Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Information Disclosure Statement
The information disclosure statement (IDS) submitted on 05/04/2021 is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner.
Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claims 5-7, 9-11 and 14 are rejected under 35 U.S.C. 102(1) as being anticipated by Murakami et al (US 20130007846 A1).
Regarding claim 5, Murakami et al teach a computer-implemented system for providing an authorization service for allowing a service provider client device to access a protected resource stored at a resource server, the system comprising (see Paragraphs [0077], [0147] and FIG. 3, where the service provider client device accesses the resource by registering with the authorization server with permission data (URL fragment)): a privacy-respecting authorization server configured to store a resource definition for the protected resource (see Paragraphs [0065], [0174] and FIG. 3, where the authorization server generates/stores an access Uniform Resource Locator (URL) fragment for accessing the resource at the resource server);
and an agent device communicatively connected to the authorization server, the agent device configured to: provide an agent interface for managing credentials and controlling permissions and policies at the authorization server (see Paragraph [0060] and FIG. 3, where the user agent within the mobile phone is directed to an authorization endpoint at the authorization server, and the user agent authorizes the client to access the resource, creates an authorization code and provides it to the client via the authorization server);
and store protected data including any one or more of account identifier data, authenticator data, resource server relationship data, and permissions data (see Paragraph [0040], where the client identifier and permission data such as an authentication key are shared through the authorization server).

Regarding claim 6, Murakami et al teach a computer-implemented system for providing an authorization service for allowing a service provider client device to access a protected resource stored at a resource server as in claim 5, wherein the authorization server is further configured to store a privacy-respecting ledger of resource owner data including account data and permissions data (see Paragraph [0177], where clients register with the authorization server and client identifiers are shared; see Paragraph [0167], where the authorization key, token secret key and token are shared with the authorization server).

Regarding claim 7, Murakami et al teach a computer-implemented system for providing an authorization service for allowing a service provider client device to access a protected resource stored at a resource server as in claim 5, wherein the authorization server is further configured to control any one or more of a governance registry and a registry of approved clients, resource servers, and agents (see Paragraph [0177], where clients register with the authorization server and client identifiers are shared; see Paragraph [0167], where the authorization key, token secret key and token are shared with the authorization server).

Regarding claim 8, Murakami et al teach a computer-implemented system for providing an authorization service for allowing a service provider client device to access a protected resource stored at a resource server as in claim 5, wherein the agent interface includes a user interface configured to perform any one or more of registering a new account, authenticating to an account, interacting with an authenticator, managing permissions, and handling client resource requests (see Paragraph [0177], where clients register with the authorization server and client identifiers are shared; see Paragraph [0167], where the authorization key, token secret key and token are shared with the authorization server; see Paragraph [0060] and FIG. 3, where the user agent within the mobile phone is directed to an authorization endpoint at the authorization server, and the user agent authorizes the client to access the resource, creates an authorization code and provides it to the client via the authorization server).

Regarding claim 9, Murakami et al teach a computer-implemented system for providing an authorization service for allowing a service provider client device to access a protected resource stored at a resource server as in claim 5, wherein the authorization server is further configured to provide a resource owner interface which can be used by the agent device to authenticate the resource owner (see Paragraph [0018], where the authorization endpoint is used to obtain authorization from the resource owner via user-agent redirection).

Regarding claim 10, Murakami et al teach a computer-implemented system for providing an authorization service for allowing a service provider client device to access a protected resource stored at a resource server as in claim 5, wherein the authorization server is further configured to delegate permission gathering (see Paragraph [0177], where clients register with the authorization server and client identifiers are shared; see Paragraph [0167], authorization key, token secret key and token) and authentication to the agent device upon receiving a request from the service provider client device (see Paragraphs [0077], [0147] and FIG. 3, where the service provider client device accesses the resource by registering with the authorization server with permission data (URL fragment)).

Regarding claim 11, Murakami et al teach a computer-implemented system for providing an authorization service for allowing a service provider client device to access a protected resource stored at a resource server as in claim 5, wherein a client capability is registered generically against the resource definition (see Paragraph [0065], where the client capability is determined by extracting the URL fragment into a token).

Regarding claim 14, Murakami et al teach a computer-implemented system for providing an authorization service for allowing a service provider client device to access a protected resource stored at a resource server as in claim 5, wherein the system enables an OAuth extension which allows a single call to connect to any number of protected resources stored in one or more resource servers, and wherein as part of a client authorization process, the service provider client device is given a token per granted resource, thereby allowing access to the one or more resource servers (see Paragraph [0014], where the OAuth client, being a web site, requests a token by presenting the authorization code from the authorization server, and the access token is used for accessing the resource on the resource server).

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-4, 8, 12, 15-16 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Murakami et al (US 20130007846 A1) in view of Kukreja et al (US 20200127994 A1) and further in view of Mane et al (US 20210099297 A1).
Regarding claim 1, Murakami et al teach a computer-implemented system for distributed authorization, the system comprising:
a service provider client device, the service provider client device configured to provide a service which uses the protected resource (see Paragraphs [0077] and [0147], where the service provider provides a website (service) to access resources);
a federated privacy exchange system configured to provide an authorization service for allowing the service provider client device to access the protected resource according to permissions data, the federated privacy exchange system comprising (see Paragraphs [0077], [0147] and FIG. 3, where the service provider client device accesses the resource by registering with the authorization server with permission data (URL fragment)):
a privacy-respecting authorization server configured to store a resource definition for the protected resource (see Paragraph [0065] and FIG. 3, where the authorization server generates/stores an access Uniform Resource Locator (URL) fragment for accessing the resource at the resource server);
and an agent device configured to: provide an agent interface for managing credentials and controlling permissions and policies at the authorization server (see Paragraph [0060] and FIG. 3, where the user agent within the mobile phone is directed to an authorization endpoint at the authorization server, and the user agent authorizes the client to access the resource, creates an authorization code and provides it to the client via the authorization server);
and store protected data including any one or more of account identifier data, authenticator data, resource server relationship data, and permissions data (see Paragraph [0040], where the client identifier and permission data such as an authentication key are shared through the authorization server).
Kukreja et al do not teach a resource server which stores a protected resource of a resource owner, a service provider client device, and the service provider client device configured to provide a service which uses the protected resource.
However, in analogous art, Kukreja et al teach the same field of OAuth systems between a client, a resource server, and an authentication server. Kukreja et al teach a resource server which stores a protected resource of a resource owner (see Paragraphs [0024-25], [0031], and [0061], where protected resources from the resource owner are hosted at the resource server).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system of Murakami et al to incorporate the teaching of Kukreja et al, using a resource server which stores a protected resource.
The motivation, as recognized by one of ordinary skill in the art, to do so would be that protected resources are stored by the resource owner with an authorization policy (see Paragraph [0062]).
Murakami et al and Kukreja et al do not teach a resource server which respects authorization server-issued authorization grants.
However, in analogous art, Mane et al teach the same field of broker systems between a client device, an authorization server, and a resource server. Mane et al teach a resource server which respects authorization server-issued authorization grants (see Paragraph [0032], where the authorization server provides authentication for access to one or more resource servers and controls access to the resource servers and the corresponding protected resources).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system of Murakami et al to incorporate the teaching of Kukreja et al and further the teaching of Mane et al, using a resource server which respects authorization server-issued authorization grants.
The motivation, as recognized by one of ordinary skill in the art, to do so would be that the authorization program can replicate values and information associated with an access token at the resource server (see Paragraph [0033]).

Regarding claim 2, Murakami et al as modified by Kukreja et al and further in view of Mane et al teach the system for distributed authorization as in claim 1, and Murakami et al teach wherein the authorization server is further configured to control any one or more of a governance registry, a registry of approved clients, resource servers, and agents, and a privacy-respecting ledger of resource owner data including account data and permissions data, wherein the permissions data records a resource owner-directed data authorization policy including client capability data and resource server capability data (see Paragraph [0177], where clients register with the authorization server and client identifiers are shared; see Paragraph [0167], where the authorization key, token secret key and token are shared with the authorization server).

Regarding claim 3, Murakami et al as modified by Kukreja et al and further in view of Mane et al teach the system for distributed authorization as in claim 1, and Murakami et al teach wherein the authorization server is further configured to provide a resource owner interface which can be used by the agent device to authenticate the resource owner and delegate permission gathering and authentication to the agent device upon receiving a request from the service provider client device (see Paragraph [0141], where the resource owner receives the incoming request via redirection from the authorization endpoint of an authorization server).

Regarding claim 4, Murakami et al as modified by Kukreja et al and further in view of Mane et al teach the system for distributed authorization as in claim 1, and Murakami et al teach wherein the system enables an OAuth extension which allows a single call to connect to any number of protected resources stored in one or more resource servers, and wherein as part of a client authorization process, the service provider client device is given a token per granted resource, thereby allowing access to the one or more resource servers (see Paragraph [0014], where the OAuth client, being a web site, requests a token by presenting the authorization code from the authorization server, and the access token is used for accessing the resource on the resource server).

Regarding claim 12, Murakami et al teach a computer-implemented system for providing an authorization service for allowing a service provider client device to access a protected resource stored at a resource server as in claim 5.
Murakami et al do not teach that the protected resource is registered generically against the resource definition.
However, in analogous art, Kukreja et al teach the same field of OAuth systems between a client, a resource server, and an authentication server. Kukreja et al teach that the protected resource is registered generically against the resource definition (see Paragraphs [0024-25], [0031], and [0061], where protected resources from the resource owner are hosted at the resource server against SSO cookies).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system of Murakami et al to incorporate the teaching of Kukreja et al, using a resource server which stores a protected resource and a service provider client device.
The motivation, as recognized by one of ordinary skill in the art, to do so would be that protected resources are stored by the resource owner with an authorization policy (see Paragraph [0062]).
Murakami et al and Kukreja et al do not teach that a capability of the service provider client device or the resource server is defined against the resource definition, the resource definition comprising a generic interface schema.
However, in analogous art, Mane et al teach the same field of broker systems between a client device, an authorization server, and a resource server. Mane et al teach wherein a capability of the service provider client device or the resource server is defined against the resource definition (see Paragraph [0023], where access token information includes a secure value, access tokens, purging by time, loss of a certificate for a resource/resource server, and token revocation), the resource definition comprising a generic interface schema (see Paragraph [0024], where access token rules include a set of rules, a schema, and/or predefined values respectively associated with a device).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system of Murakami et al to incorporate the teaching of Kukreja et al and further in view of Mane et al, using a resource server which respects authorization server-issued authorization grants.
The motivation, as recognized by one of ordinary skill in the art, to do so would be that the authorization program can replicate values and information associated with an access token at the resource server (see Paragraph [0033]).

Regarding claim 15, Murakami et al teach a method of authorizing access by a service provider client to a protected resource stored at a resource server using a resource definition, the method comprising: defining client capabilities against a generic resource definition (see Paragraph [0065], where the client capability is determined by extracting the URL fragment into a token);
storing the generic resource definition at an authorization server (see Paragraphs [0065], [0174] and FIG. 3, where the authorization server generates/stores an access Uniform Resource Locator (URL) fragment for accessing the resource at the resource server).
Murakami et al do not teach that the protected resource is registered generically against the resource definition.
However, in analogous art, Kukreja et al teach the same field of OAuth systems between a client, a resource server, and an authentication server. Kukreja et al teach that the protected resource is registered generically against the resource definition (see Paragraphs [0024-25], [0031], and [0061], where protected resources from the resource owner are hosted at the resource server against SSO cookies).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system of Murakami et al to incorporate the teaching of Kukreja et al, using a resource server which stores a protected resource and a service provider client device.
The motivation, as recognized by one of ordinary skill in the art, to do so would be that protected resources are stored by the resource owner with an authorization policy (see Paragraph [0062]).
Murakami et al and Kukreja et al do not teach defining resource server capabilities against a generic resource definition, the generic resource definition comprising a generic interface schema.
However, in analogous art, Mane et al teach the same field of broker systems between a client device, an authorization server, and a resource server. Mane et al teach resource server capabilities defined against a generic resource definition, the generic resource definition comprising a generic interface schema (see Paragraph [0024], where access token rules include a set of rules, a schema, and/or predefined values respectively associated with a device).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system of Murakami et al to incorporate the teaching of Kukreja et al and further in view of Mane et al, using a resource server which respects authorization server-issued authorization grants.
The motivation, as recognized by one of ordinary skill in the art, to do so would be that the authorization program can replicate values and information associated with an access token at the resource server (see Paragraph [0033]).

Regarding claim 16, Murakami et al as modified in view of Kukreja et al and further in view of Mane et al teach a method of authorizing access by a service provider client to a protected resource stored at a resource server using a resource definition as in claim 15.
Murakami et al and Kukreja et al do not teach the method further comprising: defining policy conditions comprising authorization grant rules at the authorization server against the generic interface schema.
However, in analogous art, Mane et al teach the same field of broker systems between a client device, an authorization server, and a resource server. Mane et al teach the method further comprising: defining policy conditions comprising authorization grant rules at the authorization server against the generic interface schema (see Paragraphs [0010], [0024], where a set of rules, a schema, and/or predefined values are associated with a device, and the authorization server downloads and stores a copy of the rules and/or predefined values into the access token rules and modifies them).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system of Murakami et al to incorporate the teaching of Kukreja et al and further in view of Mane et al, using a resource server which respects authorization server-issued authorization grants.
The motivation, as recognized by one of ordinary skill in the art, to do so would be that the authorization program can replicate values and information associated with an access token at the resource server (see Paragraph [0033]).

Regarding claim 20, Murakami et al as modified in view of Kukreja et al and further in view of Mane et al teach a method of authorizing access by a service provider client to a protected resource stored at a resource server using a resource definition as in claim 15, and Murakami et al teach providing access to one or more protected resources at one or more resource servers via a single authorization request issued by the service provider client (see Paragraph [0014], where the OAuth client, being a web site, requests a token by presenting the authorization code from the authorization server, and the access token is used for accessing the resource on the resource server).
However, Murakami et al and Kukreja et al do not teach integrating directly from the service provider client to the generic resource definition at the authorization server.
In analogous art, Mane et al teach the same field of broker systems between a client device, an authorization server, and a resource server. Mane et al teach the method further comprising: integrating directly from the service provider client to the generic resource definition at the authorization server (see Paragraph [0023], where access token information includes a secure value, access tokens, purging by time, loss of a certificate for a resource/resource server, and token revocation).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system of Murakami et al to incorporate the teaching of Kukreja et al and further in view of Mane et al, using a resource server which respects authorization server-issued authorization grants.
The motivation, as recognized by one of ordinary skill in the art, to do so would be that the authorization program can replicate values and information associated with an access token at the resource server (see Paragraph [0033]).

Claim 13 is rejected under 35 U.S.C. 103 as being unpatentable over Murakami et al in view of Kukreja et al.
Regarding claim 13, Murakami et al teach a computer-implemented system for providing an authorization service for allowing a service provider client device to access a protected resource stored at a resource server as in claim 5.
Murakami et al do not teach that the protected resource is registered generically against the resource definition.
However, in analogous art, Kukreja et al teach the same field of OAuth systems between a client, a resource server, and an authentication server. Kukreja et al teach that the protected resource is registered generically against the resource definition (see Paragraphs [0024-25], [0031], and [0061], where protected resources from the resource owner are hosted at the resource server against SSO cookies).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system of Murakami et al to incorporate the teaching of Kukreja et al, using a resource server which stores a protected resource and a service provider client device.
The motivation, as recognized by one of ordinary skill in the art, to do so would be that protected resources are stored by the resource owner with an authorization policy (see Paragraph [0062]).

Claims 17-19 are rejected under 35 U.S.C. 103 as being unpatentable over Murakami et al in view of Kukreja et al and Mane et al and further in view of Cronk et al (US 20120011567 A1).
Regarding claim 17, Murakami et al as modified in view of Kukreja et al and further in view of Mane et al teach a method of authorizing access by a service provider client to a protected resource stored at a resource server using a resource definition as in claim 15.
Murakami et al, Mane et al and Kukreja et al do not teach the method further comprising: fulfilling the generic interface schema for a specific service provider client by a specific resource server that receives a generic request from the specific service provider client and resolves the generic request.
However, in analogous art, Cronk et al teach the same field of federated models. Cronk et al teach the method further comprising: fulfilling the generic interface schema for a specific service provider client by a specific resource server that receives a generic request from the specific service provider client and resolves the generic request (see Paragraph [0060], where the rights profile contains information regarding the specific rights of a device and/or a subscriber to access content. It is via the rights profile that the device. A given user will have MSO-specific information regarding its identity and/or information regarding its subscription level and other service details stored at the programmer site, or at another entity accessible to the programmer, without requiring consultation with the MSO).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system of modified Murakami et al, Mane et al and Kukreja et al to incorporate the teaching of Cronk et al, using a specific resource server that receives a generic request from the specific service provider client and resolves the generic request.
The motivation, as recognized by one of ordinary skill in the art, to do so would be that the third party may later reference this information when subsequent requests for content are made by the user, and thereby provide faster and more efficient service (see Paragraph [0060]).

Regarding claim 18, Murakami et al as modified in view of Kukreja et al and further in view of Mane et al teach a method of authorizing access by a service provider client to a protected resource stored at a resource server using a resource definition as in claim 15.
Murakami et al, Mane et al and Kukreja et al do not teach receiving, at the authorization server, user consent allowing a specific resource server to fulfill the generic interface schema for a specific client.
However, in analogous art, Cronk et al teach the same field of federated models. Cronk et al teach receiving, at the authorization server, user consent allowing a specific resource server to fulfill the generic interface schema for a specific client (see Paragraph [0060], where the rights profile contains information regarding the specific rights of a device and/or a subscriber to access content. It is via the rights profile that the device. A given user will have MSO-specific information regarding its identity and/or information regarding its subscription level and other service details stored at the programmer site, or at another entity accessible to the programmer, without requiring consultation with the MSO).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system of modified Murakami et al, Mane et al and Kukreja et al to incorporate the teaching of Cronk et al, using a specific resource server that receives a generic request from the specific service provider client and resolves the generic request.
The motivation, as recognized by one of ordinary skill in the art, to do so would be that the third party may later reference this information when subsequent requests for content are made by the user, and thereby provide faster and more efficient service (see Paragraph [0060]).

Regarding claim 19, Murakami et al as modified in view of Kukreja et al and further in view of Mane et al teach a method of authorizing access by a service provider client to a protected resource stored at a resource server using a resource definition as in claim 15.
Murakami et al, Mane et al and Kukreja et al do not teach the method further comprising: defining, via the generic resource definition, contents of a successful response from the resource server to the service provider client upon successful authorization of access to the protected resource.
However, in analogous art, Cronk et al teach the same field of federated models. Cronk et al teach the method further comprising: defining, via the generic resource definition, contents of a successful response from the resource server to the service provider client upon successful authorization of access to the protected resource (see Paragraph [0283], where the Service must respond with a decision of "Permit" if the request was successfully validated and processed end to end without error and the service unequivocally determined that the subscriber should have the right to perform the requested action via the specified medium on the specified resource; the request was successfully processed and the subscriber should be granted access to the resource through the specified expiry without further entitlement requests).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system of modified Murakami et al, Mane et al and Kukreja et al to incorporate the teaching of Cronk et al, using a specific resource server that receives a generic request from the specific service provider client and resolves the generic request.
The motivation, as recognized by one of ordinary skill in the art, to do so would be that the third party may later reference this information when subsequent requests for content are made by the user, and thereby provide faster and more efficient service (see Paragraph [0060]).

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
LaFever et al (US 20190332807 A1) disclose a system and methods for improving data privacy/anonymity and data value, wherein data related to a data subject can be used and stored while minimizing the re-identification risk by unauthorized parties, and enabling data related to the data subject to be disclosed to an authorized party by granting access only to the data relevant to that authorized party's purpose.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to DAVID HYUNGYU KIM whose telephone number is (571)272-0460. The examiner can normally be reached Monday - Friday.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Philip Chea, can be reached on (571) 273-8300. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/DAVID HYUNGYU KIM/Examiner, Art Unit 2499
/PHILIP J CHEA/Supervisory Patent Examiner, Art Unit 2499