Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
	
Response to Restriction Election Requirement
	In response to the restriction requirement, the Applicant has elected claims 1-11 without traverse and authorized the Examiner to cancel claims 12-20. Hence, the Examiner has examined claims 1-11 and cancelled claims 12-20.

Claim Objection
Claim 4 is objected to as it recites “wherein a time stamp is associated with the access token signed by the client and forwarded as part of the service request, and wherein the time stamp is protected by the signature of the client on the access token”. As recited, it is not clear how the time stamp is protected by the signature of the client on the access token. The Examiner assumes for examination purposes that the time stamp is signed by the client.
Claim 5 is objected to as it recites “wherein an increasing random number is associated with the access token signed by the client and forwarded as part of the service request, and wherein the increasing random number is protected by the signature of the client on the access token”. As recited, it is not clear how the random number is protected by the signature of the client on the access token. The Examiner assumes for examination purposes that the random number is signed by the client.

Claim 6 is objected to as it recites “wherein a hash of the service request is associated with the access token signed by the client and forwarded as part of the service request, and wherein the hash of the service request is protected by the signature of the client on the access token”. As recited, it is not clear how the hash of the request is protected by the signature of the client on the access token. The Examiner assumes for examination purposes that the hash of the request is appended to the signed access token.
Claim 7 is objected to as it recites “wherein the client signature is provided for the entire service request including the access token, and wherein the access token is signed by the authorization server, whereby the access token is associated with the service request forwarded to the resource server by the proxy node”. The first part of the limitation recites that the client signature is provided for the entire service request including the access token, wherein the access token is signed by the authorization server, and the second part recites whereby the access token is associated with the service request forwarded to the resource server by the proxy node. As recited, it is not clear how the proxy node gets the access token and the service request once the entire service request and the associated access token are signed by the client. The Examiner assumes for examination purposes that the request and the access token are signed by the client and the proxy forwards them to the resource server.

Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –
(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status. 

Claims 1-2 are rejected under 35 U.S.C. 102(a)(2) as being anticipated by Nair (WO2020/030852A1, as mentioned in IDS 8/05/2021).
Regarding claim 1, Nair teaches:
 a method of performing validation of an access token for wireless communication, comprising: providing, by an authorization server, the access token for service to a client in response to a request for the access token; [page 02, lines 19-30]
adding, by the client, a client signature to at least the access token; [page 02, lines27-30]
forwarding, by the client, the access token as part of a service request to a resource server; [page 02, lines 27-30]
 and 
validating, by the resource server, whether the client is a valid owner of the access token, wherein the validation is based on at least the client signature of the access token.  [page 03, lines 1-9]
Regarding claim 2, Nair teaches wherein the validation of the access token is under OAuth 2.0 protocol, and wherein the resource server is a producer Network Function (pNF), the client is a consumer Network Function (cNF), and the authorization server is a network repository function (NRF), and wherein the access token additionally includes a signature of the authorization server. [page 12, lines 25-30]

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  

Claims 3, 6-7, & 9-11 are rejected under 35 USC 103 as being unpatentable over Nair (WO2020/030852A1) in view of Hagmeier (US20060264202).
Regarding claim 3, although Nair teaches wherein the service request is forwarded from the client to the resource server as illustrated in the mapping of claim 1, he does not explicitly teach a proxy node; however, Hagmeier teaches the service request is forwarded from the client via a proxy node to the server. [paragraphs 0033-0035] [paragraph 0011 & Fig 1B, please see elements 5 & 3]
Before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to combine the teachings of Nair with the disclosure of Hagmeier. The motivation or suggestion would have been to implement a system that will provide improved techniques for authenticating clients in a client-server environment by avoiding  increased traffic while overcoming the disadvantages of the password based authentication.(paras 0001-0009, Hagmeier)
Regarding claim 6, although Nair teaches validation of the received access token as illustrated in the mapping of claim 1, he does not teach explicitly; however, Hagmeier teaches wherein a hash of the service request is associated with the access token signed by the client and forwarded as part of the service request, and wherein the hash of the service request is protected by the signature of the client on the access token. [paragraph 0038]
Before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to combine the teachings of Nair with the disclosure of Hagmeier. The motivation or suggestion would have been to implement a system that will provide improved techniques for authenticating clients in a client-server environment by avoiding  increased traffic while overcoming the disadvantages of the password based authentication.(paras 0001-0009, Hagmeier)
Regarding claim 7, although Nair and Wang teach validation of an access token received via a proxy node as illustrated in the mapping of claims 1 & 3, they do not teach explicitly; however, Hagmeier teaches wherein the client signature is provided for the entire service request including the access token, and wherein the access token is signed by the authorization server, whereby the access token is associated with the service request forwarded to the resource server by the proxy node. [paragraph 0011]
Before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to combine the teachings of Nair with the disclosure of Hagmeier. The motivation or suggestion would have been to implement a system that will provide improved techniques for authenticating clients in a client-server environment by avoiding  increased traffic while overcoming the disadvantages of the password based authentication.(paras 0001-0009, Hagmeier)
Regarding claim 9, Nair teaches wherein the resource server validates the client signature using a client server public key included in a client server certificate signed by a trusted certificate authority (CA). [page 14, lines 12-22]
Although Nair teaches a client server certificate and public key, he does not teach explicitly; however, Hagmeier teaches a public key included in a client server certificate signed by a trusted certificate authority. [paragraphs 0011, 0034 & 0052]
Before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to combine the teachings of Nair with the disclosure of Hagmeier. The motivation or suggestion would have been to implement a system that will provide improved techniques for authenticating clients in a client-server environment by avoiding  increased traffic while overcoming the disadvantages of the password based authentication.(paras 0001-0009, Hagmeier)
Regarding claim 10, Nair teaches wherein the resource server receives the client server certificate in the service request. [page 17, lines 25-27]
Although Nair teaches a client server certificate, he does not teach explicitly; however, Hagmeier teaches wherein the client server certificate is added to the service request by the proxy node. [paragraph 0011]
Before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to combine the teachings of Nair with the disclosure of Hagmeier. The motivation or suggestion would have been to implement a system that will provide improved techniques for authenticating clients in a client-server environment by avoiding  increased traffic while overcoming the disadvantages of the password based authentication.(paras 0001-0009, Hagmeier)
Regarding claim 11, Nair teaches wherein the resource server receives the client server certificate in the service request, [page 17, lines 25-30] and wherein the client server certificate is added to the service request by the client server. [page 17, lines 25-30]

Claim 4 is rejected under 35 USC 103 as being unpatentable over Nair (WO2020/030852A1) in view of Raley (US20030177400).
Regarding claim 4, although Nair teaches an access token as illustrated in the mapping of claim 1, he does not teach explicitly; however, Raley (US20030177400) teaches wherein a time stamp is associated with the access token signed by the client and forwarded as part of the service request, and wherein the time stamp is protected by the signature of the client on the access token. [paragraph 0111]
Before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to combine the teachings of Nair with the disclosure of Raley. The motivation or suggestion would have been to implement a system that will provide improved techniques for encrypting content in an adaptive manner. (abstract & paras 0009-0010, & para 0021, Raley)

Claim 5 is rejected under 35 USC 103 as being unpatentable over Nair (WO2020/030852A1) in view of Ajitomi (US20200092101).
Regarding claim 5, although Nair teaches an access token as illustrated in the mapping of claim 1, he does not teach explicitly; however, Ajitomi teaches wherein an increasing random number is associated with the access token signed by the client and forwarded as part of the service request, and wherein the increasing random number is protected by the signature of the client on the access token. [paragraph 0010]
Before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to combine the teachings of Nair with the disclosure of Ajitomi. The motivation or suggestion would have been to implement a system that will provide efficient techniques for issuing an access token in a secure and leakage-proof manner. (abstract, paras 0004 & 0010, Ajitomi)
Claim 8 is rejected under 35 USC 103 as being unpatentable over Nair (WO2020/030852A1, as mentioned in IDS 8/05/2021) in view of Hagmeier (US20060264202, as mentioned in IDS 8/05/2021) and Snodgrass (US8775810).
Regarding claim 8, although Nair and Hagmeier teach validation of an access token received via a proxy node as illustrated in the mapping of claim 3, they do not teach explicitly; however, Snodgrass teaches wherein the validation is based on a hash of a combination of the service request, the access token and a shared secret key common to the client and the resource server, and wherein the output of the hash is added to the service request, and wherein the resource server validates the hash by i) hashing the service request including the access token and the shared secret key, and ii) comparing the output of the hashing by the resource server with the hash added to the service request. [Column 07, lines 5-35: (40) Next, in block 508, server 110 may verify digital signature 402. To do so, server 110 may decrypt digital signature 402 using signature validation key 301. As discussed above with respect to block 505, digital signature 402 is an encrypted hash value calculated based on a combination of token 300 and request 401. Server 110 may also independently calculate a hash value based on the combination of token 300 and request 401, and compare the independently calculated hash value to the decrypted digital signature (received hash). (41) If server 110 determines that the independently calculated hash value matches the decrypted digital signature (received hash), the digital signature is validated. This indicates that communication 400 has not been altered since created by client device 120. In this case, routine 500 moves to block 509, where server 110 provides access to web service 206. (42) If server 110 determines that the independently calculated hash value does not match the decrypted digital signature, the digital signature is not validated. This may indicate that an attacker has altered communication 400, or that communication 400 has otherwise been corrupted. In this case, routine 500 moves to block 510, where server 110 denies access to web service 206.]
It is obvious to a person skilled in the art that Snodgrass's teaching of calculating a hash of a combination of parameters (token and request) can be expanded to calculate a hash of the combination of the service request, the access token and a shared key (all well-known parameters in the art).
Before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to combine the teachings of Nair and Hagmeier with the disclosure of Snodgrass. The motivation or suggestion would have been to implement a system that will provide efficient techniques for recovering quickly from a system failure when an encryption key inadvertently gets deleted or corrupted. (Col 01, lines 05-30, Snodgrass)
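The validation described for claim 8 (a hash over the service request, the access token and a secret shared by client and resource server, appended to the request and recomputed by the resource server), together with the time stamp of claim 4 and the increasing number of claim 5 that the client's signature also covers, can be shown in working form. The following is an added illustration written for this page; it is not code from the application, from Nair, Hagmeier or Snodgrass, nor from any 3GPP implementation. It assumes that an HMAC keyed with a shared secret stands in for both the authorization server's signature on the token and the client's signature on the request, that a monotonically increasing counter stands in for the "increasing random number", and that all keys, subjects and request bytes are constructed sample values.

```python
import hashlib
import hmac
import json

# Constructed sample keys for this example only (not values from the office action).
AUTH_SERVER_KEY = b"example-authorization-server-key"      # authorization server (e.g. NRF) token-signing key
CLIENT_SHARED_SECRET = b"example-secret-shared-by-cnf-and-pnf"  # secret common to client and resource server
MAX_CLOCK_SKEW = 60  # seconds: how old a signed time stamp may be before the request is rejected


def _mac(key: bytes, *parts: bytes) -> str:
    """HMAC-SHA256 over length-prefixed parts, so (a|bc) and (ab|c) never collide."""
    m = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        m.update(len(p).to_bytes(4, "big"))
        m.update(p)
    return m.hexdigest()


def issue_token(subject: str, now: int, ttl: int = 3600) -> dict:
    """Authorization server: issue an access token carrying the server's own signature."""
    body = {"sub": subject, "exp": now + ttl}
    payload = json.dumps(body, sort_keys=True).encode()
    return {"payload": body, "as_sig": _mac(AUTH_SERVER_KEY, payload)}


def sign_request(token: dict, request: bytes, now: int, counter: int) -> dict:
    """Client: one signature binds the request, the token, a time stamp and an increasing counter."""
    token_bytes = json.dumps(token, sort_keys=True).encode()
    client_sig = _mac(CLIENT_SHARED_SECRET, request, token_bytes,
                      str(now).encode(), str(counter).encode())
    return {"request": request, "token": token, "ts": now, "ctr": counter, "client_sig": client_sig}


class ResourceServer:
    """Resource server: recompute the hash, then apply freshness and replay checks."""

    def __init__(self) -> None:
        self.last_counter: dict[str, int] = {}  # subject -> highest counter accepted so far

    def validate(self, msg: dict, now: int) -> str:
        token = msg["token"]
        payload = json.dumps(token["payload"], sort_keys=True).encode()
        # 1. Token integrity: the authorization server's signature and the expiry it covers.
        if not hmac.compare_digest(token["as_sig"], _mac(AUTH_SERVER_KEY, payload)):
            return "bad_token_signature"
        if token["payload"]["exp"] < now:
            return "token_expired"
        # 2. Ownership: hash of request + token + shared secret must match the hash sent along
        #    (constant-time comparison avoids leaking how many bytes matched).
        token_bytes = json.dumps(token, sort_keys=True).encode()
        expected = _mac(CLIENT_SHARED_SECRET, msg["request"], token_bytes,
                        str(msg["ts"]).encode(), str(msg["ctr"]).encode())
        if not hmac.compare_digest(expected, msg["client_sig"]):
            return "bad_client_signature"
        # 3. Freshness: the time stamp and the counter are only trusted because step 2 covered them.
        if abs(now - msg["ts"]) > MAX_CLOCK_SKEW:
            return "stale_timestamp"
        sub = token["payload"]["sub"]
        if msg["ctr"] <= self.last_counter.get(sub, -1):
            return "replay"
        self.last_counter[sub] = msg["ctr"]
        return "ok"


if __name__ == "__main__":
    now = 1_700_000_000
    tok = issue_token("cNF-1", now)
    srv = ResourceServer()
    msg = sign_request(tok, b"GET /resource/123", now, 1)
    print(srv.validate(msg, now))   # accepted on first presentation
    print(srv.validate(msg, now))   # same message again is detected as a replay
```

Because the counter and time stamp are inputs to the client's HMAC, an intermediary cannot advance or rewind them without invalidating the hash, which is the point the objections to claims 4 and 5 turn on; the order of checks also matters, since the freshness checks are only meaningful once the hash has been verified.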

Examiner’s Note: The following are the relevant references cited in the PTO-892 but not used in the instant Office Action:
1. Gomi (JP2010113462A, translated copy attached) discloses an information management device that communicates with terminal equipment used by a user and an information utilization device which utilizes the user information, and manages the user information. A storage means stores an information utilization device identifier for specifying the information utilization device and random numbers in association with each other. A connection means connects the random numbers stored in the storage means with authentication information to be used for authentication of the user. A hash value calculation means calculates a hash value by a hash function from a code connected by the connection means. An access token issuing means issues the hash value calculated by the hash value calculation means to the terminal equipment as an access token for accessing the user information.
2. Wang (US20080126794) teaches a server and a client that are configured to trust a certificate of an intermediate proxy device. The proxy device may then intercept a client-server security session request message sent from the client to the server. In response, the proxy device initiates a proxy-server security session with the server and obtains server security information from the server. Then, the proxy device initiates a client-proxy security session with the client using the trusted proxy certificate, and obtains client security information from the client. Upon obtaining the client security information, the proxy device creates a dynamic certificate using the obtained client security information and the trusted proxy certificate, and establishes the initiated proxy-server security session with the dynamic certificate. The proxy device then establishes the initiated client-proxy session, wherein the client-proxy security session and proxy-server security session transparently appear to the client and server as the requested client-server security session.
3. Zhang (CN112787986A, translated copy attached) discloses a multi-path bidirectional authentication method and device, the method comprising the following steps: pre-storing in the back-end server the corresponding relation between each resource path and the client certificate allowed to access the resource path; when the client requests access to the resource path from the reverse proxy server, and after bidirectional authentication with the reverse proxy server, the reverse proxy server sends the access authentication message to the back-end server, wherein the access authentication message comprises the client certificate and the resource path for which access is requested; the back-end server takes the client certificate included in the access verification message and the resource path for which access is requested, and matches them against the pre-stored corresponding relation between the resource path and the client certificate allowed to access the resource path; if the matching is successful, the verification passes.
4. Blasi (US200170346807) describes technologies for token-based access authorization to an application program interface (API) that include an access management server to receive a service request message from an application executed by a remote computing device. The service request message includes a digitally signed license token previously generated by the access management server and distributed to the remote computing device. The service request message also includes a request from the executed application to access data or a service of the resource server via an exposed API. The access management server verifies the digital signature of the digitally signed license token and generates a digitally signed Security Assertion Markup Language (SAML) token. The digitally signed SAML token is transmitted to the resource server for verification and local caching. The resource server receives the service request message and determines whether access to the requested data or service is authorized based on the locally-cached SAML token.
	Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SHER KHAN whose telephone number is (571)272-8574. The examiner can normally be reached on Monday-Friday, 8:00am - 5:00pm (EST). If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Eleni Shiferaw, can be reached on 571-272-3867. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/SHER A KHAN/           Primary Examiner, Art Unit 2497