Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Response to Amendment
Applicant's submission filed on 1/6/2026 has been entered. Claims 1-20 are pending.
Response to Arguments
Applicant’s arguments with respect to claims 1-3, 5-13 and 15-20 have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 1-3, 5-13, and 15-20 are rejected under 35 U.S.C. 103 as being unpatentable over Medan et al. (US 10,951,661 hereinafter Medan) in view of Sharma et al. (US 11,086,643 hereinafter Sharma) and further in view of Miel et al. (US 2024/0250812 hereinafter Miel).
Regarding claim 1, Medan discloses a system for adjusting access parameters for an authorization token, the system comprising:
memory; and
one or more processors, coupled to the memory, configured to cause the system to perform operations comprising:
receiving an authorization request associated with a first authorization token for a user account (FIG. 1-6, col. 2, lines 17-21, col. 4, lines 5-16; i.e. receiving a request from a user associated with an authorized account to access the programming interfaces);
determining that access parameters for the first authorization token do not include resources associated with the authorization request (FIG. 1-6, col. 2, lines 17-21, col. 4, lines 5-16, col. 8, lines 19-45; i.e. determining based on the request parameters for the API that the publisher of the API intends that the client only be able to access a subset of the API while the client is entitled to access more API);
in response to determining to grant the authorization request, transmitting a response to the authorization request and processing a second set of features using a comprehensive model to generate a second degree of confidence (FIG. 1-6, col. 2, lines 17-21, col. 6, lines 26-34, col. 8, lines 19-45, col. 10, lines 33-59; i.e. the API host processes the request and determines whether the client is authorized to access more API than allowed), wherein the second degree of confidence indicates a likelihood of adjusting the access parameters for the first authorization token, and wherein the second set of features comprises approved and declined authorization requests associated with the user account;
using the second degree of confidence, determining to adjust the access parameters for the first authorization token to include the resources associated with the authorization request (FIG. 1-6, col. 2, lines 17-21, col. 6, lines 26-34, col. 8, lines 19-45, col. 10, lines 33-59; i.e. determining whether to modify or adjust the assertion to include the privilege information for the portions of the API that the client is authorized to access);
in response to determining to adjust the access parameters for the first authorization token, adjusting the access parameters for the first authorization token to include the resources associated with the authorization request (FIG. 1-6, col. 2, lines 17-21, col. 6, lines 26-34, col. 8, lines 19-45, col. 10, lines 33-59; i.e. the custom authorizer modifies or replaces the assertion to include privilege information for the portions of the API that the client is authorized to access); and
generating a notification to a user associated with the user account indicating the adjusted access parameters for the first authorization token (FIG. 1-6, col. 6, lines 26-34, col. 8, lines 19-45, col. 10, lines 33-59; i.e. notifying the client of the new authorized API).
Medan does not explicitly disclose processing, using a real time model, the authorization request and a first set of features to generate a first degree of confidence, wherein the first degree of confidence indicates a likelihood of adjusting access parameters for the first authorization token; determining by comparing the first degree of confidence to a threshold degree of confidence, to grant the authorization request; wherein the second degree of confidence indicates a likelihood of adjusting the access parameters for the first authorization token, and wherein the second set of features comprises approved and declined authorization requests associated with the user account.
However, Sharma discloses processing, using a real time model, the authorization request and a first set of features to generate a first degree of confidence, wherein the first degree of confidence indicates a likelihood of adjusting access parameters for the first authorization token (FIG. 4, col. 3, line 52-col. 4, line 13, col. 12, lines 15-62); wherein the second degree of confidence indicates a likelihood of adjusting the access parameters for the first authorization token, and wherein the second set of features comprises approved and declined authorization requests associated with the user account (FIG. 4, col. 3, line 52-col. 4, line 13, col. 12, lines 15-62).
Therefore, it would have been obvious to one of ordinary skill in the art before effective filing date of the claimed invention to combine Medan and Sharma in order to provide efficient assistance to users of data management systems while adequately protecting the privacy and security of the users (Sharma, col. 1, lines 49-67).
Miel discloses determining by comparing the first degree of confidence to a threshold degree of confidence, to grant the authorization request (¶ [0065]).
Therefore, it would have been obvious to one of ordinary skill in the art before effective filing date of the claimed invention to combine Medan, Sharma and Miel in order to prevent potentially unauthorized communication during a secured session by performing a mid-session reauthentication (Miel, ¶ [0001]-[0002]).
Regarding claim 2, Medan discloses a method for adjusting parameters of authorization tokens, the method comprising:
receiving an authorization request associated with a first authorization token for a user account (FIG. 1-6, col. 2, lines 17-21, col. 4, lines 5-16; i.e. receiving a request from a user associated with an authorized account to access the programming interfaces);
determining that access parameters for the first authorization token do not include resources associated with the authorization request (FIG. 1-6, col. 2, lines 17-21, col. 4, lines 5-16, col. 8, lines 19-45; i.e. determining based on the request parameters for the API that the publisher of the API intends that the client only be able to access a subset of the API while the client is entitled to access more API);
in response to determining to grant the authorization request, transmitting a response to the authorization request and processing a second set of features using a comprehensive model to determine whether to adjust the access parameters for the first authorization token to include the resources associated with the authorization request (FIG. 1-6, col. 2, lines 17-21, col. 6, lines 26-34, col. 8, lines 19-45, col. 10, lines 33-59; i.e. the API host processes the request and determines whether the client is authorized to access more API than allowed), wherein the second set of features comprises approved and declined authorization requests associated with the user account;
in response to determining to adjust the access parameters for the first authorization token, adjusting the access parameters for the first authorization token to include the resources associated with the authorization request (FIG. 1-6, col. 2, lines 17-21, col. 6, lines 26-34, col. 8, lines 19-45, col. 10, lines 33-59; i.e. the custom authorizer modifies or replaces the assertion to include privilege information for the portions of the API that the client is authorized to access); and
generating a notification to a user associated with the user account indicating the adjusted access parameters for the first authorization token (FIG. 1-6, col. 6, lines 26-34, col. 8, lines 19-45, col. 10, lines 33-59; i.e. notifying the client of the new authorized API).
Medan does not explicitly disclose processing, using a real time model, the authorization request and a first set of features to generate a first degree of confidence, wherein the first degree of confidence indicates a likelihood of adjusting access parameters for the first authorization token; using the first degree of confidence and a threshold degree of confidence, determine whether to grant the authorization request; wherein the second set of features comprises approved and declined authorization requests associated with the user account.
However, Sharma discloses processing, using a real time model, the authorization request and a first set of features to generate a first degree of confidence, wherein the first degree of confidence indicates a likelihood of adjusting access parameters for the first authorization token (FIG. 4, col. 3, line 52-col. 4, line 13, col. 12, lines 15-62); wherein the second set of features comprises approved and declined authorization requests associated with the user account (FIG. 4, col. 3, line 52-col. 4, line 13, col. 12, lines 15-62).
Therefore, it would have been obvious to one of ordinary skill in the art before effective filing date of the claimed invention to combine Medan and Sharma in order to provide efficient assistance to users of data management systems while adequately protecting the privacy and security of the users (Sharma, col. 1, lines 49-67).
Miel discloses using the first degree of confidence and a threshold degree of confidence, determine whether to grant the authorization request (¶ [0065]).
Therefore, it would have been obvious to one of ordinary skill in the art before effective filing date of the claimed invention to combine Medan, Sharma and Miel in order to prevent potentially unauthorized communication during a secured session by performing a mid-session reauthentication (Miel, ¶ [0001]-[0002]).
Regarding claim 3, Medan in view of Sharma and Miel discloses the method of claim 2, wherein the first set of features comprises: a list of recent authorization requests associated with the first authorization token; a list of recent authorization requests associated with the user account, wherein the user account is associated with the first authorization token and at least one other authorization token; a location associated with the authorization request; or an extent of resource access associated with the authorization request (Medan, col. 1, lines 44-67; Sharma, col. 11, line 56-col. 12, line 14).
Regarding claim 5, Medan in view of Sharma and Miel discloses the method of claim 2, wherein the second set of features comprises: a full list of authorization requests associated with the first authorization token, comprising a category, extent, location and approval status of each resource access request; a full list of authorization requests associated with the user account, comprising a category, extent, location and approval status of each resource access request; and a record of incorrect and fraudulent resource authorization requests associated with the user account (Medan, col. 1, lines 44-67; Sharma, col. 11, line 56-col. 12, line 14).
Regarding claim 6, Medan in view of Sharma and Miel discloses the method of claim 2, wherein the first authorization token comprises parameters restricting its use of the user account, comprising: a category of resource access associated with the user account; a set of locations for access to the user account; a timeframe for access to the user account; and an extent of each access to the user account (Medan, col. 1, lines 44-67; col. 5, lines 28-46; Sharma, col. 10, lines 34-51).
Regarding claim 7, Medan in view of Sharma and Miel discloses the method of claim 2, wherein the comprehensive model processes the second set of features to generate a target coverage for the first authorization token (Sharma, col. 3, line 52-col. 4, line 13, col. 12, lines 15-62).
Regarding claim 8, Medan in view of Sharma and Miel discloses the method of claim 7, further comprising: determine a first discrepancy using the target coverage and the parameters defining the first authorization token; and using the first discrepancy, updating the parameters defining the first authorization token (Medan, col. 8, lines 12-24; Sharma, col. 3, line 52-col. 4, line 13, col. 12, lines 15-62).
Regarding claim 9, Medan in view of Sharma and Miel discloses the method of claim 2, further comprising: using an output of the comprehensive model, determining to issue a second authorization token (Medan, col. 1, lines 44-67; Sharma, col. 11, line 56-col. 12, line 14); selecting a set of parameters for the second authorization token using the output of the comprehensive model (Medan, col. 1, lines 44-67; Sharma, col. 11, line 56-col. 12, line 14); generating the second authorization token using the set of parameters (Medan, col. 1, lines 44-67; Sharma, col. 11, line 56-col. 12, line 14); and sending a notification to the user indicating that the second authorization token is associated with the set of parameters (Medan, col. 1, lines 44-67; Sharma, col. 11, line 56-col. 12, line 14).
Regarding claim 10, Medan in view of Sharma and Miel discloses the method of claim 2, further comprising: receiving feedback comprising a first set of outcomes associated with the adjusted authorization token (Sharma, col. 11, line 56-col. 12, line 14); and using the first set of outcomes as training data, updating the comprehensive model (Sharma, col. 11, line 56-col. 12, line 14).
Regarding claim 11, Medan in view of Sharma and Miel discloses the method of claim 2, further comprising: determining not to adjust parameters defining the first authorization token; and revoking access of the first authorization token to the user account.
Regarding claim 12, Medan discloses one or more non-transitory computer-readable media comprising instructions that, when executed by one or more processors, cause operations comprising:
receiving an authorization request associated with a first authorization token for a user account (FIG. 1-6, col. 2, lines 17-21, col. 4, lines 5-16; i.e. receiving a request from a user associated with an authorized account to access the programming interfaces);
determining that access parameters for the first authorization token do not include resources associated with the authorization request (FIG. 1-6, col. 2, lines 17-21, col. 4, lines 5-16, col. 8, lines 19-45; i.e. determining based on the request parameters for the API that the publisher of the API intends that the client only be able to access a subset of the API while the client is entitled to access more API);
in response to determining to decline the authorization request, transmitting a response to the authorization request and processing a second set of features using a comprehensive model to determine whether to adjust the access parameters for the first authorization token to include the resources associated with the authorization request (FIG. 1-6, col. 2, lines 17-21, col. 6, lines 26-34, col. 8, lines 19-45, col. 10, lines 33-59; i.e. the API host processes the request and determines whether the client is authorized to access more API than allowed), wherein the second set of features comprises approved and declined authorization requests associated with the user account;
in response to determining to adjust the access parameters for the first authorization token, adjusting the access parameters for the first authorization token to include the resources associated with the authorization request (FIG. 1-6, col. 2, lines 17-21, col. 6, lines 26-34, col. 8, lines 19-45, col. 10, lines 33-59; i.e. the custom authorizer modifies or replaces the assertion to include privilege information for the portions of the API that the client is authorized to access); and
generating a notification to a user associated with the user account indicating the declined authorization request and the adjusted access parameters for the first authorization token (FIG. 1-6, col. 6, lines 26-34, col. 8, lines 19-45, col. 10, lines 33-59; i.e. notifying the client of the new authorized API).
Medan does not explicitly disclose processing, using a real time model, the authorization request and a first set of features to generate a first degree of confidence, wherein the first degree of confidence indicates a likelihood of adjusting access parameters for the first authorization token; using the first degree of confidence and a threshold degree of confidence, determine whether to grant the authorization request; wherein the second set of features comprises approved and declined authorization requests associated with the user account.
However, Sharma discloses processing, using a real time model, the authorization request and a first set of features to generate a first degree of confidence, wherein the first degree of confidence indicates a likelihood of adjusting access parameters for the first authorization token (FIG. 4, col. 3, line 52-col. 4, line 13, col. 12, lines 15-62); wherein the second set of features comprises approved and declined authorization requests associated with the user account (FIG. 4, col. 3, line 52-col. 4, line 13, col. 12, lines 15-62).
Therefore, it would have been obvious to one of ordinary skill in the art before effective filing date of the claimed invention to combine Medan and Sharma in order to provide efficient assistance to users of data management systems while adequately protecting the privacy and security of the users (Sharma, col. 1, lines 49-67).
Miel discloses using the first degree of confidence and a threshold degree of confidence, determine whether to grant the authorization request (¶ [0065]).
Therefore, it would have been obvious to one of ordinary skill in the art before effective filing date of the claimed invention to combine Medan, Sharma and Miel in order to prevent potentially unauthorized communication during a secured session by performing a mid-session reauthentication (Miel, ¶ [0001]-[0002]).
Regarding claim 13, Medan in view of Sharma and Miel discloses the one or more non-transitory computer-readable media of claim 12, wherein the first set of features comprises: a list of recent authorization requests associated with the first authorization token; a list of recent authorization requests associated with the user account; a location associated with the authorization request; and an extent of resource access associated with the authorization request (Medan, col. 1, lines 44-67; Sharma, col. 11, line 56-col. 12, line 14).
Regarding claim 15, Medan in view of Sharma and Miel discloses the one or more non-transitory computer-readable media of claim 12, wherein the second set of features comprises: a full list of authorization requests associated with the first authorization token, comprising a category, extent, location and approval status of each resource access request; a full list of authorization requests associated with the user account, comprising a category, extent, location and approval status of each resource access request; and a record of incorrect and fraudulent resource authorization requests associated with the user account (Medan, col. 1, lines 44-67; Sharma, col. 11, line 56-col. 12, line 14).
Regarding claim 16, Medan in view of Sharma and Miel discloses the one or more non-transitory computer-readable media of claim 12, wherein the first authorization token comprises parameters restricting its use of the user account, comprising: a category of resource access associated with the user account; a set of locations for access to the user account; a timeframe for access to the user account; and an extent of each access to the user account (Medan, col. 1, lines 44-67; col. 5, lines 28-46; Sharma, col. 10, lines 34-51).
Regarding claim 17, Medan in view of Sharma and Miel discloses the one or more non-transitory computer-readable media of claim 12, wherein the comprehensive model processes the second set of features to generate a target coverage for the first authorization token (Sharma, col. 3, line 52-col. 4, line 13, col. 12, lines 15-62).
Regarding claim 18, Medan in view of Sharma and Miel discloses the one or more non-transitory computer-readable media of claim 17, further comprising: determine a first discrepancy using the target coverage and the access parameters defining the first authorization token; using the first discrepancy, updating the access parameters defining the first authorization token (Medan, col. 8, lines 12-24; Sharma, col. 3, line 52-col. 4, line 13, col. 12, lines 15-62).
Regarding claim 19, Medan in view of Sharma and Miel discloses the one or more non-transitory computer-readable media of claim 12, further comprising: using an output of the comprehensive model, determining to issue a second authorization token (Medan, col. 1, lines 44-67; Sharma, col. 11, line 56-col. 12, line 14); selecting a set of parameters for the second authorization token using the output of the comprehensive model (Medan, col. 1, lines 44-67; Sharma, col. 11, line 56-col. 12, line 14); generating the second authorization token using the set of parameters (Medan, col. 1, lines 44-67; Sharma, col. 11, line 56-col. 12, line 14); sending a notification to the user indicating that the second authorization token is associated with the set of parameters (Medan, col. 1, lines 44-67; Sharma, col. 11, line 56-col. 12, line 14).
Regarding claim 20, Medan in view of Sharma and Miel discloses the one or more non-transitory computer-readable media of claim 12, further comprising: receiving feedback comprising a first set of outcomes associated with the adjusted authorization token (Sharma, col. 11, line 56-col. 12, line 14); and using the first set of outcomes as training data, updating the comprehensive model (Sharma, col. 11, line 56-col. 12, line 14).
Claims 4 and 14 are rejected under 35 U.S.C. 103 as being unpatentable over Medan et al. (US 10,951,661 hereinafter Medan) in view of Sharma et al. (US 11,086,643 hereinafter Sharma) and Miel et al. (US 2024/0250812 hereinafter Miel) and further in view of Duttagupta et al. (US 2022/0366490 hereinafter Duttagupta).
Regarding claim 4, Medan in view of Sharma and Miel discloses the method of claim 2.
Medan in view of Sharma and Miel does not explicitly disclose wherein the real time model processes the first set of features to generate a probability of granting the authorization request using a logistic regression algorithm (¶ [0028]).
However, Duttagupta discloses
Therefore, it would have been obvious to one of ordinary skill in the art before effective filing date of the claimed invention to combine Medan, Sharma, Miel and Duttagupta in order to automate decision making by implementing a supervised learning approach that is trained based on unstructured data (Duttagupta, ¶ [0001]-[0002], [0016]).
Regarding claim 14, see claim 4 above for the same reasons of rejections.
Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to CHI D NGUY whose telephone number is (571)270-7311. The examiner can normally be reached Monday-Friday 9-5 ET.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Amir Mehrmanesh can be reached at (571)270-3351. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/C.D.N/Examiner, Art Unit 2435
/AMIR MEHRMANESH/Supervisory Patent Examiner, Art Unit 2435