METHODS AND APPARATUS FOR ALIASING SCOPES IN ACCESS TOKENS

§101 §103

DETAILED ACTION Notice of Pre-AIA or AIA Status The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . This Office Action is in response to the amendment filed on 3/2/2026. In instant Amendment, claims 1, 6, 8, 13, 15 and 20 have been amended; claims 7 and 14 have been canceled; and claims 1, 8 and 15 are independent claims. Claims 1-6, 8-13 and 15-20 have been examined and are pending. This Action is made Final. Response to Arguments Applicant's arguments filed 3/2/2026 with respect to the 35 U.S.C. 101 rejection have been fully considered but they are not persuasive. Applicant Argues: As presently amended, each of the independent claims 1, 8, and 15 recites, in part, "generat[ing] an access token for the identity to access the online resource, the access token to include the hexadecimal value in place of the scope assignment." MPEP § 2106.02(a)(2) states that claims do not recite a mental process when they do not contain limitations that can practically be performed in the human mind, for instance when the human mind is not equipped to perform the claim limitations. See SRIInt'l, Inc. v. Cisco Systems, Inc., 930 F.3d 1295, 1304 (Fed. Cir. 2019). Applicant respectfully submits that "generat[ing] an access token for the identity to access the online resource, the access token to include the hexadecimal value in place of the scope assignment" is a limitation that cannot be practically be performed in the human mind and therefore the presently amended independent claims, as a whole, do not recite a mental process. Accordingly, Applicant respectfully submits that independent claims 1, 8, and 15, when considered as a whole, do not recite an abstract idea. For the above reasons, the independent claims 1, 8, and 15 recite patent eligible subject matter and are therefore in condition for allowance. Moreover, the dependent claims 2-6, 9-13, and 16-20 are similarly allowable because they depend from an allowable base claim. Therefore, Applicant respectfully requests that the Examiner reconsider and withdraw the 35 U.S.C. § 101 rejections of claims 1-20 and that the claims be allowed. Examiner’s Response: The examiner respectfully disagrees. The examiner respectfully notes that the human mind with the aid of pencil/paper can “generat[ing] an access token for the identity to access the online resource, the access token to include the hexadecimal value in place of the scope assignment.” The examiner notes as claimed there is no positive recitation of the entity accessing the online resource just the intended use of the token. Thus, the human mind with the aid of pencil/paper is capable of performing the aforementioned step of generating an access token for the identity [to access the online resource] the access token to include the hexadecimal value in place of the scope assignment . Therefore, the claims recite an abstract idea and the examiner finds this argument not persuasive. Applicant's arguments filed 3/2/2026 with respect to the 35 U.S.C. 103 rejection have been considered but are moot in view of new grounds of rejection. Claim Rejections - 35 USC § 101 35 U.S.C. 101 reads as follows: Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title. Claim(s) 1-20 is/are rejected under 35 U.S.C. 101 as being directed to an abstract idea without being integrated into a practical application or being significantly more. Regarding claim 1, and representative claim(s) 8 and 15, the claim recites the limitations “detect a request to create an identity to access an online resource...;” “determine that an alliance has not been created for the at least one scope assignment...” “generate the alias for the scope assignment,” and “generate an access token for the identity to access the online resource...” Broadly interpreted, the aforementioned steps are directed to mental processes as said steps could be performed in the human mind. Therefore, the claims recite an abstract idea. Said abstract idea and/or judicial exception is not integrated into a practical application as the claim does not recite any other active steps that could be considered that the abstract idea is being integrated into a practical application. It is noted that the claims recite additional limitation/elements (i.e., a apparatus w/ interface circuitry, machine readable instructions, and programing circuitry, etc.). However, said additional elements are recited at a high-level of generality (i.e., as a generic computing device performing a generic computer functions) such that it amounts no more than mere instructions to apply the exception or abstract idea using generic computer components. Accordingly, these additional elements do not integrate the abstract idea into a practical application because they do not impose any meaningful limits on practicing the abstract idea. The claims do not include additional elements/limitations/embodiments that are sufficient to amount to significantly more than the judicial exception because the additional elements when considered both individually and as an ordered combination do not amount to significantly more than the abstract idea. As mentioned above, although the claims recite additional elements, said elements taken individually or as a combination, do not result in the claim amounting to significantly more than the abstract idea because as the additional elements perform generic computer content distributing functions routinely used in information technology field. As discussed above, the additional elements recited at a high-level of generality such that they amount no more than mere instructions to apply the exception using a generic computer component. Therefore, the claim is directed to non-statutory subject matter. Regarding claims 2-7, 9-14, and 16-20, claims 2-7, 9-14, and 16-20, are also rejected under 35 U.S.C. 101 as being directed to non-statutory subject matter for the same reasons addressed above as the claims recite an abstract idea and the claims do not positively recite any other operations that could be considered as the abstract idea is being integrated into a practical application or significantly more. It is noted that claim(s) 2, and representative claim(s) 9 and 16 recites the limitations: “...update the identity...”. It is noted that claim(s) 3, and representative claim(s) 10 and 17 recites the limitations: “...map the aliases...”. It is noted that claim(s) 4, and representative claim(s) 11 and 18 recites the limitations: “...count a total number of characters...”. It is noted that claim(s) 5, and representative claim(s) 12 and 19 recites the limitations: “...compare the total number of characters...” It is noted that claim(s) 6, and representative claim(s) 13, and 20 recites the limitations: “wherein the alias is at least one... value... or... identifier...”. It is noted that claim(s) 7, and representative claim(s) and 14 recites the limitations: “...generate an access token for the identity...”. Said steps are either directed to mental processes and/or are in a form of insignificant extra-solution activities or are recited at a high-level of generality; such that it amounts to no more than mere instructions to apply the exception or abstract idea using generic computer components. The aforementioned steps are not sufficient to consider that the abstract idea is being integrated into a practical application or significantly more. Therefore, claims 2-7, 9-14, and 16-20, are also rejected under 35 U.S.C. 101 as being directed to non-statutory subject matter. Claim Rejections - 35 USC § 103 In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA ) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status. The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. Claim(s) 1-6, 8-13 and 15-20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Feijoo et al. (US 2018/0295135 A1) in view of Zhang (US 20220232010 A1) and Smolny et al. (US 20220232003 A1) and Kumnick (US 2015/0319158 A1). Regarding Claim 1; Feijoo discloses an apparatus comprising: interface circuitry (FIG. 1); machine readable instructions (FIG. 1);; and programmable circuitry to at least one of instantiate or execute the machine readable instructions to (FIG. 1): detect a request to create an identity to access an online resource, the request including at least one scope assignment associated with a user of the online resource ([0009] - ...the alias identity may be stored in the entry at a time when the user is accessing the first secure application... storing the alias identity in the entry may include storing the authentication scope received from the first secure application into the entry that is being created or modified), determine ... an alias .... for the at least one scope assignment, the alias to represent two more scopes assigned to the user (FIG. 4 – Authorization Scope (i.e., alias) with Scopes of Access (i.e., represents n or more scopes of access) and [0057] - FIG. 4 shows an example of associations between authorization scopes and corresponding scopes of access that may be maintained in an authorization database of a multiple-identity authorization endpoint); and ...wherein the alias... indicates the user’s scope of access to the online resource (FIG. 4 – Authorization Scope (i.e., alias) with Scopes of Access (i.e., represents n or more scopes of access) and [0004] - In response to successfully authenticating the user on behalf of a first secure application based on the login credentials for the alias identity, an access token is generated that contains both the alias identity attributes and the principal identity attributes. The access token is transmitted to an authorization endpoint in the first secure application. The access token causes the authorization endpoint in the first secure application to grant, based on the authorization scope of the alias identity, a scope of access to protected resources in the first secure application and [0057] - FIG. 4 shows an example of associations between authorization scopes and corresponding scopes of access that may be maintained in an authorization database of a multiple-identity authorization endpoint); and generate an access token for the identity to access the online source, the access token to include... the scope assignment (FIG. 3 -- Al and FIG. 4 – Authorization Scope (i.e., alias) with Scopes of Access (i.e., represents n or more scopes of access) and [0004] - In response to successfully authenticating the user on behalf of a first secure application based on the login credentials for the alias identity, an access token is generated that contains both the alias identity attributes and the principal identity attributes. The access token is transmitted to an authorization endpoint in the first secure application. The access token causes the authorization endpoint in the first secure application to grant, based on the authorization scope of the alias identity, a scope of access to protected resources in the first secure application and [0052] and [0057]); and Feijoo fails to explicitly disclose: determine that an alias has not been created...; generate the alias for the scope assignment, the alias having less characters than the scope assignment, [wherein the alias] is a hexadecimal value that [indicates the user’s scope of access to the online resource]; and [generate an access token for the identity to access the online resource, the access token to include] the hexadecimal value in place of [the scope assignment]. However, in an analogous art, Zhang teaches determine that an alias has not been created... ([0021] - ...the authorization service 112 queries or otherwise searches the alias database 116 for any existing uses of that alias to ensure the alias is unique among registered applications. In this regard, when an existing usage of an autogenerated alias exists, the authorization service 112 discards the alias and repeats the steps for generating a new alias until arriving at a unique alias that is not currently in use and/or registered in the alias database 116...). Therefore, it would have been obvious to one of ordinarily skill in the art before the effective filing date of the claimed invention to combine the teachings of Zhang to the alias scope(s) of Feijoo to include determine that an alias has not been created... One would have been motivated to combine the teachings of Zhang to Feijoo to do so as it provides / allows authorizing access to protected resources using ... aliases to improve security (Zhang, [0001]). Further, in an analogous art, Smolny teaches generate the alias for the scope assignment, the alias having less characters than the scope assignment (FIG. 5 – 504 (Scope Alias) and 502 (Corresponding Scopes), depicts Scope Alias (i.e., alias) having less characters than Corresponding Scopes (i.e., scope assignment) and [0069] - For example, each character used for a scope results in 1.33 characters in an access token. For example, the scope cloud_controller.admin uaa.scim clients.read includes 44 characters, which results in approximately 59 characters in the access token. An authorization server may implement token scope character limits (i.e., a character length limit on the scopes field can be assigned against generated access tokens) and [0073]-[0074] - When an authorization server, such as, for example, authorization server 106 in FIG. 1, places scope alias “ALL” 504 in a scopes field of a generated access token, that particular access token has the same level of access permissions as all of the individual scopes “SERVICE1” 510, “SERVICE2” 512, “SERVICE3” 514, “SERVICE4” 516, “SERVICE5” 518, and “SERVICE6” 520, while decreasing the size of the scopes field). Therefore, it would have been obvious to one of ordinarily skill in the art before the effective filing date of the claimed invention to combine the teachings of Smolny to alias scope(s)... of Feijoo in view of Zang to include generate the alias for the scope assignment, the alias having less characters than the scope assignment. One would have been motivated to combine the teachings of Smolny to Feijoo in view of Zang to do so as it provides / allows to decreas[e] a size of scopes fields in access tokens using a scope alias to represent a plurality of scopes while maintaining a same level of protected resource access permissions for the access tokens as the plurality of individual scopes that the scope alias represents, thus, improves/decreases network response times which enables faster protected resource access and increased system performance (Smolny, [0071]). However, in an analogous art, Kumnick teaches [wherein the “code”] is a hexadecimal value that [indicates the user’s scope of permission] ([0033] - A “token code” may be any string of characters that serve as evidence of permission for using a value token (e.g., a payment token). In some embodiments, a token code may be a hexadecimal value); and [generate an ... token for the identity ..., the ... token to include] the hexadecimal value in place of [the permission] ([0005] – and ([0033] - A “token code” may be any string of characters that serve as evidence of permission for using a value token (e.g., a payment token). In some embodiments, a token code may be a hexadecimal value), Therefore, it would have been obvious to one of ordinarily skill in the art before the effective filing date of the claimed invention to combine the teachings of Kumnick to token of Feijoo in view of Zang and Smolny to include [wherein the “code”] is a hexadecimal value that [indicates the user’s scope of permission]; and [generate an ... token for the identity ..., the ... token to include] the hexadecimal value in place of [the permission] One would have been motivated to combine the teachings of Kumnick to Feijoo in view of Zang and Smolny to do so as it provides / allows to a token for use in multiple domains (Kumnick, [0021]). Regarding Claim 2; Feijoo in view of Zhang and Smolny and Kumnick disclose the apparatus to Claim 1. Feijoo further discloses wherein the programmable circuitry is to update the identity to include the alias and the scope assignment (FIG. 1 and FIG. 4 – Authorization Scope (i.e., alias) with Scopes of Access (i.e., represents n or more scopes of access) and FIG. 5 – Principal Identity to Authorization Scope Set and [0009] - ...the alias identity may be stored in the entry at a time when the user is accessing the first secure application... storing the alias identity in the entry may include storing the authentication scope received from the first secure application into the entry that is being created or modified), Regarding Claim 3; Feijoo in view of Zhang and Smolny and Kumnick disclose the apparatus to Claim 1. Feijoo further discloses wherein the programmable circuitry is to map the alias to the scope assignment (FIG. 1 and FIG. 4 – Authorization Scope (i.e., alias) with Scopes of Access (i.e., represents n or more scopes of access) and FIG. 5 and [0009]) Regarding Claim 4; Feijoo in view of Zhang and Smolny and Kumnick disclose the apparatus to Claim 1. Smolny further teaches wherein the programmable circuitry is to count a total number of characters in the scope assignment before generating the alias ([0069] - For example, each character used for a scope results in 1.33 characters in an access token. For example, the scope cloud_controller.admin uaa.scim clients.read includes 44 characters, which results in approximately 59 characters in the access token. An authorization server may implement token scope character limits (i.e., a character length limit on the scopes field can be assigned against generated access tokens) and [0071] - Thus, illustrative embodiments provide one or more technical solutions that overcome a technical problem with access tokens with large scopes fields (e.g., 2 KB or greater in size)... The reduced size of access tokens generated by illustrative embodiments improves/decreases network response times, which enables faster protected resource access and increased system performance and ([0074] - places scope alias ... in a scopes field of a generated access token...). Similar rationale and motivation is noted for the combination of Smolny to Feijoo in view of Zhang and Smolny and Kumnick, as per claim 1, above. Regarding Claim 5; Feijoo in view of Zhang and Smolny and Kumnick disclose the apparatus to Claim 4. Smolny further teaches wherein the programmable circuitry is to: compare the total number of characters in the scope assignment to a threshold number of characters ([0069] - For example, each character used for a scope results in 1.33 characters in an access token. For example, the scope cloud_controller.admin uaa.scim clients.read includes 44 characters, which results in approximately 59 characters in the access token. An authorization server may implement token scope character limits (i.e., a character length limit on the scopes field can be assigned against generated access tokens); determine that the total number of characters satisfies the threshold number of characters ([0069] - For example, each character used for a scope results in 1.33 characters in an access token. For example, the scope cloud_controller.admin uaa.scim clients.read includes 44 characters, which results in approximately 59 characters in the access token. An authorization server may implement token scope character limits (i.e., a character length limit on the scopes field can be assigned against generated access tokens); and generate the alias ([0074] - places scope alias ... in a scopes field of a generated access token...) Similar rationale and motivation is noted for the combination of Smolny to Feijoo in view of Zhang and Smolny and Kumnick, as per claim 1, above. Regarding Claim 6; Feijoo in view of Zhang and Smolny and Kumnick disclose the apparatus to Claim 1. Feijoo further discloses wherein the alias is at least one of a hexadecimal value or a globally unique identifier (FIG. 2 and FIG. 3- Authorization Scope and FIG. 4). Zhang and Smolny additionally teach wherein the alias is at least one of a hexadecimal value or a globally unique identifier (Zhang, [0021] and Smolny [0075]-[0076]). Similar rationale and motivation is noted for the combination of Smolny and Feijoo to Feijoo in view of Zhang and Smolny and Kumnick, as per claim 1, above. Regarding Claim(s) 8-13; claim(s) 8-13 is/are directed to a/an medium associated with the apparatus claimed in claim(s) 1-6. Claim(s) 8-14 is/are similar in scope to claim(s) 1-6, and is/are therefore rejected under similar rationale. Regarding Claim(s) 15-20; claim(s) 15-20 is/are directed to a/an method associated with the apparatus claimed in claim(s) 1-6. Claim(s) 15-20 is/are similar in scope to claim(s) 1-6, and is/are therefore rejected under similar rationale. Conclusion Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a). A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. Any inquiry concerning this communication or earlier communications from the examiner should be directed to KARI L SCHMIDT whose telephone number is (571)270-1385. The examiner can normally be reached Monday-Friday 10am - 6pm (MDT). Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu Pham can be reached at (571)270-5002. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. /KARI L SCHMIDT/Primary Examiner, Art Unit 2439