DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
This Office Action is in response to the Amendment filed on 11/5/2025.
In instant Amendment, claims 1, 11 and 22 have been amended; claims 1, 11 and 22 are independent claims. Claims 1-3, 5-15, 17-25, 27-31, 38 and 39 have been examined and are pending. This Action is made Final.
Response to Arguments
Applicant's arguments filed 11/5/2025 with respect to the 35 U.S.C. 102/103 rejections have been considered but are moot in view of new grounds of rejection.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA ) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claim(s) 1-3, 5-15, 17-25 and 27-29 is/are rejected under 35 U.S.C. 103 as being unpatentable over by Bykampadi et al. (US 2019/0251241 A1) in view of Malatesha et al. (US 2017/0111338 A1).
Regarding Claim 1;
Bykampadi discloses a method, implemented in a Network Function (NF) for optimizing NF service authorization (FIG. 5 and [0051] - In the 5G SBA, services of a particular Network Function (NF) are provided only to authorized NF Service Consumers (e.g., other network functions) upon request. Therefore, service authorization procedures are required to check whether a NF Service Consumer is permitted to access a requested NF Service Producer for consuming a NF Service), the method comprising:
sending to an authorization server, an authorization request for a procedure, the procedure involves a plurality of NF services (FIG. 5 and FIG. 7 and FIG. 8 and [0063] - The scope in the JWT access token indicates the authorized level of access for the NF Service Consumer. If needed, the scope will include NF services that the NF Service Consumer is authorized to access in the NF Service Producer and [0086]-[0087] - In step 700, as a prerequisite, the NF Service Consumer 402 registers with the NRF 404 and obtains the client_id and client password or client_secret. Also in step 700, the NRF 404's public key is shared with the NF Service Producer 406 (not shown in FIG. 7). The NRF 404's public key is used in some embodiments for generating digital signatures as described elsewhere herein. The NF Service Consumer 402 in step 701 invokes the Nnrf_NFDiscovery_Request (e.g., which may include an expected NF service name, NF type of the expected NF instance, the NF type of the NF Service Consumer, etc.) from the NRF 404 (in a same PLMN). As an OAuth client, the NF Service Consumer 402 in step 701 also sends its client_id and client_secret, or more generally its client credentials, in the request message and [0088]-[0090] - In some embodiments, the NRF 404 may restrict access to specific services in the NF Service Producer 406. In such cases, the NRF 404 in step 704 may include an authorized set of services in a separate claim (e.g., the scope) in the JWT access token... The scope field mav include all the services that the NF Service Consumer 402 is authorized to access and [0092]-[0094]); and
receiving from the authorization server, an authorization response for the procedure, the authorization response including information authorizing access to the plurality of NF services involved in the procedure (FIG. 5 and FIG. 7 and FIG. 8 and [0088]-[0090] - The NRF 404 in step 702 authenticates the client NF Service Consumer 402 based on the provided client credentials. If the NF Service Consumer 402 is successfully authenticated, the NRF 404 in step 703 checks the stored NF profile information of the target NF and/or NF service to determine whether the access can be permitted to the NF type of the NF Service Consumer 402. If the requested service can be provided to the NF Service Consumer 402 of the declared type, the NRF 404 in step 704 generates a JWT based access token with appropriate claims included. The generated JWT is signed with the NRF 404's private key. The claims in the JWT access token include the identity of the NRF 404 (e.g., the issuer), the identity of the NF Service Consumer 402 (e.g., the subject), the identity of the NF instance that provides the requested service (e.g., the audience), the expiration time, etc. In some embodiments, the NRF 404 may restrict access to specific services in the NF Service Producer 406. In such cases, the NRF 404 in step 704 may include an authorized set of services in a separate claim (e.g., the scope) in the JWT access token and [0093]-[0094] - In step 800-1, the NF Service Consumer 402 registers with the NRF 404, such as using the message flow of FIG. 5 or FIG. 6. In step 800-2, the NF Service Consumer 402 discovers the target instance from the NRF 404 and obtains the access token to be used for authorization, such as using the message flow of FIG. 7), wherein when the procedure beings, the NF sends an access token request with a corresponding procedure name to the authorization server (FIG. 7 and [0038] - For example, the network elements/functions 202 and 204 may represent NF Service Consumers, NF Service Producers, Authorization Servers (e.g., NRFs), etc. which interact for service authorization as described in further detail herein and [0085] - FIG. 7 illustrates a message flow for the NF 402 to obtain an access token during network function service discovery with the NRF 404. NF service discovery procedure between NFs and NRF in the same PLMN (e.g., such as in one of the HPLMN or VPLMN of FIG. 3) is defined in clause 4.17.4 of TS 23.502. It is used as the underlying procedure by the NF Service Consumer to obtain an access token from the NRF authorization server 404 and [0087] - The NF Service Consumer 402 in step 701 invokes the Nnrf_NFDiscovery_Request (e.g., which may include an expected NF service name, NF type of the expected NF instance, the NF type of the NF Service Consumer, etc.) from the NRF 404 (in a same PLMN). As an OAuth client, the NF Service Consumer 402 in step 701 also sends its client_id and client_secret, or more generally its client credentials, in the request message), wherein the authorization server generates and sends an access token for the procedure to the NF as the authorization response (FIG. 7 and [0038] - For example, the network elements/functions 202 and 204 may represent NF Service Consumers, NF Service Producers, Authorization Servers (e.g., NRFs), etc. which interact for service authorization as described in further detail herein and [0088]-[0090] - ... generated JWT is signed with the NRF 404's private key. The claims in the JWT access token include the identity of the NRF 404 (e.g., the issuer), the identity of the NF Service Consumer 402 (e.g., the subject), the identity of the NF instance that provides the requested service (e.g., the audience), the expiration time, etc. In some embodiments, the NRF 404 may restrict access to specific services in the NF Service Producer 406. In such cases, the NRF 404 in step 704 may include an authorized set of services in a separate claim (e.g., the scope) in the JWT access token. In step 705, the signed JWT access token is included in an Nnrf_NFDiscovery_Request response message that is sent from the NRF 404 to the NF Service Consumer 402. The response message of step 705 may also include an expiration time (e.g., expires_in), an end point address for the discovered NF instance, etc. The scope and expires_in may be equivalent to the corresponding claims in the JWT access token from step 704. The scope field may include all the services that the NF Service Consumer 402 is authorized to access),
wherein:
the access token is used by the NF to access any of other NF involved in the procedure ([0037] - It is also to be noted that while FIG. 1 illustrates system elements as singular functional blocks, the various subnetworks that make up the 5G network are partitioned into so-called network slices. Network slices (network partitions) comprise a series of network function (NF) sets (i.e., function chains) for each corresponding service type using network function virtualization (NFV) on a common physical infrastructure and[0038] - For example, the network elements/functions 202 and 204 may represent NF Service Consumers, NF Service Producers, Authorization Servers (e.g., NRFs), etc. which interact for service authorization as described in further detail herein and [0053] - In 5G SBA, there are multiple NFs requesting services from each other. A service authorization framework is required that supports: (i) NF Service Consumer-NF Service Producer interactions; (ii) authentication of the NF Service Consumer that is requesting access to the service(s) of another NF (e.g., services of a NF Service Producer); (iii) obtaining authorization grants during Network Function Service discovery; (iv) using the obtained authorization grants during Network Function Service access; and (v) NF and Network Function Service registration and de-registration and [0063] - The scope in the JWT access token indicates the authorized level of access for the NF Service Consumer. If needed, the scope will include NF services that the NF Service Consumer is authorized to access in the NF Service Producer and [0088]-[0090] - In some embodiments, the NRF 404 may restrict access to specific services in the NF Service Producer 406. In such cases, the NRF 404 in step 704 may include an authorized set of services in a separate claim (e.g., the scope) in the JWT access token... The scope field mav include all the services that the NF Service Consumer 402 is authorized to access and [0092] - The access token is included in an API that is invoked by the NF Service Consumer 402 to access one or more NFs of the NF Service Producer 406),
the access token is used to access procedure between any of two NFs ( [0038] - For example, the network elements/functions 202 and 204 may represent NF Service Consumers, NF Service Producers, Authorization Servers (e.g., NRFs), etc. which interact for service authorization as described in further detail herein and [0063] - The scope in the JWT access token indicates the authorized level of access for the NF Service Consumer. If needed, the scope will include NF services that the NF Service Consumer is authorized to access in the NF Service Producer and [0088]-[0090] - In some embodiments, the NRF 404 may restrict access to specific services in the NF Service Producer 406. In such cases, the NRF 404 in step 704 may include an authorized set of services in a separate claim (e.g., the scope) in the JWT access token... The scope field mav include all the services that the NF Service Consumer 402 is authorized to access and [0092] - The access token is included in an API that is invoked by the NF Service Consumer 402 to access one or more NFs of the NF Service Producer 406); and
the access token further comprises one or more claims indicating the accessible NFs ([0059] - JWT may be used with the OAuth 2.0 authorization framework, as will be described with reference to the OAuth 2.0 client credentials flow of FIG. 4. Step 1 of FIG. 4 may proceed in the manner described above. In step 2 of FIG. 4, a signed or encrypted JSON Web Token or JWT is returned by the authorization server 404 as the access token. The claims in the JWT contain information required for the API resource server 406 to identify the client 402, scope of access, duration, etc. and [0063] - The scope in the JWT access token indicates the authorized level of access for the NF Service Consumer. If needed, the scope will include NF services that the NF Service Consumer is authorized to access in the NF Service Producer. The NF Service Consumer presents the obtained JWT to the NF Service Producer when requesting access to a service provided by the NF Service Producer and [0092] - The access token is included in an API that is invoked by the NF Service Consumer 402 to access one or more NFs of the NF Service Producer 406 and [0094] - In step 802, the NF Service Producer 406 verifies the access token. Verifying the access token in some embodiments includes checking that the JWT is well formed, checking the signature of the JWT using the NRF 404's public key, validating the standard claims in the access token (e.g., the subject, expiration time, issuer, audience claims, etc.), and checking the client permissions (e.g., the scope in the access token)); and
the access token is verified by one or more other NFs providing one or more services ([0037] - It is also to be noted that while FIG. 1 illustrates system elements as singular functional blocks, the various subnetworks that make up the 5G network are partitioned into so-called network slices. Network slices (network partitions) comprise a series of network function (NF) sets (i.e., function chains) for each corresponding service type using network function virtualization (NFV) on a common physical infrastructure and [0038] - For example, the network elements/functions 202 and 204 may represent NF Service Consumers, NF Service Producers, Authorization Servers (e.g., NRFs), etc. which interact for service authorization as described in further detail herein and [0053] - In 5G SBA, there are multiple NFs requesting services from each other. A service authorization framework is required that supports: (i) NF Service Consumer-NF Service Producer interactions; (ii) authentication of the NF Service Consumer that is requesting access to the service(s) of another NF (e.g., services of a NF Service Producer); (iii) obtaining authorization grants during Network Function Service discovery; (iv) using the obtained authorization grants during Network Function Service access; and (v) NF and Network Function Service registration and de-registration and [0063] - The scope in the JWT access token indicates the authorized level of access for the NF Service Consumer. If needed, the scope will include NF services that the NF Service Consumer is authorized to access in the NF Service Producer and [0088]-[0090] - In some embodiments, the NRF 404 may restrict access to specific services in the NF Service Producer 406. In such cases, the NRF 404 in step 704 may include an authorized set of services in a separate claim (e.g., the scope) in the JWT access token... The scope field mav include all the services that the NF Service Consumer 402 is authorized to access and [0092] - The access token is included in an API that is invoked by the NF Service Consumer 402 to access one or more NFs of the NF Service Producer 406 and [0094] - In step 802, the NF Service Producer 406 verifies the access token).
Bykampadi further teaches concepts of an expiration time for the access token and a scope of all the services that the NF Service Consumer is authorized to access (i.e., by another NF) ([0089]-[0090]); however, Bykampadi fails to explicitly disclose that the access token is reused by another NF in subsequent service requests.
However, in an analogous art, Malatesha teaches concepts of [a] access token is reused ...in subsequent service requests (Abstract and FIG. 4 and [0010] and [0027] and [0050]-[0052] - FIG. 4 depicts a flow diagram 400 of a process for reusing access tokens to access a network service. Although FIG. 4 is depicted and described in the context of access tokens, embodiments are not limited to access tokens and any type of access data may be used and [0055]).
Therefore, it would have been obvious to one of ordinarily skill in the art before the effective filing date of the claimed invention to combine the teachings of Malatesha to by another NF of Bykampadi to include concepts of [a] access token is reused ...in subsequent service requests.
One would have been motivated to combine the teachings of Malatesha to Bykampadi to do so as it provides / allows reducing the number of authentication processes that need to be performed by reusing access tokens (Malatesha, [0022]).
Regarding Claim 2;
Bykampadi and Malatesha discloses the method to Claim 1.
Bykampadi further discloses wherein sending the authorization request to the authorization server comprises sending the authorization request to a Network Repository Function (NRF) (FIG. 5-9 and [0061] - The Network Repository Function (NRF) plays the role of the OAuth Authorization server (e.g., authorization server 404 in FIG. 4) and [0086]-[0087] and [0093]-[0094].).
Regarding Claim 3;
Bykampadi and Malatesha discloses the method to Claim 1.
Bykampadi further discloses wherein receiving the authorization response including the information authorizing access to the plurality of NF services comprises receiving at least one token for authorizing access to the plurality of NF services (FIG. 7 and FIG. 8 and [0063] - The scope in the JWT access token indicates the authorized level of access for the NF Service Consumer. If needed, the scope will include NF services that the NF Service Consumer is authorized to access in the NF Service Producer and [0089]-[0090] - In some embodiments, the NRF 404 may restrict access to specific services in the NF Service Producer 406. In such cases, the NRF 404 in step 704 may include an authorized set of services in a separate claim (e.g., the scope) in the JWT access token... The scope field may include all the services that the NF Service Consumer 402 is authorized to access and [0093]-[0094] - In step 800-1, the NF Service Consumer 402 registers with the NRF 404, such as using the message flow of FIG. 5 or FIG. 6. In step 800-2, the NF Service Consumer 402 discovers the target instance from the NRF 404 and obtains the access token to be used for authorization, such as using the message flow of FIG. 7 and [0092]).
Regarding Claim 5;
Bykampadi and Malatesha discloses the method to Claim 4.
Bykampadi further discloses further comprising sending to each of a plurality of NF producers, a service request for a respective NF service, each service request comprising the one token (FIG. 8 and [0036] - For example, although only single elements/functions are shown in the FIG. 1 embodiment, this is for simplicity and clarity of description only. A given alternative embodiment may of course include larger numbers of such system elements, as well as additional or alternative elements of a type commonly associated with conventional system implementations and [0037] - In some embodiments, this involves installing or otherwise running the network slice or function on one or more host devices of the underlying physical infrastructure and [0063] - The scope in the JWT access token indicates the authorized level of access for the NF Service Consumer. If needed, the scope will include NF services that the NF Service Consumer is authorized to access in the NF Service Producer... NF Service Producers play the role of the OAuth resource server (e.g., resource server 406 in FIG. 4) and [0089]-[0090] - In some embodiments, the NRF 404 may restrict access to specific services in the NF Service Producer 406. In such cases, the NRF 404 in step 704 may include an authorized set of services in a separate claim (e.g., the scope) in the JWT access token... The scope field may include all the services that the NF Service Consumer 402 is authorized to access). As noted, a series of NF sets (i.e., subnetworks) for each corresponding service type can have different NF producers thus requiring a token for each specific service type.
Regarding Claim 6;
Bykampadi and Malatesha discloses the method to Claim 5.
Bykampadi further discloses further comprising receiving from each of the plurality of NF producers, a service response for the respective NF service (FIG. 8 – NF Service Response and [0036] - For example, although only single elements/functions are shown in the FIG. 1 embodiment, this is for simplicity and clarity of description only. A given alternative embodiment may of course include larger numbers of such system elements, as well as additional or alternative elements of a type commonly associated with conventional system implementations and [0037] - It is also to be noted that while FIG. 1 illustrates system elements as singular functional blocks, the various subnetworks that make up the 5G network are partitioned into so-called network slices. Network slices (network partitions) comprise a series of network function (NF) sets (i.e., function chains) for each corresponding service type using network function virtualization (NFV) on a common physical infrastructure and [0063] - The scope in the JWT access token indicates the authorized level of access for the NF Service Consumer. If needed, the scope will include NF services that the NF Service Consumer is authorized to access in the NF Service Producer... NF Service Producers play the role of the OAuth resource server (e.g., resource server 406 in FIG. 4) and [0089]-[0090] - In some embodiments, the NRF 404 may restrict access to specific services in the NF Service Producer 406. In such cases, the NRF 404 in step 704 may include an authorized set of services in a separate claim (e.g., the scope) in the JWT access token... The scope field may include all the services that the NF Service Consumer 402 is authorized to access). As noted, a series of NF sets (i.e., subnetworks) for each corresponding service type can have different NF producers thus requiring a token for each specific service type.
Regarding Claim 7;
Bykampadi and Malatesha discloses the method to Claim 3.
Bykampadi further discloses wherein the received authorization response comprises a plurality of tokens, each token for accessing a respective one of the plurality of NF services (FIG. 8 – NF Service Response and [0036] - For example, although only single elements/functions are shown in the FIG. 1 embodiment, this is for simplicity and clarity of description only. A given alternative embodiment may of course include larger numbers of such system elements, as well as additional or alternative elements of a type commonly associated with conventional system implementations and [0037] - It is also to be noted that while FIG. 1 illustrates system elements as singular functional blocks, the various subnetworks that make up the 5G network are partitioned into so-called network slices. Network slices (network partitions) comprise a series of network function (NF) sets (i.e., function chains) for each corresponding service type using network function virtualization (NFV) on a common physical infrastructure and [0063] - The scope in the JWT access token indicates the authorized level of access for the NF Service Consumer. If needed, the scope will include NF services that the NF Service Consumer is authorized to access in the NF Service Producer... NF Service Producers play the role of the OAuth resource server (e.g., resource server 406 in FIG. 4) and [0089]-[0090] - In some embodiments, the NRF 404 may restrict access to specific services in the NF Service Producer 406. In such cases, the NRF 404 in step 704 may include an authorized set of services in a separate claim (e.g., the scope) in the JWT access token... The scope field may include all the services that the NF Service Consumer 402 is authorized to access). As noted, a series of NF sets (i.e., subnetworks) for each corresponding service type can have different NF producers thus requiring a token for each specific service type.
Regarding Claim 8;
Bykampadi and Malatesha discloses the method to Claim 7.
Bykampadi further discloses further comprising sending to each of a plurality of NF producers, a service request for the respective NF service, each service request comprising a different token from the received plurality of tokens (FIG. 8 – NF Service Response and [0036] - For example, although only single elements/functions are shown in the FIG. 1 embodiment, this is for simplicity and clarity of description only. A given alternative embodiment may of course include larger numbers of such system elements, as well as additional or alternative elements of a type commonly associated with conventional system implementations and [0037] - It is also to be noted that while FIG. 1 illustrates system elements as singular functional blocks, the various subnetworks that make up the 5G network are partitioned into so-called network slices. Network slices (network partitions) comprise a series of network function (NF) sets (i.e., function chains) for each corresponding service type using network function virtualization (NFV) on a common physical infrastructure and [0063] - The scope in the JWT access token indicates the authorized level of access for the NF Service Consumer. If needed, the scope will include NF services that the NF Service Consumer is authorized to access in the NF Service Producer... NF Service Producers play the role of the OAuth resource server (e.g., resource server 406 in FIG. 4) and [0089]-[0090] - In some embodiments, the NRF 404 may restrict access to specific services in the NF Service Producer 406. In such cases, the NRF 404 in step 704 may include an authorized set of services in a separate claim (e.g., the scope) in the JWT access token... The scope field may include all the services that the NF Service Consumer 402 is authorized to access). As noted, a series of NF sets (i.e., subnetworks) for each corresponding service type can have different NF producers thus requiring a “different” token for each specific service type.
Regarding Claim 9;
Bykampadi and Malatesha discloses the method to Claim 8.
Bykampadi further discloses further comprising receiving from each of the plurality of NF producers, a service response for the respective NF service tokens (FIG. 8 – NF Service Response and [0037] - It is also to be noted that while FIG. 1 illustrates system elements as singular functional blocks, the various subnetworks that make up the 5G network are partitioned into so-called network slices. Network slices (network partitions) comprise a series of network function (NF) sets (i.e., function chains) for each corresponding service type using network function virtualization (NFV) on a common physical infrastructure. (As noted, a series of NF sets (i.e., subnetworks) for each corresponding service type can have different NF producers, see [0063]) and [0063] and [0089]-[0090] - In some embodiments, the NRF 404 may restrict access to specific services in the NF Service Producer 406. In such cases, the NRF 404 in step 704 may include an authorized set of services in a separate claim (e.g., the scope) in the JWT access token... The scope field may include all the services that the NF Service Consumer 402 is authorized to access and [0093]-[0094] - In step 800-1, the NF Service Consumer 402 registers with the NRF 404, such as using the message flow of FIG. 5 or FIG. 6. In step 800-2, the NF Service Consumer 402 discovers the target instance from the NRF 404 and obtains the access token to be used for authorization, such as using the message flow of FIG. 7).
Regarding Claim 10;
Bykampadi and Malatesha discloses the method to Claim 8.
Bykampadi further discloses further comprising providing at least one of the plurality of tokens to one of the pluralities of NF producers for use to access another of the plurality of NF producers (FIG. 8 and [0036] - For example, although only single elements/functions are shown in the FIG. 1 embodiment, this is for simplicity and clarity of description only. A given alternative embodiment may of course include larger numbers of such system elements, as well as additional or alternative elements of a type commonly associated with conventional system implementations and [0037] - It is also to be noted that while FIG. 1 illustrates system elements as singular functional blocks, the various subnetworks that make up the 5G network are partitioned into so-called network slices. Network slices (network partitions) comprise a series of network function (NF) sets (i.e., function chains) for each corresponding service type using network function virtualization (NFV) on a common physical infrastructure and [0038] - For example, the network elements/functions 202 and 204 may represent NF Service Consumers, NF Service Producers, Authorization Servers (e.g., NRFs), etc. which interact for service authorization as described in further detail herein and [0053] - In 5G SBA, there are multiple NFs requesting services from each other. A service authorization framework is required that supports: (i) NF Service Consumer-NF Service Producer interactions; (ii) authentication of the NF Service Consumer that is requesting access to the service(s) of another NF (e.g., services of a NF Service Producer); (iii) obtaining authorization grants during Network Function Service discovery; (iv) using the obtained authorization grants during Network Function Service access; and (v) NF and Network Function Service registration and de-registration and [0063] - The scope in the JWT access token indicates the authorized level of access for the NF Service Consumer. If needed, the scope will include NF services that the NF Service Consumer is authorized to access in the NF Service Producer and [0088]-[0090] - In some embodiments, the NRF 404 may restrict access to specific services in the NF Service Producer 406. In such cases, the NRF 404 in step 704 may include an authorized set of services in a separate claim (e.g., the scope) in the JWT access token... The scope field mav include all the services that the NF Service Consumer 402 is authorized to access and [0092] - The access token is included in an API that is invoked by the NF Service Consumer 402 to access one or more NFs of the NF Service Producer 406) As noted, NFs request services from each other thus a service authorization framework is required that supports: (i) NF Service Consumer-NF Service Producer interactions; (ii) authentication of the NF Service Consumer that is requesting access to the service(s) of another NF (e.g., services of a NF Service Producer).
Regarding Claim 11;
Bykampadi discloses a method implemented in a Network Function (NF) for optimizing NF service authorization, the method comprising (FIG. 5 and [0051] - In the 5G SBA, services of a particular Network Function (NF) are provided only to authorized NF Service Consumers (e.g., other network functions) upon request. Therefore, service authorization procedures are required to check whether a NF Service Consumer is permitted to access a requested NF Service Producer for consuming a NF Service), the method comprising:
receiving from an NF service consumer, a service request, the service request comprising information authorizing access to a plurality of NF services involved in a procedure (FIG. 8 – NF Service Request and [0092]-[0094] - In step 801, the NF Service Consumer 402 invokes the API for a specific service on the NF Service Producer 406. The parameters included in the API include the access_token, along with the NF Service Consumer 402 instance id. The instance id must match what is included in the “subject” claim of the access token. In step 802, the NF Service Producer 406 verifies the access token. Verifying the access token in some embodiments includes checking that the JWT is well formed, checking the signature of the JWT using the NRF 404's public key, validating the standard claims in the access token (e.g., the subject, expiration time, issuer, audience claims, etc.), and checking the client permissions (e.g., the scope in the access token). If the checks are successful, the NF Service Producer 406 is assured that the access token received in step 801 was issued by its local NRF 404 and that the access token was issued to the correct NF Service Consumer 402 (e.g., identifier match). In addition, the NF Service Producer 406 knows the exact scope that the NF Service Consumer 402 has been authorized by the NRF 404. In step 803, responsive to successful verification of the access token, the NF Service Producer 406 executes the requested service and provides a NF service response to the NF Service Consumer 402), wherein the received service request comprises a plurality of access tokens each access token for accessing a respective on of the plurality of NF services (FIG. 8 – NF Service Response and [0036] - For example, although only single elements/functions are shown in the FIG. 1 embodiment, this is for simplicity and clarity of description only. A given alternative embodiment may of course include larger numbers of such system elements, as well as additional or alternative elements of a type commonly associated with conventional system implementations and [0037] - It is also to be noted that while FIG. 1 illustrates system elements as singular functional blocks, the various subnetworks that make up the 5G network are partitioned into so-called network slices. Network slices (network partitions) comprise a series of network function (NF) sets (i.e., function chains) for each corresponding service type using network function virtualization (NFV) on a common physical infrastructure and [0063] - The scope in the JWT access token indicates the authorized level of access for the NF Service Consumer. If needed, the scope will include NF services that the NF Service Consumer is authorized to access in the NF Service Producer... NF Service Producers play the role of the OAuth resource server (e.g., resource server 406 in FIG. 4) and [0089]-[0090] - In some embodiments, the NRF 404 may restrict access to specific services in the NF Service Producer 406. In such cases, the NRF 404 in step 704 may include an authorized set of services in a separate claim (e.g., the scope) in the JWT access token... The scope field may include all the services that the NF Service Consumer 402 is authorized to access). As noted, a series of NF sets (i.e., subnetworks) for each corresponding service type can have different NF producers thus requiring a token for each specific service type; and
verifying the received plurality of access tokens (FIG. 8 – NF Service Response and [0036] - For example, although only single elements/functions are shown in the FIG. 1 embodiment, this is for simplicity and clarity of description only. A given alternative embodiment may of course include larger numbers of such system elements, as well as additional or alternative elements of a type commonly associated with conventional system implementations and [0037] - It is also to be noted that while FIG. 1 illustrates system elements as singular functional blocks, the various subnetworks that make up the 5G network are partitioned into so-called network slices. Network slices (network partitions) comprise a series of network function (NF) sets (i.e., function chains) for each corresponding service type using network function virtualization (NFV) on a common physical infrastructure and [0063] - The scope in the JWT access token indicates the authorized level of access for the NF Service Consumer. If needed, the scope will include NF services that the NF Service Consumer is authorized to access in the NF Service Producer... NF Service Producers play the role of the OAuth resource server (e.g., resource server 406 in FIG. 4) and [0089]-[0090] - In some embodiments, the NRF 404 may restrict access to specific services in the NF Service Producer 406. In such cases, the NRF 404 in step 704 may include an authorized set of services in a separate claim (e.g., the scope) in the JWT access token... The scope field may include all the services that the NF Service Consumer 402 is authorized to access and [0094] - In step 802, the NF Service Producer 406 verifies the access token. Verifying the access token in some embodiments includes checking that the JWT is well formed, checking the signature of the JWT using the NRF 404's public key, validating the standard claims in the access token (e.g., the subject, expiration time, issuer, audience claims, etc.), and checking the client permissions (e.g., the scope in the access token). If the checks are successful, the NF Service Producer 406 is assured that the access token received in step 801 was issued by its local NRF 404 and that the access token was issued to the correct NF Service Consumer 402 (e.g., identifier match). In addition, the NF Service Producer 406 knows the exact scope that the NF Service Consumer 402 has been authorized by the NRF 404. In step 803, responsive to successful verification of the access token, the NF Service Producer 406 executes the requested service and provides a NF service response to the NF Service Consumer 402);
sending to the NF service consumer, a service response (FIG. 8 and [0093]-[0094] - In step 801, the NF Service Consumer 402 invokes the API for a specific service on the NF Service Producer 406. The parameters included in the API include the access_token, along with the NF Service Consumer 402 instance id. The instance id must match what is included in the “subject” claim of the access token. In step 802, the NF Service Producer 406 verifies the access token. Verifying the access token in some embodiments includes checking that the JWT is well formed, checking the signature of the JWT using the NRF 404's public key, validating the standard claims in the access token (e.g., the subject, expiration time, issuer, audience claims, etc.), and checking the client permissions (e.g., the scope in the access token). If the checks are successful, the NF Service Producer 406 is assured that the access token received in step 801 was issued by its local NRF 404 and that the access token was issued to the correct NF Service Consumer 402 (e.g., identifier match). In addition, the NF Service Producer 406 knows the exact scope that the NF Service Consumer 402 has been authorized by the NRF 404. In step 803, responsive to successful verification of the access token, the NF Service Producer 406 executes the requested service and provides a NF service response to the NF Service Consumer 402), wherein when the procedure beings, an access token request is received form the NF service Consumer (FIG. 7and [0038] - For example, the network elements/functions 202 and 204 may represent NF Service Consumers, NF Service Producers, Authorization Servers (e.g., NRFs), etc. which interact for service authorization as described in further detail herein and [0085] - FIG. 7 illustrates a message flow for the NF 402 to obtain an access token during network function service discovery with the NRF 404. NF service discovery procedure between NFs and NRF in the same PLMN (e.g., such as in one of the HPLMN or VPLMN of FIG. 3) is defined in clause 4.17.4 of TS 23.502. It is used as the underlying procedure by the NF Service Consumer to obtain an access token from the NRF authorization server 404 and [0087] - The NF Service Consumer 402 in step 701 invokes the Nnrf_NFDiscovery_Request (e.g., which may include an expected NF service name, NF type of the expected NF instance, the NF type of the NF Service Consumer, etc.) from the NRF 404 (in a same PLMN). As an OAuth client, the NF Service Consumer 402 in step 701 also sends its client_id and client_secret, or more generally its client credentials, in the request message), wherein the NF generates and sends an access token for the procedure to the NF service consumer as the service response, (FIG. 7 and [0038] - For example, the network elements/functions 202 and 204 may represent NF Service Consumers, NF Service Producers, Authorization Servers (e.g., NRFs), etc. which interact for service authorization as described in further detail herein and [0088]-[0090] - ... generated JWT is signed with the NRF 404's private key. The claims in the JWT access token include the identity of the NRF 404 (e.g., the issuer), the identity of the NF Service Consumer 402 (e.g., the subject), the identity of the NF instance that provides the requested service (e.g., the audience), the expiration time, etc. In some embodiments, the NRF 404 may restrict access to specific services in the NF Service Producer 406. In such cases, the NRF 404 in step 704 may include an authorized set of services in a separate claim (e.g., the scope) in the JWT access token. In step 705, the signed JWT access token is included in an Nnrf_NFDiscovery_Request response message that is sent from the NRF 404 to the NF Service Consumer 402. The response message of step 705 may also include an expiration time (e.g., expires_in), an end point address for the discovered NF instance, etc. The scope and expires_in may be equivalent to the corresponding claims in the JWT access token from step 704. The scope field may include all the services that the NF Service Consumer 402 is authorized to access), wherein:
the access token is used by the NF service consumer to access any of other NF service consumer involved in the procedure ([0038] - For example, the network elements/functions 202 and 204 may represent NF Service Consumers, NF Service Producers, Authorization Servers (e.g., NRFs), etc. which interact for service authorization as described in further detail herein and [0063] - The scope in the JWT access token indicates the authorized level of access for the NF Service Consumer. If needed, the scope will include NF services that the NF Service Consumer is authorized to access in the NF Service Producer and [0088]-[0090] - In some embodiments, the NRF 404 may restrict access to specific services in the NF Service Producer 406. In such cases, the NRF 404 in step 704 may include an authorized set of services in a separate claim (e.g., the scope) in the JWT access token... The scope field mav include all the services that the NF Service Consumer 402 is authorized to access and [0092] - The access token is included in an API that is invoked by the NF Service Consumer 402 to access one or more NFs of the NF Service Producer 406).),
the access token is used to access procedure between any of two NF service consumers ([0038] - For example, the network elements/functions 202 and 204 may represent NF Service Consumers, NF Service Producers, Authorization Servers (e.g., NRFs), etc. which interact for service authorization as described in further detail herein and [0063] - The scope in the JWT access token indicates the authorized level of access for the NF Service Consumer. If needed, the scope will include NF services that the NF Service Consumer is authorized to access in the NF Service Producer and [0088]-[0090] - In some embodiments, the NRF 404 may restrict access to specific services in the NF Service Producer 406. In such cases, the NRF 404 in step 704 may include an authorized set of services in a separate claim (e.g., the scope) in the JWT access token... The scope field mav include all the services that the NF Service Consumer 402 is authorized to access and [0092] - The access token is included in an API that is invoked by the NF Service Consumer 402 to access one or more NFs of the NF Service Producer 406), and
the access token further comprises one or more claims indicating the accessible NFs ([0059] - JWT may be used with the OAuth 2.0 authorization framework, as will be described with reference to the OAuth 2.0 client credentials flow of FIG. 4. Step 1 of FIG. 4 may proceed in the manner described above. In step 2 of FIG. 4, a signed or encrypted JSON Web Token or JWT is returned by the authorization server 404 as the access token. The claims in the JWT contain information required for the API resource server 406 to identify the client 402, scope of access, duration, etc. and [0063] - The scope in the JWT access token indicates the authorized level of access for the NF Service Consumer. If needed, the scope will include NF services that the NF Service Consumer is authorized to access in the NF Service Producer. The NF Service Consumer presents the obtained JWT to the NF Service Producer when requesting access to a service provided by the NF Service Producer and [0092] - The access token is included in an API that is invoked by the NF Service Consumer 402 to access one or more NFs of the NF Service Producer 406 and [0094] - In step 802, the NF Service Producer 406 verifies the access token. Verifying the access token in some embodiments includes checking that the JWT is well formed, checking the signature of the JWT using the NRF 404's public key, validating the standard claims in the access token (e.g., the subject, expiration time, issuer, audience claims, etc.), and checking the client permissions (e.g., the scope in the access token)).
Bykampadi further teaches concepts of an expiration time for the access token and a scope of all the services that the NF Service Consumer is authorized to access (i.e., by another NF) ([0089]-[0090]); however, Bykampadi fails to explicitly disclose that the access token is reused by another NF in subsequent service requests.
However, in an analogous art, Malatesha teaches concepts of [a] access token is reused ...in subsequent service requests (Abstract and FIG. 4 and [0010] and [0027] and [0050]-[0052] - FIG. 4 depicts a flow diagram 400 of a process for reusing access tokens to access a network service. Although FIG. 4 is depicted and described in the context of access tokens, embodiments are not limited to access tokens and any type of access data may be used and [0055]).
Therefore, it would have been obvious to one of ordinarily skill in the art before the effective filing date of the claimed invention to combine the teachings of Malatesha to by another NF of Bykampadi to include concepts of [a] access token is reused ...in subsequent service requests.
One would have been motivated to combine the teachings of Malatesha to Bykampadi to do so as it provides / allows reducing the number of authentication processes that need to be performed by reusing access tokens (Malatesha, [0022]).
Regarding Claim 12;
Bykampadi and Malatesha discloses the method to Claim 11.
Bykampadi further discloses receiving the service request comprising the information authorizing access to the plurality of NF services comprises receiving at least one token for authorizing access to the plurality of NF services (FIG. 8 and [0093]-[0094] - In step 801, the NF Service Consumer 402 invokes the API for a specific service on the NF Service Producer 406. The parameters included in the API include the access_token, along with the NF Service Consumer 402 instance id. The instance id must match what is included in the “subject” claim of the access token. In step 802, the NF Service Producer 406 verifies the access token. Verifying the access token in some embodiments includes checking that the JWT is well formed, checking the signature of the JWT using the NRF 404's public key, validating the standard claims in the access token (e.g., the subject, expiration time, issuer, audience claims, etc.), and checking the client permissions (e.g., the scope in the access token). If the checks are successful, the NF Service Producer 406 is assured that the access token received in step 801 was issued by its local NRF 404 and that the access token was issued to the correct NF Service Consumer 402 (e.g., identifier match). In addition, the NF Service Producer 406 knows the exact scope that the NF Service Consumer 402 has been authorized by the NRF 404. In step 803, responsive to successful verification of the access token, the NF Service Producer 406 executes the requested service and provides a NF service response to the NF Service Consumer 402).
Regarding Claim 13;
Bykampadi and Malatesha discloses the method to Claim 11.
Bykampadi further discloses wherein the received service request comprises one token that is used to access at least some of the plurality of NF services (FIG. 8 and [0063] - The scope in the JWT access token indicates the authorized level of access for the NF Service Consumer. If needed, the scope will include NF services that the NF Service Consumer is authorized to access in the NF Service Producer and [0089]-[0090] - In some embodiments, the NRF 404 may restrict access to specific services in the NF Service Producer 406. In such cases, the NRF 404 in step 704 may include an authorized set of services in a separate claim (e.g., the scope) in the JWT access token... The scope field may include all the services that the NF Service Consumer 402 is authorized to access and [0093]-[0094] - In step 800-1, the NF Service Consumer 402 registers with the NRF 404, such as using the message flow of FIG. 5 or FIG. 6. In step 800-2, the NF Service Consumer 402 discovers the target instance from the NRF 404 and obtains the access token to be used for authorization, such as using the message flow of FIG. 7).
Regarding Claim 14;
Bykampadi and Malatesha discloses the method to Claim 13.
Bykampadi further discloses further comprising sending, to at least one NF producer, a service request for a respective NF service provided by a respective NF producer, each service request comprising the one token (FIG. 8 – NF Service Request and NF Service Response and [0036] - For example, although only single elements/functions are shown in the FIG. 1 embodiment, this is for simplicity and clarity of description only. A given alternative embodiment may of course include larger numbers of such system elements, as well as additional or alternative elements of a type commonly associated with conventional system implementations and [0063] - The scope in the JWT access token indicates the authorized level of access for the NF Service Consumer. If needed, the scope will include NF services that the NF Service Consumer is authorized to access in the NF Service Producer... NF Service Producers play the role of the OAuth resource server (e.g., resource server 406 in FIG. 4) and [0089]-[0090] - In some embodiments, the NRF 404 may restrict access to specific services in the NF Service Producer 406. In such cases, the NRF 404 in step 704 may include an authorized set of services in a separate claim (e.g., the scope) in the JWT access token... The scope field may include all the services that the NF Service Consumer 402 is authorized to access and [0093]-[0094] - In step 800-1, the NF Service Consumer 402 registers with the NRF 404, such as using the message flow of FIG. 5 or FIG. 6. In step 800-2, the NF Service Consumer 402 discovers the target instance from the NRF 404 and obtains the access token to be used for authorization, such as using the message flow of FIG. 7).
Regarding Claim 15;
Bykampadi and Malatesha discloses the method to Claim 14.
Bykampadi further discloses further comprising receiving from each of the at least one NF producers, a service response for the respective NF service (FIG. 8 – NF Service Request and NF Service Response and [0036] - For example, although only single elements/functions are shown in the FIG. 1 embodiment, this is for simplicity and clarity of description only. A given alternative embodiment may of course include larger numbers of such system elements, as well as additional or alternative elements of a type commonly associated with conventional system implementations and [0063] - The scope in the JWT access token indicates the authorized level of access for the NF Service Consumer. If needed, the scope will include NF services that the NF Service Consumer is authorized to access in the NF Service Producer... NF Service Producers play the role of the OAuth resource server (e.g., resource server 406 in FIG. 4) and [0089]-[0090] - In some embodiments, the NRF 404 may restrict access to specific services in the NF Service Producer 406. In such cases, the NRF 404 in step 704 may include an authorized set of services in a separate claim (e.g., the scope) in the JWT access token... The scope field may include all the services that the NF Service Consumer 402 is authorized to access and [0093]-[0094] - In step 800-1, the NF Service Consumer 402 registers with the NRF 404, such as using the message flow of FIG. 5 or FIG. 6. In step 800-2, the NF Service Consumer 402 discovers the target instance from the NRF 404 and obtains the access token to be used for authorization, such as using the message flow of FIG. 7).
Regarding Claim 17;
Bykampadi and Malatesha discloses the method to Claim 16.
Bykampadi further discloses further comprising sending, to at least one NF producer, a service request for a respective NF service provided by a respective NF producer, each service request comprising a respective one of the plurality of tokens (FIG. 8 – NF Service Response and [0036] - For example, although only single elements/functions are shown in the FIG. 1 embodiment, this is for simplicity and clarity of description only. A given alternative embodiment may of course include larger numbers of such system elements, as well as additional or alternative elements of a type commonly associated with conventional system implementations and [0037] - It is also to be noted that while FIG. 1 illustrates system elements as singular functional blocks, the various subnetworks that make up the 5G network are partitioned into so-called network slices. Network slices (network partitions) comprise a series of network function (NF) sets (i.e., function chains) for each corresponding service type using network function virtualization (NFV) on a common physical infrastructure and [0063] - The scope in the JWT access token indicates the authorized level of access for the NF Service Consumer. If needed, the scope will include NF services that the NF Service Consumer is authorized to access in the NF Service Producer... NF Service Producers play the role of the OAuth resource server (e.g., resource server 406 in FIG. 4) and [0089]-[0090] - In some embodiments, the NRF 404 may restrict access to specific services in the NF Service Producer 406. In such cases, the NRF 404 in step 704 may include an authorized set of services in a separate claim (e.g., the scope) in the JWT access token... The scope field may include all the services that the NF Service Consumer 402 is authorized to access and [0093]-[0094] - In step 800-1, the NF Service Consumer 402 registers with the NRF 404, such as using the message flow of FIG. 5 or FIG. 6. In step 800-2, the NF Service Consumer 402 discovers the target instance from the NRF 404 and obtains the access token to be used for authorization, such as using the message flow of FIG. 7). As noted, a series of NF sets (i.e., subnetworks) for each corresponding service type can have different NF producers thus requiring a token for each specific service type and/or additionally each specific service type can have a series of network functions.
Regarding Claim 18;
Bykampadi and Malatesha discloses the method to Claim 17.
Bykampadi further discloses further comprising receiving from each of the at least one NF producers, a service response for the respective NF service (FIG. 8 – NF Service Response and [0036] - For example, although only single elements/functions are shown in the FIG. 1 embodiment, this is for simplicity and clarity of description only. A given alternative embodiment may of course include larger numbers of such system elements, as well as additional or alternative elements of a type commonly associated with conventional system implementations and [0037] - It is also to be noted that while FIG. 1 illustrates system elements as singular functional blocks, the various subnetworks that make up the 5G network are partitioned into so-called network slices. Network slices (network partitions) comprise a series of network function (NF) sets (i.e., function chains) for each corresponding service type using network function virtualization (NFV) on a common physical infrastructure and [0063] - The scope in the JWT access token indicates the authorized level of access for the NF Service Consumer. If needed, the scope will include NF services that the NF Service Consumer is authorized to access in the NF Service Producer... NF Service Producers play the role of the OAuth resource server (e.g., resource server 406 in FIG. 4) and [0089]-[0090] - In some embodiments, the NRF 404 may restrict access to specific services in the NF Service Producer 406. In such cases, the NRF 404 in step 704 may include an authorized set of services in a separate claim (e.g., the scope) in the JWT access token... The scope field may include all the services that the NF Service Consumer 402 is authorized to access and [0093]-[0094] - In step 800-1, the NF Service Consumer 402 registers with the NRF 404, such as using the message flow of FIG. 5 or FIG. 6. In step 800-2, the NF Service Consumer 402 discovers the target instance from the NRF 404 and obtains the access token to be used for authorization, such as using the message flow of FIG. 7). As noted, a series of NF sets (i.e., subnetworks) for each corresponding service type can have different NF producers thus requiring a token for each specific service type and/or additionally each specific service type can have a series of network functions.
Regarding Claim 19;
Bykampadi and Malatesha discloses the method to Claim 12.
Bykampadi further discloses further comprising receiving from an authorization server, at least one additional token for authorizing access to one of the plurality of NF services (FIG. 8 – NF Service Response and [0036] - For example, although only single elements/functions are shown in the FIG. 1 embodiment, this is for simplicity and clarity of description only. A given alternative embodiment may of course include larger numbers of such system elements, as well as additional or alternative elements of a type commonly associated with conventional system implementations and [0037] - It is also to be noted that while FIG. 1 illustrates system elements as singular functional blocks, the various subnetworks that make up the 5G network are partitioned into so-called network slices. Network slices (network partitions) comprise a series of network function (NF) sets (i.e., function chains) for each corresponding service type using network function virtualization (NFV) on a common physical infrastructure and [0063] - The scope in the JWT access token indicates the authorized level of access for the NF Service Consumer. If needed, the scope will include NF services that the NF Service Consumer is authorized to access in the NF Service Producer... NF Service Producers play the role of the OAuth resource server (e.g., resource server 406 in FIG. 4) and [0089]-[0090] - In some embodiments, the NRF 404 may restrict access to specific services in the NF Service Producer 406. In such cases, the NRF 404 in step 704 may include an authorized set of services in a separate claim (e.g., the scope) in the JWT access token... The scope field may include all the services that the NF Service Consumer 402 is authorized to access and [0093]-[0094] - In step 800-1, the NF Service Consumer 402 registers with the NRF 404, such as using the message flow of FIG. 5 or FIG. 6. In step 800-2, the NF Service Consumer 402 discovers the target instance from the NRF 404 and obtains the access token to be used for authorization, such as using the message flow of FIG. 7). As noted, a series of NF sets (i.e., subnetworks) for each corresponding service type can have different NF producers thus requiring a token for each specific service type.
Regarding Claim 20;
Bykampadi and Malatesha discloses the method to Claim 19.
Bykampadi further discloses further comprising sending, to at least one NF producer, a service request for a respective NF service provided by a respective NF producer, the service request comprising the additional token received from the authorization server (FIG. 8 – NF Service Response and [0036] - For example, although only single elements/functions are shown in the FIG. 1 embodiment, this is for simplicity and clarity of description only. A given alternative embodiment may of course include larger numbers of such system elements, as well as additional or alternative elements of a type commonly associated with conventional system implementations and [0037] - It is also to be noted that while FIG. 1 illustrates system elements as singular functional blocks, the various subnetworks that make up the 5G network are partitioned into so-called network slices. Network slices (network partitions) comprise a series of network function (NF) sets (i.e., function chains) for each corresponding service type using network function virtualization (NFV) on a common physical infrastructure and [0063] - The scope in the JWT access token indicates the authorized level of access for the NF Service Consumer. If needed, the scope will include NF services that the NF Service Consumer is authorized to access in the NF Service Producer... NF Service Producers play the role of the OAuth resource server (e.g., resource server 406 in FIG. 4) and [0089]-[0090] - In some embodiments, the NRF 404 may restrict access to specific services in the NF Service Producer 406. In such cases, the NRF 404 in step 704 may include an authorized set of services in a separate claim (e.g., the scope) in the JWT access token... The scope field may include all the services that the NF Service Consumer 402 is authorized to access and [0093]-[0094] - In step 800-1, the NF Service Consumer 402 registers with the NRF 404, such as using the message flow of FIG. 5 or FIG. 6. In step 800-2, the NF Service Consumer 402 discovers the target instance from the NRF 404 and obtains the access token to be used for authorization, such as using the message flow of FIG. 7). As noted, a series of NF sets (i.e., subnetworks) for each corresponding service type can have different NF producers thus requiring a token for each specific service type.
Regarding Claim 21;
Bykampadi and Malatesha discloses the method to Claim 20.
Bykampadi further discloses further comprising receiving from each of the at least one NF producers, a service response for the respective NF service (FIG. 8 – NF Service Response and [0036] - For example, although only single elements/functions are shown in the FIG. 1 embodiment, this is for simplicity and clarity of description only. A given alternative embodiment may of course include larger numbers of such system elements, as well as additional or alternative elements of a type commonly associated with conventional system implementations and [0037] - It is also to be noted that while FIG. 1 illustrates system elements as singular functional blocks, the various subnetworks that make up the 5G network are partitioned into so-called network slices. Network slices (network partitions) comprise a series of network function (NF) sets (i.e., function chains) for each corresponding service type using network function virtualization (NFV) on a common physical infrastructure and [0063] - The scope in the JWT access token indicates the authorized level of access for the NF Service Consumer. If needed, the scope will include NF services that the NF Service Consumer is authorized to access in the NF Service Producer... NF Service Producers play the role of the OAuth resource server (e.g., resource server 406 in FIG. 4) and [0089]-[0090] - In some embodiments, the NRF 404 may restrict access to specific services in the NF Service Producer 406. In such cases, the NRF 404 in step 704 may include an authorized set of services in a separate claim (e.g., the scope) in the JWT access token... The scope field may include all the services that the NF Service Consumer 402 is authorized to access and [0093]-[0094] - In step 800-1, the NF Service Consumer 402 registers with the NRF 404, such as using the message flow of FIG. 5 or FIG. 6. In step 800-2, the NF Service Consumer 402 discovers the target instance from the NRF 404 and obtains the access token to be used for authorization, such as using the message flow of FIG. 7). As noted, a series of NF sets (i.e., subnetworks) for each corresponding service type can have different NF producers thus requiring a token for each specific service type.
Regarding Clam 22;
Bykampadi discloses a method, implemented in an authorization server, for optimizing Network Function (NF) service authorization (FIG. 5 and [0051] - In the 5G SBA, services of a particular Network Function (NF) are provided only to authorized NF Service Consumers (e.g., other network functions) upon request. Therefore, service authorization procedures are required to check whether a NF Service Consumer is permitted to access a requested NF Service Producer for consuming a NF Service), the method comprising:
receiving from a requesting entity, an authorization request for a procedure, the procedure involving a plurality of NF services (FIG. 8 – NF Service Request and [0092]-[0094] - In step 801, the NF Service Consumer 402 invokes the API for a specific service on the NF Service Producer 406. The parameters included in the API include the access_token, along with the NF Service Consumer 402 instance id. The instance id must match what is included in the “subject” claim of the access token. In step 802, the NF Service Producer 406 verifies the access token. Verifying the access token in some embodiments includes checking that the JWT is well formed, checking the signature of the JWT using the NRF 404's public key, validating the standard claims in the access token (e.g., the subject, expiration time, issuer, audience claims, etc.), and checking the client permissions (e.g., the scope in the access token). If the checks are successful, the NF Service Producer 406 is assured that the access token received in step 801 was issued by its local NRF 404 and that the access token was issued to the correct NF Service Consumer 402 (e.g., identifier match). In addition, the NF Service Producer 406 knows the exact scope that the NF Service Consumer 402 has been authorized by the NRF 404. In step 803, responsive to successful verification of the access token, the NF Service Producer 406 executes the requested service and provides a NF service response to the NF Service Consumer 402) and [0092]);
authorizing the requesting entity and upon a determination that the requesting entity is authorized to perform the procedure (FIG. 5 and FIG. 7and FIG. 8 and [0088]-[0089] - The NRF 404 in step 702 authenticates the client NF Service Consumer 402 based on the provided client credentials. If the NF Service Consumer 402 is successfully authenticated, the NRF 404 in step 703 checks the stored NF profile information of the target NF and/or NF service to determine whether the access can be permitted to the NF type of the NF Service Consumer 402. If the requested service can be provided to the NF Service Consumer 402 of the declared type, the NRF 404 in step 704 generates a JWT based access token with appropriate claims included. The generated JWT is signed with the NRF 404's private key. The claims in the JWT access token include the identity of the NRF 404 (e.g., the issuer), the identity of the NF Service Consumer 402 (e.g., the subject), the identity of the NF instance that provides the requested service (e.g., the audience), the expiration time, etc. In some embodiments, the NRF 404 may restrict access to specific services in the NF Service Producer 406. In such cases, the NRF 404 in step 704 may include an authorized set of services in a separate claim (e.g., the scope) in the JWT access token and [0093]-[0094] - In step 800-1, the NF Service Consumer 402 registers with the NRF 404, such as using the message flow of FIG. 5 or FIG. 6. In step 800-2, the NF Service Consumer 402 discovers the target instance from the NRF 404 and obtains the access token to be used for authorization, such as using the message flow of FIG. 7):
sending, to the requesting entity, an authorization response, the authorization response including information authorizing access to the plurality of NF services involved in the procedure (FIG. 5 and FIG. 7and FIG. 8 and [0088]-[0089] The NRF 404 in step 702 authenticates the client NF Service Consumer 402 based on the provided client credentials. If the NF Service Consumer 402 is successfully authenticated, the NRF 404 in step 703 checks the stored NF profile information of the target NF and/or NF service to determine whether the access can be permitted to the NF type of the NF Service Consumer 402. If the requested service can be provided to the NF Service Consumer 402 of the declared type, the NRF 404 in step 704 generates a JWT based access token with appropriate claims included. The generated JWT is signed with the NRF 404's private key. The claims in the JWT access token include the identity of the NRF 404 (e.g., the issuer), the identity of the NF Service Consumer 402 (e.g., the subject), the identity of the NF instance that provides the requested service (e.g., the audience), the expiration time, etc. In some embodiments, the NRF 404 may restrict access to specific services in the NF Service Producer 406. In such cases, the NRF 404 in step 704 may include an authorized set of services in a separate claim (e.g., the scope) in the JWT access token. and [0093]-[0094] - In step 800-1, the NF Service Consumer 402 registers with the NRF 404, such as using the message flow of FIG. 5 or FIG. 6. In step 800-2, the NF Service Consumer 402 discovers the target instance from the NRF 404 and obtains the access token to be used for authorization, such as using the message flow of FIG. 7), wherein when the procedure beings, the requesting entity sends an access token request with a corresponding procedure name to the authorization server (FIG. 7 and [0038] - For example, the network elements/functions 202 and 204 may represent NF Service Consumers, NF Service Producers, Authorization Servers (e.g., NRFs), etc. which interact for service authorization as described in further detail herein and [0085] - FIG. 7 illustrates a message flow for the NF 402 to obtain an access token during network function service discovery with the NRF 404. NF service discovery procedure between NFs and NRF in the same PLMN (e.g., such as in one of the HPLMN or VPLMN of FIG. 3) is defined in clause 4.17.4 of TS 23.502. It is used as the underlying procedure by the NF Service Consumer to obtain an access token from the NRF authorization server 404 and [0087] - The NF Service Consumer 402 in step 701 invokes the Nnrf_NFDiscovery_Request (e.g., which may include an expected NF service name, NF type of the expected NF instance, the NF type of the NF Service Consumer, etc.) from the NRF 404 (in a same PLMN). As an OAuth client, the NF Service Consumer 402 in step 701 also sends its client_id and client_secret, or more generally its client credentials, in the request message), wherein the authorization server generates and sends an access token for the procedure to the questing entity as the authorization response (FIG. 7 and [0038] - For example, the network elements/functions 202 and 204 may represent NF Service Consumers, NF Service Producers, Authorization Servers (e.g., NRFs), etc. which interact for service authorization as described in further detail herein and [0088]-[0090] - ... generated JWT is signed with the NRF 404's private key. The claims in the JWT access token include the identity of the NRF 404 (e.g., the issuer), the identity of the NF Service Consumer 402 (e.g., the subject), the identity of the NF instance that provides the requested service (e.g., the audience), the expiration time, etc. In some embodiments, the NRF 404 may restrict access to specific services in the NF Service Producer 406. In such cases, the NRF 404 in step 704 may include an authorized set of services in a separate claim (e.g., the scope) in the JWT access token. In step 705, the signed JWT access token is included in an Nnrf_NFDiscovery_Request response message that is sent from the NRF 404 to the NF Service Consumer 402. The response message of step 705 may also include an expiration time (e.g., expires_in), an end point address for the discovered NF instance, etc. The scope and expires_in may be equivalent to the corresponding claims in the JWT access token from step 704. The scope field may include all the services that the NF Service Consumer 402 is authorized to access), wherein:
the access token is used by the by the requesting entity to access any of the other requesting entity involved in the procedure ([0038] - For example, the network elements/functions 202 and 204 may represent NF Service Consumers, NF Service Producers, Authorization Servers (e.g., NRFs), etc. which interact for service authorization as described in further detail herein and [0063] - The scope in the JWT access token indicates the authorized level of access for the NF Service Consumer. If needed, the scope will include NF services that the NF Service Consumer is authorized to access in the NF Service Producer and [0088]-[0090] - In some embodiments, the NRF 404 may restrict access to specific services in the NF Service Producer 406. In such cases, the NRF 404 in step 704 may include an authorized set of services in a separate claim (e.g., the scope) in the JWT access token... The scope field mav include all the services that the NF Service Consumer 402 is authorized to access and [0092] - The access token is included in an API that is invoked by the NF Service Consumer 402 to access one or more NFs of the NF Service Producer 406).),
the access token is used to access procedure between any of the two requesting entities ([0038] - For example, the network elements/functions 202 and 204 may represent NF Service Consumers, NF Service Producers, Authorization Servers (e.g., NRFs), etc. which interact for service authorization as described in further detail herein and [0063] - The scope in the JWT access token indicates the authorized level of access for the NF Service Consumer. If needed, the scope will include NF services that the NF Service Consumer is authorized to access in the NF Service Producer and [0088]-[0090] - In some embodiments, the NRF 404 may restrict access to specific services in the NF Service Producer 406. In such cases, the NRF 404 in step 704 may include an authorized set of services in a separate claim (e.g., the scope) in the JWT access token... The scope field mav include all the services that the NF Service Consumer 402 is authorized to access and [0092] - The access token is included in an API that is invoked by the NF Service Consumer 402 to access one or more NFs of the NF Service Producer 406),
the access token further comprises one or more claims indicating the accessible NFs ([0059] - JWT may be used with the OAuth 2.0 authorization framework, as will be described with reference to the OAuth 2.0 client credentials flow of FIG. 4. Step 1 of FIG. 4 may proceed in the manner described above. In step 2 of FIG. 4, a signed or encrypted JSON Web Token or JWT is returned by the authorization server 404 as the access token. The claims in the JWT contain information required for the API resource server 406 to identify the client 402, scope of access, duration, etc. and [0063] - The scope in the JWT access token indicates the authorized level of access for the NF Service Consumer. If needed, the scope will include NF services that the NF Service Consumer is authorized to access in the NF Service Producer. The NF Service Consumer presents the obtained JWT to the NF Service Producer when requesting access to a service provided by the NF Service Producer and [0092] - The access token is included in an API that is invoked by the NF Service Consumer 402 to access one or more NFs of the NF Service Producer 406 and [0094] - In step 802, the NF Service Producer 406 verifies the access token. Verifying the access token in some embodiments includes checking that the JWT is well formed, checking the signature of the JWT using the NRF 404's public key, validating the standard claims in the access token (e.g., the subject, expiration time, issuer, audience claims, etc.), and checking the client permissions (e.g., the scope in the access token)); and
the access token is verified by one or more other questing entities providing services to the requesting entity ([0037] - It is also to be noted that while FIG. 1 illustrates system elements as singular functional blocks, the various subnetworks that make up the 5G network are partitioned into so-called network slices. Network slices (network partitions) comprise a series of network function (NF) sets (i.e., function chains) for each corresponding service type using network function virtualization (NFV) on a common physical infrastructure and [0038] - For example, the network elements/functions 202 and 204 may represent NF Service Consumers, NF Service Producers, Authorization Servers (e.g., NRFs), etc. which interact for service authorization as described in further detail herein and [0053] - In 5G SBA, there are multiple NFs requesting services from each other. A service authorization framework is required that supports: (i) NF Service Consumer-NF Service Producer interactions; (ii) authentication of the NF Service Consumer that is requesting access to the service(s) of another NF (e.g., services of a NF Service Producer); (iii) obtaining authorization grants during Network Function Service discovery; (iv) using the obtained authorization grants during Network Function Service access; and (v) NF and Network Function Service registration and de-registration and [0063] - The scope in the JWT access token indicates the authorized level of access for the NF Service Consumer. If needed, the scope will include NF services that the NF Service Consumer is authorized to access in the NF Service Producer and [0088]-[0090] - In some embodiments, the NRF 404 may restrict access to specific services in the NF Service Producer 406. In such cases, the NRF 404 in step 704 may include an authorized set of services in a separate claim (e.g., the scope) in the JWT access token... The scope field mav include all the services that the NF Service Consumer 402 is authorized to access and [0092] - The access token is included in an API that is invoked by the NF Service Consumer 402 to access one or more NFs of the NF Service Producer 406 and [0094] - In step 802, the NF Service Producer 406 verifies the access token).
Bykampadi further teaches concepts of an expiration time for the access token and a scope of all the services that the NF Service Consumer is authorized to access (i.e., by another NF) ([0089]-[0090]); however, Bykampadi fails to explicitly disclose that the access token is reused by another NF in subsequent service requests.
However, in an analogous art, Malatesha teaches concepts of [a] access token is reused ...in subsequent service requests (Abstract and FIG. 4 and [0010] and [0027] and [0050]-[0052] - FIG. 4 depicts a flow diagram 400 of a process for reusing access tokens to access a network service. Although FIG. 4 is depicted and described in the context of access tokens, embodiments are not limited to access tokens and any type of access data may be used and [0055]).
Therefore, it would have been obvious to one of ordinarily skill in the art before the effective filing date of the claimed invention to combine the teachings of Malatesha to by another NF of Bykampadi to include concepts of [a] access token is reused ...in subsequent service requests.
One would have been motivated to combine the teachings of Malatesha to Bykampadi to do so as it provides / allows reducing the number of authentication processes that need to be performed by reusing access tokens (Malatesha, [0022]).
Regarding Clam 23;
Bykampadi and Malatesha discloses the method to Claim 22.
Bykampadi further discloses wherein the authorization server comprises a Network Repository Function (NRF) (FIG. 5-9 and [0061] - The Network Repository Function (NRF) plays the role of the OAuth Authorization server (e.g., authorization server 404 in FIG. 4) and [0086]-[0087] and [0093]-[0094].).
Regarding Clam 24;
Bykampadi and Malatesha discloses the method to Claim 22.
Bykampadi further discloses wherein the requesting entity comprises a NF consumer and/or producer (FIG. 8 – NF Service Consume rand and [0088]-[0089)
Regarding Clam 25;
Bykampadi and Malatesha discloses the method to Claim 22.
Bykampadi further discloses wherein sending the authorization response including the information authorizing access to the plurality of NF services comprises sending at least one token for authorizing access to the plurality of NF services (FIG. 5 and FIG. 7and FIG. 8 and [0088]-[0089] - The NRF 404 in step 702 authenticates the client NF Service Consumer 402 based on the provided client credentials. If the NF Service Consumer 402 is successfully authenticated, the NRF 404 in step 703 checks the stored NF profile information of the target NF and/or NF service to determine whether the access can be permitted to the NF type of the NF Service Consumer 402. If the requested service can be provided to the NF Service Consumer 402 of the declared type, the NRF 404 in step 704 generates a JWT based access token with appropriate claims included. The generated JWT is signed with the NRF 404's private key. The claims in the JWT access token include the identity of the NRF 404 (e.g., the issuer), the identity of the NF Service Consumer 402 (e.g., the subject), the identity of the NF instance that provides the requested service (e.g., the audience), the expiration time, etc. In some embodiments, the NRF 404 may restrict access to specific services in the NF Service Producer 406. In such cases, the NRF 404 in step 704 may include an authorized set of services in a separate claim (e.g., the scope) in the JWT access token and [0093]-[0094] - In step 800-1, the NF Service Consumer 402 registers with the NRF 404, such as using the message flow of FIG. 5 or FIG. 6. In step 800-2, the NF Service Consumer 402 discovers the target instance from the NRF 404 and obtains the access token to be used for authorization, such as using the message flow of FIG. 7).
Regarding Clam 27;
Bykampadi and Malatesha discloses the method to Claim 25.
Bykampadi further discloses wherein sending the authorization response comprises sending a plurality of tokens, each token for accessing a respective one of the plurality of NF services (FIG. 8 – NF Service Response and [0036] - For example, although only single elements/functions are shown in the FIG. 1 embodiment, this is for simplicity and clarity of description only. A given alternative embodiment may of course include larger numbers of such system elements, as well as additional or alternative elements of a type commonly associated with conventional system implementations and [0037] - It is also to be noted that while FIG. 1 illustrates system elements as singular functional blocks, the various subnetworks that make up the 5G network are partitioned into so-called network slices. Network slices (network partitions) comprise a series of network function (NF) sets (i.e., function chains) for each corresponding service type using network function virtualization (NFV) on a common physical infrastructure and [0063] - The scope in the JWT access token indicates the authorized level of access for the NF Service Consumer. If needed, the scope will include NF services that the NF Service Consumer is authorized to access in the NF Service Producer... NF Service Producers play the role of the OAuth resource server (e.g., resource server 406 in FIG. 4) and [0089]-[0090] - In some embodiments, the NRF 404 may restrict access to specific services in the NF Service Producer 406. In such cases, the NRF 404 in step 704 may include an authorized set of services in a separate claim (e.g., the scope) in the JWT access token... The scope field may include all the services that the NF Service Consumer 402 is authorized to access and [0093]-[0094] - In step 800-1, the NF Service Consumer 402 registers with the NRF 404, such as using the message flow of FIG. 5 or FIG. 6. In step 800-2, the NF Service Consumer 402 discovers the target instance from the NRF 404 and obtains the access token to be used for authorization, such as using the message flow of FIG. 7). As noted, a series of NF sets (i.e., subnetworks) for each corresponding service type can have different NF producers thus requiring a token for each specific service type and/or additionally each specific service type can have a series of network functions.
Regarding Clam 28;
Bykampadi and Malatesha discloses the method to Claim 27.
Bykampadi further discloses wherein at least one of the plurality of tokens provided to the requesting entity is to be provided by the requesting entity to one of a plurality of NF producers for use by that one NF producer to access another of the plurality of NF producers (FIG. 8 and [0036] - For example, although only single elements/functions are shown in the FIG. 1 embodiment, this is for simplicity and clarity of description only. A given alternative embodiment may of course include larger numbers of such system elements, as well as additional or alternative elements of a type commonly associated with conventional system implementations and [0037] - It is also to be noted that while FIG. 1 illustrates system elements as singular functional blocks, the various subnetworks that make up the 5G network are partitioned into so-called network slices. Network slices (network partitions) comprise a series of network function (NF) sets (i.e., function chains) for each corresponding service type using network function virtualization (NFV) on a common physical infrastructure and [0038] - For example, the network elements/functions 202 and 204 may represent NF Service Consumers, NF Service Producers, Authorization Servers (e.g., NRFs), etc. which interact for service authorization as described in further detail herein and [0053] - In 5G SBA, there are multiple NFs requesting services from each other. A service authorization framework is required that supports: (i) NF Service Consumer-NF Service Producer interactions; (ii) authentication of the NF Service Consumer that is requesting access to the service(s) of another NF (e.g., services of a NF Service Producer); (iii) obtaining authorization grants during Network Function Service discovery; (iv) using the obtained authorization grants during Network Function Service access; and (v) NF and Network Function Service registration and de-registration and [0063] - The scope in the JWT access token indicates the authorized level of access for the NF Service Consumer. If needed, the scope will include NF services that the NF Service Consumer is authorized to access in the NF Service Producer and [0088]-[0090] - In some embodiments, the NRF 404 may restrict access to specific services in the NF Service Producer 406. In such cases, the NRF 404 in step 704 may include an authorized set of services in a separate claim (e.g., the scope) in the JWT access token... The scope field mav include all the services that the NF Service Consumer 402 is authorized to access and [0092] - The access token is included in an API that is invoked by the NF Service Consumer 402 to access one or more NFs of the NF Service Producer 406) As noted, NFs request services from each other thus a service authorization framework is required that supports: (i) NF Service Consumer-NF Service Producer interactions; (ii) authentication of the NF Service Consumer that is requesting access to the service(s) of another NF (e.g., services of a NF Service Producer).
Regarding Clam 29;
Bykampadi and Malatesha discloses the method to Claim 25.
Bykampadi further discloses further comprising sending at least one additional token for authorizing access to one of the plurality of NF services (FIG. 8 – NF Service Response and [0036] - For example, although only single elements/functions are shown in the FIG. 1 embodiment, this is for simplicity and clarity of description only. A given alternative embodiment may of course include larger numbers of such system elements, as well as additional or alternative elements of a type commonly associated with conventional system implementations and [0037] - It is also to be noted that while FIG. 1 illustrates system elements as singular functional blocks, the various subnetworks that make up the 5G network are partitioned into so-called network slices. Network slices (network partitions) comprise a series of network function (NF) sets (i.e., function chains) for each corresponding service type using network function virtualization (NFV) on a common physical infrastructure and [0063] - The scope in the JWT access token indicates the authorized level of access for the NF Service Consumer. If needed, the scope will include NF services that the NF Service Consumer is authorized to access in the NF Service Producer... NF Service Producers play the role of the OAuth resource server (e.g., resource server 406 in FIG. 4) and [0089]-[0090] - In some embodiments, the NRF 404 may restrict access to specific services in the NF Service Producer 406. In such cases, the NRF 404 in step 704 may include an authorized set of services in a separate claim (e.g., the scope) in the JWT access token... The scope field may include all the services that the NF Service Consumer 402 is authorized to access and [0093]-[0094] - In step 800-1, the NF Service Consumer 402 registers with the NRF 404, such as using the message flow of FIG. 5 or FIG. 6. In step 800-2, the NF Service Consumer 402 discovers the target instance from the NRF 404 and obtains the access token to be used for authorization, such as using the message flow of FIG. 7). As noted, a series of NF sets (i.e., subnetworks) for each corresponding service type can have different NF producers thus requiring a token for each specific service type and/or additionally each specific service type can have a series of network functions.
Claim(s) 30, 31, 38, 39 is/are rejected under 35 U.S.C. 103 as being unpatentable over Bykampadi et al. (US 2019/0251241 A1) in view of Malatesha et al. (US 2017/0111338 A1) and further in view of Bykampadi et al. (US 2019/0253894 A1) (hereinafter Bykampadi ‘894).
Regarding Claim 30;
Bykampadi and Malatesha discloses the method to Claim 22.
Bykampadi and Malatesha fails to explicitly disclose determining that the requesting entity is a roaming entity, and, upon a determination that the requesting entity is a roaming entity: forwarding the authorization request to a second authorization server, the second authorization server being in a home network of the roaming entity; receiving a first authorization response from the second authorization server and wherein sending an authorization response to the requesting entity comprises sending, to the requesting entity, a second authorization response, the second authorization response including information authorizing access to the plurality of NF services.
However, in an analogous art, Bykampadi ‘894 teaches determining that the requesting entity is a roaming entity (FIG. 5 and FIG. 7 and FIG. 8 and [0051] - During roaming scenarios, the NF in a VPLMN (e.g., VPLMN 310) requests one or more services from a NF in the HPLMN (e.g., HPLMN 330). Therefore, service authorization procedures are required that check whether the NF Service Consumer in the VPLMN is permitted to access a requested NF Service Producer in the HPLMN for consuming a NF service), and, upon a determination that the requesting entity is a roaming entity (FIG. 7 - Authorization Server (vNRF)): forwarding the authorization request to a second authorization server (FIG. 7 – Authorization Server (hNRF)), the second authorization server being in a home network of the roaming entity (FIG. 7 - FIG. 7 – Authorization Server (hNRF) and FIG. 8 and [0051] - During roaming scenarios, the NF in a VPLMN (e.g., VPLMN 310) requests one or more services from a NF in the HPLMN (e.g., HPLMN 330). Therefore, service authorization procedures are required that check whether the NF Service Consumer in the VPLMN is permitted to access a requested NF Service Producer in the HPLMN for consuming a NF service and [0053] In 5G SBA, there are multiple NFs requesting services from each other. A service authorization framework is required that supports: (i) NF Service Consumer—NF Service Producer interactions when the two NFs are in different PLMNs (e.g., in roaming scenarios); (ii) authentication of the NF Service Consumer that is requesting access to the service(s) of another NF (e.g., services of a NF Service Producer) in a different PLMN; (iii) obtaining authorization grants during Network Function Service discovery that allow the NF Service Consumer to obtain service access of a NF in a different PLMN; (iv) using the obtained authorization grants during Network Function Service access; and (v) NF and Network Function Service registration and de-registration. In addition, a service authorization framework should be scalable for different network scenarios, including: (i) whether granularity of authorization is for a NF, or for each service within the NF; (ii) whether the granularity is per user; and (iii) whether authorization is time-based, has a duration associated with it, etc. and [0063] - NF Service Producers, which in the case of a roaming scenario are in the HPLMN, play the role of the OAuth resource server (e.g., resource server 406 in FIG. 4) and [0088]-[0091] - NF service discovery procedure between NFs and NRF in the same PLMN (e.g., such as in one of the HPLMN or VPLMN of FIG. 3) is defined in clause 4.17.4 of TS 23.502. It is used as the underlying procedure by the NF Service Consumer to obtain an access token from the NRF authorization server... The vNRF 404-1 (e.g., the local NRF for the NF Service Consumer 402) in step 702 authenticates the client NF Service Consumer 402 based on the provided client credentials. If the NF Service Consumer 402 is successfully authenticated, the vNRF 404-1 identifies the NRF in the HPLMN (i.e., hNRF 404-2) based on the home PLMN ID included in the Nnrf_NFDiscovery_Request received in step 701. The vNRF 404-1 then requests discovery from the hNRF 404-2 in step 703 by sending an Nnrf_NFDiscovery_Request to the hNRF 404-2. The vNRF 404-1 thus discovers with the hNRF 404-2 on behalf of the NF Service Consumer 402. The vNRF 404-1 forward parameters obtained from the NF Service Consumer 402, such as the NF Service Consumer type, etc. to the hNRF 404-2); receiving a first authorization response from the second authorization server (FIG. 7 – Nnrf_NFDisovery_Request and Nnrf_ NFDisovery__Request_Respone and [0093]-[0098] - The response message of step 706 may also include an expiration time (e.g., expires_in), an end point address for the discovered NF instance, etc. The scope and expires_in may be equivalent to the corresponding claims in the JWT access token from step 705. The scope field may include all the services that the NF Service Consumer 402 is authorized to access. In step 707, the vNRF 404-1 forwards the response message received in step 706 to the NF Service Consumer 402) and wherein sending an authorization response to the requesting entity comprises sending, to the requesting entity, a second authorization response, the second authorization response including information authorizing access to the plurality of NF services. (FIG. 5 and FIG. 7 and FIG. 8 and , a second authorization response, the second authorization response including information authorizing access to the plurality of NF services and [0093]-[0098] - If the requested service can be provided to the NF Service Consumer 402 of the declared type, the hNRF 404-2 in step 705 generates a JWT based access token with appropriate claims included. The generated JWT is signed with the hNRF 404-2's private key. The claims in the JWT access token include the identity of the hNRF 404-2 (e.g., the issuer), the identity of the NF Service Consumer 402 (e.g., the subject), the identity of the NF instance (e.g., NF Service Producer 406) that provides the requested service (e.g., the audience), the expiration time, etc. In some embodiments, the hNRF 404-2 may restrict access to specific services in the NF Service Producer 406. In such cases, the hNRF 404-2 in step 705 may include an authorized set of services in a separate claim (e.g., the scope) in the JWT access token. In step 706, the signed JWT access token is included in an Nnrf_NFDiscovery_Request response message that is sent from the hNRF 404-2 to the vNRF 404-1. The response message of step 706 may also include an expiration time (e.g., expires_in), an end point address for the discovered NF instance, etc. The scope and expires_in may be equivalent to the corresponding claims in the JWT access token from step 705. The scope field may include all the services that the NF Service Consumer 402 is authorized to access. In step 707, the vNRF 404-1 forwards the response message received in step 706 to the NF Service Consumer 402).
Therefore, it would have been obvious to one of ordinarily skill in the art before the effective filing date of the claimed invention to combine the teachings of Bykampadi ‘894 to the 5G communication system environment, see [0025] of Bykampadi and Malatesha to include determining that the requesting entity is a roaming entity, and, upon a determination that the requesting entity is a roaming entity: forwarding the authorization request to a second authorization server, the second authorization server being in a home network of the roaming entity; receiving a first authorization response from the second authorization server and wherein sending an authorization response to the requesting entity comprises sending, to the requesting entity, a second authorization response, the second authorization response including information authorizing access to the plurality of NF services.
One would have been motivated to combine the teachings of Bykampadi ‘894 to Bykampadi and Malatesha to do so as it provides / allows for increased network efficiency and/or subscriber convenience, security management issues for roaming service authorization for communication systems (Bykampadi ‘894, [0008] and [0013]).
Regarding Clam 31;
Bykampadi and Malatesha and Bykampadi ‘894 discloses the method to Claim 30.
Bykampadi ‘894 further teaches wherein at least one of the first authorization server and the second authorization server comprises a Network Repository Function (NRF) (FIG. 7 - Authorization Server (vNRF) and Authorization Server (hNRF)).
Similar rationale and motivation is noted for the combination of Bykampadi ‘894 to Bykampadi and Malatesha and Bykampadi ‘894, as per Claim 30, above.
Regarding Claim 38;
Bykampadi and Malatesha discloses the method to Claim 22.
Bykampadi and Malatesha fails to explicitly disclose generating the authorization response the authorization response including information authorizing access to at least one NF service; and determining that the requesting entity is a second authorization server, the second authorization server being in a visited network, and, upon a determination that the requesting entity is a second authorization server in a visited network, sending the authorization response to the requesting entity comprises sending the authorization response to the second authorization server in the visited network.
However, in an analogous art, Bykampadi ‘894 teaches generating the authorization response the authorization response including information authorizing access to at least one NF service (FIG. 5 and FIG. 7 and FIG. 8 and , a second authorization response, the second authorization response including information authorizing access to the plurality of NF services and [0093]-[0098] - If the requested service can be provided to the NF Service Consumer 402 of the declared type, the hNRF 404-2 in step 705 generates a JWT based access token with appropriate claims included. The generated JWT is signed with the hNRF 404-2's private key. The claims in the JWT access token include the identity of the hNRF 404-2 (e.g., the issuer), the identity of the NF Service Consumer 402 (e.g., the subject), the identity of the NF instance (e.g., NF Service Producer 406) that provides the requested service (e.g., the audience), the expiration time, etc. In some embodiments, the hNRF 404-2 may restrict access to specific services in the NF Service Producer 406. In such cases, the hNRF 404-2 in step 705 may include an authorized set of services in a separate claim (e.g., the scope) in the JWT access token. In step 706, the signed JWT access token is included in an Nnrf_NFDiscovery_Request response message that is sent from the hNRF 404-2 to the vNRF 404-1. The response message of step 706 may also include an expiration time (e.g., expires_in), an end point address for the discovered NF instance, etc. The scope and expires_in may be equivalent to the corresponding claims in the JWT access token from step 705. The scope field may include all the services that the NF Service Consumer 402 is authorized to access. In step 707, the vNRF 404-1 forwards the response message received in step 706 to the NF Service Consumer 402); and determining that the requesting entity is a second authorization server, the second authorization server being in a visited network, and, upon a determination that the requesting entity is a second authorization server in a visited network, sending the authorization response to the requesting entity comprises sending the authorization response to the second authorization server in the visited network (FIG. 5 and FIG. 7 and FIG. 8 and , a second authorization response, the second authorization response including information authorizing access to the plurality of NF services and [0093]-[0098] - If the requested service can be provided to the NF Service Consumer 402 of the declared type, the hNRF 404-2 in step 705 generates a JWT based access token with appropriate claims included. The generated JWT is signed with the hNRF 404-2's private key. The claims in the JWT access token include the identity of the hNRF 404-2 (e.g., the issuer), the identity of the NF Service Consumer 402 (e.g., the subject), the identity of the NF instance (e.g., NF Service Producer 406) that provides the requested service (e.g., the audience), the expiration time, etc. In some embodiments, the hNRF 404-2 may restrict access to specific services in the NF Service Producer 406. In such cases, the hNRF 404-2 in step 705 may include an authorized set of services in a separate claim (e.g., the scope) in the JWT access token. In step 706, the signed JWT access token is included in an Nnrf_NFDiscovery_Request response message that is sent from the hNRF 404-2 to the vNRF 404-1. The response message of step 706 may also include an expiration time (e.g., expires_in), an end point address for the discovered NF instance, etc. The scope and expires_in may be equivalent to the corresponding claims in the JWT access token from step 705. The scope field may include all the services that the NF Service Consumer 402 is authorized to access. In step 707, the vNRF 404-1 forwards the response message received in step 706 to the NF Service Consumer 402).
Therefore, it would have been obvious to one of ordinarily skill in the art before the effective filing date of the claimed invention to combine the teachings of Bykampadi ‘894 to the 5G communication system environment, see [0025] of Bykampadi and Malatesha to include generating the authorization response the authorization response including information authorizing access to at least one NF service; and determining that the requesting entity is a second authorization server, the second authorization server being in a visited network, and, upon a determination that the requesting entity is a second authorization server in a visited network, sending the authorization response to the requesting entity comprises sending the authorization response to the second authorization server in the visited network.
One would have been motivated to combine the teachings of Bykampadi ‘894 to Bykampadi and Malatesha to do so as it provides / allows for increased network efficiency and/or subscriber convenience, security management issues for roaming service authorization for communication systems (Bykampadi ‘894, [0008] and [0013]).
Regarding Clam 39;
Bykampadi and Malatesha and Bykampadi ‘894 discloses the method to Claim 38.
Bykampadi ‘894 further teaches wherein at least one of the first authorization server and the second authorization server comprises a Network Repository Function (NRF) (FIG. 7 - Authorization Server (vNRF) and Authorization Server (hNRF)).
Similar rationale and motivation is noted for the combination of Bykampadi ‘894 to Bykampadi and Malatesha and Bykampadi ‘894, as per Claim 38, above.
Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to KARI L SCHMIDT whose telephone number is (571)270-1385. The examiner can normally be reached Monday-Friday 10am - 6pm (MDT).
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu Pham can be reached at (571)270-5002. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/KARI L SCHMIDT/Primary Examiner, Art Unit 2439
Prosecution Insights