Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection. Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114. Applicant's submission filed on 10/14/2025 has been entered.
Response to Amendments / Arguments
Regarding the rejection(s) of claims under 35 USC 103:
Applicant's arguments, filed 08/13/2025, have been fully considered and are persuasive. Therefore, the previous rejection has been withdrawn. However, upon further analysis, a rejection is maintained over Schincariol et al. (US 20190199782 A1) in view of Dalzell et al. (US 20120131660 A1) in further view of Larose et al. (US 20210084020 A1).
DETAILED ACTION
This is a reply to the arguments filed on 08/13/2025, in which claims 1-20 are pending. Claims 1, 8, and 15 are independent.
When making claim amendments, the applicant is encouraged to consider the references in their entireties, including those portions that have not been cited by the examiner and their equivalents as they may most broadly and appropriately apply to any particular anticipated claim amendments.
Claim Objections
Claim 1 is objected to. The claim recites "wherein the updated access token including at least one role of a user identified in the login request", which is objected to as introducing new matter not supported by the original disclosure.
The original specification discloses that access tokens may include user roles only "in embodiments wherein a specific tenant is considered" (paragraph [0046]), and describes a masking process that removes "permission information" from access tokens (paragraphs [0005], [0047]-[0048]). However, the specification does not clearly distinguish between permission information and role information, nor does it explicitly state that roles are preserved in the updated access token after masking. The limitation requiring that the updated access token "including at least one role" introduces subject matter that goes beyond what is disclosed in the original specification. The original disclosure suggests that the masking process affects the token content generally, and does not provide clear guidance that roles would be treated differently from permissions during this process.
This limitation appears to add new functionality or requirements not contemplated by the original disclosure, specifically the retention of role information in the masked/updated token, which constitutes new matter that cannot be added to the application after filing.
The applicant should consider the following changes: remove the limitation entirely, modify the limitation to be consistent with the disclosure, or add appropriate disclosure to the specification that clearly distinguishes between permission information and role information.
Independent claims 8 and 15 are objected to under a similar rationale. Dependent claims are further objected to by virtue of their dependency on the independent claims.
Claim Rejections - 35 USC § 112
The following is a quotation of the first paragraph of 35 U.S.C. 112(a):
(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.
The following is a quotation of the first paragraph of pre-AIA 35 U.S.C. 112:
The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor of carrying out his invention.
Claims 1-20 are rejected under 35 U.S.C. 112(a) as failing to comply with the written description requirement. Specifically, claim limitation "wherein the updated access token including at least one role of a user identified in the login request" lacks adequate written description support in the specification. The specification fails to clearly disclose that roles are retained in the updated/masked access token after the permission masking process. Paragraph [0047] indicates that "a token session state and permissions for the access token" are stored in the distributed cache, and paragraph [0048] describes masking "the permissions" from the access token. The specification does not explicitly distinguish between permission information (which is masked/removed) and role information (which would be retained), nor does it provide adequate description showing that roles remain in the updated access token after the masking process. The fact that the original token "may include" user roles in specific tenant scenarios does not provide sufficient written description for the positive claim limitation that the updated token "including at least one role."
Dependent claims are rejected under similar rationale.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Schincariol et al. (US 20190199782 A1, referred to as Schincariol), in view of Dalzell et al. (US 20120131660 A1, referred to as Dalzell) in further view of Larose et al. (US 20210084020 A1, referred to as Larose).
In reference to claim 1, A method, performed by at least one processor, for authorizing a client application to access resources using a distributed cache, the method comprising: receiving, from the client application, a login request at an identity management (IDM) tool (Schincariol: [0034] Provides for the IDM system receiving a login request containing user credentials from a client application.)
Providing, by the IDM tool to the distributed cache, a token session state of a first access token and permission information of the first access token (Schincariol: [0037]-[0039] Provides for the IDM system providing the access token and associated roles (permission information) to the data storage system, which includes a cache; see [0056], the cache used to store identity information may be distributed.)
Receiving, at an application programming interface (API) gateway from the client application, a service request comprising an updated access token (Schincariol: [0022]-[0026] Provides for proxy nodes receiving requests with an access token from the client application.) Validating the updated access token using the distributed cache (Schincariol: [0026]-[0027] Provides for validating the access token using the cache within the data storage system.)
Providing a response to the client application based on the validation (Schincariol: [0027]-[0040] Provides for a response (the requested information) being provided to the client application based on the validation of the access token.) Schincariol does not explicitly teach that the updated access token is an access token in which the permission information is masked. However, Dalzell discloses:
Masking the permission information from the first access token and providing an updated access token to the client application with the permission information masked, and wherein the updated token excludes any permission information (Dalzell: [0003] and [0023]-[0026] Provides for generating a separate, smaller "identity claim" that excludes the full claims/permissions.)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Schincariol, which provides a method for authorizing client applications to access resources using distributed cache-based token validation with permission information, with the teachings of Dalzell, which introduces masking permission information from access tokens and providing updated tokens with excluded permission details. One of ordinary skill in the art would recognize the ability to incorporate Dalzell's permission masking technique into Schincariol's authentication system to reduce token size and improve efficiency. One of ordinary skill in the art would be motivated to make this modification in order to reduce bandwidth consumption by transmitting smaller tokens without full permission information.
Schincariol in view of Dalzell do not explicitly disclose wherein the updated access token includes at least one role of a user identified in the login request. However, Larose teaches:
Wherein the updated access token including at least one role of a user identified in the login request (Larose: [0009], [0049], [0070] Provides that the access token includes the user's identity and their authorization roles.)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Schincariol in view of Dalzell, which together provide a method for authorizing client applications using masked access tokens with distributed cache validation, with the teachings of Larose, which introduces including user roles in access tokens alongside user identity information. One of ordinary skill in the art would recognize the ability to incorporate Larose's role-based token structure into the combined authentication system to maintain essential authorization information even in masked tokens. One of ordinary skill in the art would be motivated to make this modification in order to enable basic authorization decisions at the API gateway without requiring cache lookups for every request.
In reference to claim 2, The method of claim 1, wherein the validating the updated access token comprises determining that a token signature, a token expiration, and a token session state of the updated access token are valid (Schincariol: [0027] and [0036]-[0037] Provides for validating aspects of the access token, including checking its validity and verifying a digital signature.)
In reference to claim 3, The method of claim 2, wherein the validating the updated access token further comprises checking the permission information for the updated access token in the distributed cache in response to determining that the token signature, the token expiration, and the token session state of the access token are valid (Schincariol: [0027] and [0037]-[0039] Provides for checking the validity of the access token, then retrieving associated roles (permission information) from the cache.)
In reference to claim 4, The method of claim 1, wherein the providing the response to the client application comprises: in response to determining the permission information exists in the distributed cache, forwarding the service request to a microservice; and processing the service request at the microservice (Schincariol: [0021]-[0022] and [0039]-[0040] Provides for a system where a proxy server component handles client requests, validates access tokens using cached permission information, and retrieves data from storage nodes. The proxy server determines the appropriate storage node that holds the requested information after validating permissions. )
In reference to claim 5, The method of claim 4, wherein the processing the service request at the microservice comprises: identifying whether the microservice comprises resources corresponding to the service request; and providing a service response from the microservice to the API gateway based on the identifying (Schincariol: [0022] and [0039]-[0040] Provides for, after validating permissions, the proxy server component identifying the appropriate storage node that contains the requested information. The storage nodes store data and respond to requests by providing the data to the proxy server component, which then forwards it to the client.)
In reference to claim 6, The method of claim 1, further comprising: revoking the login request in response to determining that at least one of the token signature, the token expiration, and the token session state are invalid (Schincariol: [0027] and [0043]-[0044] Provides for preventing the user from accessing resources when the token signature, expiration, or session state are invalid.)
In reference to claim 7, The method of claim 6, further comprising sending an error message to the client application in response to determining that at least one of the token signature, the token expiration, and the token session state are invalid (Schincariol: [0044] Provides for a process where, after determining that the user is not authorized to access the information, the system notifies the user that access has been denied. This notification corresponds to sending an error message to the client application.)
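The following is an added, self-contained Python illustration of the token flow recited in claims 1-7 (IDM issues a token, stores session state and permission information in a distributed cache, returns a masked token that keeps roles but drops permissions; the API gateway checks signature, expiration and session state, then looks the permissions up in the cache before forwarding or rejecting). It is not code from the application or from any of the cited references. The HMAC-SHA256 signing scheme, the in-memory dictionary standing in for the distributed cache, and all names, keys and sample values are assumptions constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed signing key and in-memory stand-in for the distributed cache
# (hypothetical; a deployment would use a KMS/HSM-held key and a shared cache).
SIGNING_KEY = b"constructed-example-key-do-not-reuse"
DISTRIBUTED_CACHE = {}  # session_id -> {"state": str, "permissions": set}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(claims: dict) -> str:
    """Serialise the claims and append an HMAC-SHA256 tag (compact, JWS-like form)."""
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    tag = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(tag)}"


def verify_signature(token: str):
    """Return the claims if the tag verifies (constant-time compare), else None."""
    try:
        body, tag = token.split(".")
        expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(tag)):
            return None
        return json.loads(_unb64(body))
    except ValueError:  # malformed token, bad base64 or bad JSON
        return None


def idm_login(user: str, roles: list, permissions: set, ttl: int = 300, now=None) -> str:
    """IDM step: build the first access token, push its session state and
    permission information to the cache, and hand back the masked token."""
    now = time.time() if now is None else now
    session_id = hashlib.sha256(f"{user}:{now}".encode()).hexdigest()[:16]
    first_claims = {"sub": user, "roles": roles, "permissions": sorted(permissions),
                    "sid": session_id, "exp": now + ttl}
    first_token = sign_token(first_claims)  # stays inside the IDM boundary
    DISTRIBUTED_CACHE[session_id] = {"state": "active", "permissions": set(permissions)}
    # Masking: the permission claim is removed; identity and roles are retained.
    masked_claims = {k: v for k, v in first_claims.items() if k != "permissions"}
    return sign_token(masked_claims)


def gateway_validate(token: str, required_permission: str, now=None) -> dict:
    """API gateway step: signature, expiration and session state first; only
    then is the permission information consulted in the cache."""
    now = time.time() if now is None else now
    claims = verify_signature(token)
    if claims is None:
        return {"status": 401, "error": "invalid signature"}
    if claims["exp"] <= now:
        return {"status": 401, "error": "token expired"}
    entry = DISTRIBUTED_CACHE.get(claims["sid"])
    if entry is None or entry["state"] != "active":
        return {"status": 401, "error": "session not active"}
    # The token carries no permissions; the cache is the authority for them.
    if required_permission not in entry["permissions"]:
        return {"status": 403, "error": "permission denied"}
    return {"status": 200, "forward_to": "microservice",
            "sub": claims["sub"], "roles": claims["roles"]}


def revoke_session(token: str) -> bool:
    """Revocation: flip the cached session state so later requests fail the
    session-state check even though the token's signature is still valid."""
    claims = verify_signature(token)
    if claims is None or claims["sid"] not in DISTRIBUTED_CACHE:
        return False
    DISTRIBUTED_CACHE[claims["sid"]]["state"] = "revoked"
    return True


if __name__ == "__main__":
    masked = idm_login("alice", ["viewer"], {"orders:read"}, now=1000.0)
    print(verify_signature(masked))            # roles present, permissions absent
    print(gateway_validate(masked, "orders:read", now=1001.0))
    print(gateway_validate(masked, "orders:write", now=1001.0))
    revoke_session(masked)
    print(gateway_validate(masked, "orders:read", now=1001.0))
```

The ordering in gateway_validate mirrors claims 2 and 3: the cheap local checks (signature, expiration, cached session state) gate the permission lookup, and a revoked session is rejected before any permission data is consulted. The masked token shows the distinction at issue in the written-description discussion above: the role claim survives masking while the permission claim does not.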
In reference to claim 8, An apparatus for authorizing a client application to access resources using a distributed cache, the apparatus comprising: a memory storing instructions; and at least one processor configured to execute the instructions to: receive, from the client application, a login request at an identity management (IDM) tool (Schincariol: [0034] Provides for the IDM system receiving a login request containing user credentials from a client application.)
Provide, by the IDM tool to the distributed cache, a token session state of a first access token and permission information of the first access token (Schincariol: [0034] Provides for the IDM system receiving a login request containing user credentials from a client application.)
Receive, at an application programming interface (API) gateway from the client application, a service request comprising an updated access token (Schincariol: [0022]-[0026] Provides for proxy nodes receiving requests with an access token from the client application.) Validate the updated access token using the distributed cache (Schincariol: [0026]-[0027] Provides for validating the access token using the cache within the data storage system.)
Provide a response to the client application based on the validation (Schincariol: [0027]-[0040] Provides for a response (the requested information) being provided to the client application based on the validation of the access token.) Schincariol does not explicitly teach that the updated access token is an access token in which the permission information is masked. However, Dalzell discloses:
Masking the permission information from the first access token and providing an updated access token to the client application with the permission information masked, and wherein the updated token excludes any permission information (Dalzell: [0003] and [0023]-[0026] Provides for generating a separate, smaller "identity claim" that excludes the full claims/permissions.)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Schincariol, which provides a method for authorizing client applications to access resources using distributed cache-based token validation with permission information, with the teachings of Dalzell, which introduces masking permission information from access tokens and providing updated tokens with excluded permission details. One of ordinary skill in the art would recognize the ability to incorporate Dalzell's permission masking technique into Schincariol's authentication system to reduce token size and improve efficiency. One of ordinary skill in the art would be motivated to make this modification in order to reduce bandwidth consumption by transmitting smaller tokens without full permission information.
Schincariol in view of Dalzell do not explicitly disclose wherein the updated access token includes at least one role of a user identified in the login request. However, Larose teaches:
Wherein the updated access token including at least one role of a user identified in the login request (Larose: [0009], [0049], [0070] Provides that the access token includes the user's identity and their authorization roles.)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Schincariol in view of Dalzell, which together provide a method for authorizing client applications using masked access tokens with distributed cache validation, with the teachings of Larose, which introduces including user roles in access tokens alongside user identity information. One of ordinary skill in the art would recognize the ability to incorporate Larose's role-based token structure into the combined authentication system to maintain essential authorization information even in masked tokens. One of ordinary skill in the art would be motivated to make this modification in order to enable basic authorization decisions at the API gateway without requiring cache lookups for every request.
In reference to claim 9, The apparatus of claim 8, wherein the validating the updated access token comprises determining that a token signature, a token expiration, and a token session state of the updated access token are valid. (Schincariol: [0027] and [0036]-[0037] Provides for validating aspects of the access token, including checking its validity and verifying a digital signature.)
In reference to claim 10, The apparatus of claim 9, wherein the validating the updated access token further comprises checking the permission information for the updated access token in the distributed cache in response to determining that the token signature, the token expiration, and the token session state of the access token are valid (Schincariol: [0027] and [0037]-[0039] Provides for checking the validity of the access token, then retrieving associated roles (permission information) from the cache.)
In reference to claim 11, The apparatus of claim 8, wherein the providing the response to the client application comprises: in response to determining the permission information exists in the distributed cache, forwarding the service request to a microservice; and processing the service request at the microservice (Schincariol: [0021]-[0022] and [0039]-[0040] Provides for a system where a proxy server component handles client requests, validates access tokens using cached permission information, and retrieves data from storage nodes. The proxy server determines the appropriate storage node that holds the requested information after validating permissions.)
In reference to claim 12, The apparatus of claim 11, wherein the at least one processor is further configured to process the service request at the microservice to: identify whether the microservice comprises resources corresponding to the service request; and provide a service response from the microservice to the API gateway based on the identifying (Schincariol: [0022] and [0039]-[0040] Provides for, after validating permissions, the proxy server component identifying the appropriate storage node that contains the requested information. The storage nodes store data and respond to requests by providing the data to the proxy server component, which then forwards it to the client.)
In reference to claim 13, The apparatus of claim 8, wherein the at least one processor is further configured to: revoke the login request in response to determining that at least one of the token signature, the token expiration, and the token session state are invalid (Schincariol: [0027] and [0043]-[0044] Provides for preventing the user from accessing resources when the token signature, expiration, or session state are invalid.)
In reference to claim 14, The apparatus of claim 13, wherein the at least one processor is further configured to send an error message to the client application in response to determining that at least one of the token signature, the token expiration, and the token session state are invalid (Schincariol: [0044] Provides for a process where, after determining that the user is not authorized to access the information, the system notifies the user that access has been denied. This notification corresponds to sending an error message to the client application.)
In reference to claim 15, A non-transitory computer-readable recording medium having recorded thereon instructions executable by at least one processor to perform a method of authorizing a client application to access resources using a distributed cache, the method comprising: receiving, from the client application, a login request at an identity management (IDM) tool (Schincariol: [0034] Provides for the IDM system receiving a login request containing user credentials from a client application.)
Providing, by the IDM tool to the distributed cache, a token session state of a first access token and permission information of the first access token (Schincariol: [0037]-[0039] Provides for the IDM system providing the access token and associated roles (permission information) to the data storage system, which includes a cache.)
Receiving, at an application programming interface (API) gateway from the client application, a service request comprising an updated access token (Schincariol: [0022]-[0026] Provides for proxy nodes receiving requests with an access token from the client application.) Validating the updated access token using the distributed cache (Schincariol: [0026]-[0027] Provides for validating the access token using the cache within the data storage system.)
Providing a response to the client application based on the validation (Schincariol: [0027]-[0040] Provides for a response (the requested information) being provided to the client application based on the validation of the access token.) Schincariol does not explicitly teach that the updated access token is an access token in which the permission information is masked. However, Dalzell discloses:
Masking the permission information from the first access token and providing an updated access token to the client application with the permission information masked, and wherein the updated token excludes any permission information (Dalzell: [0003] and [0023]-[0026] Provides for generating a separate, smaller "identity claim" that excludes the full claims/permissions.)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Schincariol, which provides a method for authorizing client applications to access resources using distributed cache-based token validation with permission information, with the teachings of Dalzell, which introduces masking permission information from access tokens and providing updated tokens with excluded permission details. One of ordinary skill in the art would recognize the ability to incorporate Dalzell's permission masking technique into Schincariol's authentication system to reduce token size and improve efficiency. One of ordinary skill in the art would be motivated to make this modification in order to reduce bandwidth consumption by transmitting smaller tokens without full permission information.
Schincariol in view of Dalzell do not explicitly disclose wherein the updated access token includes at least one role of a user identified in the login request. However, Larose teaches:
Wherein the updated access token including at least one role of a user identified in the login request (Larose: [0009], [0049], [0070] Provides that the access token includes the user's identity and their authorization roles.)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Schincariol in view of Dalzell, which together provide a method for authorizing client applications using masked access tokens with distributed cache validation, with the teachings of Larose, which introduces including user roles in access tokens alongside user identity information. One of ordinary skill in the art would recognize the ability to incorporate Larose's role-based token structure into the combined authentication system to maintain essential authorization information even in masked tokens. One of ordinary skill in the art would be motivated to make this modification in order to enable basic authorization decisions at the API gateway without requiring cache lookups for every request.
In reference to claim 16, The non-transitory computer-readable recording medium as claimed in claim 15, wherein the validating the updated access token comprises determining that a token signature, a token expiration, and a token session state of the updated access token are valid (Schincariol: [0027] and [0036]-[0037] Provides for validating aspects of the access token, including checking its validity and verifying a digital signature.)
In reference to claim 17, The non-transitory computer-readable recording medium as claimed in claim 16, wherein the validating the updated access token further comprises checking the permission information for the updated access token in the distributed cache in response to determining that the token signature, the token expiration, and the token session state of the access token are valid (Schincariol: [0027] and [0037]-[0039] Provides for checking the validity of the access token, then retrieving associated roles (permission information) from the cache.)
In reference to claim 18, The non-transitory computer-readable recording medium as claimed in claim 15, wherein the providing the response to the client application comprises: in response to determining the permission information exists in the distributed cache, forwarding the service request to a microservice; and processing the service request at the microservice (Schincariol: [0021]-[0022] and [0039]-[0040] Provides for a system where a proxy server component handles client requests, validates access tokens using cached permission information, and retrieves data from storage nodes. The proxy server determines the appropriate storage node that holds the requested information after validating permissions.)
In reference to claim 19, The non-transitory computer-readable recording medium as claimed in claim 18, wherein the processing the service request at the microservice comprises: identifying whether the microservice comprises resources corresponding to the service request; and providing a service response from the microservice to the API gateway based on the identifying (Schincariol: [0022] and [0039]-[0040] Provides for, after validating permissions, the proxy server component identifying the appropriate storage node that contains the requested information. The storage nodes store data and respond to requests by providing the data to the proxy server component, which then forwards it to the client.)
In reference to claim 20, The non-transitory computer-readable recording medium as claimed in claim 15, further comprising: revoking the login request in response to determining that at least one of the token signature, the token expiration, and the token session state are invalid (Schincariol: [0027] and [0043]-[0044] Provides for preventing the user from accessing resources when the token signature, expiration, or session state are invalid.)
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. See PTO-892.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to AIDAN EDWARD SHAUGHNESSY whose telephone number is (703)756-1423. The examiner can normally be reached on Monday-Friday from 7:30am to 5pm.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey Nickerson, can be reached at telephone number (469) 295-9235. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from Patent Center and the Private Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from Patent Center or Private PAIR. Status information for unpublished applications is available through Patent Center and Private PAIR for authorized users only. Should you have questions about access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) Form at https://www.uspto.gov/patents/usptoautomated-interview-request-air-form.
/A.E.S./Examiner, Art Unit 2432
/SYED A ZAIDI/Primary Examiner, Art Unit 2432