DETAILED ACTION
This communication is in response to Applicant’s amendment filed on October 07, 2022. Claims 1, 10, and 15-19 have been amended, and claims 7, 12, and 20 have been canceled. Claims 1-6, 8-11, and 13-19 are pending and are directed towards CLIENT AUTHORIZATION MECHANISMS TO ACCESS NATIVE SERVICES. 
Examiner acknowledges Applicant’s amendment to the specification and the claims, and therefore withdraws the previous specification and claims objections, and withdraws the previous 112(b) rejections. However, due to the change in scope of the claims in the amendment, a new rejection under 35 USC § 103 is presented herein. 

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Response to Arguments
Applicant's arguments/amendments filed on October 07, 2022 with respect to 35 U.S.C. 103 rejections have been fully considered but they are moot in view of the new grounds of rejections. Applicant’s arguments have been addressed in the rejections below. 

Claim Rejections - 35 USC § 112
The following is a quotation of the first paragraph of 35 U.S.C. 112(a):
(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.

Claims 1-6 and 8-9 rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA ), first paragraph, as failing to comply with the written description requirement. The claim(s) contains subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for applications subject to pre-AIA  35 U.S.C. 112, the inventor(s), at the time the application was filed, had possession of the claimed invention. Regarding independent claim 1, the original disclosure discloses in para [0042] and Fig. 3 stage C, and para [0047] and Fig. 4 step 425 the process of retrieving the manifest from the client. The disclosure stated that the network interface uses different network communication channels in para [0017] and [0018], but did not mention any out-of-band communication channel. Therefore, the newly added limitation in claim 1 “retrieving the manifest via an out-of-band communication” is not properly described or recited in the application as filed.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

Claim(s) 1-5, and 9 are rejected under 35 U.S.C. 103 as being unpatentable over Suarez et al. US 2017/0177877 A1 (hereinafter “Suarez”) in view of Galloway US 2019/0229922 A1, and further in view of Joyce et al. US 2021/0240551 A1 (hereinafter “Joyce”) and further in view of Blasi US 2017/0346807 A1. 

As per claim 1, Galloway teaches a method comprising: 
receiving, by a processor, a connection request from a client application (the software developer 966 makes a request to an instance service interface 912, such as the instance service interface 212 of FIG. 2, for a security token 974. The request may include credentials or proof of credentials 978 (e.g., username/password, biometric identifying information, one-time passcode, a cryptographic hash of any or all of the aforementioned data, etc.) usable to authenticate the software developer 966. Suarez, para [0085]) (receive a request from a client (e.g., a client device) to access (e.g., download from, upload to, delete from, list images stored in, search the contents of, etc.) a repository assigned to a customer of a computing resource service provider. Suarez, para [0119]);
verifying that a digital signature of the client application is valid and untampered (Validation of the authentication token may be performed, by, for example, decrypting a set of credentials from the authentication token and verifying that the set of credentials are associated with an entity authorized to have the request received in 1502 to be fulfilled. Suarez, para [0119])( The authorization token may be a string of characters generated by encrypting, such that the token may be decrypted by the key held by a container registry proxy or container registry front-end service, credentials and/or proof of credentials (e.g., a cryptographic hash of credentials) of an entity authorized to make the request and/or a digital signature usable at least in part at least for certain amount of time (e.g., the token may have been generated at least in part using time-based parameters such that the token has an effective expiration date, after which the token is no longer considered valid) for validating access to the repository. Suarez, para [0122]);
subsequent to the verifying that the digital signature is valid and untampered, retrieving a manifest, wherein the manifest includes application programming interfaces of the client application (In response to receiving the second request, the system may obtain the manifest corresponding to stored container image, and retrieve the set of files for the stored container image as indicated by the manifest. Suarez, para [0022]) (a manifest for the specified container image may be obtained. In some embodiments, this manifest is obtained from a registry metadata storage service, such as the registry metadata service. Suarez, para [0114]) (The container registry front-end service 214 may be a set of APIs and endpoints that are made accessible to customers of the computing resource service provider. Suarez, para [0042]);
validating whether an application programming interface request received from the client application is authorized based on the application programming interfaces included in the manifest (the security sweep may scan the registry 302 for occurrences of a content-addressable identifier associated with that particular layer. For example, the security sweep may discover from the manifest 350B that the content-addressable identifier of layer 2.sub.2 listed in the manifest 350B matches the content-addressable identifier provided to the security sweep associated with the insecure layer […] the security sweep 454 may search the manifests in the repository for content-addressable identifiers of layers matching “df9cb78ee4b0.”. Suarez, para [0056]-[0057])( the security sweep 454 searches the manifests of the first repository 452A for a match between the reference identifier 456 and the content-addressable identifiers 458 of the layers stored in the first repository 452A. Suarez, para [0058]-[0059]); and 
Suarez teaches a manifest that includes vulnerable programming interfaces of a client application that should be prevented and denied when requested. But, does not explicitly teach a manifest that includes authorized programming interfaces of a client application. 
However, Galloway in the same field of endeavor teaches a manifest that includes authorized programming interfaces of a client application (a token received from the user and an indication of an action to be performed by the user within the application platform, determining that the token includes an identification of the action as an action within the software application platform that the user has permission to perform, and based on the identification of the action as a permissible action, providing a response to the application platform indicating that the user is authorized to perform the action within the software application platform. The token may include a set of attributes of the token, a set of identifiers that indicate a plurality of actions within the software application platform that the user has permission to perform, and/or a first encryption of a combination of the set of attributes and the set of identifiers. Galloway, para [0003])(Once the token has been issued, subsequent action requests are expected to have the token in the authorization header of any communication, which may be processed via an application program interface (API). Galloway, para [0028]).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, to modify the teaching of Suarez in view of Galloway. One would be motivated to do so, for the obvious reason of processing the authorized application programming request. 
Suarez teaches a security process that sweeping the manifest to discover any content-addressable identifier associated with the security vulnerability, and flag and prevent using the layer at which the vulnerability was discovered. Suarez does not explicitly teach if the application programming interface request is authorized, then process the application programming interface request; and if the application programming request is unauthorized, then terminate the connection request from the client application. 
However, Joyce teaches if the application programming interface request is authorized, then process the application programming interface request (If the API request is deemed to be a permitted API request, e.g., the API request includes elements that are included in current API whitelist (affirmative determination in block 402), the API gateway 150 will increment one or more API counters that are associated with the API request, and the API request will be executed. Joyce, para [0072] Fig. 4 elements 402 and 404); and
if the application programming request is unauthorized, then terminate the connection request from the client application (if the API request is deemed not to be a permitted API request (negative determination in block 402), the API request will be rejected (block 406) and an error message (e.g., HTTP status code) may be sent from the API gateway 150. The API request will be rejected in response to the whitelist validation operation determining that an identified endpoint path of the client API request is not a permitted API endpoint path [terminate connection request], or that an identified endpoint parameter of the API request is not a permitted API endpoint parameter, or that an identified endpoint parameter value of the API request is not a permitted API endpoint parameter value, or that an identified method of the API request is not a permitted method, or that an identified header of the API request is not a permitted header. Joyce, para [0072] Fig. 4 elements 402 and 406).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, to modify the system of Suarez in view of Joyce. One would be motivated to do so, to enhance the security of the system by identifying authorized and unauthorized API requests and identify potential security risks and attack patterns. (Joyce, para [0072])
Suarez does not explicitly teach retrieving a manifest via an out-of-band communication. 
However, Blasi teaches retrieving a manifest via an out-of-band communication (the access management server 110 securely transmits the digitally signed license token to the requesting entity out-of-band (e.g., during a separate communications session, via a separate communications channel, etc.). Blasi, para [0044]) (the API calls transmitted to the resource server 140 (or to an intermediary device) are configured to include, or otherwise embed within, the digitally signed license token. Blasi, para [0019]) (the ISV application 132 is configured to interact with the services and/or data provided by the resource server 140 via one or more exposed Application Program Interfaces (APIs). For example, in some embodiments, the ISV application 132 is configured to initiate one or more calls to the APIs exposed by the resource server. Blasi, para [0016]). 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, to modify the system of Suarez in view of Blasi. One would be motivated to do so, to enhance the security of the system by securely transmitting/receiving the manifest using a seperate communicating channel. (Blasi, para [0044])

As per claim 2, Suarez, Galloway, Joyce and Blasi teach the method of claim 1, wherein the manifest further includes capabilities of the client application (the system may receive a second application programming interface request to launch the stored container image in a container instance of the customer as a running software container. In response to receiving the second request, the system may obtain the manifest corresponding to stored container image, and retrieve the set of files for the stored container image as indicated by the manifest. Suarez, para [0022]).

As per claim 3, Suarez, Galloway, Joyce and Blasi teach the method of claim 1, further comprising caching the manifest (a manifest that contains metadata about the set of container image layers corresponding to the specified container image. Individual container image layers may comprise a set of files of the container image. Suarez, para [0021]) (container images may be cached based on previous usage of container images by the customer/developer and/or resource needs of the container image. Suarez, para [0092]) (intelligent caching of container images. Suarez, para [0094] and Fig. 10)

As per claim 4, Suarez, Galloway, Joyce and Blasi teach the method of claim 1. Suarez does not explicitly teach wherein the manifest was generated at build time of client code. 
However, Galloway teaches the manifest was generated at build time of client code (The definition of specific actions and features may be done within the software application security layer during initial development. Galloway, para [0025]).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, to modify the system of Suarez in view of Galloway. One would be motivated to do so, to define the authorized actions and features that can be done by a client application. 

As per claim 5, Suarez, Galloway, Joyce and Blasi teach the method of claim 1. Suarez does not explicitly teach wherein the manifest is encapsulated in a custom data segment.
However, Galloway teaches the manifest is encapsulated in a custom data segment (the token may be included in the header of the request 203. The token and/or the request may be serialized as previously disclosed or, more generally, it may be included in the request in any suitable format. Galloway, para [0037]) (Once the token has been issued, subsequent action requests are expected to have the token in the authorization header of any communication, which may be processed via an application program interface (API). Galloway, para [0028]).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, to modify the system of Suarez in view of Galloway. One would be motivated to do so, to define the authorized actions and features that can be done by a client application. 

As per claim 9, Suarez, Galloway, Joyce and Blasi teach the method of claim 1, wherein the processor is configured to host a native service (a front-end service that provides a plurality of application programming interfaces for performing operations with the container registry. Suarez, para [0023]) (Some or all of the process 1500 (or any other processes described, or variations and/or combinations of those processes) may be performed under the control of one or more computer systems configured with executable instructions and/or other data, and may be implemented as executable instructions executing collectively on one or more processors. Suarez, para [0117]).

Claim(s) 6 and 8 are rejected under 35 U.S.C. 103 as being unpatentable over Suarez et al. US 2017/0177877 A1 (hereinafter “Suarez”) in view of Galloway US 2019/0229922 A1, and further in view of Joyce et al. US 2021/0240551 A1 (hereinafter “Joyce”) and further in view of Blasi US 2017/0346807 A1, and further in view of Doane et al. US 2015/0254451 A1 (hereinafter “Doane”)

As per claim 6, Suarez, Galloway, Joyce and Blasi teach the method of claim 1. Suarez dose not explicitly teach wherein the manifest is attached at an end of an image of the client application. 
However, Doane teaches the manifest is attached at an end of an image of the client application (each virtual machine image may include a manifest that includes metadata associated with certain specifications of the virtual machine image. Doane, para [0038]). 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, to modify the system of Suarez in view of Doane. One would be motivated to do so, to define the authorized actions and features that can be done by a client application. 

As per claim 8, Suarez, Galloway, Joyce and Blasi teach the method of claims 1. Suarez does not explicitly teach wherein the digital signature is used to sign an image of client code that includes the manifest. 
However, Doane teaches the digital signature is used to sign an image of client code that includes the manifest (This manifest may be digitally signed instead of the entire virtual machine image, particularly if the virtual machine image is of sufficient size. Thus, the customer may be able to verify the authenticity of the virtual machine image based at least in part on the digitally signed manifest of the selected virtual machine image. Doane, para [0038]) (the vendor may create one or more virtual machine images, digitally sign these one or more virtual machine images and include the agreed upon digital certificate. Doane, para [0013])
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, to modify the system of Suarez in view of Doane. One would be motivated to do so, to verify the authenticity of the virtual machine image based at least in part on the digitally signed manifest of the selected virtual machine image. (Doane, para [0038])

Claims 10 and 14-17 are rejected under 35 U.S.C. 103 as being unpatentable over Suarez et al. US 2017/0177877 A1 (hereinafter “Suarez” in view of Galloway US 2019/0229922 A1 and further in view of Joyce et al. US 2021/0240551 A1 (hereinafter “Joyce”)

As per claim 10, Suarez teaches an information handling system, comprising: 
a memory to cache a manifest that includes programming interfaces of a client application after the manifest was retrieved from the client application (a manifest that contains metadata about the set of container image layers corresponding to the specified container image. Individual container image layers may comprise a set of files of the container image. Suarez, para [0021]) (container images may be cached based on previous usage of container images by the customer/developer and/or resource needs of the container image. Suarez, para [0092]) (intelligent caching of container images. Suarez, para [0094] and Fig. 10) (the security sweep may scan the registry 302 for occurrences of a content-addressable identifier associated with that particular layer. For example, the security sweep may discover from the manifest 350B that the content-addressable identifier of layer 2.sub.2 listed in the manifest 350B matches the content-addressable identifier provided to the security sweep associated with the insecure layer. Suarez, para [0056]); and 
a native service configured to: receive a connection request from the client application (the software developer 966 makes a request to an instance service interface 912, such as the instance service interface 212 of FIG. 2, for a security token 974. The request may include credentials or proof of credentials 978 (e.g., username/password, biometric identifying information, one-time passcode, a cryptographic hash of any or all of the aforementioned data, etc.) usable to authenticate the software developer 966. Suarez, para [0085]) (receive a request from a client (e.g., a client device) to access (e.g., download from, upload to, delete from, list images stored in, search the contents of, etc.) a repository assigned to a customer of a computing resource service provider. Suarez, para [0119]); 
verify that a digital signature of the client application is valid and untampered (Validation of the authentication token may be performed, by, for example, decrypting a set of credentials from the authentication token and verifying that the set of credentials are associated with an entity authorized to have the request received in 1502 to be fulfilled. Suarez, para [0119])( The authorization token may be a string of characters generated by encrypting, such that the token may be decrypted by the key held by a container registry proxy or container registry front-end service, credentials and/or proof of credentials (e.g., a cryptographic hash of credentials) of an entity authorized to make the request and/or a digital signature usable at least in part at least for certain amount of time (e.g., the token may have been generated at least in part using time-based parameters such that the token has an effective expiration date, after which the token is no longer considered valid) for validating access to the repository. Suarez, para [0122]);
subsequent to a verification that the digital signature is valid and untampered, retrieve the manifest from the client application (In response to receiving the second request, the system may obtain the manifest corresponding to stored container image, and retrieve the set of files for the stored container image as indicated by the manifest. Suarez, para [0022]) (a manifest for the specified container image may be obtained. In some embodiments, this manifest is obtained from a registry metadata storage service, such as the registry metadata service. Suarez, para [0114]); 
receive an application programming interface request from the client application (the services provided by a computing resource service provider include one or more interfaces that enable the customer to submit requests via, for example, appropriately-configured application programming interface calls to the various services. Suarez, para [0038]) (the software developer pushes the layers (including the manifest) of the container image 952 and the security token 974 in application programming interface requests to the container registry front-end service 914. Suarez, para [0090]); 
validate whether the application programming interface request is authorized based on the manifest (the security sweep may scan the registry 302 for occurrences of a content-addressable identifier associated with that particular layer. For example, the security sweep may discover from the manifest 350B that the content-addressable identifier of layer 2.sub.2 listed in the manifest 350B matches the content-addressable identifier provided to the security sweep associated with the insecure layer […] the security sweep 454 may search the manifests in the repository for content-addressable identifiers of layers matching “df9cb78ee4b0.”. Suarez, para [0056]-[0057])(the security sweep 454 searches the manifests of the first repository 452A for a match between the reference identifier 456 and the content-addressable identifiers 458 of the layers stored in the first repository 452A. Suarez, para [0059]); and 
Suarez teaches a manifest that includes vulnerable programming interfaces of a client application that should be prevented and denied when requested. But, does not explicitly teach a manifest that includes authorized programming interfaces of a client application. 
However, Galloway in the same field of endeavor teaches a manifest that includes authorized programming interfaces of a client application (a token received from the user and an indication of an action to be performed by the user within the application platform, determining that the token includes an identification of the action as an action within the software application platform that the user has permission to perform, and based on the identification of the action as a permissible action, providing a response to the application platform indicating that the user is authorized to perform the action within the software application platform. The token may include a set of attributes of the token, a set of identifiers that indicate a plurality of actions within the software application platform that the user has permission to perform, and/or a first encryption of a combination of the set of attributes and the set of identifiers. Galloway, para [0003]) (Once the token has been issued, subsequent action requests are expected to have the token in the authorization header of any communication, which may be processed via an application program interface (API). Galloway, para [0028]).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, to modify the teaching of Suarez in view of Galloway. One would be motivated to do so, for the obvious reason of processing the authorized application programming request. 
Suarez teaches a security process that sweeping the manifest to discover any content-addressable identifier associated with the security vulnerability, and flag and prevent using the layer at which the vulnerability was discovered. Suarez does not explicitly teach if the application programming interface request is authorized, then process the application programming interface request; and if the application programming request is unauthorized, then terminate the connection request from the client application. 
However, Joyce teaches if the application programming interface request is authorized, then process the application programming interface request (If the API request is deemed to be a permitted API request, e.g., the API request includes elements that are included in current API whitelist (affirmative determination in block 402), the API gateway 150 will increment one or more API counters that are associated with the API request, and the API request will be executed. Joyce, para [0072] Fig. 4 elements 402 and 404); and
if the application programming request is unauthorized, then terminate the connection request from the client application (if the API request is deemed not to be a permitted API request (negative determination in block 402), the API request will be rejected (block 406) and an error message (e.g., HTTP status code) may be sent from the API gateway 150. The API request will be rejected in response to the whitelist validation operation determining that an identified endpoint path of the client API request is not a permitted API endpoint path [terminate connection request], or that an identified endpoint parameter of the API request is not a permitted API endpoint parameter, or that an identified endpoint parameter value of the API request is not a permitted API endpoint parameter value, or that an identified method of the API request is not a permitted method, or that an identified header of the API request is not a permitted header. Joyce, para [0072] Fig. 4 elements 402 and 406).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, to modify the system of Suarez in view of Joyce. One would be motivated to do so, to enhance the security of the system by identifying authorized and unauthorized API requests and identify potential security risks and attack patterns. (Joyce, para [0072]).

As per claim 14, Suarez, Galloway, and Joyce teach the information handling system of claim 10. Suarez does not explicitly teach wherein the manifest was generated at build time of client code. 
However, Galloway teaches the manifest was generated at build time of client code (The definition of specific actions and features may be done within the software application security layer during initial development. Galloway, para [0025]).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, to modify the system of Suarez in view of Galloway. One would be motivated to do so, to define the authorized actions and features that can be done by a client application. 

As per claim 15, Galloway teaches a non-transitory computer-readable medium including code that when executed performs a method, the method comprising: 
receiving, a connection request from a client application (the software developer 966 makes a request to an instance service interface 912, such as the instance service interface 212 of FIG. 2, for a security token 974. The request may include credentials or proof of credentials 978 (e.g., username/password, biometric identifying information, one-time passcode, a cryptographic hash of any or all of the aforementioned data, etc.) usable to authenticate the software developer 966. Suarez, para [0085]) (receive a request from a client (e.g., a client device) to access (e.g., download from, upload to, delete from, list images stored in, search the contents of, etc.) a repository assigned to a customer of a computing resource service provider. Suarez, para [0119]);
verifying whether a digital signature of the client application is valid and untampered (Validation of the authentication token may be performed, by, for example, decrypting a set of credentials from the authentication token and verifying that the set of credentials are associated with an entity authorized to have the request received in 1502 to be fulfilled. Suarez, para [0119])( The authorization token may be a string of characters generated by encrypting, such that the token may be decrypted by the key held by a container registry proxy or container registry front-end service, credentials and/or proof of credentials (e.g., a cryptographic hash of credentials) of an entity authorized to make the request and/or a digital signature usable at least in part at least for certain amount of time (e.g., the token may have been generated at least in part using time-based parameters such that the token has an effective expiration date, after which the token is no longer considered valid) for validating access to the repository. Suarez, para [0122]);
subsequent to verifying that the digital signature is valid and untampered, retrieving a manifest that includes application programming interfaces of the client application (In response to receiving the second request, the system may obtain the manifest corresponding to stored container image, and retrieve the set of files for the stored container image as indicated by the manifest. Suarez, para [0022]) (a manifest for the specified container image may be obtained. In some embodiments, this manifest is obtained from a registry metadata storage service, such as the registry metadata service. Suarez, para [0114]);
validating whether an application programming interface request received from the client application is authorized based on the application programming interfaces included in the manifest (the security sweep may scan the registry 302 for occurrences of a content-addressable identifier associated with that particular layer. For example, the security sweep may discover from the manifest 350B that the content-addressable identifier of layer 2.sub.2 listed in the manifest 350B matches the content-addressable identifier provided to the security sweep associated with the insecure layer […] the security sweep 454 may search the manifests in the repository for content-addressable identifiers of layers matching “df9cb78ee4b0.”. Suarez, para [0056]-[0057])( the security sweep 454 searches the manifests of the first repository 452A for a match between the reference identifier 456 and the content-addressable identifiers 458 of the layers stored in the first repository 452A. Suarez, para [0059]); and 
Suarez teaches a manifest that includes vulnerable programming interfaces of a client application that should be prevented and denied when requested. But, does not explicitly teach a manifest that includes authorized programming interfaces of a client application. 
However, Galloway in the same field of endeavor teaches a manifest that includes authorized programming interfaces of a client application (a token received from the user and an indication of an action to be performed by the user within the application platform, determining that the token includes an identification of the action as an action within the software application platform that the user has permission to perform, and based on the identification of the action as a permissible action, providing a response to the application platform indicating that the user is authorized to perform the action within the software application platform. The token may include a set of attributes of the token, a set of identifiers that indicate a plurality of actions within the software application platform that the user has permission to perform, and/or a first encryption of a combination of the set of attributes and the set of identifiers. Galloway, para [0003])(Once the token has been issued, subsequent action requests are expected to have the token in the authorization header of any communication, which may be processed via an application program interface (API). Galloway, para [0028]).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, to modify the teaching of Suarez in view of Galloway. One would be motivated to do so, for the obvious reason of processing the authorized application programming request. 
Suarez teaches a security process that sweeping the manifest to discover any content-addressable identifier associated with the security vulnerability, and flag and prevent using the layer at which the vulnerability was discovered. Suarez does not explicitly teach in response to validating that the application programming interface request is authorized, processing the application programming interface request; and in response to validating that the application programming request is unauthorized, terminating the connection request from the client application. 
However, Joyce teaches in response to validating that the application programming interface request is authorized, processing the application programming interface request (If the API request is deemed to be a permitted API request, e.g., the API request includes elements that are included in current API whitelist (affirmative determination in block 402), the API gateway 150 will increment one or more API counters that are associated with the API request, and the API request will be executed. Joyce, para [0072] Fig. 4 elements 402 and 404); and
in response to validating that the application programming request is unauthorized, terminating the connection request from the client application (if the API request is deemed not to be a permitted API request (negative determination in block 402), the API request will be rejected (block 406) and an error message (e.g., HTTP status code) may be sent from the API gateway 150. The API request will be rejected in response to the whitelist validation operation determining that an identified endpoint path of the client API request is not a permitted API endpoint path [terminate connection request], or that an identified endpoint parameter of the API request is not a permitted API endpoint parameter, or that an identified endpoint parameter value of the API request is not a permitted API endpoint parameter value, or that an identified method of the API request is not a permitted method, or that an identified header of the API request is not a permitted header. Joyce, para [0072] Fig. 4 elements 402 and 406).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, to modify the system of Suarez in view of Joyce. One would be motivated to do so, to enhance the security of the system by identifying authorized and unauthorized API requests and identify potential security risks and attack patterns. (Joyce, para [0072])

As per claim 16, Suarez, Galloway, and Joyce teach the non-transitory computer readable medium of claim 15, wherein the manifest further includes capabilities of the client application (the system may receive a second application programming interface request to launch the stored container image in a container instance of the customer as a running software container. In response to receiving the second request, the system may obtain the manifest corresponding to stored container image, and retrieve the set of files for the stored container image as indicated by the manifest. Suarez, para [0022]).

As per claim 17, Suarez, Galloway, and Joyce teach the non-transitory computer readable medium of claim 15, wherein the method further comprises caching the manifest (a manifest that contains metadata about the set of container image layers corresponding to the specified container image. Individual container image layers may comprise a set of files of the container image. Suarez, para [0021]) (container images may be cached based on previous usage of container images by the customer/developer and/or resource needs of the container image. Suarez, para [0092]) (intelligent caching of container images. Suarez, para [0094] and Fig. 10)

Claim(s) 11, 13 and 18-19 are rejected under 35 U.S.C. 103 as being unpatentable over Suarez et al. US 2017/0177877 A1 (hereinafter “Suarez”) in view of Galloway US 2019/0229922 A1, and further in view of Joyce et al. US 2021/0240551 A1 (hereinafter “Joyce”), and further in view of Doane et al. US 2015/0254451 A1 (hereinafter “Doane”)

As per claims 11 and 18, Suarez, Galloway and Joyce teach the information handling system of claim 10, and the non-transitory computer readable medium of claim 15. Suarez does not explicitly teach wherein the manifest is encapsulated in a custom data segment at an end of an image of the client application.
However, Galloway teaches the manifest is encapsulated in a custom data segment (the token may be included in the header of the request 203. The token and/or the request may be serialized as previously disclosed or, more generally, it may be included in the request in any suitable format. Galloway, para [0037]) (Once the token has been issued, subsequent action requests are expected to have the token in the authorization header of any communication, which may be processed via an application program interface (API). Galloway, para [0028]).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, to modify the system of Suarez in view of Galloway. One would be motivated to do so, to define the authorized actions and features that can be done by a client application. 
And, Doane teaches the manifest is attached at an end of an image of the client application (each virtual machine image may include a manifest that includes metadata associated with certain specifications of the virtual machine image. Doane, para [0038]). 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, to modify the system of Suarez in view of Doane. One would be motivated to do so, to define the authorized actions and features that can be done by a client application. 

As per claims 13 and 19, Suarez, Galloway and Joyce teach the information handling system of claim 10, and the non-transitory computer readable medium of claim 15. Suarez does not explicitly teach wherein the digital signature is used to sign an image of client code that includes the manifest. 
However, Doane teaches the digital signature is used to sign an image of client code that includes the manifest (This manifest may be digitally signed instead of the entire virtual machine image, particularly if the virtual machine image is of sufficient size. Thus, the customer may be able to verify the authenticity of the virtual machine image based at least in part on the digitally signed manifest of the selected virtual machine image. Doane, para [0038]) (the vendor may create one or more virtual machine images, digitally sign these one or more virtual machine images and include the agreed upon digital certificate. Doane, para [0013])
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, to modify the system of Suarez in view of Doane. One would be motivated to do so, to verify the authenticity of the virtual machine image based at least in part on the digitally signed manifest of the selected virtual machine image. (Doane, para [0038]). 

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to KHALID M ALMAGHAYREH whose telephone number is (571)272-0179. The examiner can normally be reached Monday - Thursday 8AM-5PM EST & Friday variable.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, SALEH NAJJAR can be reached on (571)272-4006. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.



Respectfully Submitted

/KHALID M ALMAGHAYREH/Examiner, Art Unit 2492