DETAILED ACTION

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
This action is the responsive to the communication filed on 04/01/2021.



Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


As per claims 15-20, the claimed invention is directed to non-statutory subject matter.  The claim(s) does/do not fall within at least one of the four categories of patent eligible subject matter because:
 	As per claim 15, this claim recites the elements are server, system, plug-in, specification does not explicitly disclose that those elements are explicitly hardware. The body of the claim requires hardware to void the meaning of 35 USC 101. Those elements are purely software; Thus, this clam does not fall into any of four meaning of the statutory classes. 
     As per claims 16-20, those claims are rejected under 35 USC 101 as the same rational set forth the claim 15.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


Claim(s) 1-3,5-10,12-14 are rejected under 35 U.S.C. 103 as being unpatentable over Schmaltz III et al US 2020/0259652 hereafter Schmaltz in view of Yabe et al US 2018/0278603.

 	As per claim 1, Schmaltz discloses a method of securely exchanging a session token for a claims-based token by a plug-in integrated into an extensible system, the method comprising: 
 	transmitting, to an extensible system server of the extensible system(, i.e. target services), the session token and a request for a first claims-based token that corresponds to the session token and that is cryptographically signed by an authentication server (par 0051 and fig.3  Receive-transmit manager 210 may be configured to receive and transmit requests, data and information, i.e. tokens, session token,  Authentication tokens may encapsulate actor tokens , i.e. session token, and transformed, i.e. transmitting, user tokens for provision to target services and par 0063   an actor token that identifies the computing device executing forwarding manager 208, e.g., computing device 200, service host 106a, etc., may be received from ID provider host 104 as a claim  token and par 0066 service host 106b will only accept the actor token if the actor token is signed, includes the public key, and is inside the authentication token. Moreover, service host 106b will only accept the authentication token if the authentication token has an audience designated as service host 106b and is signed by ID provider host 104, i.e. authentication server, wherein the claim identity token is signed by the host authentication server ,  using the private key corresponding to the public key. Using the same key for the actor token as for the authentication token reduces the need of service host 106b to have a discovery endpoint (i.e., a routing endpoint to verify the server is calling the correct host with the correct permissions to get the requested data). 
acquiring, from the extensible system server, the first claims-based token ( par 0029  The signed authentication toke, i.e. the first claims based token,  is provided to the target service, i.e., the second service/microservice, i, which validates the authentication token as well as the encapsulated tokens and their respective signatures  ); 
transmitting, to the server, the first claims-based token and a request for a second claims-based token ( par 0060 user information provided with the first token, i.e. first claim ,  may be used in conjunction with the type of data requested to determine the target service. Target determiner 212 may provide indicia of the determined target service to authentication token generator 214. 0062 a second token is generated, the second token , i.e. second claim , including an actor token, from the identity provider, i.e. authentication sever, ); and 
receiving, from the server, the second claims-based token, wherein the second claims-based token is cryptographically signed by the authentication server(par 0063 authentication token generator 214 may be configured to generate the second token, which may be an authentication token. Authentication token generator 214 may include the first token, as modified with the hashed nonce, , in the second token such that the second token, i.e. second token,  encapsulates the first token.  And par 0064 the second token is signed with a private key corresponding to the public key. For instance, the second token generated in step 308 is signed by authentication token generator 214 using the private key of the public/private key pair that corresponds to the public key in the actor token. ), and 
wherein if the second claims-based token is transmitted to a resource provider server hosting a resource provider service ( par 0065 the second token and the request for data are provided to the target service. For example, the second token generated in step 310 may be provided from service host 106a to service host 106b over network 110 and  par 0066  service host 106b will only accept the actor token if the actor token is signed, includes the public key, and is inside the authentication token. Moreover, service host 106b will only accept the authentication token if the authentication token has an audience designated as service host 106b and is signed by ID provider host 104 using the private key corresponding to the public key. Using the same key for the actor token as for the authentication token reduces the need of service host 106b to have a discovery endpoint (i.e., a routing endpoint to verify the server is calling the correct host with the correct permissions to get the requested data)), the resource provider service performs a requested operation on behalf of an interactive user of the extensible system ( par 0069  In step 316, the data associated with the request for data and the first token are provided to the application of the user, i.e. interactive user. For example, the data received in step 314 and the token may be provided by receive-transmit manager 210, service host, resource provider,  to client device 102. In embodiments, the user token, with hashed, or unmodified, nonce may be provided to client device 102 with the data that was requested).  


 Schmaltz does not explicitly disclose signing a claim-based token by the authentication server; receiving, from the authentication server, a second claims-based token. 
 However Yabe discloses signing a claim-based token by the authentication server ( par 0041 The authentication/authorization server cooperation client 330 performs, from the authentication/authorization server 102, a request for authenticating a user or client, a request for issuing an access token, or acquisition of an access token. And 0055 the authentication/authorization server 102 that issues the signed access token sets values as follows. The URI of the authentication/authorization server 102 is set as “iss”; the Universally Unique Identifier (UUID) of a user is set as “sub”; and the URI of the resource server 103 is set as “aud”. Further, 3600 seconds from the JWT issuance time, i.e., “iat” value+3600, is set as “exp”, and the JWT issuance time, i.e., the same value as the value “iat”, is set as “nbf”. An access token ID of access token information is set as “jti”.[0056] In addition, according to JWS RFC7519, each claim in a claim name class “Private Claim” in Table 1 is a private claim name class used under an agreement between a JWT issuer and a user. Each claim in “Private Claim” is based on a premise that the claim does nor. conflict with another defined claim name. In the present exemplary embodiment, the claim name in the “Private Claim” class is characterized by including access token information (access token scope list “authz:scopes”, access token client ID “authz:client_id”), and attribute information (first name “ext:fname”, last name “ext:lname”, locale name “ext:locale”, tenant ID “ext:tenantid”, e-mail address “ext:e-mail”, and application ID “ext:appid”) associated with the access token.[0057] Specifically, in the present exemplary embodiment, the authentication/authorization server 102 that, issues the signed access token sets claims “authz:scopes” and “authz:client_id” as athorization information. Specifically, as “authz:scopes”, the resource server 103 sets a scope list representing resources that are permitted to be acquired, and also sets “authz:client_id” representing the ID of the client that accesses the resource server 103 as “authz:client_id”. The authentication/authorization server 102 that issues the signed access token sets the claim representing information about the user of the UUID set to “sub” as follows as attribute information associated with the token of “authz:tokened”. Specifically, a first name is set as “ext:fname”; a last name is set as “ext:lname”; information about a locale to which the user belongs is set as “ext:locale”; an ID of a tenant to which the user belongs is set as “ext:tenantid”; and an e-mail address is set as “ext:e-mail”); 
 	receiving, from the authentication server, a second claims-based token is verified  ( claim  1 a second access token to be verified by the authorization server, according to an issuance request for issuing an access token from a client, based on a predetermined parameter for the issuance request; a unit configured to transmit, to the client having sent the issuance request, one of the first access token issued and the second access token issued; and a unit configured to verify the second access token according to a verification request received together with the second access token). 

Yabe discloses also 0006 A signed access token is known as means for verifying the access token by the service A itself, without the need for the service A to request the authorization server to verify the access token. As the signed access token, JSON Web Token (JWT) and JSON Web Signature (JWS) are known. The use of these types of access tokens enables the service A to determine whether the access token is valid by verifying the signature of the received signed access token, without the need for confirmation to the authorization server.
par 0073 If the received access token is a signed access token, it is determined whether verification processing in the resource server 103 is permitted. 
 The both prior arts are provision resource for the signed token. Thus, they are analogues art.

Therefore, Motivation would have been obvious to one of ordinary skill in the art, before the effective filing data of the claimed invention, to incorporate providing the signing the token by the authentication server is taught by Yabe into the providing the second token as the claim-based access token of Schmaltz III to yield a predictable result would be the use of these types of access tokens enables the service  to determine whether the access token is valid by verifying the signature of the received signed access token, without the need for confirmation to the authorization server ( par 0006).

 	As per claim 2, Schmaltz in view of Yabe discloses the method of claim 1, further comprising Schmaltz disclose  cryptographically signing the request for the first claims-based token ( par 0003 The first service acquires an actor token from the identity provider that uniquely identifies the first service using a public key, and then generates an authentication token, signed with a corresponding private key, that encapsulates the actor token and the transformed user token. The signed authentication token is provided to the target service which validates the authentication token as well as the encapsulated tokens and their signatures).  

 	As per claim 3, Schmaltz in view of Yabe discloses the method of claim 2, Yabe discloses wherein acquiring the first claims-based token comprises retrieving the first claims-based token from a uniform resource locator (URL) configured for a webhook ( par 0092 WS payload with a digital signature is expressed and encoded (BASE64 URL encoding) as a compact URL-safe character ).  

 	As per claim 5, Schmaltz in view of Yabe discloses the method of claim 1, further comprising Yabe discloses receiving the session token from a device of the interactive user (par 0033   A client terminal 104 is a client terminal, such as a personal computer, a mobile terminal, or an image forming apparatus, which transmits and receives data to and from the authentication/authorization server 102 and the resource server 103 and Schmaltz also discloses , par 0023 When an application of a user, executing at a user device, interacts with a first web service and provides a request that specifies access to data).  

 	As per claim 6, Schmaltz in view of Yabe discloses the method of claim 5, further comprising: Yabe discloses  receiving, from the device, a request to perform the operation ( par 0033   A client terminal 104 is a client terminal, such as a personal computer, a mobile terminal, or an image forming apparatus, which transmits and receives data to and from the authentication/authorization server 102 and the resource server 103 and par 0042 0042] The resource server cooperation application 331 is an application to receive service provision from the resource server 103. The resource server cooperation application 331 receives service provision from the resource server 103 by the following procedure. First, the resource server cooperation application 331 requests the authentication/authorization server cooperation client 330 to issue an access token. The authentication/authorization server cooperation client 330 acquires, from the authentication/authorization server 102, the access token corresponding to the service required by the resource server cooperation application 331. The authentication/authorization server cooperation client 330 returns the acquired access token to the resource service cooperation application 331 which has sent the request. The resource service cooperation application 331 can receive service provision by sending a resource request to the resource server 102 using the acquired access token.); 
 	transmitting, to the resource provider server, an application programming interface (API) call ( par 0003 the API for acquiring data of a user managed by a certain service A can be accessed by a service B within a range authorized by the user ), including the second claims-based token, to perform the operation (par 0032  [0032] An authentication/authorization server 102 is an authentication/authorization server for implementing the authentication and OAuth for a user and a client terminal. Specifically, the authentication/authorization server 102 can issue an access token according to a request ); and 
  	 receiving, from the resource provider server, a result of performing the operation (par 0039] The resource server 103 includes a resource server module 320. The resource server module 320 releases the API as a Web service, receives a service provision request from the client terminal 104, and provides a service. In response to the service provision request from the client terminal 104, signed access token verification processing is performed to determine whether to provide a service).  

 	As per claim 7, Schmaltz in view of Yabe discloses the method of claim 6, further comprising Yabe discloses cryptographically signing the API call before transmitting the API call to the resource provider server (par 0053  implement the signed access token including user information associated with the access token, such as access token information and resource owner information. And par 0055 the authentication/authorization server 102 that issues the signed access token and 0002 cloud services have released Application Programming Interfaces (APIs) for Web services, which enables use of functions provided via the APIs from other applications or cloud services. In the Web service APIs, a standard protocol called OAuth 2.0 and par 0039 [0039] The resource server 103 includes a resource server module 320. The resource server module 320 releases the API as a Web service, receives a service provision request from the client terminal 104, and provides a service. In response to the service provision request from the client terminal 104, signed access token verification processing is performed to determine whether to provide a service. ).  

 	As per claim 8, Schmaltz discloses a non-transitory computer readable medium comprising instructions that are executable in a computer system, wherein the instructions when executed cause the computer system to carry out a method of securely exchanging a session token for a claims-based token by a plug-in integrated into an extensible system, said method comprising: 
 	transmitting, to an extensible system server of the extensible system(, i.e. target services), the session token and a request for a first claims-based token that corresponds to the session token and that is cryptographically signed by an authentication server (par 0051 and fig.3  Receive-transmit manager 210 may be configured to receive and transmit requests, data and information, i.e. tokens, session token,  Authentication tokens may encapsulate actor tokens , i.e. session token, and transformed, i.e. transmitting, user tokens for provision to target services and par 0063   an actor token that identifies the computing device executing forwarding manager 208, e.g., computing device 200, service host 106a, etc., may be received from ID provider host 104 as a claim  token and par 0066 service host 106b will only accept the actor token if the actor token is signed, includes the public key, and is inside the authentication token. Moreover, service host 106b will only accept the authentication token if the authentication token has an audience designated as service host 106b and is signed by ID provider host 104, i.e. authentication server, wherein the claim identity token is signed by the host authentication server ,  using the private key corresponding to the public key. Using the same key for the actor token as for the authentication token reduces the need of service host 106b to have a discovery endpoint (i.e., a routing endpoint to verify the server is calling the correct host with the correct permissions to get the requested data). 
acquiring, from the extensible system server, the first claims-based token ( par 0029  The signed authentication toke, i.e. the first claims based token,  is provided to the target service, i.e., the second service/microservice, i, which validates the authentication token as well as the encapsulated tokens and their respective signatures  ); 
transmitting, to the server, the first claims-based token and a request for a second claims-based token ( par 0060 user information provided with the first token, i.e. first claim ,  may be used in conjunction with the type of data requested to determine the target service. Target determiner 212 may provide indicia of the determined target service to authentication token generator 214. 0062 a second token is generated, the second token , i.e. second claim , including an actor token, from the identity provider, i.e. authentication sever, ); and 
receiving, from the server, the second claims-based token, wherein the second claims-based token is cryptographically signed by the authentication server(par 0063 authentication token generator 214 may be configured to generate the second token, which may be an authentication token. Authentication token generator 214 may include the first token, as modified with the hashed nonce, , in the second token such that the second token, i.e. second token,  encapsulates the first token.  And par 0064 the second token is signed with a private key corresponding to the public key. For instance, the second token generated in step 308 is signed by authentication token generator 214 using the private key of the public/private key pair that corresponds to the public key in the actor token. ), and 
wherein if the second claims-based token is transmitted to a resource provider server hosting a resource provider service ( par 0065 the second token and the request for data are provided to the target service. For example, the second token generated in step 310 may be provided from service host 106a to service host 106b over network 110 and  par 0066  service host 106b will only accept the actor token if the actor token is signed, includes the public key, and is inside the authentication token. Moreover, service host 106b will only accept the authentication token if the authentication token has an audience designated as service host 106b and is signed by ID provider host 104 using the private key corresponding to the public key. Using the same key for the actor token as for the authentication token reduces the need of service host 106b to have a discovery endpoint (i.e., a routing endpoint to verify the server is calling the correct host with the correct permissions to get the requested data)), the resource provider service performs a requested operation on behalf of an interactive user of the extensible system ( par 0069  In step 316, the data associated with the request for data and the first token are provided to the application of the user, i.e. interactive user. For example, the data received in step 314 and the token may be provided by receive-transmit manager 210, service host, resource provider,  to client device 102. In embodiments, the user token, with hashed, or unmodified, nonce may be provided to client device 102 with the data that was requested).  


 Schmaltz does not explicitly disclose signing a claim-based token by the authentication server; receiving, from the authentication server, a second claims-based token.
 However Yabe discloses signing a claim-based token by the authentication server (par 0041 The authentication/authorization server cooperation client 330 performs, from the authentication/authorization server 102, a request for authenticating a user or client, a request for issuing an access token, or acquisition of an access token. And  0055  the authentication/authorization server 102 that issues the signed access token sets values as follows. The URI of the authentication/authorization server 102 is set as “iss”; the Universally Unique Identifier (UUID) of a user is set as “sub”; and the URI of the resource server 103 is set as “aud”. Further, 3600 seconds from the JWT issuance time, i.e., “iat” value+3600, is set as “exp”, and the JWT issuance time, i.e., the same value as the value “iat”, is set as “nbf”. An access token ID of access token information is set as “jti”.[0056] In addition, according to JWS RFC7519, each claim in a claim name class “Private Claim” in Table 1 is a private claim name class used under an agreement between a JWT issuer and a user. Each claim in “Private Claim” is based on a premise that the claim does nor. conflict with another defined claim name. In the present exemplary embodiment, the claim name in the “Private Claim” class is characterized by including access token information (access token scope list “authz:scopes”, access token client ID “authz:client_id”), and attribute information (first name “ext:fname”, last name “ext:lname”, locale name “ext:locale”, tenant ID “ext:tenantid”, e-mail address “ext:e-mail”, and application ID “ext:appid”) associated with the access token.[0057] Specifically, in the present exemplary embodiment, the authentication/authorization server 102 that, issues the signed access token sets claims “authz:scopes” and “authz:client_id” as athorization information. Specifically, as “authz:scopes”, the resource server 103 sets a scope list representing resources that are permitted to be acquired, and also sets “authz:client_id” representing the ID of the client that accesses the resource server 103 as “authz:client_id”. The authentication/authorization server 102 that issues the signed access token sets the claim representing information about the user of the UUID set to “sub” as follows as attribute information associated with the token of “authz:tokened”. Specifically, a first name is set as “ext:fname”; a last name is set as “ext:lname”; information about a locale to which the user belongs is set as “ext:locale”; an ID of a tenant to which the user belongs is set as “ext:tenantid”; and an e-mail address is set as “ext:e-mail”); 
receiving, from the authentication server, a second claims-based token is verified  ( claim  1 a second access token to be verified by the authorization server, according to an issuance request for issuing an access token from a client, based on a predetermined parameter for the issuance request; a unit configured to transmit, to the client having sent the issuance request, one of the first access token issued and the second access token issued; and a unit configured to verify the second access token according to a verification request received together with the second access token). 

Yabe discloses also 0006 A signed access token is known as means for verifying the access token by the service A itself, without the need for the service A to request the authorization server to verify the access token. As the signed access token, JSON Web Token (JWT) and JSON Web Signature (JWS) are known. The use of these types of access tokens enables the service A to determine whether the access token is valid by verifying the signature of the received signed access token, without the need for confirmation to the authorization server.
par 0073 If the received access token is a signed access token, it is determined whether verification processing in the resource server 103 is permitted. 
 The both prior arts are provision resource for the signed token. Thus, they are analogues art.

Therefore, Motivation would have been obvious to one of ordinary skill in the art, before the effective filing data of the claimed invention, to incorporate providing the signing the token by the authentication server is taught by Yabe into the providing the second token as the claim-based access token of Schmaltz III to yield a predictable result would be the use of these types of access tokens enables the service  to determine whether the access token is valid by verifying the signature of the received signed access token, without the need for confirmation to the authorization server ( par 0006).

 	As per claim 9, Schmaltz in view of Yabe discloses the non-transitory computer readable medium of claim 8, Schmaltz discloses the method further comprising cryptographically signing the request for the first claims-based token ( par 0003 The first service acquires an actor token from the identity provider that uniquely identifies the first service using a public key, and then generates an authentication token, signed with a corresponding private key, that encapsulates the actor token and the transformed user token. The signed authentication token is provided to the target service which validates the authentication token as well as the encapsulated tokens and their signatures).  
 

 	As per claim 10, Schmaltz in view of Yabe discloses the non-transitory computer readable medium of claim 9, Yabe discloses wherein acquiring the first claims-based token comprises retrieving the first claims-based token from a uniform resource locator (URL) configured for a webhook (par 0092 WS payload with a digital signature is expressed and encoded (BASE64 URL encoding) as a compact URL-safe character).  
	
 	As per claim 12, Schmaltz in view of Yabe discloses the non-transitory computer readable medium of claim 8,  Yabe discloses the method further comprising receiving the session token from a device of the interactive user (par 0033  A client terminal 104 is a client terminal, such as a personal computer, a mobile terminal, or an image forming apparatus, which transmits and receives data to and from the authentication/authorization server 102 and the resource server 103 and Schmaltz also discloses , par 0023 When an application of a user, executing at a user device, interacts with a first web service and provides a request that specifies access to data).  

 	As per claim 13, Schmaltz in view of Yabe discloses the non-transitory computer readable medium of claim 12, the method further comprising: Yabe discloses 
 	receiving, from the device, a request to perform the operation ( par 0033   A client terminal 104 is a client terminal, such as a personal computer, a mobile terminal, or an image forming apparatus, which transmits and receives data to and from the authentication/authorization server 102 and the resource server 103 and par 0042 0042] The resource server cooperation application 331 is an application to receive service provision from the resource server 103. The resource server cooperation application 331 receives service provision from the resource server 103 by the following procedure. First, the resource server cooperation application 331 requests the authentication/authorization server cooperation client 330 to issue an access token. The authentication/authorization server cooperation client 330 acquires, from the authentication/authorization server 102, the access token corresponding to the service required by the resource server cooperation application 331. The authentication/authorization server cooperation client 330 returns the acquired access token to the resource service cooperation application 331 which has sent the request. The resource service cooperation application 331 can receive service provision by sending a resource request to the resource server 102 using the acquired access token.); 
 	transmitting, to the resource provider server, an application programming interface (API) call ( par 0003 the API for acquiring data of a user managed by a certain service A can be accessed by a service B within a range authorized by the user ), including the second claims-based token, to perform the operation (par 0032  [0032] An authentication/authorization server 102 is an authentication/authorization server for implementing the authentication and OAuth for a user and a client terminal. Specifically, the authentication/authorization server 102 can issue an access token according to a request ); and 
  	 receiving, from the resource provider server, a result of performing the operation (par 0039] The resource server 103 includes a resource server module 320. The resource server module 320 releases the API as a Web service, receives a service provision request from the client terminal 104, and provides a service. In response to the service provision request from the client terminal 104, signed access token verification processing is performed to determine whether to provide a service).  


 	As per claim 14, Schmaltz in view of Yabe discloses the non-transitory computer readable medium of claim 13, Yabe discloses the method further comprising cryptographically signing the API call before transmitting the API call to the resource provider server (par 0053  implement the signed access token including user information associated with the access token, such as access token information and resource owner information. And par 0055 the authentication/authorization server 102 that issues the signed access token and 0002 cloud services have released Application Programming Interfaces (APIs) for Web services, which enables use of functions provided via the APIs from other applications or cloud services. In the Web service APIs, a standard protocol called OAuth 2.0 and par 0039 [0039] The resource server 103 includes a resource server module 320. The resource server module 320 releases the API as a Web service, receives a service provision request from the client terminal 104, and provides a service. In response to the service provision request from the client terminal 104, signed access token verification processing is performed to determine whether to provide a service).  


Claim(s) 15 -16, 17 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over  Schmaltz III et al US 2020/0259652 hereafter Schmaltz in view of Yabe et al US 2018/0278603 in view of Mody US 2014/0297759.

 	As per claim 15, Schmaltz discloses a computer system comprising:
 	 
 	an extensible system server of an extensible system (par 0051 (, i.e. target services); and 
 	 
 	transmit, to an extensible system server of the extensible system(, i.e. target services), the session token and a request for a first claims-based token that corresponds to the session token and that is cryptographically signed by an authentication server (par 0051 and fig.3  Receive-transmit manager 210 may be configured to receive and transmit requests, data and information, i.e. tokens, session token,  Authentication tokens may encapsulate actor tokens , i.e. session token, and transformed, i.e. transmitting, user tokens for provision to target services and par 0063   an actor token that identifies the computing device executing forwarding manager 208, e.g., computing device 200, service host 106a, etc., may be received from ID provider host 104 as a claim  token and par 0066 service host 106b will only accept the actor token if the actor token is signed, includes the public key, and is inside the authentication token. Moreover, service host 106b will only accept the authentication token if the authentication token has an audience designated as service host 106b and is signed by ID provider host 104, i.e. authentication server, wherein the claim identity token is signed by the host authentication server ,  using the private key corresponding to the public key. Using the same key for the actor token as for the authentication token reduces the need of service host 106b to have a discovery endpoint (i.e., a routing endpoint to verify the server is calling the correct host with the correct permissions to get the requested data). 
acquire, from the extensible system server, the first claims-based token ( par 0029  The signed authentication toke, i.e. the first claims based token,  is provided to the target service, i.e., the second service/microservice, i, which validates the authentication token as well as the encapsulated tokens and their respective signatures  ); 
transmit, to the server, the first claims-based token and a request for a second claims-based token ( par 0060 user information provided with the first token, i.e. first claim ,  may be used in conjunction with the type of data requested to determine the target service. Target determiner 212 may provide indicia of the determined target service to authentication token generator 214. 0062 a second token is generated, the second token , i.e. second claim , including an actor token, from the identity provider, i.e. authentication sever, ); and 
receive, from the server, the second claims-based token, wherein the second claims-based token is cryptographically signed by the authentication server(par 0063 authentication token generator 214 may be configured to generate the second token, which may be an authentication token. Authentication token generator 214 may include the first token, as modified with the hashed nonce, , in the second token such that the second token, i.e. second token,  encapsulates the first token.  And par 0064 the second token is signed with a private key corresponding to the public key. For instance, the second token generated in step 308 is signed by authentication token generator 214 using the private key of the public/private key pair that corresponds to the public key in the actor token. ), and 
wherein if the second claims-based token is transmitted to a resource provider server hosting a resource provider service ( par 0065 the second token and the request for data are provided to the target service. For example, the second token generated in step 310 may be provided from service host 106a to service host 106b over network 110 and  par 0066  service host 106b will only accept the actor token if the actor token is signed, includes the public key, and is inside the authentication token. Moreover, service host 106b will only accept the authentication token if the authentication token has an audience designated as service host 106b and is signed by ID provider host 104 using the private key corresponding to the public key. Using the same key for the actor token as for the authentication token reduces the need of service host 106b to have a discovery endpoint (i.e., a routing endpoint to verify the server is calling the correct host with the correct permissions to get the requested data)), the resource provider service performs a requested operation on behalf of an interactive user of the extensible system ( par 0069  In step 316, the data associated with the request for data and the first token are provided to the application of the user, i.e. interactive user. For example, the data received in step 314 and the token may be provided by receive-transmit manager 210, service host, resource provider,  to client device 102. In embodiments, the user token, with hashed, or unmodified, nonce may be provided to client device 102 with the data that was requested).  
 Schmaltz does not explicitly disclose an authentication server; a plug-in server of a plug-in that is integrated into the extensible system, wherein the plug-in server is configured to:  signing a claim-based token by the authentication server; receiving, from the authentication server, a second claims-based token.
 However Yabe discloses an authentication server (the authentication/authorization server 102   );
signing a claim-based token by the authentication server ( par 0041 The authentication/authorization server cooperation client 330 performs, from the authentication/authorization server 102, a request for authenticating a user or client, a request for issuing an access token, or acquisition of an access token. And  0055 the authentication/authorization server 102 that issues the signed access token sets values as follows. The URI of the authentication/authorization server 102 is set as “iss”; the Universally Unique Identifier (UUID) of a user is set as “sub”; and the URI of the resource server 103 is set as “aud”. Further, 3600 seconds from the JWT issuance time, i.e., “iat” value+3600, is set as “exp”, and the JWT issuance time, i.e., the same value as the value “iat”, is set as “nbf”. An access token ID of access token information is set as “jti”.[0056] In addition, according to JWS RFC7519, each claim in a claim name class “Private Claim” in Table 1 is a private claim name class used under an agreement between a JWT issuer and a user. Each claim in “Private Claim” is based on a premise that the claim does nor. conflict with another defined claim name. In the present exemplary embodiment, the claim name in the “Private Claim” class is characterized by including access token information (access token scope list “authz:scopes”, access token client ID “authz:client_id”), and attribute information (first name “ext:fname”, last name “ext:lname”, locale name “ext:locale”, tenant ID “ext:tenantid”, e-mail address “ext:e-mail”, and application ID “ext:appid”) associated with the access token.[0057] Specifically, in the present exemplary embodiment, the authentication/authorization server 102 that, issues the signed access token sets claims “authz:scopes” and “authz:client_id” as athorization information. Specifically, as “authz:scopes”, the resource server 103 sets a scope list representing resources that are permitted to be acquired, and also sets “authz:client_id” representing the ID of the client that accesses the resource server 103 as “authz:client_id”. The authentication/authorization server 102 that issues the signed access token sets the claim representing information about the user of the UUID set to “sub” as follows as attribute information associated with the token of “authz:tokened”. Specifically, a first name is set as “ext:fname”; a last name is set as “ext:lname”; information about a locale to which the user belongs is set as “ext:locale”; an ID of a tenant to which the user belongs is set as “ext:tenantid”; and an e-mail address is set as “ext:e-mail”); 
receiving, from the authentication server, a second claims-based token is verified  ( claim  1 a second access token to be verified by the authorization server, according to an issuance request for issuing an access token from a client, based on a predetermined parameter for the issuance request; a unit configured to transmit, to the client having sent the issuance request, one of the first access token issued and the second access token issued; and a unit configured to verify the second access token according to a verification request received together with the second access token). 
Yabe discloses also 0006 A signed access token is known as means for verifying the access token by the service A itself, without the need for the service A to request the authorization server to verify the access token. As the signed access token, JSON Web Token (JWT) and JSON Web Signature (JWS) are known. The use of these types of access tokens enables the service A to determine whether the access token is valid by verifying the signature of the received signed access token, without the need for confirmation to the authorization server.
par 0073 If the received access token is a signed access token, it is determined whether verification processing in the resource server 103 is permitted. 
 The both prior arts are provision resource for the signed token. Thus, they are analogues art.
Therefore, Motivation would have been obvious to one of ordinary skill in the art, before the effective filing data of the claimed invention, to incorporate providing the signing the token by the authentication server is taught by Yabe into the providing the second token as the claim-based access token of Schmaltz III to yield a predictable result would be the use of these types of access tokens enables the service  to determine whether the access token is valid by verifying the signature of the received signed access token, without the need for confirmation to the authorization server ( par 0006).
 The combinations fails to disclose a plug-in server of a plug-in that is integrated into the extensible system, wherein the plug-in server is configured to: perform an API call.
However, Mody disclose a plug-in server of a plug-in that is integrated into the extensible system, wherein the plug-in server is configured to: perform an API call(par 0070The plug-in can perform an API call to the online content management service with the token to request a list of content items that are available to be linked in an email draft. A list of content items received from the API call can be displayed to a email author in a selection window (e.g. selection window 300 of FIG. 3). The email author can browse the list of available content items and select one of the content item references. Using the user selection, the client service can perform another API call using the token to request a link to a selected content item from the online content management service. The client service can insert the requested link into a draft email at a point designated by the email author's cursor).
All prior arts are provision resource for a token and providing the resource based on the token. Thus, they are analogues art.

Therefore, Motivation would have been obvious to one of ordinary skill in the art, before the effective filing data of the claimed invention, to incorporate performing the plug-in call for online resource taught by the Mody into providing the signing the token by the authentication server is taught by Yabe into the providing the second token as the claim-based access token of Schmaltz III to yield a predictable result would provide the content-item linking system for messaging services that that allow users to access and manage content across multiple devices to make content distribution efficient( par 0002).

 	As per claim 16, Schmaltz in view of Yabe in view of Mody discloses the computer system of claim 15,  Schmaltz discloses further configured to cryptographically sign the request for the first claims-based token(par 0064 the second token is signed with a private key corresponding to the public key. For instance, the second token generated in step 308 is signed by authentication token generator 214 using the private key of the public/private key pair that corresponds to the public key in the actor token ), However, Mody discloses wherein the plug-in server (par 0070 The plug-in can perform an API call to the online content management service with the token to request a list of content items),
 	Therefore, Motivation would have been obvious to one of ordinary skill in the art, before the effective filing data of the claimed invention, to incorporate performing the plug-in call for online resource taught by the Mody into providing the signing the token by the authentication server is taught by Yabe into the providing the second token as the claim-based access token of Schmaltz III to yield a predictable result would provide the content-item linking system for messaging services that that allow users to access and manage content across multiple devices to make content distribution efficient( par 0002).

 	As per claim 17, Schmaltz in view of Yabe in view of Mody discloses the computer system of claim 16, Yabe discloses  wherein acquiring the first claims-based token comprises retrieving the first claims-based token from a uniform resource locator (URL) configured for a webhook ( par 0092 WS payload with a digital signature is expressed and encoded (BASE64 URL encoding) as a compact URL-safe character ).  

 	As per claim 19, Schmaltz in view of Yabe in view of Mody discloses the computer system of claim 15, Mody discloses wherein the plug-in server receives the session token from a device of the interactive user (par 0070 The plug-in can perform an API call to the online content management service with the token to request a list of content items ).  









Allowable Subject Matter
Claims 4,11,18 and 20 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.


Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
 Hinton et al US 6,993,596 discloses 57) The plug-in (109) then builds an identity cookie DIDC (103) and an "enrollment token" for the user (100), and creates a response, re-directed to the other community domain (106). FIG. 6, the user's browser extracts (62) the DIDC and stores it in the browser's persistent cookie store, such as storing it in a cookie folder on a hard disk drive, and redirects the response to the other community domain (106). The plug-in (109) at the other domain (106) front-end (104) receives (63) the enrollment request from the home domain front-end (101) which was redirected through the user (100).
(59) The plug-in (109) at the other domain's front end (104) "unpacks" the enrollment token, and builds an domain identity cookie for the user for the other domain (106). An "enrollment successful" message is then sent to the home domain's front-end (101) via redirection (63) through the user's browser (100) along with the domain identity cookie for the other domain (106). During redirection (64) at the user's browser, the user's browser extracts (64) the DIDC for the other domain (106) and puts it in the browser's persistent cookie store.
(60) Finally, the home domain (103) plug-in (109) at the first front-end (101) receives (65) the redirected "enrollment successful at other domain" message. The SSO plug-in (103) at the first front-end (101) modifies (65) the home domain DIDC to include an "enrollment success at other domain" symbol in the extensible attribute data. This modified cookie is then returned (65) to the user in the next response from the first front-end (101).
(61) In this manner, the home domain DIDC is "built up" or accumulated to include indicators of successful enrollments at affiliated domains within the e-community. This process may continue for additional domains in the e-community, using the user's browser as a re-direction node in the communication path to pass enrollment tokens and success tokens between the home domain and the affiliated domains, as shown in the remaining steps of FIG. 6 (66 602).

	Koottayi 10,880292 discloses generally to access control, and more particularly, to techniques for seamless transition between world wide web (WEB) resource access and application programming interface (API) resource access on an enterprise network with security restrictions. One technique includes receiving a request for access to a first resource, determining the first resource is a WEB resource, creating an authentication cookie and a bearer token that are tied together using a common identifier, and providing access to the WEB resource based on the authentication cookie. The technique may further include receiving a call for access to a second resource, where the call includes the bearer token in a header of the call, determining the second resource is an API resource, initiating a token exchange of the bearer token for an access token; and providing access to the API resource based on the access token.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to ABU S SHOLEMAN whose telephone number is (571)270-7314. The examiner can normally be reached EST: 9am-5pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, JORGE ORTIZ CRIADO can be reached on 571-272-7624. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/ABU S SHOLEMAN/Primary Examiner, Art Unit 2496