DETAILED ACTION
This communication is in response to Applicant’s amendment filed on September 07, 2022. Claims 35, 42 and 46 have been amended. Claims 35-54 are pending and are directed towards SECURITY MANAGEMENT FOR SERVICE ACCESS IN A COMMUNICATION SYSTEM.
Examiner acknowledges Applicant’s argument and amendment, and therefore withdraws the 35 USC § 101 rejection since the way the claims have been amended integrate the abstract idea into a practical application. However, due to the change in scope of the claims in the amendment, a new rejection under 35 USC § 103 is presented herein. 

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 09/21/2022 was Acknowledge. The submission is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Response to Arguments
Applicant's arguments filed on September 07, 2022 with respect to 35 U.S.C. 102 rejections have been fully considered but they are moot in view of the new grounds of rejections. Applicant’s argument has been addressed in the rejections below.


Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

Claim(s) 35-37, 39 and 42-54 are rejected under 35 U.S.C. 103 as being unpatentable over Bemmel et al. US 2006/0041669 A1 (hereinafter “Bemmel”) in view of Jones et al. US 2018/0302391 A1 (hereinafter “Jones”).

As per claim 35, Bemmel teaches a method comprising: 
receiving at an authorization entity in a communication system comprising a service-based architecture a request from a service consumer in the communication system for access to a given service type (a Web Service based upon a service request may be discovered by the Web Service security module. Bemmel, para [0026][0027]) (a method for securing a Web Service includes receiving a service request at block 500, by the web server 115, in accordance with one embodiment of the present invention. At block 505, a first access controller element 375 and a smartUDDI 385 may be used by a requester 305 to discover a service and obtain a signed access token. Bemmel, para [0050]); 
obtaining at the authorization entity an access token that identifies a service producer offering services of the given service type (the UDDI registry generates a service ticket. Bemmel, para [0029]) (the smartUDDI 385 generates a token. The smartUDDI 385 signs the token, encoding the identity in block 415. As shown in block 420, the requestor 305 passes the token in service invocation to the deployed services 390. The access controller 375, in block 425, examines the token and enforces access policies for the deployed service 390. Bemmel, para [0046]) (The smartUDDI 385, at block 515, may encode the identity and access policy information in a signed access token. Bemmel, para [0050]); and 
sending the access token from the authorization entity to the service consumer (returns it with discovered service list to the Web Service requestor. Bemmel, para [0029])(the requestor 305 may pass the signed access token to the access controller 375 to reuse authentication and access policy calculations. Bemmel, para [0051]).
Bemmel does not explicitly teach an access token that identifies a plurality of service producers offering services of the given service type, the plurality of service producers comprising network entities of the service-based architecture in the communication system. 
However, Jones teaches an access token that identifies a plurality of service producers offering services of the given service type (The access token may also be usable on/by a plurality of service providers 140. For example, the access token 300 may further include a service provider field 314 to indicate on which one or more service providers the access token may be used. For example, the access token 300 may identify a first service provider by using a first service provider field 314(1) and a second service provider by using a second service provider field 314(2). The access token 300 may identify additional service providers by using additional service provider fields 314(n), to allow the access token 300 to be used by additional service providers. Jones, para [0036]), the plurality of service producers comprising network entities of the service-based architecture in the communication system (Network-based applications running over one or more networks occasionally utilize role-based access control lists to authenticate users and grant them access or permission to particular features of a service. Jones, para [0012])( The network environment 100 may be implemented using any number of communications links associated with one or more service providers, including one or more wired communication links, one or more wireless communication links, or any combination thereof. Additionally, the network environment 100 can be configured to support the transmission of data formatted using any number of protocols. Jones, para [0017])(The network devices (e.g., clients 110, service provider 140, identity provider 160, authorization server 170, resource server 180) may be connected over links through ports. Jones, para [0021]).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, to modify the teaching of Bemmel in view of Jones. One would be motivated to do so, to allow the access token to be used by additional service providers. (Jones, para [0036])

As per claim 36, Bemmel and Jones teach the method of claim 35, further comprising the authorization entity authenticating the service consumer in a discovery step prior to receiving an access token request from the service consumer (The web-services security architecture advantageously employs a combination of authentication with service discovery, evaluation of access policies, and capturing the result of this process in a signed, security token allowing efficient processing for each service request. Bemmel, para [0023]) (While the access controller 375 may authenticate and enforce the access policy 125, the policy engine 380 may evaluate access policies and encode its decision in a security token. More specifically, the smartUDDI 385 authenticates, authorizes, applies policy, achieves load balance by tracking dynamic information of each service instance and return response. While the Web Service security module 120 authenticates and provides service, the client application 310 authenticates and makes requests. Bemmel, para [0026]).

As per claim 37, Bemmel and Jones teach the method of claim 35, wherein the obtaining step further comprises retrieving from storage the access token generated during a discovery step (the UDDI registry generates a service ticket, returns it with discovered service list to the Web Service requestor (e.g., the requestor client 105). Bemmel, para [0029]) (the requestor 305 discovers a service before sending one or more service invocations to that service. The token is returned at block 435 and the access controller 375 issues a proxy request to the smartUDDI 385 for the requestor 305 in block 440. The access controller 375 caches token information from the smartUDDI 445 for the requestor 305 at block 445. Bemmel, para [0047]).

As per claim 39, Bemmel and Jones teach the method of claim 35. Bemmel does not explicitly teach wherein the access token comprises an identifier and an address for each of the plurality of service producers identified therein.
However, Jones teaches wherein the access token comprises an identifier and an address for each of the plurality of service producers identified therein (Each resource identifier field 308(n) may include one or more API scope fields 310(n) representing API scopes allocated to a particular client, as required to fulfill a request for a resource. For example, a request from a client to read and write data in a first application and read alerts and write policy in a second application may result in an access token 300 having a first resource identifier field 308(1) identifying the first application, with a first scope field 310(1) allowing reading of data for the first application, and a second scope field 310(2) allowing writing of data for the first application. In this example, the access token 300 may further include a second resource identifier field 308(2) identifying the second application, with a third scope field 310(3) allowing reading of alerts of the second application, and a fourth scope field 310(4) allowing writing of policy for the second application. The access token 300 may include additional scope fields 310(n) for each respective resource identifier field 308(n) as necessary to grant or fulfill the request from the client. The access token may also be usable on/by a plurality of service providers 140. For example, the access token 300 may further include a service provider field 314 to indicate on which one or more service providers the access token may be used. For example, the access token 300 may identify a first service provider by using a first service provider field 314(1) and a second service provider by using a second service provider field 314(2). The access token 300 may identify additional service providers by using additional service provider fields 314(n), para [0035]-[0036] Fig. 3 fields 314(1)-(n)).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, to modify the system of Bemmel in view of Jones. One would be motivated to do so, to allow the access token to be used by additional service providers using their identifiers. (Jones, para [0036])

As per claim 42, Bemmel teaches a method comprising: 
sending from a service consumer in a communication system comprising a service-based architecture to an authorization entity in the communication system a request for access to a given service type (a Web Service based upon a service request may be discovered by the Web Service security module. Bemmel, para [0026][0027]) (a method for securing a Web Service includes receiving a service request at block 500, by the web server 115, in accordance with one embodiment of the present invention. At block 505, a first access controller element 375 and a smartUDDI 385 may be used by a requester 305 to discover a service and obtain a signed access token. Bemmel, para [0050]); 
receiving at the service consumer an access token from the authorization entity, wherein the access token identifies a service producer offering services of the given service type (the UDDI registry generates a service ticket. Bemmel, para [0029]) (the smartUDDI 385 generates a token. The smartUDDI 385 signs the token, encoding the identity in block 415. As shown in block 420, the requestor 305 passes the token in service invocation to the deployed services 390. The access controller 375, in block 425, examines the token and enforces access policies for the deployed service 390. Bemmel, para [0046]) (The smartUDDI 385, at block 515, may encode the identity and access policy information in a signed access token. Bemmel, para [0050]).
Bemmel does not explicitly teach an access token that identifies a plurality of service producers offering services of the given service type, the plurality of service producers comprising network entities of the service-based architecture in the communication system; and selecting one of the plurality of service producers from the access token based on one or more selection criterion. 
However, Jones teaches an access token that identifies a plurality of service producers offering services of the given service type (The access token may also be usable on/by a plurality of service providers 140. For example, the access token 300 may further include a service provider field 314 to indicate on which one or more service providers the access token may be used. For example, the access token 300 may identify a first service provider by using a first service provider field 314(1) and a second service provider by using a second service provider field 314(2). The access token 300 may identify additional service providers by using additional service provider fields 314(n), to allow the access token 300 to be used by additional service providers. Jones, para [0036]), the plurality of service producers comprising network entities of the service-based architecture in the communication system (Network-based applications running over one or more networks occasionally utilize role-based access control lists to authenticate users and grant them access or permission to particular features of a service. Jones, para [0012])( The network environment 100 may be implemented using any number of communications links associated with one or more service providers, including one or more wired communication links, one or more wireless communication links, or any combination thereof. Additionally, the network environment 100 can be configured to support the transmission of data formatted using any number of protocols. Jones, para [0017])(The network devices (e.g., clients 110, service provider 140, identity provider 160, authorization server 170, resource server 180) may be connected over links through ports. Jones, para [0021]); and 
selecting one of the plurality of service producers from the access token based on one or more selection criterion (the access token 300 may identify a first service provider by using a first service provider field 314(1) and a second service provider by using a second service provider field 314(2). The access token 300 may identify additional service providers by using additional service provider fields 314(n). Jones, para [0036]) (an access token 300 may comprise a first resource identifier field 308(1) for identifying a first application or resource to which a given client 110 may request access, and a second resource identifier field 308(2) for identifying a second application or resource to which a given client 110 may request access. Jones, para [0034][0048]).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, to modify the teaching of Bemmel in view of Jones. One would be motivated to do so, to allow the access token to be used by additional service providers. (Jones, para [0036])

As per claim 43, Bemmel and Jones teach the method of claim 42, further comprising the service consumer sending a service request to the selected service producer, wherein the service request comprises the access token (after the UDDI registry factors in search criteria along with authenticated identity and applies policies, the UDDI registry returns the list of discovered services to the Web Service requester. The Web Service requestor connects to the Web Service and makes requests. The Web Service applies local policies, or connects to the UDDI registry over back-office channels, and requests treatment information. In this manner, requests are processed and responses are returned. Bemmel, para [0031]) (The Web Service security module 120 may capture the security token in a signed security token for use with each subsequent service request. Bemmel, para [0032]).

As per claim 44, Bemmel and Jones teach the method of claim 43, wherein the service request comprises an application programming interface service request (The requestor client 105 may comprise a requester 305 capable of running a client application 310 on an application server using a client Application Programming Interface (API) 320. Bemmel, para [0033]).

As per claim 45, Bemmel and Jones teach the method of claim 42, further comprising: subsequently selecting another service producer from the same access token (The Web Service security module 120 may capture the security token in a signed security token for use with each subsequent service request. Bemmel, para [0032]); and 
sending a service request to the selected other service producer, wherein the service request comprises the access token (The Web Service security module 120 may capture the security token in a signed security token for use with each subsequent service request. Bemmel, para [0032]) (after the UDDI registry factors in search criteria along with authenticated identity and applies policies, the UDDI registry returns the list of discovered services to the Web Service requester. The Web Service requestor connects to the Web Service and makes requests. The Web Service applies local policies, or connects to the UDDI registry over back-office channels, and requests treatment information. In this manner, requests are processed and responses are returned. Bemmel, para [0031]).

As per claim 46, Bemmel teaches a method comprising: 
receiving an access token at a proxy element in a communication system comprising a service- based architecture, wherein the access token identifies a plurality of service producers in the communication system for a given service type generated by an authorization entity in the communication system in response to a request by a service consumer in the communication system for access to the given service type (a Web Service based upon a service request may be discovered by the Web Service security module. Bemmel, para [0026][0027])( The client application 310 may send a service request from the requestor 305 to the intelligent services gateway 370 over the communication network 350 via the client API 320. The service capability server 365 may provide the interface and functionality to interact with the network elements 335. Bemmel, para [0041]) (a method for securing a Web Service includes receiving a service request at block 500, by the web server 115, in accordance with one embodiment of the present invention. At block 505, a first access controller element 375 and a smartUDDI 385 may be used by a requester 305 to discover a service and obtain a signed access token. Bemmel, para [0050]) (the UDDI registry generates a service ticket. Bemmel, para [0029]) (the smartUDDI 385 generates a token. The smartUDDI 385 signs the token, encoding the identity in block 415. As shown in block 420, the requestor 305 passes the token in service invocation to the deployed services 390. The access controller 375, in block 425, examines the token and enforces access policies for the deployed service 390. Bemmel, para [0046]) (The smartUDDI 385, at block 515, may encode the identity and access policy information in a signed access token. Bemmel, para [0050]).
Bemmel does not explicitly teach an access token that identifies a plurality of service producers offering services of the given service type, the plurality of service producers comprising network entities of the service-based architecture in the communication system; and selecting at the proxy element one of the plurality of service producers from the access token based on one or more selection criterion. 
However, Jones teaches an access token that identifies a plurality of service producers offering services of the given service type (The access token may also be usable on/by a plurality of service providers 140. For example, the access token 300 may further include a service provider field 314 to indicate on which one or more service providers the access token may be used. For example, the access token 300 may identify a first service provider by using a first service provider field 314(1) and a second service provider by using a second service provider field 314(2). The access token 300 may identify additional service providers by using additional service provider fields 314(n), to allow the access token 300 to be used by additional service providers. Jones, para [0036]), the plurality of service producers comprising network entities of the service-based architecture in the communication system (Network-based applications running over one or more networks occasionally utilize role-based access control lists to authenticate users and grant them access or permission to particular features of a service. Jones, para [0012])( The network environment 100 may be implemented using any number of communications links associated with one or more service providers, including one or more wired communication links, one or more wireless communication links, or any combination thereof. Additionally, the network environment 100 can be configured to support the transmission of data formatted using any number of protocols. Jones, para [0017]) (The network devices (e.g., clients 110, service provider 140, identity provider 160, authorization server 170, resource server 180) may be connected over links through ports. Jones, para [0021]); and 
selecting at the proxy element one of the plurality of service producers from the access token based on one or more selection criterion (the access token 300 may identify a first service provider by using a first service provider field 314(1) and a second service provider by using a second service provider field 314(2). The access token 300 may identify additional service providers by using additional service provider fields 314(n). Jones, para [0036]) (an access token 300 may comprise a first resource identifier field 308(1) for identifying a first application or resource to which a given client 110 may request access, and a second resource identifier field 308(2) for identifying a second application or resource to which a given client 110 may request access. Jones, para [0034] [0048]).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, to modify the teaching of Bemmel in view of Jones. One would be motivated to do so, to allow the access token to be used by additional service providers. (Jones, para [0036])

As per claim 47, Bemmel and Jones teach the method of claim 46, further comprising, when the proxy element resides between the authorization entity and the service consumer, the proxy element sending the service consumer identifying information for the selected service producer (The intelligent services gateway 370 may provide a standard way for carriers to open their network resources (the protocols 330 and the network elements 335) to the application service provider 360 or third-party client application developers. In this manner, the intelligent services gateway 370 may hide the details of the underlying network resources and shield the application developers from the complexities of the communication network 350. Bemmel, para [0040]).

As per claim 48, Bemmel and Jones teach the method of claim 46, further comprising, when the proxy element resides between the authorization entity and the service consumer, the proxy element subsequently selecting another service producer from the access token based on a change in at least one of the one or more selection criterion (The Web Service security module 120 may capture the security token in a signed security token for use with each subsequent service request. Bemmel, para [0032]) (The intelligent services gateway 370 may comprise a server Application Programming interface (API) 395 coupled to a cache 397. While the server API 395 may enable communications with the client application 310, the cache 397 may store identity and access policy information. Bemmel, para [0038]) (for Web Service discovery and selection, the Web Service registration proceeds as in a regular UDDI case having periodic updates with dynamic service load information. The Web Service requestor, the requestor client 105, connects with a UDDI registry which may be part of a UDDI module (as shown in FIGS. 3 and 4) and authenticates. The Web Service requestor sends registry service discovery criteria. The UDDI registry factors in search criteria along with authenticated identity and applies policies (e.g., the access policy 125) in the Web Service security module. Bemmel, para [0027]).

As per claim 49, Bemmel and Jones teach the method of claim 48, further comprising the proxy element sending the service consumer identifying information for the subsequently selected service producer (The intelligent services gateway 370 may provide a standard way for carriers to open their network resources (the protocols 330 and the network elements 335) to the application service provider 360 or third-party client application developers. In this manner, the intelligent services gateway 370 may hide the details of the underlying network resources and shield the application developers from the complexities of the communication network 350 […] the intelligent services gateway 370 may provide a set of Open Services Architecture (OSA) methods for the server API 395 to provide secure access to the underlying network resources. The server API 395 may be defined by OSA standard in one embodiment. The client application 310 may send a service request from the requestor 305 to the intelligent services gateway 370 over the communication network 350 via the client API 320. The service capability server 365 may provide the interface and functionality to interact with the network elements 335. Bemmel, para [0040]-[0041]).

As per claim 50, Bemmel and Jones teach the method of claim 46, further comprising, when the proxy element resides between the service consumer and one or more of the service producers, the proxy element sending the service consumer identifying information for the selected service producer (The intelligent services gateway 370 may provide a standard way for carriers to open their network resources (the protocols 330 and the network elements 335) to the application service provider 360 or third-party client application developers. In this manner, the intelligent services gateway 370 may hide the details of the underlying network resources and shield the application developers from the complexities of the communication network 350 […] the intelligent services gateway 370 may provide a set of Open Services Architecture (OSA) methods for the server API 395 to provide secure access to the underlying network resources. The server API 395 may be defined by OSA standard in one embodiment. The client application 310 may send a service request from the requestor 305 to the intelligent services gateway 370 over the communication network 350 via the client API 320. The service capability server 365 may provide the interface and functionality to interact with the network elements 335.. Bemmel, para [0040]-[0041]).

As per claim 51, Bemmel and Jones teach the method of claim 50, further comprising, when the proxy element resides between the service consumer and one or more of the service producers, the proxy element subsequently selecting another service producer from the access token based on a change in at least one of the one or more selection criterion (for Web Service discovery and selection, the Web Service registration proceeds as in a regular UDDI case having periodic updates with dynamic service load information. Bemmel, para [0027]) (the smartUDDI 385 authenticates, authorizes, applies policy, achieves load balance by tracking dynamic information of each service instance and return response. Bemmel, para [0036]) (The intelligent services gateway 370 may provide a standard way for carriers to open their network resources (the protocols 330 and the network elements 335) to the application service provider 360 or third-party client application developers. In this manner, the intelligent services gateway 370 may hide the details of the underlying network resources and shield the application developers from the complexities of the communication network 350 […] the intelligent services gateway 370 may provide a set of Open Services Architecture (OSA) methods for the server API 395 to provide secure access to the underlying network resources. The server API 395 may be defined by OSA standard in one embodiment. The client application 310 may send a service request from the requestor 305 to the intelligent services gateway 370 over the communication network 350 via the client API 320. The service capability server 365 may provide the interface and functionality to interact with the network elements 335. Bemmel, para [0040]-[0041]) (for Web Service discovery and selection, the Web Service registration proceeds as in a regular UDDI case having periodic updates with dynamic service load information. The Web Service requestor, the requestor client 105, connects with a UDDI registry which may be part of a UDDI module (as shown in FIGS. 3 and 4) and authenticates. The Web Service requestor sends registry service discovery criteria. The UDDI registry factors in search criteria along with authenticated identity and applies policies (e.g., the access policy 125) in the Web Service security module. Bemmel, para [0027]).

As per claim 52, Bemmel and Jones teach the method of claim 51, further comprising the proxy element sending the service consumer identifying information for the subsequently selected service producer (The intelligent services gateway 370 may provide a standard way for carriers to open their network resources (the protocols 330 and the network elements 335) to the application service provider 360 or third-party client application developers. In this manner, the intelligent services gateway 370 may hide the details of the underlying network resources and shield the application developers from the complexities of the communication network 350 […] the intelligent services gateway 370 may provide a set of Open Services Architecture (OSA) methods for the server API 395 to provide secure access to the underlying network resources. The server API 395 may be defined by OSA standard in one embodiment. The client application 310 may send a service request from the requestor 305 to the intelligent services gateway 370 over the communication network 350 via the client API 320. The service capability server 365 may provide the interface and functionality to interact with the network elements 335. Bemmel, para [0040]-[0041]).

As per claim 53, Bemmel and Jones teach the method of claim 48, wherein the selection criterion in which the change occurs comprises one or more of: a load balancing criterion; an availability criterion; and a maintenance criterion (for Web Service discovery and selection, the Web Service registration proceeds as in a regular UDDI case having periodic updates with dynamic service load information. Bemmel, para [0027]) (the smartUDDI 385 authenticates, authorizes, applies policy, achieves load balance by tracking dynamic information of each service instance and return response. Bemmel, para [0036]).

As per claim 54, Bemmel and Jones teach the method of claim 46, wherein the proxy element receives the access token from one of the authorization entity and the service consumer (the requestor 305 discovers a service before sending one or more service invocations to that service. The token is returned at block 435 and the access controller 375 issues a proxy request to the smartUDDI 385 for the requestor 305 in block 440. The access controller 375 caches token information from the smartUDDI 445 for the requestor 305 at block 445. Bemmel, para [0047]).

Claim 38 is rejected under 35 U.S.C. 103 as being unpatentable over Bemmel et al. US 2006/0041669 A1 (hereinafter “Bemmel”) in view of Jones et al. US 2018/0302391 A1 (hereinafter “Jones”), and further in view of Lee et al. US 2018/0270877 A1 (hereinafter “Lee”).

As per claim 38, Bemmel and Jones teach the method of claim 35. Bemmel does not explicitly teach wherein the authorization entity is a network function repository function, the service consumer is a first network function, and the plurality of service producers are two or more other network functions.
However, Lee teaches wherein the authorization entity is a network function repository function, the service consumer is a first network function, and the plurality of service producers are two or more other network functions (The vNF may be a network slice selection function for administrating network slices of the VPLMN or a network repository function for administrating network nodes of the VPLMN. Lee, para [0138])(the vNRF that has received the NF discovery request message at step 3 communicates with the hNRF to acquire the hSMF(s) information and sends the AMF an NF discovery response message including the vSMF(s) information and hSMF(s) information. Lee, para [0147]) (the network entity may be a RAN, AMF, vNRF, vSMF, hSMF, hNRF, hNF, etc. Lee, para [0156] Figs 11-12)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, to modify the system of Bemmel in view of Lee. One would be motivated to do so, to enhance the security of the system.

Claim(s) 40-41 are rejected under 35 U.S.C. 103 as being unpatentable over Bemmel et al. US 2006/0041669 A1 (hereinafter “Bemmel”) in view of Jones et al. US 2018/0302391 A1 (hereinafter “Jones”), and further in view of Murugesan et al. US 2018/0083977 A1 (hereinafter “Murugesan”).

As per claim 40, Bemmel and Jones teach the method of claim 35. Bemmel does not explicitly teach wherein the access token comprises a JavaScript Object Notation Web Token format. 
However, Murugesan teaches wherein the access token comprises a JavaScript Object Notation Web Token format (Interactive web-based and native applications leverage standard browser-based OpenID Connect flow to request user authentication, receiving standard identity tokens that are JavaScript Object Notation (“JSON”) Web Tokens (“JWTs”) conveying the user's authenticated identity. Murugesan, para [0082]).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, to modify the system of Bemmel in view of Murugesan. One would be motivated to do so, to enhance the security of the system.

As per claim 41, Bemmel, Jones and Murugesan teach the method of claim 40. Bemmel does not explicitly teach wherein the plurality of service producers for the given service type are identified in an audience claim field of the JavaScript Object Notation Web Token format.
However, Murugesan teaches wherein the plurality of service producers for the given service type are identified in an audience claim field of the JavaScript Object Notation Web Token format (Browser 1102 sends AZ Code to Cloud Gate 1104, and Cloud Gate 1104 sends a REST POST to OAuth2 microservice 1110 to request the access token and the identity token. Both tokens are scoped to OAuth microservice 1110 (indicated by the audience token claim). Cloud Gate 1104 receives the tokens from OAuth2 microservice. Murugesan, para [0179][0149])
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, to modify the system of Bemmel in view of Murugesan. One would be motivated to do so, to enhance the security of the system.

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to KHALID M ALMAGHAYREH whose telephone number is (571)272-0179. The examiner can normally be reached Monday - Thursday 8AM-5PM EST & Friday variable.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, SALEH NAJJAR can be reached on (571)272-4006. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.



Respectfully Submitted

/KHALID M ALMAGHAYREH/Examiner, Art Unit 2492