DETAILED ACTION

Claims 1-11 and 13-20 are allowed. Claim 12 is cancelled.
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.


Information Disclosure Statement
The Information Disclosure Statement(s) submitted by applicant on 04/08/2022 and 01/28/2021 has/have been considered. The submission is in compliance with the provisions of 37 CFR § 1.97. Form PTO-1449 signed and attached hereto.

EXAMINER’S AMENDMENT

An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.
Authorization for this examiner’s amendment was given in a telephone interview with Jonathan Solomon on 08/22/2022. 

This listing of claims will replace all prior versions and listings of claims in the application:
IN THE CLAIMS:

1. 	(Currently Amended)	A computer-implemented method executed at an authorization server, the method comprising:
	receiving, from a client application, a first request to generate a new access token for authorization of the client application with an application server, wherein the first request includes a first protected version of a refresh token to authenticate with the authorization server for generating the new access token, wherein the first protected version of the refresh token is an encrypted version of the refresh token based on a first client identifier, and wherein the refresh token is a self-contained token that is readable by the authorization server;
	decrypting the first protected version of the refresh token to determine content of the refresh token, wherein the decrypting of the first protected version is based on a second client identifier of the client application that is externally invoked for validating the authorization;
	in response to successfully decrypting the first protected version of the refresh token, performing a validation of the refresh token to determine whether to authorize a generation of the new access token for the client application; [[and]]
	in response to successfully validating the refresh token: 
		generating the new access token; and
		providing the new access token to the client application;
	receiving a subsequent request to generate a second new access token, wherein the subsequent request includes a second protected version of the refresh token, wherein the second protected version is a second encrypted version of the refresh token, wherein the refresh token is encrypted with a new client identifier different from the first client identifier to generate the second protected version of the refresh token; and
	replacing the second client identifier with a third client identifier that decrypts the second protected version of the refresh token, wherein the second and the third client identifier are persisted at a key store where a single version of a client identifier for the client application is maintained at any point in time.

2.	(Original)	The method of claim 1, wherein the first protected version of the refresh token is generated by the client application based on the first client identifier of the client application and the refresh token.

3. 	(Original)	The method of claim 2, wherein the first client identifier and the second client identifier are identical.

4.	(Original)	The method of claim 1, further comprising obtaining, from a key management tool, the second client identifier of the client application as a current client identifier for decrypting protected refresh tokens received with requests for generation of access tokens.

5. 	(Currently Amended)	The method of claim 1, wherein the first protected version of the refresh token is generated by encrypting the refresh token with the first client identifier, wherein the first protected version of the refresh token is decrypted based on the second client identifier, and wherein the first client identifier and the second client identifier are [[are]] symmetric keys generated for secure protection of exchanged information associated with the client application. 

6.	(Currently Amended)	The method of claim 1, wherein a signature is generated for the [[the]] refresh token based on the first client identifier and is sent together with the protected version of the refresh token to the authorization server.

7. 	(Original)	The method of claim 6, wherein decrypting the first protected version of the refresh token comprises:
	validating the signature of the first protected version of the refresh token, wherein the signature is validated based on the second client identifier. 

8.	(Original)	The method of claim 1, wherein the first protected version of the refresh token that is received as part of the first request to generate the access token includes the refresh token and a message authentication code, wherein the message authentication code is computed based on at least a portion of the refresh token and the first client identifier. 

9.	(Original)	The method of claim 1, wherein successfully decrypting the first protected version of the refresh token to determine the content of the refresh token further comprises:
	decrypting the first protected version of the refresh token based on the second client identifier of the client application; and 
	in response to successfully decrypting the first protected version of the refresh token with the second client identifier, validating the refresh token as a valid token for requesting the new access token. 

10.	(Original)	The method of claim 1, wherein the refresh token is a string representing an authorization granted and is associated with a first validity period, wherein the new access token is associated with a second validity period, and wherein the first validity period is longer than the second validity period. 

11.	(Original)	The method of claim 1, wherein the refresh token is generated by the authorization server, and wherein the refresh token is associated with the client application and the application server. 

12.	(Cancelled).

13.	(Currently Amended)	A non-transitory, computer-readable medium coupled to one or more processors and having instructions stored thereon which, when executed by the one or more processors, cause the one or more processors to perform operations, the operations comprising:
	receiving, from a client application, a first request to generate a new access token for authorization of the client application with an application server, wherein the first request includes a first protected version of a refresh token to authenticate with the authorization server for generating the new access token, wherein the first protected version of the refresh token is an encrypted version of the refresh token based on a first client identifier, and wherein the refresh token is a self-contained token that is readable by the authorization server;
	decrypting the first protected version of the refresh token to determine content of the refresh token, wherein the decrypting of the first protected version is based on a second client identifier of the client application that is externally invoked for validating the authorization;
	in response to successfully decrypting the first protected version of the refresh token, performing a validation of the refresh token to determine whether to authorize a generation of the new access token for the client application; [[and]]
	in response to successfully validating the refresh token: 
		generating the new access token; and
		providing the new access token to the client application;
	receiving a subsequent request to generate a second new access token, wherein the subsequent request includes a second protected version of the refresh token, wherein the second protected version is a second encrypted version of the refresh token, wherein the refresh token is encrypted with a new client identifier different from the first client identifier to generate the second protected version of the refresh token; and
	replacing the second client identifier with a third client identifier that decrypts the second protected version of the refresh token, wherein the second and the third client identifier are persisted at a key store where a single version of a client identifier for the client application is maintained at any point in time.


14.	(Original)	The computer-readable medium of claim 13, wherein the first protected version of the refresh token is generated by the client application based on the first client identifier of the client application and the refresh token.

15.	(Currently Amended)	The computer-readable medium of claim 13, further comprising instructions which, when executed by the one or more processors, cause the one or more processors to perform operations comprising obtaining, from a key management tool, the second client identifier of the client application as a current client identifier for decrypting protected refresh tokens received with requests for generation of access tokens, wherein the first protected version of the refresh token is generated by encrypting the refresh token with the first client identifier, wherein the first protected version of the refresh token is decrypted based on the second client identifier, and wherein the first client identifier and the second client identifier are [[are]] symmetric keys generated for secure protection of exchanged information associated with the client application. 

16.	(Currently Amended)	The computer-readable medium of claim 13, wherein a signature is generated for the [[the]] refresh token based on the first client identifier and is sent together with the protected version of the refresh token to the authorization server, and wherein the instructions to decrypt the first protected version of the refresh token further comprise instructions, which when executed by the one or more processors, cause the one or more processors to perform operations comprising:
	validating the signature of the first protected version of the refresh token, wherein the signature is validated based on the second client identifier. 
 
17.	(Original)	The computer-readable medium of claim 13, wherein successfully decrypting the first protected version of the refresh token to determine the content of the refresh token further comprises instructions which when executed by the one or more processors, cause the one or more processors to perform operations comprising:
	decrypting the first protected version of the refresh token based on the second client identifier of the client application; and 
	in response to successfully decrypting the first protected version of the refresh token with the second client identifier, validating the refresh token as a valid token for requesting the new access token.  

18.	(Currently Amended)	A system comprising:
a computing device; and
a computer-readable storage device coupled to the computing device and having instructions stored thereon which, when executed by the computing device, cause the computing device to perform operations, the operations comprising:
		receiving, from a client application, a first request to generate a new access token for authorization of the client application with an application server, wherein the first request includes a first protected version of a refresh token to authenticate with the authorization server for generating the new access token, wherein the first protected version of the refresh token is an encrypted version of the refresh token based on a first client identifier, and wherein the refresh token is a self-contained token that is readable by the authorization server;
		decrypting the first protected version of the refresh token to determine content of the refresh token, wherein the decrypting of the first protected version is based on a second client identifier of the client application that is externally invoked for validating the authorization;
		in response to successfully decrypting the first protected version of the refresh token, performing a validation of the refresh token to determine whether to authorize a generation of the new access token for the client application; [[and]]
		in response to successfully validating the refresh token: 
			generating the new access token; and
			providing the new access token to the client application;
		receiving a subsequent request to generate a second new access token, wherein the subsequent request includes a second protected version of the refresh token, wherein the second protected version is a second encrypted version of the refresh token, wherein the refresh token is encrypted with a new client identifier different from the first client identifier to generate the second protected version of the refresh token; and
		replacing the second client identifier with a third client identifier that decrypts the second protected version of the refresh token, wherein the second and the third client identifier are persisted at a key store where a single version of a client identifier for the client application is maintained at any point in time.

19.	(Currently Amended)	The system of claim 18, wherein the first protected version of the refresh token is generated by the client application based on the first client identifier of the client application and the refresh token, and wherein the computer-readable storage device further comprises instructions which, when executed by the one or more processors, cause the one or more processors to perform operations comprising obtaining, from a key management tool, the second client identifier of the client application as a current client identifier for decrypting protected refresh tokens received with requests for generation of access tokens, wherein the first protected version of the refresh token is generated by encrypting the refresh token with the first client identifier, wherein the first protected version of the refresh token is decrypted based on the second client identifier, and wherein the first client identifier and the second client identifier are [[are]] symmetric keys generated for secure protection of exchanged information associated with the client application. 
 
20.	(Original)	The system of claim 18, wherein successfully decrypting the first protected version of the refresh token to determine the content of the refresh token further comprises instructions which when executed by the one or more processors, cause the one or more processors to perform operations comprising:
	decrypting the first protected version of the refresh token based on the second client identifier of the client application; and 
	in response to successfully decrypting the first protected version of the refresh token with the second client identifier, validating the refresh token as a valid token for requesting the new access token.  
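The following is an added illustration in Go, not code of the applicant, the examiner or the cited art: an authorization server that decrypts a refresh token protected under the client's current symmetric key ("client identifier") held in a key store keeping a single key version per client, validates the self-contained token, issues a shorter-lived access token, and rotates the key so a token sealed under the replaced key no longer decrypts (claims 1, 5, 10 and 13 above). AES-GCM is assumed as the cipher because the claims name none; the client name, keys and timestamps are constructed values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// RefreshToken is the self-contained token the server reads once decrypted.
type RefreshToken struct {
	Client  string `json:"client"`
	Expires int64  `json:"exp"` // Unix seconds
}

// AuthServer owns the key store: exactly one current key per client.
type AuthServer struct{ Keys map[string][]byte }

// Rotate replaces the client's key in place, so no older version survives.
func (a *AuthServer) Rotate(client string, key []byte) { a.Keys[client] = key }

func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Protect is the client-side step: seal the refresh token under the client key, binding the client name as associated data.
func Protect(key []byte, tok RefreshToken) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil {
		return nil, err
	}
	plain, _ := json.Marshal(tok)
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plain, []byte(tok.Client)), nil // nonce || ciphertext
}

// Refresh decrypts with the client's current key, validates the token and issues
// a short-lived access token; a token sealed under a stale key fails to decrypt.
func (a *AuthServer) Refresh(client string, protected []byte, now int64) (string, error) {
	aead, err := gcm(a.Keys[client]) // unknown client -> nil key -> error
	if err != nil {
		return "", fmt.Errorf("no usable key for %q: %w", client, err)
	}
	n := aead.NonceSize()
	if len(protected) < n {
		return "", fmt.Errorf("malformed protected token")
	}
	plain, err := aead.Open(nil, protected[:n], protected[n:], []byte(client))
	if err != nil {
		return "", fmt.Errorf("decryption failed: wrong key or tampered token")
	}
	var tok RefreshToken
	if err := json.Unmarshal(plain, &tok); err != nil || tok.Client != client || now >= tok.Expires {
		return "", fmt.Errorf("refresh token invalid or expired")
	}
	return fmt.Sprintf("access:%s:%d", client, now+600), nil // 10 min, shorter than the refresh token
}
```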



Allowable Subject Matter
The prior art made of record and not relied upon is considered pertinent to applicant’s disclosure [see USPTO Notice of References Cited Form 892]:

Bahety et al. (US Patent Application No. 20210288808) discloses a secure token refresh in which an authentication service receives a first message from a client with a first access token request and, in response, sends a message that includes a first access token to the client (para 4). In response, the authentication service verifies the first signed proof data with the public key stored in association with the first access token, generates a second access token, stores the second access token in association with the public key, and sends a fifth message to the client with the second access token (para 5).
Claims 1-11 and 13-20 are allowed over the prior art made of record.
The following is an examiner's statement of reasons for allowance:
Interpreting the claims in light of the specification, the Examiner finds the claimed invention is patentably distinct from the prior art of record, as set forth in the following:
The prior art of record does not teach the combination of claimed elements, including under the broadest reasonable interpretation of the claimed limitations consistent with the Applicant's Specification. The prior art cited above fails to teach all of the Applicant's claimed limitations. In particular, the claimed invention advantageously provides a finer level of detail that includes "At an authorization server, receiving, from a client application, a first request to generate a new access token for authorization of the client application with an application server, wherein the first request includes a first protected version of a refresh token to authenticate with the authorization server for generating the new access token, wherein the first protected version of the refresh token is an encrypted version of the refresh token based on a first client identifier, and wherein the refresh token is a self-contained token that is readable by the authorization server. Decrypting the first protected version of the refresh token to determine content of the refresh token, wherein the decrypting of the first protected version is based on a second client identifier of the client application that is externally invoked for validating the authorization, and in response to successfully decrypting the first protected version of the refresh token, performing a validation of the refresh token to determine whether to authorize a generation of the new access token for the client application; further, in response to successfully validating the refresh token: generating the new access token and providing the new access token to the client application. 
The method also includes the step of receiving a subsequent request to generate a second new access token, wherein the subsequent request includes a second protected version of the refresh token, wherein the second protected version is a second encrypted version of the refresh token, wherein the refresh token is encrypted with a new client identifier different from the first client identifier to generate the second protected version of the refresh token, and replacing the second client identifier with a third client identifier that decrypts the second protected version of the refresh token, wherein the second and the third client identifier are persisted at a key store where a single version of a client identifier for the client application is maintained at any point in time.", in combination with the other limitations of the claims, was not disclosed by, would not have been obvious over, nor would have been fairly suggested by the prior art of record in the context of the claims and the specification.
The dependent claims, being further limiting to the independent claims, definite and enabled by the Specification are also allowed.
The Examiner asserts that the claims overcome the prior art of record as described above when the limitations are read in combination with the respective claimed limitations in their entirety. Thus, the prior art of record neither renders obvious nor anticipates the combination of claimed elements in light of the specification.
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee. Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”

Conclusion

Please see the attached PTO-892 for the prior art made of record and not relied upon, which is considered pertinent to applicant's disclosure. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MOHAMMAD A SIDDIQI whose telephone number is (571)272-3976. The examiner can normally be reached Monday-Friday.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Carl G Colin can be reached on 571-272-3862. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/MOHAMMAD A SIDDIQI/Primary Examiner, Art Unit 2493