DETAILED ACTION
This application has been examined. Claims 1,3-13,15-20 are pending. Claims 2,14 are cancelled.
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Making Final
Applicant's arguments filed 9/30/2025 have been fully considered but they are moot in view of the new grounds for rejection.
The claim amendments regarding -- ‘embedding, by the first computing system, the first token and the second token into a main token’ -- clearly change the literal scope of the independent and dependent claims and/or the range of equivalents for such claims. The said amendments alter the scope of the claims but do not overcome the disclosure by the prior art as shown below.
The Examiner is presenting new grounds for rejection as necessitated by the claim amendments and is thus making this action FINAL.
Response to Arguments
Applicant's arguments filed 9/30/2025 have been fully considered but they are moot in view of the new grounds for rejection.
The Applicant presents the following argument(s) [in italics]:
…Lee fails to describe that a first token and a second token are embedded in the main token. Rather, Lee describes that the linked service token is stored in association with the identity token… in Lee, the token used for performing interactions with an external service is linked to the identity token, and is not embedded in any tokens…
The Examiner respectfully disagrees with the Applicant.
While Sondhi-Lee substantially disclosed the claimed invention, Sondhi-Lee does not disclose (re. Claim 1)
embedding, by the first computing system, the first token and the second token into a main token; and sending, from the first computing system to the second computing system, the main token.
Choi Figure 4, Paragraph 56 disclosed embedding the biometric-based security at the certificate level.
Choi disclosed (re. Claim 1) embedding (Choi-Figure 4, Paragraph 56, embed the biometric-based security at the certificate level), by the first computing system, the first token and the second token into a main token; (Choi-Figure 4, Paragraph 68, To generate the first modified public key, the second party may concatenate the second public key signed with the second private key and the received first public key signed with the first private key. Consequently, the first modified public key may include the first public key and the second public key signed with the first private key and the second private key, respectively.)
and sending, from the first computing system to the second computing system, the main token including the first token and the second token embedded in the main token. (Choi-Paragraph 72, The second party may transmit the first modified public key to the third party)
Sondhi, Lee and Choi are analogous art because they present concepts and practices regarding provision of access tokens. Before the time of the effective filing date of the claimed invention it would have been obvious to combine Choi into Sondhi-Lee. The motivation for the said combination would have been to enable using biometric keys such that even if a user may be authenticated by the device or the OS, the public key or the authentication information may be signed with the private key only if the user is verified to be a legitimate owner of the certificate. In other words, the certificate itself may dictate which and/or how the biometric data should be used in order to be authorized to use the public and private keys generated from the certificate. (Choi-Paragraph 56)
Priority
The effective date of the claims described in this application is March 21, 2022.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 1, 3-4, 6-13, 15-16, 18-20 are rejected under 35 U.S.C. 103 as being unpatentable over Sondhi (USPGPUB 20160080361) further in view of Lee (USPGPUB 20220021677) further in view of Choi (USPGPUB 20220116231).
Regarding Claim 1
Sondhi Paragraph 46 disclosed wherein if client application 204 requests access to a particular resource (or a particular scope including that resource) from resource server 210, then resource server 210 may redirect the request to OAuth authorization server 220. OAuth authorization server 220 may invoke user consent orchestration 226 in order to ask resource owner 202 to verify that client application 204 should be granted access to the particular resource (or particular scope). User consent orchestration 226 indicates, to resource owner 202, the scope to which client application 204 is seeking access, and provides resource owner 202 with the opportunity to consent to or decline access of that scope. OAuth authorization server 220 may ask resource owner 220 to verify that client application 204 should be granted access specified by the particular scope (as indicated in resources & scopes registry 224), including the particular resource. In response to receiving consent from resource owner 202, OAuth authorization server 220 may generate an access token and store, in token-scope registry 222, a mapping between that access token and the particular scope. OAuth authorization server 220 can provide the access token to client application 204.
Sondhi disclosed (re. Claim 1) a method, comprising:
receiving, by a first computing system, a first message indicating that a resource owner has authorized a client application to access both (A) a first access-restricted resource controlled by the resource owner, and (B) a second access-restricted resource controlled by the resource owner; in response to the first message. (Sondhi-Paragraph 46, In response to receiving consent from resource owner 202, OAuth authorization server 220 may generate an access token and store, in token-scope registry 222, a mapping between that access token and the particular scope. OAuth authorization server 220 can provide the access token to client application 204.)
While Sondhi substantially disclosed the claimed invention, Sondhi does not disclose (re. Claim 1) authorizing a client application to make application programming interface (API) calls to both (A) a first access-restricted resource controlled by the resource owner, and (B) a second access-restricted resource controlled by the resource owner; in response to the first message.
While Sondhi substantially disclosed the claimed invention, Sondhi does not disclose (re. Claim 1) generating, by the first computing system, both (A) a first token that is configured to authenticate to a first API endpoint to access the first access-restricted resource but is not configured to authenticate to a second API endpoint to access the second access-restricted resource and (B) a second token that is configured to authenticate to the second API endpoint to access the second access-restricted resource but is not configured to authenticate to the first API endpoint to access the first access-restricted resource.
While Sondhi substantially disclosed the claimed invention, Sondhi does not disclose (re. Claim 1)
embedding, by the first computing system, the first token and the second token into a main token; and sending, from the first computing system to the second computing system, the main token.
Lee Figure 3, Figure 5, Paragraph 14, Paragraph 51 disclosed identity tokens that are associated with linked service tokens used in API access to external services. The linked service tokens are configuration elements used in authenticating API access to the external service. The linked service token for a subset of external services may be a secret key or token.
Lee Paragraph 69 disclosed wherein the identity token may function as a ‘keychain’ containing specific credentials/tokens or ‘keys’ (e.g., API authentication tokens or keys) for identification and utilization of the resource.
Lee disclosed (re. Claim 1) authorizing a client application to make application programming interface (API) calls (Lee-Paragraph 90, Paragraph 93, enable API interactions between a client device and the computing platform and wherein API translation layer 130 functions to facilitate the translation of instructions received during application service execution or other forms of execution)
Lee disclosed (re. Claim 1) generating, by the first computing system, both (A) a first token that is configured to authenticate to a first API endpoint to access the first access-restricted resource but is not configured to authenticate to a second API endpoint to access the second access-restricted resource, (Lee-Figure 5, Paragraph 38, configuring at least one linked service token (Sondhi20), and linking or associating the linked service token to the identity token) and (B) a second token that is configured to authenticate to the second API endpoint to access the second access-restricted resource but is not configured to authenticate to the first API endpoint to access the first access-restricted resource; (Lee-Figure 3, Figure 5, Paragraph 90, programmatically creating, configuring, and/or otherwise setting up identity tokens, linked service tokens) and
Sondhi and Lee are analogous art because they present concepts and practices regarding provision of access tokens. Before the time of the effective filing date of the claimed invention it would have been obvious to combine Lee into Sondhi. The motivation for the said combination would have been to enable a platform API service 114 that functions to enable API interactions between a client device and the computing platform and wherein API translation layer 130 functions to facilitate the translation of instructions received during application service execution or other forms of execution. (Lee-Paragraph 90,Paragraph 93)
Sondhi-Lee disclosed (re. Claim 1) sending, from the first computing system to a second computing system, (Sondhi-Paragraph 46, OAuth authorization server 220 can provide the access token to client application 204.) the first token and the second token to enable the second computing system to use the first token to make a first API call to the first API endpoint to access the first access-restricted resource, and to use the second token to make a second API call to the second API endpoint to access the second access-restricted resource. (Lee-Paragraph 19, the access tokens may be issued to the application computing platform. This may involve an authorization service issuing the access tokens with the approval of the external service.)
While Sondhi-Lee substantially disclosed the claimed invention, Sondhi-Lee does not disclose (re. Claim 1)
embedding, by the first computing system, the first token and the second token into a main token; and sending, from the first computing system to the second computing system, the main token.
Choi Figure 4, Paragraph 56 disclosed embedding the biometric-based security at the certificate level.
Choi disclosed (re. Claim 1) embedding (Choi-Figure 4, Paragraph 56, embed the biometric-based security at the certificate level), by the first computing system, the first token and the second token into a main token; (Choi-Figure 4, Paragraph 68, To generate the first modified public key, the second party may concatenate the second public key signed with the second private key and the received first public key signed with the first private key. Consequently, the first modified public key may include the first public key and the second public key signed with the first private key and the second private key, respectively.)
and sending, from the first computing system to the second computing system, the main token including the first token and the second token embedded in the main token. (Choi-Paragraph 72, The second party may transmit the first modified public key to the third party)
Sondhi, Lee and Choi are analogous art because they present concepts and practices regarding provision of access tokens. Before the time of the effective filing date of the claimed invention it would have been obvious to combine Choi into Sondhi-Lee. The motivation for the said combination would have been to enable using biometric keys such that even if a user may be authenticated by the device or the OS, the public key or the authentication information may be signed with the private key only if the user is verified to be a legitimate owner of the certificate. In other words, the certificate itself may dictate which and/or how the biometric data should be used in order to be authorized to use the public and private keys generated from the certificate. (Choi-Paragraph 56)
Regarding Claim 13
Claim 13 (re. system) recites substantially similar limitations as Claim 1. Claim 13 is rejected on the same basis as Claim 1.
Regarding Claim 20
Claim 20 (re. non-transitory computer readable medium) recites substantially similar limitations as Claim 1. Claim 20 is rejected on the same basis as Claim 1.
Regarding Claim 3,15
Sondhi-Lee-Choi disclosed (re. Claim 3,15) receiving, by the second computing system, the main token; extracting, by the second computing system, first data representing the first token from the main token to obtain a copy of the first token; (Sondhi-Paragraph 102, OAuth authorization server reads the value of the particular token attribute from the particular service profile )
and using, by the second computing system, the copy of the first token to make the first API call to the first API endpoint.(Lee-Figure 5)
Regarding Claim 4,16
Sondhi-Lee-Choi disclosed (re. Claim 4,16) configuring, by the first computing system, the main token to further enable the second computing system to use the main token to both (A) to authenticate to the first API endpoint to access the first access-restricted resource, and (B) to authenticate to the second API endpoint to access the second access-restricted resource.(Lee-Figure 5,Paragraph 93, using linked service tokens to authenticate the interactions.)
Regarding Claim 6,18
Sondhi-Lee-Choi disclosed (re. Claim 6,18) wherein: the second computing system comprises the client application; and sending the main token to the second computing system comprises sending the main token to the client application.(Lee-Paragraph 19, the access tokens may be issued to the application computing platform. This may involve an authorization service issuing the access tokens with the approval of the external service.)
Regarding Claim 7,19
Sondhi-Lee-Choi disclosed (re. Claim 7,19) receiving, by the client application, the main token; extracting, by the client application, (Sondhi-Paragraph 102, OAuth authorization server reads the value of the particular token attribute from the particular service profile) first data representing the first token from the main token to obtain a copy of the first token that is used to make the first API call; (Sondhi-Paragraph 45, for each such access token, OAuth authorization server 220 stores, in token-scope registry 222, a mapping between that access token and the particular scope (selected from among the scopes stored in resources & scope registry 224) that is assigned to that access token. Different access tokens for the same resource server may have different scopes assigned to them. Thus, when client application 204 presents an access token to OAuth authorization server 220, OAuth authorization server 220 may refer to token-scope registry 222 to determine the scope that is mapped to that access token, and then may refer to resources & scope registry 224 to determine the resources that are accessible within that scope.)
and using, by the client application, the copy of the first token to make the first API call to the first API endpoint. (Lee-Figure 5,Paragraph 93, using linked service tokens to authenticate the interactions.)
Regarding Claim 8
Sondhi-Lee-Choi disclosed (re. Claim 8) wherein the second computing system further comprises an API gateway, (Lee-Paragraph 96, the API translation layer 130 can include one or more API gateway service. An API gateway service functions as a connector API interface that facilitates API interactions) and the method further comprises: receiving, by the API gateway and from the client application, the main token; (Lee-Paragraph 19, the access tokens may be issued to the application computing platform. This may involve an authorization service issuing the access tokens with the approval of the external service.)
extracting, by the API gateway, (Sondhi-Paragraph 102, OAuth authorization server reads the value of the particular token attribute from the particular service profile ) first data representing the first token from the main token to obtain a copy of the first token that is used to make the first API call; and using, by the API gateway, the copy of the first token to make the first API call to the first API endpoint. (Lee-Figure 5,Paragraph 93, using linked service tokens to authenticate the interactions.)
Regarding Claim 9
Sondhi-Lee-Choi disclosed (re. Claim 9) wherein the second computing system comprises an API gateway, a token lookup service, and a storage medium accessible to the token lookup service, and the method further comprises: storing, in the storage medium, first data representing the first token and second data representing the second token;
receiving, by the API gateway and from the client application, a request to make the first API call to the first API endpoint; in response to the request, retrieving, by the token lookup service, the first data from the storage medium to obtain a copy of the first token that is used to make the first API call to the first API endpoint; and using, by the API gateway, the copy of the first token to make the first API call to the first API endpoint.(Sondhi-Paragraph 45, for each such access token, OAuth authorization server 220 stores, in token-scope registry 222, a mapping between that access token and the particular scope (selected from among the scopes stored in resources & scope registry 224) that is assigned to that access token. Different access tokens for the same resource server may have different scopes assigned to them. Thus, when client application 204 presents an access token to OAuth authorization server 220, OAuth authorization server 220 may refer to token-scope registry 222 to determine the scope that is mapped to that access token, and then may refer to resources & scope registry 224 to determine the resources that are accessible within that scope. )
Regarding Claim 10
Sondhi-Lee-Choi disclosed (re. Claim 10) wherein: storing the first data and the second data in the storage medium further comprises: embedding the first data representing the first token and the second data representing the second token into a main token, (Lee-Paragraph 69, the identity token may function as a ‘keychain’ containing specific credentials/tokens or ‘keys’ (e.g., API authentication tokens or keys) for identification and utilization of the resource.)
and
storing a copy of the main token in the storage medium; retrieving the first data from the storage medium further comprises: retrieving the copy of the main token from the storage medium on a first occasion, (Lee-Paragraph 23, linked service token can be securely stored within a database system of the identity management system and used only within the application computing platform, Paragraph 66, linked service tokens are preferably stored in a data system of the computing platform. The linked service token may be indexed and made queryable using the identity token.) and
extracting the first data representing the first token from the copy of the main token of the first occasion; (Sondhi-Paragraph 102, OAuth authorization server reads the value of the particular token attribute from the particular service profile ) and retrieving the second data from the storage medium comprises: retrieving the copy of the main token from the storage medium on a second occasion, and extracting the first token from the main token on the second occasion.(Sondhi-Paragraph 45, Different access tokens for the same resource server may have different scopes assigned to them. Thus, when client application 204 presents an access token to OAuth authorization server 220, OAuth authorization server 220 may refer to token-scope registry 222 to determine the scope that is mapped to that access token, and then may refer to resources & scope registry 224 to determine the resources that are accessible within that scope.)
Regarding Claim 11
Sondhi-Lee-Choi disclosed (re. Claim 11) wherein the first computing system further comprises an authorization service configured to generate the main token, and the method further comprises: sending, from the authorization service to the client application, an opaque token corresponding to the main token; (Lee-Paragraph 37, identity token is preferably a single alpha and/or numeric text token that can serve as a secret token.)
determining, by the API gateway and based at least in part on receipt of the opaque token from the client application on the first occasion, that the client application has requested that the first API call be made to the first access-restricted resource; and determining, by the API gateway and based at least in part on receipt of the opaque token from the client application on the second occasion, that the client application has requested that the second API call be made to the second access-restricted resource. (Sondhi-Paragraph 45, Different access tokens for the same resource server may have different scopes assigned to them. Thus, when client application 204 presents an access token to OAuth authorization server 220, OAuth authorization server 220 may refer to token-scope registry 222 to determine the scope that is mapped to that access token, and then may refer to resources & scope registry 224 to determine the resources that are accessible within that scope.)
Regarding Claim 12
Sondhi-Lee-Choi disclosed (re. Claim 12) wherein the first computing system further comprises an authorization service configured to generate the first token and the second token, and the method further comprises: sending, from the authorization service to the client application, an opaque token corresponding to each of the first token and the second token; (Lee-Paragraph 37, identity token is preferably a single alpha and/or numeric text token that can serve as a secret token.)
determining, by the API gateway and based at least in part on receipt of the opaque token from the client application on a first occasion, that the client application has requested that the first API call be made to the first access-restricted resource; and determining, by the API gateway and based at least in part on receipt of the opaque token from the client application on a second occasion, that the client application has requested that the second API call be made to the second access-restricted resource. (Sondhi-Paragraph 45, Different access tokens for the same resource server may have different scopes assigned to them. Thus, when client application 204 presents an access token to OAuth authorization server 220, OAuth authorization server 220 may refer to token-scope registry 222 to determine the scope that is mapped to that access token, and then may refer to resources & scope registry 224 to determine the resources that are accessible within that scope.)
Claims 5, 17 are rejected under 35 U.S.C. 103 as being unpatentable over Sondhi (USPGPUB 20160080361) further in view of Lee (USPGPUB 20220021677) further in view of Choi (USPGPUB 20220116231) further in view of Gu (USPGPUB 20210194847).
Regarding Claim 5,17
While Sondhi-Lee-Choi substantially disclosed the claimed invention, Sondhi-Lee-Choi does not disclose (re. Claim 5,17) generating the first token comprises adding a first signature to the first token that is based at least in part on content of the first token; generating the second token comprises adding a second signature to the second token that is based at least in part on content of the second token;
Gu Paragraph 20, Paragraph 247 disclosed an access key (AK) and a signature that is calculated by using an AK/secret access key (SK) with a signature algorithm, and the obtaining a second authentication token of the user includes decrypting the signature by using the signature algorithm, to obtain the second authentication token of the first user based on key information obtained after the decryption. Signature encryption and signature decryption are performed on the key information, thereby improving security of the cloud system.
Gu disclosed (re. Claim 5,17) generating the first token comprises adding a first signature to the first token that is based at least in part on content of the first token; (Gu-Paragraph 20, Paragraph 247, an access key (AK) and a signature that is calculated by using an AK/secret access key (SK) with a signature algorithm)
generating the second token comprises adding a second signature to the second token that is based at least in part on content of the second token; (Gu-Paragraph 20, Paragraph 247, an access key (AK) and a signature that is calculated by using an AK/secret access key (SK) with a signature algorithm)
Sondhi, Lee, Choi and Gu are analogous art because they present concepts and practices regarding provision of access tokens. Before the time of the effective filing date of the claimed invention it would have been obvious to combine Gu into Sondhi-Lee-Choi. The motivation for the said combination would have been to enable signature encryption and signature decryption to be performed on the key information, thereby improving security of the cloud system. (Gu-Paragraph 20)
Sondhi-Lee-Choi-Gu disclosed (re. Claim 5,17) configuring the main token comprises adding a third signature to the main token that is based at least in part on the first signature and the second signature. (Lee-Paragraph 19, signing messages using the linked service token in part, including the linked service token in part or whole in a bearer token.)
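The token structure addressed under Claim 1 and Claims 5, 17 above (two tokens, each bound to a single API endpoint and signed over its own content, embedded in a main token whose signature is based on the two inner signatures; the main token then unpacked by the receiving system to make one API call) is illustrated in the following Python sketch. This is an added example and is not code from the present application, from this Office action, or from any cited reference (Sondhi, Lee, Choi or Gu). The HMAC-SHA256 construction, the use of an audience field to bind each inner token to one endpoint, the key values, the endpoint URLs and the function names are assumptions made for illustration only.

```python
"""Added illustration of a 'main token' carrying two endpoint-bound tokens.
Not code from the application or any cited reference. HMAC-SHA256, the
'aud' binding, key values, endpoint URLs and names are assumptions."""
import base64
import hashlib
import hmac
import json
from typing import List, Optional

# Constructed demo keys (assumption); a real issuer would hold these in a KMS.
INNER_KEY = b"demo-inner-token-key"
MAIN_KEY = b"demo-main-token-key"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _canonical(payload: dict) -> str:
    # Stable encoding (sorted keys, no whitespace) so signatures are reproducible.
    return _b64(json.dumps(payload, sort_keys=True, separators=(",", ":")).encode())


def _sign(key: bytes, *parts: str) -> str:
    return _b64(hmac.new(key, "".join(parts).encode(), hashlib.sha256).digest())


def make_inner_token(subject: str, endpoint: str, scope: str) -> str:
    """First/second token: 'aud' names the only endpoint it authenticates to.
    The signature covers the token's own content (the first/second signature)."""
    content = _canonical({"sub": subject, "aud": endpoint, "scope": scope})
    return f"{content}.{_sign(INNER_KEY, content)}"


def make_main_token(inner_tokens: List[str]) -> str:
    """Embed the inner tokens; the outer (third) signature is computed over the
    embedded content together with the concatenated inner signatures."""
    content = _canonical({"tokens": inner_tokens})
    inner_sigs = "".join(t.split(".")[1] for t in inner_tokens)
    return f"{content}.{_sign(MAIN_KEY, content, inner_sigs)}"


def verify_inner(token: str, endpoint: str) -> Optional[dict]:
    """Endpoint-side check: the signature must verify AND 'aud' must name this
    endpoint, so the first token is rejected at the second endpoint and vice versa."""
    content, sig = token.split(".")
    if not hmac.compare_digest(sig, _sign(INNER_KEY, content)):
        return None
    payload = json.loads(_unb64(content))
    return payload if payload.get("aud") == endpoint else None


def main_token_is_valid(main_token: str) -> bool:
    """Recompute the outer signature from the embedded tokens' signatures."""
    content, sig = main_token.split(".")
    tokens = json.loads(_unb64(content))["tokens"]
    inner_sigs = "".join(t.split(".")[1] for t in tokens)
    return hmac.compare_digest(sig, _sign(MAIN_KEY, content, inner_sigs))


def extract_inner(main_token: str, endpoint: str) -> Optional[str]:
    """Receiving-system step: check the main token, then pull out the embedded
    token that authenticates to the endpoint about to be called."""
    if not main_token_is_valid(main_token):
        return None
    tokens = json.loads(_unb64(main_token.split(".")[0]))["tokens"]
    for t in tokens:
        if verify_inner(t, endpoint) is not None:
            return t
    return None


def replace_embedded_token(main_token: str, index: int, new_inner: str) -> str:
    """Attacker move: swap one embedded token but keep the old outer signature.
    Shows that the third signature detects substitution of an inner token."""
    content, sig = main_token.split(".")
    payload = json.loads(_unb64(content))
    payload["tokens"][index] = new_inner
    return f"{_canonical(payload)}.{sig}"


if __name__ == "__main__":
    # Constructed endpoints (assumption).
    MAIL, FILES = "https://api.example.test/mail", "https://api.example.test/files"
    t1 = make_inner_token("alice", MAIL, "mail.read")
    t2 = make_inner_token("alice", FILES, "files.read")
    main = make_main_token([t1, t2])
    print("mail token recovered from main token:", extract_inner(main, MAIL) == t1)
    print("mail token accepted at files endpoint:", verify_inner(t1, FILES) is not None)
    print("tampered main token valid:", main_token_is_valid(replace_embedded_token(main, 0, t2)))
```

The point of binding each inner token to one audience and of covering the inner signatures with the outer signature is that neither token can be presented to the other endpoint, and an embedded token cannot be swapped out after issuance without invalidating the main token.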
Conclusion
Examiner’s Note: In the case of amending the claimed invention, Applicant is respectfully requested to indicate the portion(s) of the specification which dictate(s) the structure relied on for proper interpretation and also to verify and ascertain the metes and bounds of the claimed invention.
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to GREG C BENGZON whose telephone number is (571)272-3944. The examiner can normally be reached on Monday - Friday 8 AM - 4:30 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, John Follansbee can be reached on (571) 272-3964. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/GREG C BENGZON/ Primary Examiner, Art Unit 2444