital signature using the public key included in the request in operation 602.”), wherein the identifier is a client key generated in advance by the client and stored at a security storage component (DUNJIC, [¶0073]” the client application may cause a pair of user-specific asymmetric cryptographic keys to be generated on the device. A public key and a private key are generated together. In at least some embodiments, the private key of the public-private key pair is generated in a hardware-based key manager, or a “secure enclave”, on the user's device. The secure enclave is isolated from the main processor of the user's device to provide an extra layer of security. When the private key is stored in the secure enclave, the private key itself is not handled; instead, the secure enclave is instructed to create the key, securely store it, and perform operations with it.”),  wherein the client key is retrieved by the application server from the security storage component to validate the security token (DUNJIC, [¶0079]” the server receives, from a client application, a first signal including a request to obtain an access token for accessing a protected resource, such as an API or database. The request includes a unique client identifier, a unique user identifier, and a public key associated with an end-user of the client application. The server validates the request, and transmits to the client application a second signal including a requested access token for accessing the protected resource “, (DUNJIC, [0069]” As part of the request to the authorization server, the client application submits, at least: a client identifier uniquely identifying the client application, a user identifier uniquely identifying an end user of the client application, and the user-specific public key generated in operation 516.”), wherein the security storage component is either [external to the authentication server] or within the authentication server (DUNJIC ,[0067]” A public key and a private key are generated together. In at least some embodiments, the private key of the public-private key pair is generated in a hardware-based key manager, or a “secure enclave”, on the user's device. The secure enclave is isolated from the main processor of the user's device to provide an extra layer of security. When the private key is stored in the secure enclave, the private key itself is not handled; instead, the secure enclave is instructed to create the key, securely store it, and perform operations with it”).
However, DUNJIC does not explicitly teach security component [external to the authentication server].
Wherein, UY  teaches security component [external to the authentication server]  (UY, [¶0030]” authentication server 104 may be associated with a third party cloud provider (e.g., rather than a telecommunication provider) and may associate the identifier and the configured public key using secure data storage.”).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified DUNJIC to incorporate the teaching of UY to utilize the above feature, with the motivation of enhancing the security through providing a secure data storage, regardless of a channel used to transmit the identifier and the configured public key, as recognized by (UY [0032]).


Claims (12,17, and 20) is/are rejected under 35 U.S.C. 103 as being unpatentable over DUNJIC et al. (US-20190372958-A1, DUNJIC referred to as "DUNJIC”) in view of  CHIPMAN et al. (US-20180075081-A1, CHIPMAN referred to as " CHIPMAN”) and further view of MUSABEYOGLU et al. (US-20200294338 -A1, MUSABEYOGLU referred to as " MUSABEYOGLU”)

Referring to claim 12, DUNJIC teaches the method of claim 1, further comprising: in response to a request to revoke security tokens associated with the client and the identifier (DUNJIC, [¶0086]” the server may revoke, at least, the access token provided to the client application at a token {i.e., identifier part of the token} revocation endpoint. In some embodiments, the server may revoke all tokens (including the refresh token) assigned to the client application upon receiving the third signal.re-gene“). 
when a request for a resource is received at the application server, wherein the request includes a security token that is [determined to be invalid as including a security token comprising an identifier that is invalidated, rejecting the request to provide the resource from the application server to the client.] (DUNJIC, [¶0073]” The request to access the protected resource includes the access/bearer token, the cryptographic nonce, and the digital signature.”, [¶0004] a client application executing on a user's mobile device may, upon receiving permission from the user, request to access the user's resources (e.g. data, services) at a resource server“). 
However, DUNJIC does not teach explicitly regenerating the identifier of the client to a new identifier comprising deleting the identifier, wherein regenerating the identifier invalidates one or more security tokens issued based on the identifier
Wherein, CHIPMAN teaches regenerating the identifier of the client to a new identifier comprising deleting the identifier, wherein regenerating the identifier invalidates one or more security tokens issued based on the identifier (CHIPMAN, [¶0024]” A “token” may include an identifier for an account that is a substitute for account data, such as an account number”,  [¶0087]” Embodiments further enable the resource provider computer to add context to the generated tokens (e.g. to contextually value the generated tokens) to associate an importance value to the generated tokens. Moreover, embodiments allow for recycling of the expired tokens by deleting the token from the token vault (or token database) and allowing for the token to be associated with a new account identifier in response to a recent (e.g. new) token generation request. As provided above, the tokens stored at the token vault are generated on behalf of a resource provider. Embodiments enable the resource provider to manage the tokens generated on its behalf by deleting expired tokens or by assigning level values (e.g. token importance indicator) to the tokens.”, i.e., delete token including deleting the identifier); and

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified DUNJIC to incorporate the teaching of CHIPMAN to utilize the above feature, with the motivation of allowing the users to keep their number of tokens lower, thus reducing concerns (e.g. cost, security concerns, duplicated tokens, and surprise charges) associated with their token portfolio, as recognized by (CHIPMAN [0017]).
However, DUNJIC in view of CHIPMAN does not explicitly teach security token that [determined to be invalid as including a security token comprising an identifier that is invalidated, rejecting the request to provide the resource from the application server to the client.]
wherein, MUSABEYOGLU teaches security token that [determined to be invalid as including a security token comprising an identifier that is invalidated, rejecting the request to provide the resource from the application server to the client.] MUSABEYOGLU [¶0078]” an identifier associated with the user's user device may also be received with the access token. The remote server may reject the access token as being invalid if the identifier does not match the user device on record (e.g., the one to which the access token was provided).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified (DUNJIC in view of CHIPMAN) to incorporate the teaching of MUSABEYOGLU to utilize the above feature, with the motivation of restrict access to a secure area or resource, as recognized by (MUSABEYOGLU [0055]).

Referring to claim 17, DUNJIC teaches the computer-readable medium of claim 13, wherein the request includes information associated with a location of the client key to be retrieved by the application server (DUNJIC, [0067]” After receiving the authorization code, the client application may perform one or more intermediate operations, such as generating a unique identifier {i.e., client key} of the end-user. In operation 516, the client application may cause a pair of user-specific asymmetric cryptographic keys to be generated on the device. A public key and a private key are generated together. In at least some embodiments, the private key of the public-private key pair is generated in a hardware-based key manager, or a “secure enclave”, on the user's device. The secure enclave is isolated from the main processor of the user's device to provide an extra layer of security.”, (DUNJIC, [¶0079]” the server receives, from a client application, a first signal including a request to obtain an access token for accessing a protected resource, such as an API or database. The request includes a unique client identifier, a unique user identifier, and a public key associated with an end-user of the client application. The server validates the request, and transmits to the client application a second signal including a requested access token for accessing the protected resource “, (DUNJIC, [0069]” As part of the request to the authorization server, the client application submits, at least: a client identifier uniquely identifying the client application, a user identifier uniquely identifying an end user of the client application, and the user-specific public key generated in operation 516.”), and 
wherein the computer-readable medium further comprises instructions which, when executed by the one or more processors, cause the one or more processors to perform operations comprising: in response to a request to revoke security tokens associated with the client and the identifier (DUNJIC, [¶0086]” the server may revoke, at least, the access token provided to the client application at a token {i.e., identifier part of the token} revocation endpoint. In some embodiments, the server may revoke all tokens (including the refresh token) assigned to the client application upon receiving the third signal.re-gene“).
and when a request for a resource is received at the application server (DUNJIC, [¶0073]” The request to access the protected resource includes the access/bearer token, the cryptographic nonce, and the digital signature.”, [¶0004] a client application executing on a user's mobile device may, upon receiving permission from the user, request to access the user's resources (e.g. data, services) at a resource server“), wherein the request includes a [security token that is determined to be invalid as including a security token comprising an identifier that is invalidated, rejecting the request to provide the resource from the application server to the client] (DUNJIC, [¶0073]” The request to access the protected resource includes the access/bearer token, the cryptographic nonce, and the digital signature.”, [¶0004] a client application executing on a user's mobile device may, upon receiving permission from the user, request to access the user's resources (e.g. data, services) at a resource server“).
However, DUNJIC does not teach explicitly regenerating the identifier of the client to a new identifier comprising deleting the identifier, wherein regenerating the identifier invalidates one or more security tokens issued based on the identifier
Wherein, CHIPMAN teaches regenerating the identifier of the client to a new identifier comprising deleting the identifier (CHIPMAN, [¶0024]” A “token” may include an identifier for an account that is a substitute for account data, such as an account number”,  [¶0087]” Embodiments further enable the resource provider computer to add context to the generated tokens (e.g. to contextually value the generated tokens) to associate an importance value to the generated tokens. Moreover, embodiments allow for recycling of the expired tokens by deleting the token from the token vault (or token database) and allowing for the token to be associated with a new account identifier in response to a recent (e.g. new) token generation request. As provided above, the tokens stored at the token vault are generated on behalf of a resource provider. Embodiments enable the resource provider to manage the tokens generated on its behalf by deleting expired tokens or by assigning level values (e.g. token importance indicator) to the tokens.”, i.e., delete token including delete the identifier), wherein regenerating the identifier invalidates one or more security tokens issued based on the identifier (CHIPMAN, [¶0024]” A “token” may include an identifier for an account that is a substitute for account data, such as an account number”,  [¶0087]” Embodiments further enable the resource provider computer to add context to the generated tokens (e.g. to contextually value the generated tokens) to associate an importance value to the generated tokens. Moreover, embodiments allow for recycling of the expired tokens by deleting the token from the token vault (or token database) and allowing for the token to be associated with a new account identifier in response to a recent (e.g. new) token generation request. As provided above, the tokens stored at the token vault are generated on behalf of a resource provider. Embodiments enable the resource provider to manage the tokens generated on its behalf by deleting expired tokens or by assigning level values (e.g. token importance indicator) to the tokens.”, i.e., delete token including the identifier);
Same motivation as claim 12.
However, DUNJIC in view of CHIPMAN does not explicitly teach [security token that is determined to be invalid as including a security token comprising an identifier that is invalidated, rejecting the request to provide the resource from the application server to the client.]
wherein, MUSABEYOGLU teaches [security token that is determined determined to be invalid as including a security token comprising an identifier that is invalidated, rejecting the request to provide the resource from the application server to the client.] MUSABEYOGLU [¶0078]” an identifier associated with the user's user device may also be received with the access token. The remote server may reject the access token as being invalid if the identifier does not match the user device on record (e.g., the one to which the access token was provided).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified (DUNJIC in view of CHIPMAN) to incorporate the teaching of MUSABEYOGLU to utilize the above feature, with the motivation of restrict access to a secure area or resource, as recognized by (MUSABEYOGLU [0055]).

Referring to claim 20, DUNJIC teaches the system of claim 18, wherein the security token is generated at the authentication server in response to a request sent by the client to the authentication server (DUNJIC, [¶0090]”a user of a mobile device may input their user credentials on the device. The device then requests an authentication server to verify that the first credentials belong to a user that is authorized to access the protected resource, in operation 704. That is, the processor transmits to an authentication server, a first signal including a request to verify that the first credentials are authorized for accessing the protected resource. The first credentials may, for example, be compared to and validated against a database of identifies of authorized users/entities.”, [¶0091]“ When the first credentials are determined to be authorized for accessing the protected resource, the device receives from the authentication server a second signal that includes an access token for use in authenticating the user on requests to access the protected resource, in operation 706 “), wherein during the generation the received request is validated at the authentication server  (DUNJIC, [¶0090]” The device then requests an authentication server to verify that the first credentials belong to a user that is authorized to access the protected resource, in operation 704. That is, the processor transmits to an authentication server, a first signal including a request to verify that the first credentials are authorized for accessing the protected resource.“), the client key is collected from a security storage component (DUNJIC, [¶0079]” the server receives, from a client application, a first signal including a request to obtain an access token for accessing a protected resource, such as an API or database. The request includes a unique client identifier, a unique user identifier, and a public key associated with an end-user of the client application. The server validates the request, and transmits to the client application a second signal including a requested access token for accessing the protected resource “), a message authentication code of a payload portion of the security token is computed based on the client key (DUNJIC, [0069]” As part of the request to the authorization server, the client application submits, at least: a client identifier uniquely identifying the client application, a user identifier uniquely identifying an end user of the client application, and the user-specific public key generated in operation 516.” , [¶0070]” the authorization server validates the request for an access token submitted by the client application. The authorization server may include, or be connected to, the mobile security service 132 of FIG. 1 and a security token service (included, for example, as a token endpoint of an identity provider). As part of the operation of validating the request, the authorization server may generate a request to exchange the authorization code for a set of one or more tokens, and submit the request to the security token service.”), wherein the generated security token is signed with a public key of the authentication server([¶0071] “The end-user public key is also saved at the authorization server. The public key may be saved in association with the tokens (e.g. ID token, access token) which were generated as a result of the request submitted by the client application in operation 518.”, [¶0075]” the authorization server validates the bearer token. The digital signature may be verified by using the public key.”),  and wherein the security token includes the computed message authentication code as part of a header part of the security token ([¶0076]” the authorization server sends the web server associated with the protected resource a notification indicating that the bearer token is valid, in operation 532. For example, a message notifying the web server that the bearer token is valid may be generated and signed using a private key that is specific to the authorization server.”), wherein the request includes information associated with a location of the client key to be retrieved by the application server  (DUNJIC, [0067]” After receiving the authorization code, the client application may perform one or more intermediate operations, such as generating a unique identifier {i.e., client key} of the end-user. In operation 516, the client application may cause a pair of user-specific asymmetric cryptographic keys to be generated on the device. A public key and a private key are generated together. In at least some embodiments, the private key of the public-private key pair is generated in a hardware-based key manager, or a “secure enclave”, on the user's device. The secure enclave is isolated from the main processor of the user's device to provide an extra layer of security.”, (DUNJIC, [¶0079]” the server receives, from a client application, a first signal including a request to obtain an access token for accessing a protected resource, such as an API or database. The request includes a unique client identifier, a unique user identifier, and a public key associated with an end-user of the client application. The server validates the request, and transmits to the client application a second signal including a requested access token for accessing the protected resource “, (DUNJIC, [0069]” As part of the request to the authorization server, the client application submits, at least: a client identifier uniquely identifying the client application, a user identifier uniquely identifying an end user of the client application, and the user-specific public key generated in operation 516.”); and
wherein the computer-readable storage device further comprises instructions which, when executed by the computing device, cause the computing device to perform operations comprising:
in response to a request to revoke security tokens associated with the client and the identifier (DUNJIC, [¶0086]” the server may revoke, at least, the access token provided to the client application at a token {i.e., identifier part of the token} revocation endpoint. In some embodiments, the server may revoke all tokens (including the refresh token) assigned to the client application upon receiving the third signal.re-gene“). 
and when a request for a resource is received at the application server, wherein the request includes a security token that is determined to be invalid as including a security token comprising an [identifier that is invalidated, rejecting the request to provide the resource from the application server to the client.] (DUNJIC, [¶0073]” The request to access the protected resource includes the access/bearer token, the cryptographic nonce, and the digital signature.”, [¶0004] a client application executing on a user's mobile device may, upon receiving permission from the user, request to access the user's resources (e.g. data, services) at a resource server“).
However, DUNJIC does not teach explicitly regenerating the identifier of the client to a new identifier comprising deleting the identifier, wherein regenerating the identifier invalidates one or more security tokens issued based on the identifier.
Wherein, CHIPMAN teaches regenerating the identifier of the client to a new identifier comprising deleting the identifier, wherein regenerating the identifier invalidates one or more security tokens issued based on the identifier (CHIPMAN, [¶0024]” A “token” may include an identifier for an account that is a substitute for account data, such as an account number”,  [¶0087]” Embodiments further enable the resource provider computer to add context to the generated tokens (e.g. to contextually value the generated tokens) to associate an importance value to the generated tokens. Moreover, embodiments allow for recycling of the expired tokens by deleting the token from the token vault (or token database) and allowing for the token to be associated with a new account identifier in response to a recent (e.g. new) token generation request. As provided above, the tokens stored at the token vault are generated on behalf of a resource provider. Embodiments enable the resource provider to manage the tokens generated on its behalf by deleting expired tokens or by assigning level values (e.g. token importance indicator) to the tokens.”.
Same motivation as claim 12.
However, DUNJIC in view of CHIPMAN does not explicitly teach [determined to be invalid as including a security token comprising an identifier that is invalidated, rejecting the request to provide the resource from the application server to the client.]
wherein, MUSABEYOGLU teaches [determined to be invalid as including a security token comprising an identifier that is invalidated, rejecting the request to provide the resource from the application server to the client.] (MUSABEYOGLU [¶0078]” an identifier associated with the user's user device may also be received with the access token. The remote server may reject the access token as being invalid if the identifier does not match the user device on record (e.g., the one to which the access token was provided).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified (DUNJIC in view of CHIPMAN) to incorporate the teaching of MUSABEYOGLU to utilize the above feature, with the motivation of restrict access to a secure area or resource, as recognized by (MUSABEYOGLU [0055]).

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. HUNT et al. (US- 20200162255-A1, HUNT referred to as " HUNT”) suggests (par. [0092]) “the user agent may be a system that supports the user-centric features of the collaborating system, such as registration and then secure storage of any identity-related properties, tokens, or identifiers that are mandated by the access/session management system.”).
Any inquiry concerning this communication or earlier communications from the
examiner should be directed to AHMED HUMADI whose telephone number is (571)272-2066.
The examiner can normally be reached (7:30 am - 4:00 pm) Monday to Thursday.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at
http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Eleni Shiferaw, can be reached on (571) 272-3867. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be
obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


/AHMED HUMADI/           Examiner, Art Unit 2497                                                                                                                                                                                             
/JORGE L ORTIZ CRIADO/           Supervisory Patent Examiner, Art Unit 2496