DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

EXAMINER’S AMENDMENT
An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.
Authorization for this examiner’s amendment was given by Ryan McCarthy (Reg. No. 50,636) on June 17, 2022.

The application has been amended as follows: 

Regarding claim 1: (Currently Amended) A computer-implemented method for secure access token forwarding between components in cloud platforms, the method being executed by one or more processors and comprising:
receiving, from a first component and by a second component in a cloud platform, a first call, a token, and a first client certificate; wherein the token provided to the first component in response to a request from the first component to a central identity and authentication service (IAS) of the cloud platform, and the first client certificate is provided during execution of a process to generate the token;
determining, by the second component, a first client identifier associated with the first component;
determining, by the second component, that the first client identifier is included in a manifest of the token, the manifest defining at least a portion of a communication path between components within the cloud platform, and in response:
executing functionality responsive to the first call;
receiving, from a third component and by the second component, a second call, the token, and a second client certificate;
determining, by the second component, a second client identifier associated with the third component; and
determining, by the second component, that the second client identifier is absent from the manifest of the token, and in response:
transmitting an error to the third component.

Regarding claims 5-6: (Currently Cancelled) 

Regarding claim 8: (Currently Amended) A non-transitory computer-readable storage medium coupled to one or more processors and having instructions stored thereon which, when executed by the one or more processors, cause the one or more processors to perform operations for secure access token forwarding between components in cloud platforms, the operations comprising:
receiving, from a first component and by a second component in a cloud platform, a first call, a token, and a first client certificate; wherein the token provided to the first component in response to a request from the first component to a central identity and authentication service (IAS) of the cloud platform, and the first client certificate is provided during execution of a process to generate the token;
determining, by the second component, a first client identifier associated with the first component;
determining, by the second component, that the first client identifier is included in a manifest of the token, the manifest defining at least a portion of a communication path between components within the cloud platform, and in response:
executing functionality responsive to the first call;
receiving, from a third component and by the second component, a second call, the token, and a second client certificate;
determining, by the second component, a second client identifier associated with the third component; and
determining, by the second component, that the second client identifier is absent from the manifest of the token, and in response:
transmitting an error to the third component.  

Regarding claims 12-13: (Currently Cancelled)

Regarding claim 15: (Currently Amended) A system, comprising:
a computing device; and
a computer-readable storage device coupled to the computing device and having instructions stored thereon which, when executed by the computing device, cause the computing device to perform operations for natural language explanations for secure access token forwarding between components in cloud platforms, the operations comprising:
receiving, from a first component and by a second component in a cloud platform, a first call, a token, and a first client certificate; wherein the token provided to the first component in response to a request from the first component to a central identity and authentication service (IAS) of the cloud platform, and the first client certificate is provided during execution of a process to generate the token;
determining, by the second component, a first client identifier associated with the first component;
determining, by the second component, that the first client identifier is included in a manifest of the token, the manifest defining at least a portion of a communication path between components within the cloud platform, and in response:
executing functionality responsive to the first call;
receiving, from a third component and by the second component, a second call, the token, and a second client certificate;
determining, by the second component, a second client identifier associated with the third component; and
determining, by the second component, that the second client identifier is absent from the manifest of the token, and in response:
transmitting an error to the third component.  

Regarding claims 19-20: (Currently Cancelled)
	
Reasons for Allowance
The following is an examiner’s statement of reasons for allowance: 
Claims 1-3, 7-10 and 14-17 are considered allowable.

The Prior Art Schmaltz, III et al. US Patent Application Publication No. 2020/0259652 teaches methods, systems and devices for hardening security between web services using protected forwarded access tokens. User applications receive user tokens with user information from an identity provider and provide the user tokens to first services with data requests. Each first service extracts and transforms a portion of a user token to validate a user token signature, and determines a target service for the data request. The first services acquire actor tokens from the identity provider that uniquely identify the first services using public keys, and then generate authentication tokens, signed with corresponding private keys, that encapsulate the actor tokens and the transformed user tokens. The signed authentication tokens are provided to target services which validate the authentication tokens as well as the encapsulated tokens and their respective signatures. Upon validation, requested data is retrieved and provided back for the user applications from the target services.

The Prior Art Suresh et al. US Patent Application Publication No. 2020/0195439 teaches systems and methods for establishing a secure connection. A server receives a plurality of routing tokens for establishing a service connection between a service node and the server along a network path through a plurality of network devices. Each routing token can be validated by a corresponding network device. The server transmits a packet including the routing tokens to a first network device. The first network device validates a first routing token associated therewith, then directs the packet along the network path to a second network device, and so forth, until each of the network devices receives and validates its routing token. The server establishes a cryptographic context between the service node and server for establishing a secure channel between the service node and the server. The server transmits a service node routing token to the service node via the secure channel for validation.

The Prior Art Kariv et al. US Patent Application Publication No. 2011/0307947 teaches systems, methods and apparatus for accessing at least one resource hosted by at least one server of a cloud service provider. In some embodiments, a client computer sends authentication information associated with a user of the client computer and a statement of health regarding the client computer to an access control gateway deployed in an enterprise's managed network. The access control gateway authenticates the user and determines whether the user is authorized to access the at least one resource hosted in the cloud. If the user authentication and authorization succeeds, the access control gateway requests a security token from a security token service trusted by an access control component in the cloud and forwards the security token to the client computer. The client computer sends the security token to the access component in the cloud to access the at least one resource from the at least one server.

The instant application is allowable over Schmaltz, III et al., Suresh et al. and Kariv et al. described above, either singularly or in combination, due to the instant application teaching different and detailed methods, systems, and computer-readable storage media for receiving, from a first component and by a second component in a cloud platform, a call, a token, and a first client certificate, determining, by the second component, a first client identifier associated with the first component, and determining, by the second component, that the first client identifier is included in a manifest of the token, the manifest defining at least a portion of a communication path between components within the cloud platform, and in response: executing functionality responsive to the call.

The prior art of record does not disclose, teach, or suggest, either singly or in combination, the claimed limitations of “[A] computer-implemented method for secure access token forwarding between components in cloud platforms, receiving, from a first component and by a second component in a cloud platform, a first call, a token, and a first client certificate; wherein the token provided to the first component in response to a request from the first component to a central identity and authentication service (IAS) of the cloud platform, and the first client certificate is provided during execution of a process to generate the token; determining, by the second component, a second client identifier associated with the third component; and determining, by the second component, that the second client identifier is absent from the manifest of the token, and in response: transmitting an error to the third component” as recited in independent claims 1, 8 and 15 in combination with the remaining elements of the claim as a whole. Therefore, the claims of the instant application are allowable over the cited prior art.
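The manifest check that the allowed claims recite (a second component deriving the caller's client identifier from the presented client certificate, executing the call when that identifier is in the token's manifest, and returning an error when it is absent) can be illustrated with a small Python model. This is an added example, not the applicant's implementation or any code from the application; it assumes an HMAC-signed token format, a SHA-256 certificate fingerprint as the client identifier, and a constructed dataclass standing in for an X.509 client certificate, none of which the record specifies.

```python
import base64
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Optional


# Constructed stand-in for an X.509 client certificate. A real second component
# would take the DER certificate the caller presents during mutual TLS; here
# `der` is just constructed bytes so the example runs offline.
@dataclass(frozen=True)
class ClientCertificate:
    subject: str
    der: bytes


def client_identifier(cert: ClientCertificate) -> str:
    """Client identifier = SHA-256 fingerprint of the certificate (assumed scheme)."""
    return hashlib.sha256(cert.der).hexdigest()


def _b64u(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64u_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# Constructed IAS signing key. The central IAS would hold a real secret (or an
# asymmetric key whose public half the components verify against).
IAS_KEY = b"constructed-example-ias-key"


def ias_issue_token(requester_cert: ClientCertificate, manifest: list, key: bytes = IAS_KEY) -> str:
    """Token generation at the IAS: the requesting component presents its client
    certificate, and the issued token carries the manifest (the permitted
    communication path) bound to that requester."""
    requester = client_identifier(requester_cert)
    if requester not in manifest:
        raise ValueError("requester must be part of the manifest it asks for")
    payload = {"sub": requester, "manifest": list(manifest)}
    body = _b64u(json.dumps(payload, sort_keys=True).encode())
    sig = hmac.new(key, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64u(sig)}"


def verify_token(token: str, key: bytes = IAS_KEY) -> Optional[dict]:
    """Return the token payload if the IAS signature checks out, else None."""
    try:
        body, sig = token.split(".", 1)
        expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64u_decode(sig)):
            return None
        return json.loads(_b64u_decode(body))
    except (ValueError, json.JSONDecodeError):
        return None


def handle_call(call: str, token: str, caller_cert: ClientCertificate, key: bytes = IAS_KEY) -> dict:
    """Second component: verify the forwarded token, derive the caller's client
    identifier from the presented certificate, and execute the call only when
    that identifier appears in the token's manifest."""
    payload = verify_token(token, key)
    if payload is None:
        return {"status": "error", "reason": "token signature invalid"}
    caller_id = client_identifier(caller_cert)
    if caller_id not in payload["manifest"]:
        # Identifier absent from the manifest: transmit an error to the caller.
        return {"status": "error", "reason": "caller not in token manifest"}
    # Identifier present: execute functionality responsive to the call.
    return {"status": "ok", "result": f"executed {call} for {caller_cert.subject}"}


def run_example() -> tuple:
    """Walk through both outcomes with constructed components A, B and C."""
    first = ClientCertificate("component-A", b"constructed-der-A")
    second = ClientCertificate("component-B", b"constructed-der-B")
    third = ClientCertificate("component-C", b"constructed-der-C")  # not on the path
    # Manifest for the permitted path A -> B, issued to A by the IAS.
    token = ias_issue_token(first, [client_identifier(first), client_identifier(second)])
    allowed = handle_call("GET /orders", token, first)  # first call, from A
    denied = handle_call("GET /orders", token, third)   # same token presented by C
    # A manifest that lists C but is not signed by the IAS fails verification.
    forged = ias_issue_token(first, [client_identifier(first), client_identifier(third)], key=b"not-the-ias-key")
    rejected = handle_call("GET /orders", forged, third)
    return allowed["status"], denied["status"], rejected["status"]


if __name__ == "__main__":
    print(run_example())
```

The certificate fingerprint is what ties the manifest entry to the caller: a component that merely holds a copy of the token but presents its own certificate derives a different identifier and is refused, and a manifest that was rewritten to add that component fails the signature check before the manifest is consulted.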
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Fahimeh Mohammadi whose telephone number is (571)270-7857. The examiner can normally be reached Monday - Friday 9:00 - 5:00.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu Pham, can be reached at 571-270-5002. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/FAHIMEH MOHAMMADI/ Examiner, Art Unit 2439                    

/JEFFREY C PWU/Supervisory Patent Examiner, Art Unit 2433