DETAILED ACTION

Claims 35-54 are presented for examination. Claims 1-34 have been cancelled.

Continued Examination Under 37 CFR 1.114

A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 10/24/2022  has been entered.
 
	
Notice of Pre-AIA  or AIA  Status

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . 
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  

Claim Rejections - 35 USC § 103

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.


Claims 35-54 are rejected under 35 U.S.C. 103 as being unpatentable over Pi-Sunyer et al. (US Patent Application No. 20150370615) (Hereinafter Pi-Sunyer) in view of Drozd et al. (US Patent No. 10057246) (Hereinafter Drozd) in further view of Brinckman et al. (US Patent Application No. 20200092296) (Hereinafter Brinckman) .

As per claim 35, Pi-Sunyer discloses an access token management method, implemented by a server, wherein the access token management method comprises:
receiving an access token generation request from a terminal (fig 12, para 160, server may generate and send an access token revocation message that deletes the access token  ), wherein the access token generation request comprises user information of a first account (fig 12, para 151, username password submitted by the client to the server) wherein the first account is used to log in to a first application on the terminal (fig 12, para 154, after getting access token client device request for the resources using access token); 
generating the access token in response to the access token generation request, wherein the access token is a credential for accessing user information of the first account on the server (fig 12, 14, para 151, 154, 192, username password submitted by the client to the server, after getting access token client device request for the resources using access token) ;  
obtaining login information of the first account (para 158, client and/or enters a username and password if login is required to the authorization server). 
Pi-Sunyer does not explicitly disclose performing invalidation processing on the access token when the login information is in a non-login state on the terminal. 
Drozd discloses performing invalidation (col 5, line 24, event that token has been invalidated) processing on the access token when the login information is in a non-login state on the terminal (col 5, lines 18-30, In response to the indication of invalidation, the existing token is not valid because token is only valid for a period of time or a particular session, expired token is interpreted in non-login state).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Pi-Sunyer and Drozd. The motivation would have been to build the network that provides endpoint security solutions (both hardware and software based).
Pi-Sunyer in view of Drozd does not explicitly disclose wherein the first application comprises an open authorization function configured to authorize a second application on the terminal to access a protected resource by the access token; sending the access token to the terminal;
receiving the access token from the terminal and authorizing the second application to access the protected resource;
denying the access to the protected resource of the second application of the terminal when the access token is invalid.
However, Brinckman discloses wherein the first application comprises an open authorization function configured to authorize a second application on the terminal to access a protected resource by the access token (fig 4-5, para 32, a second set of application authentication credentials formatted according to a different, second authentication protocol, such as a layer seven authentication protocol (e.g., OAuth). The admission access controller provides the second set of application authentication credentials to the application authentication system); sending the access token to the terminal (fig 4-5, para 53, obtains an OAuth access token from the application authentication system);
receiving the access token from the terminal and authorizing the second application to access the protected resource (fig 4-5, para 54, the client device is granted access to the network. In some 802-based embodiments, in response to obtaining the access accept message, the access point  permits the client device to communicate with the network);
denying the access to the protected resource of the second application of the terminal when the access token is invalid (fig 4-5, para 55, deny the client network access). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Pi-Sunyer and Drozd with Brinckman. The motivation would have been to build the network that provides endpoint security solutions (both hardware and software based).

As per claim 36, claim is rejected for the same reasons and motivation as claim 35, above. In addition, Drozd discloses further comprising storing a relationship between the access token and the first account (fig 5, lines 44-55, tenant hierarchy tree is formed based on the relationships of tenants/tenant objects … That is, when the AUTH server attempts to determine the user's tenants, roles, and privileges, etc., the AUTH server can obtain the user's token object and "walk" through the objects in the chain or a tree hierarchy). 
 
As per claim 37, claim is rejected for the same reasons and motivation as claim 36, above. In addition, Drozd discloses further comprising: obtaining a current login account of the first application (fig 2, col 4, lines 15-30, token associated with the user thus associated with the first account) ;  and 
performing invalidation processing on the access token when the current login account is different from the first account (col 5, lines 18-30, In response to the indication of invalidation). 
 
As per claim 38, claim is rejected for the same reasons and motivation as claim 35, above. In addition, Drozd discloses wherein the login information of the first account comprises a current login account of the first application (fig 2, 7, and 8, col 4, lines 15-30, token associated with the user). 
 
As per claim 39, claim is rejected for the same reasons and motivation as claim 35, above. In addition, Pi-Sunyer discloses further comprising freezing [revoking] (para 204, an API URL to revoke/freezing access to user's data for a client may be used.  A request to the API URL may include an access token associated with a client and user.) the access token on the terminal (para 158, 230, denial of the resource access permissions for the client and invalidation process, deleting the token); or denying a user access to the protected resource of the second application invalid (fig 4-5, para 55, deny the client network access); or
deleting the access token. 
 
As per claim 40, claim is rejected for the same reasons and motivation as claim 35, above.  
 
As per claim 41, claim is rejected for the same reasons and motivation as claim 36, above.  

As per claim 42, claim is rejected for the same reasons and motivation as claim 37, above.  
 
As per claim 43, claim is rejected for the same reasons and motivation as claim 35, above. In addition, Pi-Sunyer discloses wherein the login information comprises information about deletion of the first application from the terminal (para 201, deleting a client, client is interpreted as application, deleting token and inaccessible url interpreted deletion of client, access token includes client and user id, and url includes access token; see para 204, an API URL to revoke/freezing access to user's data for a client may be used. A request to the API URL may include an access token associated with a client and user).

As per claim 44, claim is rejected for the same reasons as claim 39, above.   

As per claim 45, Pi-Sunyer discloses a terminal, comprising: a processor;  and a memory coupled to the processor and storing instructions that, when executed by the processor, cause the terminal to be configured  (fig 5) to: 
obtain login information of a first account of a first application corresponding to an access token in the terminal (fig 12, para 160, server may generate and send an access token revocation message that deletes the access token, para 158, client and/or enters a username and password if login is required to the authorization server  ), wherein the access token comprises a credential for accessing a protected resource in the server, wherein the first account is an account configured to log in to the first application on the terminal when the first application authorizes the access token (para 158, client and/or enters a username and password if login is required to the authorization server). 
Pi-Sunyer does not explicitly disclose performing invalidation processing on the access token when the login information is in a non-login state on the terminal. 
Drozd discloses performing invalidation processing on the access token when the login information is in a non-login state on the terminal (col 5, lines 18-30, In response to the indication of invalidation, the existing token is not valid  because token is only valid for a period of time or a particular session, expired token is interpreted in non-login state). 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Pi-Sunyer and Drozd. The motivation would have been to build the network that provides endpoint security solutions (both hardware and software based).
Pi-Sunyer in view of Drozd does not explicitly disclose authorize, by the first application, a second application to protected resource by an open authorization function;
denying the access to the protected resource of the second application of the terminal when the access token is invalid.
However, Brinckman discloses authorize, by the  first application, a second application to protected resource by an open authorization function (fig 4-5, para 32, a second set of application authentication credentials formatted according to a different, second authentication protocol, such as a layer seven authentication protocol (e.g., OAuth). The admission access controller provides the second set of application authentication credentials to the application authentication system); 
denying the access to the protected resource of the second application of the terminal when the access token is invalid (fig 4-5, para 55, deny the client network access). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Pi-Sunyer and Drozd with Brinckman. The motivation would have been to build the network that provides endpoint security solutions (both hardware and software based).
 
As per claim 46, claim is rejected for the same reasons and motivation as claim 45, above. In addition, Pi-Sunyer discloses the instructions further cause the terminal to be configured to send, to the server, an access token generation request, wherein the access token generation request comprises the user information of the first account, and wherein the first account is used to log in to the first application when the first application authorizes the access token for the second application (fig 12, para 154, after getting access token client device request for the resources using access token).
 
As per claim 47, claim is rejected for the same reasons and motivation as claim 45, above. In addition, Pi-Sunyer discloses wherein the instructions further cause the terminal to be configured to receive, from the server, the access token in response to an access token generation request (fig 12, para 154, after getting access token client device request for the resources using access token).
 
As per claim 48, claim is rejected for the same reasons and motivation as claim 45, above. In addition, Pi-Sunyer discloses wherein the login information comprises log-out information about the first account of the first application (para 211, API URL to delete a client may be used.  A request may include an access token associated with the client to delete, para 190, An access token table may include an access token ID data element and the client ID and the user ID data elements., client and user id are interpreted as login info) . 
 
As per claim 49, claim is rejected for the same reasons and motivation as claim 45, above. In addition, Pi-Sunyer discloses wherein the instructions further cause the terminal to be configured to: freezing [revoking] the access token on the terminal (para 204, an API URL to revoke/freezing access to user's data for a client may be used. A request to the API URL may include an access token associated with a client and user.); or deny a user access to the protected resource of the second application (para 158, 230, denial of the resource access permissions for the client and invalidation process, deleting the token).
 
As per claim 50, claim is rejected for the same reasons and motivation as claim 45, above. In addition, Pi-Sunyer discloses wherein the instructions further cause the terminal to be configured to display an inquiry whether to invalidate the access token when the first account is logged-out (para 230, delete a session (invalidate the access token) may be used. A request to delete the session, which invalidates the access token, may include the access token to be invalidated).

As per claim 51, claim is rejected for the same reasons and motivation as claim 45, above. In addition, Pi-Sunyer discloses wherein the instructions further cause the terminal to be configured to: send log out information of the first account to the server; or send information of deletion of the first application to the server (para 158, 230, denial of the resource access permissions for the client and invalidation process, deleting the token).

As per claim 52, claim is rejected for the same reasons and motivation as claim 45, above. In addition, Pi-Sunyer discloses wherein the instructions further cause the terminal to be configured to: receive an access token restriction request from the server (para 225, an API URL to get all restrictions on a scope may be used. A response returned by this API URL may include a status and names of user groups restricting the scope); and perform invalidation processing on the access token in response to the access token restriction request (para 158, 230, denial of the resource access permissions for the client and invalidation process, deleting the token).

As per claim 53, claim is rejected for the same reasons and motivation as claim 35, above. In addition, Pi-Sunyer discloses further comprising denying a user access to a second resource (para 158, denial of the resource access permissions for the client).

As per claim 54, claim is rejected for the same reasons and motivation as claim 40, above. In addition, Pi-Sunyer discloses wherein the instructions further cause the server to be configured to deny access to a second resource using the access token (para 158, denial of the resource access permissions for the client, each token associated with resource on multiple resources).

Response to Arguments

Applicant’s arguments with respect to claim(s) filed on 10/24/2022 have been considered but are moot because of the new grounds of rejection; please see above.


Conclusion

Please see the attached PTO-892 for the prior art made of record and not relied upon, which is considered pertinent to applicant's disclosure.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to MOHAMMAD A SIDDIQI whose telephone number is (571)272-3976. The examiner can normally be reached Monday-Friday.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Carl G Colin can be reached on 571-272-3862. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/MOHAMMAD A SIDDIQI/Primary Examiner, Art Unit 2493