DETAILED ACTION

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .



Claim Objections
Claims 1, 3, 7 and 14 are objected to because of the following informalities:
In Claim 1, Lines 3-5, see “wherein the redirected request for service is an initial request for service made by a client to the sever for one or more services of the server” should read “wherein the redirected request for service is an initial request for service made by a client to the server for one or more services of the server”
In Claim 3, Lines 5-6, “wherein the third access token includes authorization information allowing the server to access one or more other services one or more other servers” should read “wherein the third access token includes authorization information allowing the server to access one or more other services of the one or more other servers”
In Claim 7, Lines 1-2, see “wherein the server is a database server configured to provide access to one database services of a database” should read “wherein the server is a database server configured to provide access to one or more database services of a database”
In Claim 14, Lines 1-2, see “wherein the server is a database server configured to provide access to one database services of a database” should read “wherein the server is a database server configured to provide access to one or more database services of a database”


Appropriate correction is required.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.



Claims 3-5 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor, or for pre-AIA  the application regards as the invention.

	Regarding claim 3, it is unclear due to the lack of antecedent basis for “the token”, as to which token it is referring to (e.g., first token, second token, third access token). The claim is therefore rendered indefinite. For the purpose of examination, “the token” will be interpreted as the third access token. 

	Regarding claims 4-5, the claims are rejected because they are dependent on a rejected claim and fail to cure the deficiencies. 


Appropriate corrections are required. 








Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.



Claims 1-7 are rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter.

	Claim 1 recites the limitation of “A computing system that includes one or more processors configured to execute computer executable code…”. The “computing system” appears to be software per se (due to the processors being read as software per se and the computer executable code being read as a signal, therefore, the entire claim may be regarded as software per se – See Applicant’s Specification, Paragraph [0011], “A processing unit in a node can be provided with one or more physical processors that each support one or more virtual processors”). The claimed computing system (software) does not define any structural and/or functional interrelationships between hardware components, which permit the system’s functionality to be realized. Software by itself is not capable of causing functional change in the computing system (transform underlying claimed subject matter to a different state or thing), nor machine (tied to another statutory class, such as a particular apparatus), nor manufacture, nor composition of matter (i.e. tangible) and is therefore deemed non-statutory.

	Claims 2-7 are dependent to the previously rejected claim, therefore pertaining to non-statutory subject matter. Claims 2-7 are rejected due to similar deficiencies as the previously rejected claim. 






Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


Claims 1-2, 6-9 and 13-16 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Kobayashi (U.S. PGPub. 2015/0350179). 

	Regarding claim 1, Kobayashi teaches A computing system that includes one or more processors configured to execute computer executable code, wherein the one or more processors are further configured to (Kobayashi, Paragraph [0177], see “The computer may comprise one or more of a central processing unit (CPU)…or separate computer processors. The computer executable instructions may be provided to the computer, for example, from a network or the storage medium”):
	obtain, from a server, a redirected request for service from the server, wherein the redirected request for service is an initial request for service made by a client to the server for one or more services of the server (Kobayashi, Paragraph [0054], see “the user issues a request to start an authorization cooperation service that requires access to a protected resource”) (Kobayashi, Paragraph [0056], see “the resource server 400 issues a redirection request expressed as the HTTP/1.1 status code 302 to the browser on the client PC 200 so that the browser on the client PC 200 requests an OAuth authorization”, where “resource server 400” is being read as a server, which issues a redirected request for service from the server, wherein the redirected request for service is an initial request for service made by a client);
	obtain at least authentication credentials of the client, wherein the authentication credentials of the client are needed to verify the identity of the client (Kobayashi, Paragraph [0060], see “upon receiving the redirection request, the client PC 200 requests the authorization server 500 to authenticate the user and grant an authorization according to the redirection request…upon receiving the authorization request, the authorization server 500 returns a login screen 2000 illustrated in FIG. 6A to the browser on the client PC 200 to authenticate the user…the user as the resource owner 1000 inputs a user ID and a password onto the login screen 2000 displayed on the browser on the client PC 200”, where “user ID and a password” is being read as authentication credentials of the client, which are needed to verify the identity of the client);
	generate a first token based at least on the authentication credentials of the client, wherein the first token includes authentication information associated with the client that indicates that the identity of the client has been verified (Kobayashi, Paragraph [0066], see “If the authorization confirmation has succeeded, in step S5.6, the authorization server module 510 performs access token issue processing for generating the access token that allows access to the resource server 400”, where a first token is generated based at least on the authentication credentials (i.e., If the authorization confirmation has succeeded using the authentication credentials of the user)) (Kobayashi, Paragraph [0067], see “The authorization server module 510 registers the generated access token into the Table 3…the authorization server module 510 stores scope information and the user ID contained in a record of an authentication token already registered in the token table into the scope and the user ID”, where the token includes authentication information associated with the client that indicates that the identity of the client has been verified); and
	provide the first token to the client, thereby allowing the client to send the first token to the server to indicate that the identity of the client has been verified at least partly based on the authentication information (Kobayashi, Paragraph [0068], see “The access token response transmitted from the authorization server module 510 to the client PC 200 at this time (step S4.11) is configured according to the specification of OAuth 2.0…”, where the access token is provided to the client) (Kobayashi, Paragraph [0073], see “the web-hosted client module 310 of the web-hosted client 300 returns a response containing the script that allows the web browser 230 on the client PC 200 to acquire the access token…the client script 220 running on the web server 201, which has received the script for acquiring the access token, acquires the access token by executing the script. As a result, in step S4.15, the client script 220 can access the resource server 400”, where the client sends the token to the server to indicate that the identity of the client has been verified (e.g., thereby allowing access to the resource server 400)). 

	Regarding claim 2, Kobayashi teaches The computing system of claim 1, wherein the one or more processors are further configured to:
	verify the identity of the client based on the obtained authentication credentials of the client (Kobayashi, Paragraph [0050], see “The authorization server 500 has a function of verifying a pair of user ID information and password information, i.e., authentication information, and generating information indicating that a user or a client is authenticated if the combination is a valid combination, thereby authenticating each user or each client”).

	Regarding claim 6, Kobayashi teaches The computing system of claim 1, wherein the one or more processors are further configured to:
	request the authentication credentials from the client (Kobayashi, Paragraph [0060], see upon receiving the authorization request, the authorization server 500 returns a login screen 2000 illustrated in FIG. 6A to the browser on the client PC 200 to authenticate the user…the user as the resource owner 1000 inputs a user ID and a password onto the login screen 2000 displayed on the browser on the client PC 200”, where “the authorization server 500 returns a login screen 2000 to the browser on the client PC 200 to authenticate the user” is being read as requesting the authentication credentials from the client), and
	send the first token to the client (Kobayashi, Paragraph [0068], see “The access token response transmitted from the authorization server module 510 to the client PC 200 at this time (step S4.11) is configured according to the specification of OAuth 2.0…”, where the access token is provided to the client).

	Regarding claim 7, Kobayashi teaches The computing system of claim 1, wherein the server is a database server configured to provide access to one database services of a database (Kobayashi, Paragraph [0047], see “The resource server 400 includes a resource server module 410. The resource server module 410 includes a token authority confirmation unit 420, and a resource request processing unit 430”, where “resource server 400” is being read as a database server) (Kobayashi, Paragraph [0102], see “Upon receiving the access token information…the resource server 400 determines whether to permit or reject the access to the resource for which the request is received based on the acquired information”, where the database server (resource server 400) is configured to provide access to one database services of a database).

	Regarding claim 8, Kobayashi teaches A computer-implemented method for providing security in a computing environment that includes at least one client and at least one server configured to provide one or more services (Kobayashi, FIG. 4, see “1000” which is being read as at least one client and see “RESOURCE SERVER 400” which is being read as at least one server configured to provide one or more services), wherein the computer-implemented method is implemented at least partially by one or more physical processors configured to process executable computer code, and wherein the computer-implemented method comprises (Kobayashi, Paragraph [0177], see “The computer may comprise one or more of a central processing unit (CPU)…or separate computer processors. The computer executable instructions may be provided to the computer, for example, from a network or the storage medium”):
	obtaining, from a server, a redirected request for service, wherein the redirected request for service is an initial request for service made by the client to the server for one or more services of the server (Kobayashi, Paragraph [0054], see “the user issues a request to start an authorization cooperation service that requires access to a protected resource”) (Kobayashi, Paragraph [0056], see “the resource server 400 issues a redirection request expressed as the HTTP/1.1 status code 302 to the browser on the client PC 200 so that the browser on the client PC 200 requests an OAuth authorization”, where “resource server 400” is being read as a server, which issues a redirected request for service from the server, wherein the redirected request for service is an initial request for service made by a client),
	obtaining at least authentication credentials of the client, wherein the authentication credentials of the client are needed to verify the identity of the client (Kobayashi, Paragraph [0060], see “upon receiving the redirection request, the client PC 200 requests the authorization server 500 to authenticate the user and grant an authorization according to the redirection request…upon receiving the authorization request, the authorization server 500 returns a login screen 2000 illustrated in FIG. 6A to the browser on the client PC 200 to authenticate the user…the user as the resource owner 1000 inputs a user ID and a password onto the login screen 2000 displayed on the browser on the client PC 200”, where “user ID and a password” is being read as authentication credentials of the client);
	generating a first token based at least on the authentication credentials of the client, wherein the first token includes authentication information associated with the client and indicates that the identity of the client has been verified (Kobayashi, Paragraph [0066], see “If the authorization confirmation has succeeded, in step S5.6, the authorization server module 510 performs access token issue processing for generating the access token that allows access to the resource server 400”, where a first token is generated based at least on the authentication credentials (i.e., If the authorization confirmation has succeeded using the authentication credentials of the user)) (Kobayashi, Paragraph [0067], see “The authorization server module 510 registers the generated access token into the Table 3…the authorization server module 510 stores scope information and the user ID contained in a record of an authentication token already registered in the token table into the scope and the user ID”, where the token includes authentication information associated with the client that indicates that the identity of the client has been verified); and
	providing the first token to the client, thereby allowing the client to send the first token to the server to indicate that the identity of the client has been verified (Kobayashi, Paragraph [0068], see “The access token response transmitted from the authorization server module 510 to the client PC 200 at this time (step S4.11) is configured according to the specification of OAuth 2.0…”, where the access token is provided to the client) (Kobayashi, Paragraph [0073], see “the web-hosted client module 310 of the web-hosted client 300 returns a response containing the script that allows the web browser 230 on the client PC 200 to acquire the access token…the client script 220 running on the web server 201, which has received the script for acquiring the access token, acquires the access token by executing the script. As a result, in step S4.15, the client script 220 can access the resource server 400”, where the client sends the token to the server to indicate that the identity of the client has been verified (e.g., thereby allowing access to the resource server 400).

	Regarding claim 9, Kobayashi teaches The computer-implemented method of claim 8, wherein the computer-implemented method further comprises:
	verifying the identity of the client based on the obtained authentication credentials of the client (Kobayashi, Paragraph [0050], see “The authorization server 500 has a function of verifying a pair of user ID information and password information, i.e., authentication information, and generating information indicating that a user or a client is authenticated if the combination is a valid combination, thereby authenticating each user or each client”).

	Regarding claim 13, Kobayashi teaches The computer-implemented method of claim 8, wherein the computer-implemented method further comprises:
	requesting the authentication credentials from the client (Kobayashi, Paragraph [0060], see upon receiving the authorization request, the authorization server 500 returns a login screen 2000 illustrated in FIG. 6A to the browser on the client PC 200 to authenticate the user…the user as the resource owner 1000 inputs a user ID and a password onto the login screen 2000 displayed on the browser on the client PC 200”, where “the authorization server 500 returns a login screen 2000 to the browser on the client PC 200 to authenticate the user” is being read as requesting the authentication credentials from the client), and
	sending the first token to the client (Kobayashi, Paragraph [0068], see “The access token response transmitted from the authorization server module 510 to the client PC 200 at this time (step S4.11) is configured according to the specification of OAuth 2.0…”, where the access token is provided to the client).

	Regarding claim 14, Kobayashi teaches The computer-implemented method of claim 8, wherein the server is a database server configured to provide access to one database services of a database (Kobayashi, Paragraph [0047], see “The resource server 400 includes a resource server module 410. The resource server module 410 includes a token authority confirmation unit 420, and a resource request processing unit 430”, where “resource server 400” is being read as a database server) (Kobayashi, Paragraph [0102], see “Upon receiving the access token information…the resource server 400 determines whether to permit or reject the access to the resource for which the request is received based on the acquired information”, where the database server (resource server 400) is configured to provide access to one database services of a database).

	Regarding claim 15, Kobayashi teaches A non-transitory computer readable storage medium storing at least executable code that when executed provides security in a computing environment that includes at least one client and at least one server configured to provide one or more services, and wherein the executable code when executed further (Kobayashi, FIG. 4, see “1000” which is being read as at least one client and see “RESOURCE SERVER 400” which is being read as at least one server configured to provide one or more services) (Kobayashi, Paragraph [0177], see “The computer may comprise one or more of a central processing unit (CPU)…or separate computer processors. The computer executable instructions may be provided to the computer, for example, from a network or the storage medium”):
	obtains, from the server, a redirected request for service, wherein the redirected request for service is an initial request for service made by the client to the server for one or more services of the server (Kobayashi, Paragraph [0054], see “the user issues a request to start an authorization cooperation service that requires access to a protected resource”) (Kobayashi, Paragraph [0056], see “the resource server 400 issues a redirection request expressed as the HTTP/1.1 status code 302 to the browser on the client PC 200 so that the browser on the client PC 200 requests an OAuth authorization”, where “resource server 400” is being read as a server, which issues a redirected request for service from the server, wherein the redirected request for service is an initial request for service made by a client);
	obtains at least authentication credentials of the client, wherein the authentication credentials of the client are needed to verify the identity of the client (Kobayashi, Paragraph [0060], see “upon receiving the redirection request, the client PC 200 requests the authorization server 500 to authenticate the user and grant an authorization according to the redirection request…upon receiving the authorization request, the authorization server 500 returns a login screen 2000 illustrated in FIG. 6A to the browser on the client PC 200 to authenticate the user…the user as the resource owner 1000 inputs a user ID and a password onto the login screen 2000 displayed on the browser on the client PC 200”, where “user ID and a password” is being read as authentication credentials of the client);
	generates a first token based at least on the authentication credentials of the client, wherein the first token includes authentication information associated with the client and indicates that the identity of the client has been verified (Kobayashi, Paragraph [0066], see “If the authorization confirmation has succeeded, in step S5.6, the authorization server module 510 performs access token issue processing for generating the access token that allows access to the resource server 400”, where a first token is generated based at least on the authentication credentials (i.e., If the authorization confirmation has succeeded using the authentication credentials of the user)) (Kobayashi, Paragraph [0067], see “The authorization server module 510 registers the generated access token into the Table 3…the authorization server module 510 stores scope information and the user ID contained in a record of an authentication token already registered in the token table into the scope and the user ID”, where the token includes authentication information associated with the client that indicates that the identity of the client has been verified); and
	provides the first token to the client, thereby allowing the client to send the first token to the server to indicate that the identity of the client has been verified (Kobayashi, Paragraph [0068], see “The access token response transmitted from the authorization server module 510 to the client PC 200 at this time (step S4.11) is configured according to the specification of OAuth 2.0…”, where the access token is provided to the client) (Kobayashi, Paragraph [0073], see “the web-hosted client module 310 of the web-hosted client 300 returns a response containing the script that allows the web browser 230 on the client PC 200 to acquire the access token…the client script 220 running on the web server 201, which has received the script for acquiring the access token, acquires the access token by executing the script. As a result, in step S4.15, the client script 220 can access the resource server 400”, where the client sends the token to the server to indicate that the identity of the client has been verified (e.g., thereby allowing access to the resource server 400).

	Regarding claim 16, Kobayashi teaches The non-transitory computer readable storage medium of claim 15, wherein the executable code when executed further:
	verifies the identity of the client based on the obtained authentication credentials of the client (Kobayashi, Paragraph [0050], see “The authorization server 500 has a function of verifying a pair of user ID information and password information, i.e., authentication information, and generating information indicating that a user or a client is authenticated if the combination is a valid combination, thereby authenticating each user or each client”).









Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

Claims 3, 10, 17 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Kobayashi, in view of Roth et al. (U.S. PGPub. 2017/0324782), hereinafter Roth.  

	Regarding claim 3, Kobayashi does not teach the following limitation(s) as taught by Roth: The computing system of claim 1, wherein the one or more processors are further configured to:
	obtain a second token, wherein the second token has been provided by the server and requests access to one or more services of one or more other servers (Roth, Paragraph [0022], see “…a request from a customer may trigger one or more other requests from one service to another. A customer may, for instance submit a first request to a first service and fulfillment of the request may include submission, by the first service, of one or more second requests to one or more second services…”, where “submission, by the first service, of one or more second requests to one or more second services” is analogous to the server (i.e., first service) requesting access to one or more services of one or more other servers) (Roth, Paragraph [0086], see “…the customer 702 may submit a request and an electronic signature for the request to the first service 706…Upon receipt of the request and the electronic signature for the request, the first service 706 may provide the request and the electronic signature to the authentication service 710. The authentication service 710 may provide, in response to the request from the first service 706, an authentication response comprising an authentication determination and additional authentication information”, where “the first service 706 may provide the request and the electronic signature to the authentication service 710” is analogous to obtaining a second token, due to the second token being provided by the server (i.e., the first service) and requests access to one or more other services of one or more other servers. In this case, the customer sends a request for a second service. The request is first received by the first service, where the first service forwards the request to the authentication service. The request sent by the customer and subsequently sent by the first service comprises a request to access one or more other service. Therefore, the request sent by the first service to the authentication service is provided by the server (i.e., first service) and ultimately requests access to one or more services indicated by the customer’s request, wherein the request comprises a signature, which is analogous to a second token); and
	generate a third access token, wherein the third access token includes authorization information allowing the server to access one or more other services one or more other servers, thereby allowing the server to send the token to the one or more other servers to indicate that it has been authorized to access the one or more other services from one or more other servers (Roth, Paragraph [0086], see “…The authentication service 710 may provide, in response to the request from the first service 706, an authentication response comprising an authentication determination and additional authentication information. The additional authentication information may include a signing key usable to sign requests to one or more other services so as to be verifiable by the one or more services…”) (Roth, Paragraph [0087], see “The additional authentication information may also include one or more tokens, where the one or more tokens may be specific to one or more services. A token may comprise a service-specific authentication response…The service-specific authentication response may include information specific to the corresponding service 708…the service-specific authentication response may include policy associated with the customer 702 and applicable to the corresponding service 708, an attestation to the identity of the customer 702, and an electronic signature generated based at least in part on a secret key shared between the corresponding service 708 and the authentication service 710”, where “The additional authentication information may also include one or more tokens, where the one or more tokens may be specific to one or more services” is analogous to generating a third access token, where “A token may comprise a service-specific authentication response…the service-specific authentication response may include…an attestation to the identity of the customer 702, and an electronic signature generated based at least in part on a secret key shared between the corresponding service 708 and the authentication service 710” is analogous to the third access token (i.e., one or more tokens specific to one or more services) provided to the first service including authorization information allowing the first service to access one or more other services of one or more other servers (i.e., corresponding service 708), which enables the first service to send the corresponding token to the one or more other services to indicate that it has been authorized to access the one or more other services). 
Therefore, it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the techniques for an authority transfer system, disclosed of Kobayashi, by implementing techniques for access control using impersonation, comprising of obtaining a second token, wherein the second token has been provided by the server and requests access to one or more services of one or more other servers and generating a third token, wherein the third token includes authorization information allowing the server to access one or more other services of one or more other servers, disclosed of Roth. 
One of ordinary skill in the art would have been motivated to make this modification in order to implement techniques for security for diverse computing systems, comprising of obtaining a second token, wherein the second token has been provided by the server and requests access to one or more services of one or more other servers and generating a third token, wherein the third token includes authorization information allowing the server to access one or more other services of one or more other servers. This allows for better security management, as well as a more user friendly environment by allowing the user to request access to a specific service to a first server, wherein the first server redirects the user to the requested service after appropriate authentication. Instead of having the user communicate with a plurality of different services, the user can initiate a request with a first service, and the first service can acquire any resources needed to fulfill the users’ request. Roth is deemed as analogous art due to the art disclosing techniques for requesting access to one or more other services by a first service and generating a third token, wherein the third token includes authorization information allowing the server to access one or more other services of one or more other servers (Roth, Paragraphs [0086 – 0087]). 

Regarding claim 10, Kobayashi does not teach the following limitation(s) as taught by Roth: The computer-implemented method of claim 8, wherein the computer-implemented method further comprises:
obtaining a second token, wherein the second token has been provided by the server and requests access to one or more services of one or more other servers in the computing environment (Roth, Paragraph [0022], see “…a request from a customer may trigger one or more other requests from one service to another. A customer may, for instance submit a first request to a first service and fulfillment of the request may include submission, by the first service, of one or more second requests to one or more second services…”, where “submission, by the first service, of one or more second requests to one or more second services” is analogous to the server (i.e., first service) requesting access to one or more services of one or more other servers) (Roth, Paragraph [0086], see “…the customer 702 may submit a request and an electronic signature for the request to the first service 706…Upon receipt of the request and the electronic signature for the request, the first service 706 may provide the request and the electronic signature to the authentication service 710. The authentication service 710 may provide, in response to the request from the first service 706, an authentication response comprising an authentication determination and additional authentication information”, where “the first service 706 may provide the request and the electronic signature to the authentication service 710” is analogous to obtaining a second token, due to the second token being provided by the server (i.e., the first service) and requests access to one or more other services of one or more other servers. In this case, the customer sends a request for a second service. The request is first received by the first service, where the first service forwards the request to the authentication service. The request sent by the customer and subsequently sent by the first service comprises a request to access one or more other service. Therefore, the request sent by the first service to the authentication service is provided by the server (i.e., first service) and ultimately requests access to one or more services indicated by the customer’s request, wherein the request comprises a signature, which is analogous to a second token); and
	generating a third token, wherein the third token includes authorization information allowing the server to access one or more other services of the one or more other servers, thereby allowing the server to send the third token to the one or more other servers to indicate that it has been authorized to access the one or more other services from one or more other servers (Roth, Paragraph [0086], see “…The authentication service 710 may provide, in response to the request from the first service 706, an authentication response comprising an authentication determination and additional authentication information. The additional authentication information may include a signing key usable to sign requests to one or more other services so as to be verifiable by the one or more services…”) (Roth, Paragraph [0087], see “The additional authentication information may also include one or more tokens, where the one or more tokens may be specific to one or more services. A token may comprise a service-specific authentication response…The service-specific authentication response may include information specific to the corresponding service 708…the service-specific authentication response may include policy associated with the customer 702 and applicable to the corresponding service 708, an attestation to the identity of the customer 702, and an electronic signature generated based at least in part on a secret key shared between the corresponding service 708 and the authentication service 710”, where “The additional authentication information may also include one or more tokens, where the one or more tokens may be specific to one or more services” is analogous to generating a third access token, where “A token may comprise a service-specific authentication response…the service-specific authentication response may include…an attestation to the identity of the customer 702, and an electronic signature generated based at least in part on a secret key shared between the corresponding service 708 and the authentication service 710” is analogous to the third access token (i.e., one or more tokens specific to one or more services) provided to the first service including authorization information allowing the first service to access one or more other services of one or more other servers (i.e., corresponding service 708), which enables the first service to send the corresponding token to the one or more other services to indicate that it has been authorized to access the one or more other services). 
Therefore, it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the techniques for an authority transfer system, disclosed of Kobayashi, by implementing techniques for access control using impersonation, comprising of obtaining a second token, wherein the second token has been provided by the server and requests access to one or more services of one or more other servers and generating a third token, wherein the third token includes authorization information allowing the server to access one or more other services of one or more other servers, disclosed of Roth. 
One of ordinary skill in the art would have been motivated to make this modification in order to implement techniques for security for diverse computing systems, comprising of obtaining a second token, wherein the second token has been provided by the server and requests access to one or more services of one or more other servers and generating a third token, wherein the third token includes authorization information allowing the server to access one or more other services of one or more other servers. This allows for better security management, as well as a more user-friendly environment by allowing the user to request access to a specific service to a first server, wherein the first server redirects the user to the requested service after appropriate authentication. Instead of having the user communicate with a plurality of different services, the user can initiate a request with a first service, and the first service can acquire any resources needed to fulfill the users’ request. Roth is deemed as analogous art due to the art disclosing techniques for requesting access to one or more other services by a first service and generating a third token, wherein the third token includes authorization information allowing the server to access one or more other services of one or more other servers (Roth, Paragraphs [0086 – 0087]). 

Regarding claim 17, Kobayashi does not teach the following limitation(s) as taught by Roth: The non-transitory computer readable storage medium of claim 15, wherein the executable code when executed further:
obtains a second token, wherein the second token has been provided by the server and requests access to one or more services of one or more other servers in the computing environment (Roth, Paragraph [0022], see “…a request from a customer may trigger one or more other requests from one service to another. A customer may, for instance submit a first request to a first service and fulfillment of the request may include submission, by the first service, of one or more second requests to one or more second services…”, where “submission, by the first service, of one or more second requests to one or more second services” is analogous to the server (i.e., first service) requesting access to one or more services of one or more other servers) (Roth, Paragraph [0086], see “…the customer 702 may submit a request and an electronic signature for the request to the first service 706…Upon receipt of the request and the electronic signature for the request, the first service 706 may provide the request and the electronic signature to the authentication service 710. The authentication service 710 may provide, in response to the request from the first service 706, an authentication response comprising an authentication determination and additional authentication information”, where “the first service 706 may provide the request and the electronic signature to the authentication service 710” is analogous to obtaining a second token, due to the second token being provided by the server (i.e., the first service) and requests access to one or more other services of one or more other servers. In this case, the customer sends a request for a second service. The request is first received by the first service, where the first service forwards the request to the authentication service. The request sent by the customer and subsequently sent by the first service comprises a request to access one or more other service. Therefore, the request sent by the first service to the authentication service is provided by the server (i.e., first service) and ultimately requests access to one or more services indicated by the customer’s request, wherein the request comprises a signature, which is analogous to a second token); and
	generates a third token, wherein the third token includes authorization information allowing the server to access one or more other services of the one or more other servers, thereby allowing the server to send the third token to the one or more other servers to indicate that it has been authorized to access the one or more other services from one or more other servers (Roth, Paragraph [0086], see “…The authentication service 710 may provide, in response to the request from the first service 706, an authentication response comprising an authentication determination and additional authentication information. The additional authentication information may include a signing key usable to sign requests to one or more other services so as to be verifiable by the one or more services…”) (Roth, Paragraph [0087], see “The additional authentication information may also include one or more tokens, where the one or more tokens may be specific to one or more services. A token may comprise a service-specific authentication response…The service-specific authentication response may include information specific to the corresponding service 708…the service-specific authentication response may include policy associated with the customer 702 and applicable to the corresponding service 708, an attestation to the identity of the customer 702, and an electronic signature generated based at least in part on a secret key shared between the corresponding service 708 and the authentication service 710”, where “The additional authentication information may also include one or more tokens, where the one or more tokens may be specific to one or more services” is analogous to generating a third access token, where “A token may comprise a service-specific authentication response…the service-specific authentication response may include…an attestation to the identity of the customer 702, and an electronic signature generated based at least in part on a secret key shared between the corresponding service 708 and the authentication service 710” is analogous to the third access token (i.e., one or more tokens specific to one or more services) provided to the first service including authorization information allowing the first service to access one or more other services of one or more other servers (i.e., corresponding service 708), which enables the first service to send the corresponding token to the one or more other services to indicate that it has been authorized to access the one or more other services). 
Therefore, it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the techniques for an authority transfer system, disclosed of Kobayashi, by implementing techniques for access control using impersonation, comprising of obtaining a second token, wherein the second token has been provided by the server and requests access to one or more services of one or more other servers and generating a third token, wherein the third token includes authorization information allowing the server to access one or more other services of one or more other servers, disclosed of Roth. 
One of ordinary skill in the art would have been motivated to make this modification in order to implement techniques for security for diverse computing systems, comprising of obtaining a second token, wherein the second token has been provided by the server and requests access to one or more services of one or more other servers and generating a third token, wherein the third token includes authorization information allowing the server to access one or more other services of one or more other servers. This allows for better security management, as well as a more user-friendly environment by allowing the user to request access to a specific service to a first server, wherein the first server redirects the user to the requested service after appropriate authentication. Instead of having the user communicate with a plurality of different services, the user can initiate a request with a first service, and the first service can acquire any resources needed to fulfill the users’ request. Roth is deemed as analogous art due to the art disclosing techniques for requesting access to one or more other services by a first service and generating a third token, wherein the third token includes authorization information allowing the server to access one or more other services of one or more other servers (Roth, Paragraphs [0086 – 0087]). 

	Regarding claim 20, Kobayashi as modified by Roth teaches The non-transitory computer readable storage medium of claim 17, wherein the executable code when executed further:
	requests the authentication credentials from the client (Kobayashi, Paragraph [0060], see upon receiving the authorization request, the authorization server 500 returns a login screen 2000 illustrated in FIG. 6A to the browser on the client PC 200 to authenticate the user…the user as the resource owner 1000 inputs a user ID and a password onto the login screen 2000 displayed on the browser on the client PC 200”, where “the authorization server 500 returns a login screen 2000 to the browser on the client PC 200 to authenticate the user” is being read as requesting the authentication credentials from the client), and
	sends the first token to the client (Kobayashi, Paragraph [0068], see “The access token response transmitted from the authorization server module 510 to the client PC 200 at this time (step S4.11) is configured according to the specification of OAuth 2.0…”, where the access token is provided to the client).


Claims 4-5, 11-12 and 18-19 are rejected under 35 U.S.C. 103 as being unpatentable over Kobayashi, in view of Roth, in further view of FAN (U.S. PGPub. 2018/0375863), hereinafter Fan.

	Regarding claim 4, Kobayashi as modified by Roth do not teach the following limitation(s) as taught by Fan: The computing system of claim 3, wherein the second token includes the first token and identifies the server (Fan, Paragraph [0008], see “where the password-free login request includes a third token, the third token includes a second token, and the second token is an access token indicating that the second website grants password-free login permission after user login succeeds”, where “third token” is analogous to the second token, where “second token” is analogous to the first token and where the third token (being read as the second token) includes the second token (being read as the first token) (Fan, Paragraph [0046], see “Token can include three types of information: a website identifier signed by payment website A by using a private key of the website, a current time signed by using the private key of the website, and the user name in the login information”, where “website” is analogous to a server and wherein the tokens contain a website identifier).
Therefore, it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the techniques for an authority transfer system, disclosed of Kobayashi, and techniques disclosed of Roth, by implementing techniques for a website login method that involves redirecting a user, comprising of a second token including a first token and wherein the second token identifies the server, disclosed of Fan. 
One of ordinary skill in the art would have been motivated to make this modification in order to implement techniques for security for diverse computing systems, comprising of a second token including a first token and wherein the second token identifies the server. This allows for maintaining a secure computing environment, whilst avoiding the need to re-authenticate the user’s credentials, which ultimately saves time and reduces processing power. By including the first token (already authenticated credentials) within the second token, the computing system can avoid re-authenticating the user’s credentials. Fan is deemed as analogous art due to the art disclosing techniques for a second token including a first token and wherein the second token identifies the server (Fan, Paragraph [0008]). 

	Regarding claim 5, Kobayashi as modified by Roth do not teach the following limitation(s) as taught by Fan: The computing system of claim 3, wherein the second token is the first token that is signed by the server (Fan, Paragraph [0148], see “the third token may include a signed version of the second token, such as where the second token is signed by the first website…”, where “third token” is analogous to the second token, where “second token” is analogous to the first token and where the third token (being read as the second token) is a signed version of the second token (being read as the first token)).
Therefore, it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the techniques for an authority transfer system, disclosed of Kobayashi, and techniques disclosed of Roth, by implementing techniques for a website login method that involves redirecting a user, comprising of the second token being the first token that is signed by the server, disclosed of Fan.  
One of ordinary skill in the art would have been motivated to make this modification in order to implement techniques for security for diverse computing systems, comprising of a second token being the first token that is signed by the server. This allows for maintaining a secure computing environment, whilst avoiding the need to re-authenticate the user’s credentials, which ultimately saves time and reduces processing power. Having the second token be the first token that is signed by the server allows for the computing system to grant access to the user based on the signature of the server whilst avoiding the need to re-authenticate the user’s credentials. Fan is deemed as analogous art due to the art disclosing techniques for a second token being the first token that is signed by the server (Fan, Paragraph [0148]). 

	Regarding claim 11, Kobayashi as modified by Roth do not teach the following limitation(s) as taught by Fan: The computer-implemented method of claim 10, wherein the second token includes the first token and identifies the server (Fan, Paragraph [0008], see “where the password-free login request includes a third token, the third token includes a second token, and the second token is an access token indicating that the second website grants password-free login permission after user login succeeds”, where “third token” is analogous to the second token, where “second token” is analogous to the first token and where the third token (being read as the second token) includes the second token (being read as the first token) (Fan, Paragraph [0046], see “Token can include three types of information: a website identifier signed by payment website A by using a private key of the website, a current time signed by using the private key of the website, and the user name in the login information”, where “website” is analogous to a server and wherein the tokens contain a website identifier).
Therefore, it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the techniques for an authority transfer system, disclosed of Kobayashi, and techniques disclosed of Roth, by implementing techniques for a website login method that involves redirecting a user, comprising of a second token including a first token and wherein the second token identifies the server, disclosed of Fan. 
One of ordinary skill in the art would have been motivated to make this modification in order to implement techniques for security for diverse computing systems, comprising of a second token including a first token and wherein the second token identifies the server. This allows for maintaining a secure computing environment, whilst avoiding the need to re-authenticate the user’s credentials, which ultimately saves time and reduces processing power. By including the first token (already authenticated credentials) within the second token, the computing system can avoid re-authenticating the user’s credentials. Fan is deemed as analogous art due to the art disclosing techniques for a second token including a first token and wherein the second token identifies the server (Fan, Paragraph [0008]). 

	Regarding claim 12, Kobayashi as modified by Roth do not teach the following limitation(s) as taught by Fan: The computer-implemented method of claim 10, wherein the second token is the first token that is signed by the server (Fan, Paragraph [0148], see “the third token may include a signed version of the second token, such as where the second token is signed by the first website…”, where “third token” is analogous to the second token, where “second token” is analogous to the first token and where the third token (being read as the second token) is a signed version of the second token (being read as the first token)).
Therefore, it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the techniques for an authority transfer system, disclosed of Kobayashi, and techniques disclosed of Roth, by implementing techniques for a website login method that involves redirecting a user, comprising of the second token being the first token that is signed by the server, disclosed of Fan.  
One of ordinary skill in the art would have been motivated to make this modification in order to implement techniques for security for diverse computing systems, comprising of a second token being the first token that is signed by the server. This allows for maintaining a secure computing environment, whilst avoiding the need to re-authenticate the user’s credentials, which ultimately saves time and reduces processing power. Having the second token be the first token that is signed by the server allows for the computing system to grant access to the user based on the signature of the server whilst avoiding the need to re-authenticate the user’s credentials. Fan is deemed as analogous art due to the art disclosing techniques for a second token being the first token that is signed by the server (Fan, Paragraph [0148]). 

	Regarding claim 18, Kobayashi as modified by Roth do not teach the following limitation(s) as taught by Fan: The non-transitory computer readable storage medium of claim 17, wherein the second token includes the first token and identifies the server (Fan, Paragraph [0008], see “where the password-free login request includes a third token, the third token includes a second token, and the second token is an access token indicating that the second website grants password-free login permission after user login succeeds”, where “third token” is analogous to the second token, where “second token” is analogous to the first token and where the third token (being read as the second token) includes the second token (being read as the first token) (Fan, Paragraph [0046], see “Token can include three types of information: a website identifier signed by payment website A by using a private key of the website, a current time signed by using the private key of the website, and the user name in the login information”, where “website” is analogous to a server and wherein the tokens contain a website identifier).
Therefore, it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the techniques for an authority transfer system, disclosed of Kobayashi, and techniques disclosed of Roth, by implementing techniques for a website login method that involves redirecting a user, comprising of a second token including a first token and wherein the second token identifies the server, disclosed of Fan. 
One of ordinary skill in the art would have been motivated to make this modification in order to implement techniques for security for diverse computing systems, comprising of a second token including a first token and wherein the second token identifies the server. This allows for maintaining a secure computing environment, whilst avoiding the need to re-authenticate the user’s credentials, which ultimately saves time and reduces processing power. By including the first token (already authenticated credentials) within the second token, the computing system can avoid re-authenticating the user’s credentials. Fan is deemed as analogous art due to the art disclosing techniques for a second token including a first token and wherein the second token identifies the server (Fan, Paragraph [0008]). 

	Regarding claim 19, Kobayashi as modified by Roth do not teach the following limitation(s) as taught by Fan: The non-transitory computer readable storage medium of claim 17, wherein the second token is the first token that is signed by the server (Fan, Paragraph [0148], see “the third token may include a signed version of the second token, such as where the second token is signed by the first website…”, where “third token” is analogous to the second token, where “second token” is analogous to the first token and where the third token (being read as the second token) is a signed version of the second token (being read as the first token)).
Therefore, it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the techniques for an authority transfer system, disclosed of Kobayashi, and techniques disclosed of Roth, by implementing techniques for a website login method that involves redirecting a user, comprising of the second token being the first token that is signed by the server, disclosed of Fan.  
One of ordinary skill in the art would have been motivated to make this modification in order to implement techniques for security for diverse computing systems, comprising of a second token being the first token that is signed by the server. This allows for maintaining a secure computing environment, whilst avoiding the need to re-authenticate the user’s credentials, which ultimately saves time and reduces processing power. Having the second token be the first token that is signed by the server allows for the computing system to grant access to the user based on the signature of the server whilst avoiding the need to re-authenticate the user’s credentials. Fan is deemed as analogous art due to the art disclosing techniques for a second token being the first token that is signed by the server (Fan, Paragraph [0148]). 




Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA  as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA . A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b). 
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.

Claims 1 is rejected on the ground of nonstatutory double patenting as being unpatentable over claim 1 of issued Patent 11,409,893, Application No. 16/199,485. Although the claims at issue are not identical, they are not patentably distinct from each other. Claim 1 of the reference patent covers all the limitations of claim 1 of the instant application and, as such, anticipates claim 1 of the instant application.


Instant Application No.     17/864,387

Reference Patent No.     11,409,893 

Claim 1: A computing system that includes one or more processors configured to execute computer executable code, wherein the one or more processors are further configured to:



obtain, from a server, a redirected request for service from the server, wherein the redirected request for service is an initial request for service made by a client to the server for one or more services of the server;




obtain at least authentication credentials of the client, wherein the authentication credentials of the client are needed to verify the identity of the client;







generate a first token based at least on the authentication credentials of the client, wherein the first token includes authentication information associated with the client that indicates that the identity of the client has been verified; and



provide the first token to the client, thereby allowing the client to send the first token to the server to indicate that the identity of the client has been verified at least partly based on the authentication information










Claim 1: A computing system that includes one or more processors configured to execute computer executable code, wherein the one or more processors are further configured to:



obtain, from a first server, a redirected request for service, wherein the redirected request for service is an initial request for service made by a client to the first server for one or more services of the first server;




obtain at least authentication credentials of the client, wherein the authentication credentials of the client are needed to verify the identity of the client;







generate a first token based on at least the authentication credentials of the client, wherein the first token includes authentication information associated with the client, indicating that the identity of the client has been verified; 



provide the generated first token to the client, thereby allowing the client to send the first token to the first server to indicate that the identity of the client has been verified at least partly based on the authentication information;


obtain a second token, wherein the second token has been provided by the first server and requests access to one or more other services of one or more other servers, after the client has sent the first token to the server to indicate that the identity of the client has been verified, and wherein the one or more other servers are different than the first server that has received the first token; and


generate a third access token, wherein the third access token includes authorization information allowing the first server to access the one or more other services of the one or more other servers, thereby allowing the first server to send the third token to the one or more other servers to indicate that it has been authorized to access the one or more other services from the one or more other servers.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to RODMAN ALEXANDER MAHMOUDI whose telephone number is (571)272-8747.  The examiner can normally be reached on M-F 11:00am – 7:00pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Philip Chea can be reached on (571) 272-3951.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/RODMAN ALEXANDER MAHMOUDI/Examiner, Art Unit 2499