DETAILED ACTION
Response to Amendment
The Amendment filed on 05/01/2026 has been entered. Claims 2 and 12 are
pending. Claims 1, 3-11, and 13-20 remained rejected. Applicant’s amendments to the
Specifications and the claims have overcome the objections previously set forth
in the Non-Final Office Action mailed 07/10/2024.
Priority
Acknowledgment is made of applicant’s claim for foreign priority under 35 U.S.C. 119 (a)-(d). The certified copy has been filed in parent Application No. CN 202410382470.2, filed on 03/29/2024.
Response to Objections
Applicant’s amendments to the specifications and claims filed on 05/01/2026 have been
reconsidered. Applicant’s amendments to the specifications and the claims have been accepted. Objections to the specifications and the claims are withdrawn.
Response to Arguments
Applicant’s arguments with respect to the amended claims, filed 05/01/2026, have been fully considered and are persuasive. The examiner agrees that although the primary reference Zhang discloses a method of permission management comprising, inter alia, Zhang fails to remedy the following features:
(1) providing a token creation interface to a user, the token creation interface comprising a first control for selecting the workspace and a second control for
selecting a permission type;
(2) obtaining the token creation request based on input information received in the
token creation interface; and
(3) verifying the token information with token management data, the token management data being generated based on the token creation request of the user associated with the application, the token creation request indicating at least a specified permission of at least one workspace of the user in the platform, wherein the platform supports creation of the at least one workspace, and the at least one
workspace is configured to create and manage one or more applications.
Examiner agrees that Zhang fails to disclose the above features (1), (2), and (3) recited in amended Claim 1, and thus the § 102 rejection of Claim 1 should be withdrawn. However, a new ground(s) of rejection is made in view of Chanda (US 20230254352 A1). Chanda remedies the deficiencies of Zhang noted above. The rejection is necessitated by the claim amendments and is directly caused by the changes in the reply. Applicant's arguments are considered moot in light of the newly found prior art: Chanda (US 20230254352 A1). Please see detailed rejection below.
Regarding applicant’s request to consider “…any filed IDSs not previously considered, by initialing and returning each form PTO-1449” (page 15 of the applicant’s remark), the IDS filed on 5/5/25 herein initialized and attached with the final action.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148
USPQ 459 (1966), that are applied for establishing a background for determining
obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating
obviousness or nonobviousness.
Claim(s) 1, 3-9, 11, 13-20 is/are rejected under 35 U.S.C. 103 as being unpatentable by Zhang (CN 114528571 A) in view of Chanda (US-20230254352-A1).
Regarding claim 1, Zhang discloses a method of permission management ([Page 15, lines 39-41] “ Operations S601 to S603 are 39 performed by the server, and the server performs permission management for the demander to 40 access the API service resource corresponding to the API interface”), comprising:
receiving a usage request for an application of a platform, the usage request comprising token information (([Page 1, lines 27-30] “These open application programming interfaces are usually called open APIs. The platform is displayed, and developers can access and use related service resources through these open APIs without accessing the source code in the server or understanding the details of the internal working mechanism”, an application of a platform is an open platform invoking API or service resources or permissions; [Page 2, lines 38-42] “In a second aspect, embodiments of the present disclosure provide a data processing method. The above data processing method includes: receiving an access request sent by a demand side, and the information carried in the access request includes: user account, token information related to invocation timing, address information of the target service resource requested to be invoked, and the above-mentioned target service resource needs”; [Page 4, lines 2-6] “The above-mentioned data processing module is used for decrypting and authorizing the above-mentioned token information to obtain an access response result. The above-mentioned result sending module is used for sending the above-mentioned access response result to the demand side.”, Page 3 discloses user request as access request which includes token information of user account and the application of a platform (platform is displayed and developers can access through the access response result);
verifying the token information with token management data, the token management data being generated based on the token creation request of the target user associated with the application, the token creation request indicating at least a specified permission of at least one [workspace] of the user in the platform ([page 11, lines 58-60, page 12 lines 1-4] “Based on the above operations S201 to S205, in the resource access method provided by the embodiments of the present disclosure, the overall logic of resource access is to generate token information by real-time encryption and calculation according to the resource access information and encryption algorithm pre-obtained from the server at the calling time., and the token information is related to the calling time and the access rights of the user account to the service resources, so that the token information generated corresponding to the request at different times and the request of different users is different, effectively realizing the authorization verification”, discloses user request as access request which includes generating token information of user account; [Page 7, lines 38-48] “For example, in the system architecture composed of the first demand side 110 and the server side 130, referring to the single-dotted line in FIG. The development of online shopping applications through a software development app) or a browser (for example, a web version software development system, the first user 101 develops online shopping applications through the web version software development system) at runtime, by executing the embodiments of the present disclosure The provided resource access method initiates an access request to the server 130 for calling the target service resource, and receives an access response result from the server 130 . The server 130 analyzes and processes the received access request by executing the data processing method provided by the embodiment of the present disclosure, and calls the service resource for calculation of the access response result (for example, the data obtained according to the access request, the query result, and the query result)”, page 8 discloses the “first user” as the first user 101 is the software developer; [page 8, lines 43-49] “In an implementation scenario, referring to the one-dot chain line in FIG. 1 , the first user 101 is, for example, a software developer, and the software developer develops applications or web version software based on the software installed in the terminal devices 111 , 112 , and 113 . The system performs an application development process. During this process, the software developer will perform one or more operations on the interactive interface corresponding to the software development application or the web version software development system, thereby receiving the first user 101 on the terminal device”; target user is developer of open APIs (interactive interface); and [Page 15, lines 38-41] “Referring to FIG. 6 , the data processing method provided by the embodiment of the present disclosure includes the following operations: S601, S602, and S603. Operations S601 to S603 are performed by the server, and the server performs permission management for the demander to access the API service resource corresponding to the API interface”; [Page 14, lines 43-45] “In operation S601, an access request sent by a demand side is received, and the information carried in the access request includes: user account, token information related to the invocation timing, address information of the target service resource requested to be invoked, and the target service resource to be executed by the above-mentioned target service resource.”; Page 14 discloses verifying the token with token management data (applicant discloses token management data as “being generated based on a token creation request or access request”); [[Page 15,lines 5-7] “According to an embodiment of the present disclosure, resource access information and encryption algorithms can be transmitted between the sender and receiver of information corresponding to the demand side (110 or 120 in the example of FIG. 1 ) and the server (130 of the example in FIG. 1 ) through an agreed medium , for example, it is transmitted by mail, or the demand side obtains data packets by accessing a specific access address given by the server (the access password is shared by both sender and receiver)” and Page 13 discloses the application is created by the first user or developer (user 1) with the platform of applications (applicant discloses the usage request “comprising token information”);
in response to the token information being verified, determining whether a usage permission corresponding to the token information matches the usage request ([page 11, lines 31-35] “From the perspective of the server side, since the association between the user account and the access authority of the service resource is pre-configured and stored on the server side, after receiving the access request, the server side decrypts the token information and obtains the authority Verification, to determine whether the user account of the current user has call/access rights to the target service resource), page 10 discloses “a usage permission corresponding to usage request” as resource access rights corresponds to token information of access request; and
in response to the usage permission matching the usage request, responding to the usage request with the application ([Page 11, lines 15-17] “In operation S204, the access request carrying the above-mentioned user account, the above-mentioned token information, the above-mentioned address information and the above-mentioned target instruction is sent to the server”; [Page 11, lines28-29] “In the above operations S204-S205, the demand side may obtain the corresponding authority verification result from the server side according to the user account and token information.”; [Page 11, lines 51-52] “…so as to obtain the corresponding data processing result, and send the target service resource to the corresponding target service resource for execution. The data processing result is fed back to the demand side as an access response result”); page 1 discloses the “instruction” as “the resource needs to execute; at the above-mentioned calling time, according to the resource access information (permission) and encryption algorithm pre-obtained from the server”; page 3 discloses user request as access request which includes token information of user account and target application of a platform (platform is displayed and developers can access through the access response result; and page 10 discloses “permissions” as access rights and “access response result” as in “usage request result”).
Although Zhang discloses a method of permission management for verifying token information, Zhang does not explicitly disclose the limitation listed below.
However, Chanda further discloses providing a token creation interface to a user, the token creation interface comprising a first control for selecting a workspace ([0089] “In FIG. 4A, which is similar to FIG. 3D, except that the user interacts with a user interface element 405 of a user interface 401 to include a workspace to the video conference and content collaboration meeting. When a participant selects the user interface element 405, the system presents a user interface 410 (shown in FIG. 4B) on the display of the client-side node (network node). In one implementation, only the meeting owner or the participant(s) who setup the meeting is allowed to add the workspace to the meeting. In another implementation, any participant in the video conference and content collaboration can initiate the workflow presented in FIGS. 4A to 4E to include a workspace in the video conference and content collaboration meeting. The meeting participant can select any one of existing workspaces (or canvases) listed in user interface 410 or create a new workspace (or canvas) and add the selected existing workspace or canvas or the new workspace or canvas to the video conference and content collaboration meeting. The meeting owner or participant(s) who setup the video conference and content collaboration meeting from their network node can allow other participants (i.e., users of other network nodes) to participate in the video conference aspect as well as allow the other participants to view and interact with the selected existing workspace or canvas or the new workspace or canvas”; [0141] “The process continues at operation 935 in which the client-side node receives an event with a list of workspaces available to the participants or the user linked to the client-side node. The participant can then select the workspace to include in the video conferencing and collaboration meeting. The client-side node of the participant who initiated the add workspace event displays the list of available workspaces. Other client-side nodes of participants in the video conferencing and collaboration meeting do not display such list of available workspaces. The client-side node receives a user interface event selecting A workspace to add to the video conferencing and collaboration meeting (operation 937). The client-side node then receives a list of participants in the meeting that require temporary permission to view the content in the workspace (operation 939). The client-side network node receives a selection of participants to temporarily view the workspace (operation 941). Finally, the client-side network node receives an event to display the selected workspace to client-side nodes linked to participants in the collaboration meeting at operation 943. The workspace is then displayed on displays of the client-side network nodes”), discloses a first control for selecting the workspace”,
and a second control for selecting a permission type([0091] “FIG. 4D presents a user interface example 420 which can be presented to the meeting owner or the meeting participant who has added the workspace in the video conference and the content collaboration meeting. The user interface 420 may only be visible to the meeting owner or participant who has added the workspace in the collaboration meeting. The user interface presents a dialog box 425 that provides the list of meeting participants who are requesting permission to access the workspace or who are available to gain access to the workspace. The meeting owner, meeting host or the participant who is the owner of the workspace (or who has selected the workspace to be part of the video conference and the content collaboration meeting) when presented with the dialog box 425 can select participants using check-boxes or other controls such as radio buttons to provide permission to requesting and/or available participants. The meeting owner can then press the admit button to provide access to selected participants”); [0114] “The technology disclosed can include a permission model which can use an identity (such as a user ID or UID) of a participant when assigning the participant to a breakout group. The system can include a permission control system that can manage access to content in the spatial event map based on assignment of participants to breakout groups. The permission control system can use UIDs of participants and their respective assignments to breakout groups to allow access to participants to content in the spatial event map during breakout sessions”); discloses a control for selecting the workspace’s permission types that accepts developer's/admins permission grant;
obtaining a token creation request based on input information received in the token creation interface ([0146] “FIG. 12 presents a client-side process flowchart 1201 for setting authorizations for a member of a breakout meeting group. The process starts at a process operation 1205 in which the client-side network node parses the workspace data to identify a data canvas such as a portion of a workspace attached to a breakout meeting room. The client-side network node includes logic to match a user identifier of a digital assets in the data canvas with identifiers of participants that are members of a breakout group (operation 1207). If the identifier is matched (operation 1209), the client-side network node renders the digital asset or content revealing graphical object that are authorized by first level authorization in the breakout room (operation 1211). The client-side network node renders placeholders in breakout room for graphical objects that are authorized by second level authorization (operation 1213). In other words, any content either requiring first level or second level authorization will only be displayed if the user is a member of the breakout group. The client-side network node sends an ERLink (external resource link) to request authorization from content owner for digital assets requiring second level authorization. The client-side network node receives an access token to access the graphical object at operation 1215. If the access token is valid (operation 1217), the client-side network node displays the thumbnail of graphical objects in breakout meeting room (operation 1219). Further details of two-level authorization scheme implemented by the technology disclosed are described in the U.S. patent application Ser. No. 17/200,731, entitled, “User Experience Container Level Identity Federation and Content Security” filed on Mar. 12, 2021 (Attorney Docket No. 1032-2)”); and
wherein the platform supports creation of the at least one workspace, and the at least one workspace is configured to create and manage one or more applications ([0076] “The collaboration server 107 can include or can be in communication with a federated authorization engine can include an OAuth storage database to store access tokens providing access to the digital assets. As mentioned above, the event map stack database 109 includes a workspace data set (e.g., a spatial event map) including events in the collaboration workspace and digital assets, such as graphical objects, distributed at virtual coordinates in the virtual workspace. Examples of digital assets are presented above in the description of FIG. 1A, such as images, music, video, documents, application windows and/or other media. Other types of digital assets, such as graphical objects can also exist on the workspace such as annotations, comments, and text entered by the users”; The platform is the combination of hardware, software, and communication protocols that enable software to operate effectively; applications to perform specific tasks, solve problems, or deliver services in various field; [0079] “Specifically, FIG. 2A presents an example user interface 201 that includes user interface elements related to content collaboration, video conferencing and breakout room technology disclosed herein. The user interface element 202 (labeled as “create new workspace”) can be selected to create a new workspace for use in a content collaboration session or a video conference. The user interface element 203 (labeled as “start new meeting”) can be selected by the user to start a new video conference or a new content collaboration session. The video conference and content collaboration session initiated in such manner can be considered an ad-hoc meeting. An ad-hoc meeting can be started at any time without needing to send prior invitations to participants. The user interface element 204 (labeled as “send”) can be used to send a collaboration workspace, a message or an invitation to another user to join a collaboration session. The user interface element 205 (labeled as “notifications”) can be used to view notifications received from other users (or participants) or notifications received from the collaboration server. The user interface element 206 (labeled as “profile”) can be selected to view and edit the user profile of the user. The user interface element 207 (labeled as “my workspaces”) can be selected to view workspaces that the user has created. The selection of the user interface element 207 can also list workspaces that the user did not create but was invited to participate during video conferences or content collaboration sessions. The workspaces are listed in the user interface. For example, a workspace 208 is listed in the top-left corner. The title of the workspace is “my bluescape”. It includes the name of the participant who created the workspace “Survi Gopal”. The date on which the workspace was last modified is also presented in the user interface element 208 representing the workspace. At the bottom of the user interface element 208, a list of users who participated in the collaboration session is also presented. The list of users can include the initials of users' names or other graphical icons representing the users. When the number of users participating in a video conference or a content collaboration session is large, only a selected number of users can be presented in the user interface element 208. The user interface element can also present other relevant information related to the workspace such as whether it is “secret”. A workspace designated as “secret” may not be available for view by participants outside the organization that owns the content of the collaboration meeting. In some cases, users with certain level of security clearance can participate in video collaboration conference or content collaboration session that is designated as “secret”. It is understood that the technology disclosed can use multiple levels of security settings for collaboration meetings. The user can select the user interface element 208 to open the workspace and view the content, details list of participants and other information related to the workspace”).
Zhang in view of Chanda are analogous in a token system used to manage user access. Therefore, it would have been obvious to one of the ordinary skill in the art before the effective filing date of the claimed invention to have modified Zhang to incorporate the teachings of Chanda to determine creating a workspace. Doing so allows operating a system for controlling display of a workspace (Chanda [0005] “A system and method for operating a system are provided for controlling display of a workspace, whereas a workspace is a digital construct for organizing content by assigning coordinates or locations to particular digital assets in a virtual space having two or three dimensions in a whiteboard. The digital assets in the virtual workspace can be displayed on a display client according to their coordinates in the virtual workspace”).
Regarding the electronic device, comprising claim 11, and the non-transitory computer-readable storage medium, comprising claim 20, the claims recite similar limitations as the method claim 1, therefore, rejected based on the same rationale as claim 1.
Zhang teaches the method of claim 11, an electronic device, comprising:
at least one processing unit ([Page 19, lines 40-41] “Referring to FIG. 10 , an electronic device 1000 provided by an embodiment of the present disclosure includes a processor 1001”); and
at least one memory coupled to the at least one processing unit and storing instructions for execution by the at least one processing unit, in response to the instructions being executed by the at least one processing unit causing the electronic device to perform a method of permission management comprising: ([Page 19, lines 40-46] “Referring to FIG. 10 , an electronic device 1000 provided by an embodiment of the present disclosure includes a processor 1001 , a communication interface 1002 , a memory 1003 and a communication bus 1004 , wherein the processor 1001 , the communication interface 1002 and the memory 1003 communicate with each other through the communication bus 1004 The memory 1003 is used to store computer programs; the processor 1001 is used to implement the above-mentioned resource access method or data processing method when executing the program stored in the memory); ([Page 19, lines 59-60, page 20 lines 1-6] “According to an embodiment of the present disclosure, the computer-readable storage medium may be a non-volatile computer-readable storage medium, such as, but not limited to, portable computer disks, hard disks, random access memory (RAM), read only memory (ROM) , erasable programmable read only memory (EPROM or flash memory), portable compact disk read only memory (CD-ROM), optical storage devices, magnetic storage devices, or any suitable combination of the foregoing. In this disclosure, a computer-readable storage medium may be any tangible medium that contains or stores a program that can be used by or in conjunction with an instruction execution system, apparatus, or device”); and
a non-transitory computer-readable storage medium having a computer program stored thereon, the computer program being executable by a processor to implement a method of permission management ([page 19, lines 40-46] “Referring to FIG. 10 , an electronic device 1000 provided by an embodiment of the present disclosure includes a processor 1001 , a communication interface 1002 , a memory 1003 and a communication bus 1004 , wherein the processor 1001 , the communication interface 1002 and the memory 1003 communicate with each other through the communication bus 1004 The memory 1003 is used to store computer programs; the processor 1001 is used to implement the above-mentioned resource access method or data processing method when executing the program stored in the memory); ([Page 20, lines 4-6] “In this disclosure, a computer-readable storage medium may be any tangible medium that contains or stores a program that can be used by or in conjunction with an instruction execution system, apparatus, or device”).
Regarding claim 3, Zhang in view of Chanda teaches, the method of claim 1, outlined above. Although Zhang discloses token identification information; Zhang does not explicitly disclose the below limitation of inputting a token identification.
However; Chanda further teaches the method of claim 2, wherein the token creation interface further comprises one or more of: a third control for inputting a token identification ([0070] “For example, the video conferencing and collaboration system can support “participant accounts” of users of the video conferencing and collaboration system, which rely on authorization protocols to establish participant operative identities (OIDs) for access to virtual workspaces and spatial event maps associated therewith. The participants in the collaboration session can login to the workspace using credentials of their “participant accounts” which can be maintained by a collaboration application using a “user accounts table”. These identities are also referred to as internal identities. The technology disclosed also allows users to login to the workspace using external identities provided by external identity providers such as Google™, Okta™, Azure Active Directory, etc. The combination of a participant account and the internal or external identity provider, referred to as a participant operative identity OID, generate a record, such as workspace access tokens, for the display client of the network node of the participant which enables access to the workspace. A participant account may have multiple identity providers available. Thus, to login to a workspace, the participant may select an identity provider. Upon successful login, a workspace access token, such as a Security Assertion Markup Language SAML token is delivered to the display client, linking the participant account identifier, the identity service provider and a workspace domain defined by authorizations associated with the operative identifier, thereby establishing a participant operative identity for utilization of resources within a workspace domain. See, Security Assertion Markup Language, Wikipedia, Mar. 11, 2021”), discloses a control for inputting token identification such as the participant operative identity OID, combines the participant’s account data with the IdP’s unique identifier , and is used to issue an access token; ([0072] “For example, logging in to the workspace can require establishing a first level authorization protocol. The first level authorization protocol can include use of internal or external identities for authentication during login to identify the user. The collaboration server (or other server that is part of the video conferencing and collaboration system) can include a data structure (such as a table or a data set) listing users (or participant OIDs) authorized to receive a spatial event map (or SEM)”); or a fourth control for specifying valid time of a token.
Zhang in view of Chanda are analogous in a token system used to manage user access. Therefore, it would have been obvious to one of the ordinary skill in the art before the effective filing date of the claimed invention to have modified Zhang to incorporate the teachings of Chanda to determine creating a workspace. Doing so allows operating a system for controlling display of a workspace (Chanda [0005] “A system and method for operating a system are provided for controlling display of a workspace, whereas a workspace is a digital construct for organizing content by assigning coordinates or locations to particular digital assets in a virtual space having two or three dimensions in a whiteboard. The digital assets in the virtual workspace can be displayed on a display client according to their coordinates in the virtual workspace”).
Regarding the non-transitory storage medium, comprising claims 13, the claim recite similar limitations as the method claim 3, therefore, rejected based on the same rational as claim 3.
Regarding claim 4, Zhang in view of Chanda teaches, the method of claim 1, outlined above.
Zhang teaches the method of claim 1, further comprising: in response to receiving the token creation request, performing an encryption processing on a first token generated based on the token creation request to update the token management data ([Page 15, lines 43-46] “In operation S601, an access request sent by a demand end is received, where information carried in the access request includes: the method comprises the steps of a user account, token information related to a calling opportunity, address information of a target service resource requested to be called and a target instruction to be executed by the target service resource”; [Page 15, lines 48-51] “The token information is generated according to the resource access information and encryption algorithm pre-obtained from the server when the demand side calls the target service resource; wherein the resource access information is related to the access authority of the user account to the service resource link”; [Page 16, lines 7-11] “On the one hand, since the token information corresponding to each access request is calculated in real time by each demand side at the calling time (recalculation is required for each request), the timeliness does not need to be considered, so the demand side does not need to work hard to tokenize In the development of regular update or replacement, the server does not need to face the pressure of frequent token update”), page 16 discloses a first token is generated and perform encryption based on the token creation request for the token information to be updated by real time.
Regarding the non-transitory storage medium, comprising claims 14, the claim recite similar limitations as the method claim 4, therefore, rejected based on the same rational as claim 4.
Regarding claim 5, Zhang in view of Chanda teaches, the method of claims 4, outlined above.
Zhang teaches the method of claim 4, further comprising: providing a first token information corresponding to the first token to the user ([Page 15, lines 58-60, page 16, lines 1-5] “In one embodiment, after the above-mentioned operations S201 to S203 are performed on the demand side, operation S204 is performed, and an access request carrying the above-mentioned user account, the above-mentioned token information, the above-mentioned address information and the above-mentioned target instruction is sent to the server side. Correspondingly, the server side receives the access request sent by the demand side (corresponding to operation S601). Next, the server performs operation S602 to obtain an access response result, and performs operation S603 to send the access response result to the demand side. Correspondingly, the access response result sent by the server is received at the demand side (corresponding to operation S205)”), page 15 discloses an access request or usage request including first token information corresponding to the first token creation to the developer or user 1; page 14 discloses the first token information as token information is generated and perform encryption and updated by real time.
Regarding the non-transitory storage medium, comprising claims 15, the claim recite similar limitations as the method claim 5, therefore, rejected based on the same rational as claim 5.
Regarding claim 6, Zhang in view of Chanda teaches, the method of claim 1, outlined above.
Zhang teaches the method of claim 1, wherein in response to the token information being verified, determining whether a usage permission corresponding to the token information matches the usage request, the determining comprising (([page 11, lines 31-35] “From the perspective of the server side, since the association between the user account and the access authority of the service resource is pre-configured and stored on the server side, after receiving the access request, the server side decrypts the token information and obtains the authority Verification, to determine whether the user account of the current user has call/access rights to the target service resource), page 10 discloses “a usage permission corresponding to usage request” as resource access rights corresponds to token information of access request):
in response to the token information being verified, obtaining identity information corresponding to the token information ([page 14, lines 36-41] “According to an embodiment of the present disclosure, the above-mentioned confirmation information includes: user account (used to indicate user identity, which can also be described as user identification, such as the login name, user name, mobile phone number, etc. of an open platform), payment information, purchase specific Service resources (for example, the purchased service resources for image recognition), and the purchase validity period of specific service resources; [page 16, lines 58-58] “In sub-operation S7013, the above-mentioned character string information is split to obtain the decrypted timestamp information and the user login password”; [page 17, lines 12-15] “In the above operation S702, performing identity verification on the user corresponding to the above user account according to the above decrypted resource access information, including: verifying whether the decrypted time stamp information is consistent with the time stamp information corresponding to the above access request”, [Page 2] “According to an embodiment of the present disclosure, the above-mentioned decrypting and authority verification of the above-mentioned token information to obtain an access response result includes: decrypting the above-mentioned token information to obtain decrypted resource access information; according to the above-mentioned decrypted resource access information , perform identity verification”); and
determining whether the usage permission corresponding to the identity information matches the usage request ([page 17, lines 16-20] “After verification, the decrypted time stamp information is consistent with the time stamp information corresponding to the above access request, and the decrypted user login password is consistent with the above target user login password Under the circumstance, it is determined that the identity verification of the user account corresponding to the above-mentioned user account has passed”, page 17 discloses the usage request identity information matches or is consistent with the usage request or token information of the access request ).
Regarding the non-transitory storage medium, comprising claims 16, the claim recite similar limitations as the method claim 6, therefore, rejected based on the same rational as claim 6.
Regarding claim 7, Zhang in view of Chanda teaches the method of claim 6 outlined above. Zhang teaches the method of claim 6, wherein determining whether the usage permission corresponding to the identity information matches the usage request comprises (([page 17, lines 16-20] “After verification, the decrypted time stamp information is consistent with the time stamp information corresponding to the above access request, and the decrypted user login password is consistent with the above target user login password Under the circumstance, it is determined that the identity verification of the user account corresponding to the above-mentioned user account has passed”, page 17 discloses the usage request identity information matches or is consistent with the usage request or token information of the access request )):
providing the identity information, an application identification of the application and an action corresponding authentication information from the permission management module ([page 15, lines 38-41] “Referring to FIG. 6 , the data processing method provided by the embodiment of the present disclosure includes the following operations: S601, S602, and S603. Operations S601 to S603 are performed by the server, and the server performs permission management for the demander to access the API service resource corresponding to the API interface”, page 14 discloses server granting the action or permission containing authentication information to the user from the application or API service resource; [page 15, lines 43-46] “In operation S601, an access request sent by a demand side is received, and the information carried in the access request includes: user account, token information related to the invocation timing, address information of the target service resource requested to be invoked, and the target service resource to be executed by the above-mentioned target service resource. Instruction”; [Page 14, line 56] “In operation S603, the above-mentioned access response result is sent to the demander”, page 15 discloses providing the identity information and an associated action (e.g. instruction); [page 15, lines 35-38] “In operation S703a, if the identity verification of the user account is passed, it is determined whether the user account has the right to call the target service resource according to a preconfigured relationship between the user account and the access authority of the service resource), page 15 discloses the permission management system corresponding to identity information;
teaches obtaining authentication information from the permission management module, the authentication information indicating whether the usage permission determined based on the identity information matches the application identification and the action ([page 11, lines “For example, in the implementation scenario of operation S205, after the Token information Token1 is decrypted and right is verified by the server, the obtained decrypted resource access information is: i is1And according to the pre-configured and stored association relationship between the user account and the access authority of the service resource, the resource access information I can be determined1The corresponding resource access authority is as follows: cAHaving access rights to API service resource 1, CA”; note that the authentication information indicating usage permission is interpreted as the token resource access information; “[Page 16, lines 43-59] “In sub-operation S7011, preconfigured target resource access information is queried from a 43 database according to the user account, where the target resource access information includes: a 44 target access key used by the user account to access the authorized service resource. For example, the target access key corresponding to the API service resource 1 authorized by the 47 user account CA is: "rVkR76M9". In sub-operation S7012, according to a decryption algorithm matching the above encryption 50 algorithm, the above-mentioned target access key obtained by query is used as a decryption key, 51 and the above-mentioned token information is decrypted and calculated to obtain character string 52 information. Perform decryption calculation, and the obtained string information is, for example: 55 "1632721553d! $x0u824_^644i@F". 5In sub-operation S7013, the above-mentioned character string information is split to obtain the 57 decrypted timestamp information and the user login password”; [Page 17, lines 1-10] “Split the string information according to the order consistent with the merging during encryption. For example, according to the sequence of timestamp information first and user login password last, the decrypted timestamp information is: "1632721553", and the decrypted user login password is: "d!$x0u824_^644i@F". In operation S702, an identity verification is performed on the user corresponding to the user 6 account according to the decrypted resource access information. The above preconfigured target resource access information includes, in addition to the target 9 access key, the target user login password associated with the above user account”; “In the operation S702, performing identity verification on the user corresponding to the user account according to the decrypted resource access information includes: verifying whether the decrypted timestamp information is consistent with the timestamp information corresponding to the access request; verifying whether the decrypted user login password is consistent with the target user login password; determining that the identity of the user account corresponding to the user account passes the verification under the condition that the decrypted timestamp information obtained by the verification is consistent with the timestamp information corresponding to the access request and the decrypted user login password is consistent with the target user login password; and determining that the identity verification of the user account corresponding to the user account fails under the condition that the decrypted timestamp information obtained through verification is inconsistent with the timestamp information corresponding to the access request and/or the decrypted user login password is inconsistent with the target user login password.”; “Based on the above, when the user is subjected to identity verification, whether a user login password obtained after decryption according to token information in the current access request is matched with a user account or not is verified, whether timestamp information carried in the current access request is a timestamp when the access request is initiated or not is also verified, if the timestamp information is inconsistent, verification is not passed, so that access to service resources by a forged request initiated by illegally intercepted token information can be blocked, and the safety of a server is effectively ensured.”; “In operation S703a, when the identity of the user account passes the identity verification, it is determined whether the user account has a calling right for the target service resource according to a pre-configured association relationship between the user account and an access right of the service resource”, note that the authentication information indicating whether the usage permission determined based on the identity information (interpreted as the authentication information indicating usage permission is interpreted as the token resource access information) matches the application identification and the action (interpreted as the action corresponding to the usage request).
Regarding the non-transitory storage medium, comprising claims 17, the claim recite similar limitations as the method claim 7, therefore, rejected based on the same rational as claim 7.
Regarding claim 8, Zhang in view of Chanda teaches, the method of claims 1 , outlined above. Zhang teaches the method of claim 1, further comprising: in response to the token information failing to be verified, denying the usage request ([Page 11, lines 41-46] “In this way, when performing permission verification, it is possible to obtain the verification result of user A's access to the target service resource: API service resource 2 does not have access permission, so the access response result of access failure will be fed back to the demander. Correspondingly, on the demand side, the result of receiving the access response from the server is: access failed”).
Regarding the non-transitory storage medium, comprising claims 18, the claims recite similar limitations as the method claim 8, therefore, rejected based on the same rational as claim 8.
Regarding claim 9, Zhang in view of Chanda teaches, the method of claim 1, outlined above. Zhang teaches wherein the application is created by the user with a first platform ([Page 14, lines 15-26] “Referring to FIG. 5A , in the above operation S401 , obtaining resource access information and an encryption algorithm includes the following operations: S501 , S502 and S503. In operation S501, confirmation information about successful payment of a specific service resource is received, where the specific service resource is a service resource to be enjoyed by the above-mentioned user when developing or using an application. For example, the operator of an application (an example of a user) can purchase specific service resources corresponding to an API interface for a developing application or a published application through the open platform on the terminal device, then in the development process of the application Or during use, have access rights to the above-mentioned specific service resources (here is an example of satisfying access authorization conditions”), page 14 discloses the application is created by first user or developer (user 1) with the first platform of application, the application is interpreted as specific service resources corresponding to an interface, first platform is interpreted as the open platform or the infrastructure that enables software to execute and interact with hardware and other software programs;
and the usage request is an invocation of an interface for the application, the interface being provided based on a configuration operation of the user in the first platform ([page 14, lines 38-46] “Referring to FIG. 6 , the data processing method provided by the embodiment of the present disclosure includes the following operations: S601, S602, and S603. Operations S601 to S603 are performed by the server, and the server performs permission management for the demander to access the API service resource corresponding to the API interface. In operation S601, an access request sent by a demand side is received, and the information carried in the access request includes: user account, token information related to the invocation timing, address information of the target service resource requested to be invoked, and the target service resource to be executed by the above-mentioned target service resource. instruction”, usage request includes invocating the API interface for the application in the first platform or open platform; [page 16, lines 20-21] “FIG. 7 schematically shows a detailed implementation flowchart of operation S602 according to an embodiment of the present disclosure”; [page 16, lines 43-45] “In sub-operation S7011, preconfigured target resource access information is queried from a database according to the user account, where the target resource access information includes: a target access key used by the user account to access the authorized service resource”, page 16 discloses the configuration of the first user and the first platform.
Regarding the non-transitory storage medium, comprising claims 19, the claim recite similar limitations as the method claim 9, therefore, rejected based on the same rational as claim 9.
Claim(s) 10 is/are rejected under 35 U.S.C. 103 as being unpatentable over Zhang (CN 114528571 A) in view of Chanda (US 20230254352 A1) and in further view of Galloway (US 20190229922).
Regarding Claim 10, Zhang in view of Chanda discloses all features of claim 1 as
outlined above. Although Zhang in view of Chanda discloses a method for obtaining a token creation request based on input information received in the token creation interface, the combination of Zhang in view of Chanda does not explicitly teach does not explicitly teach the token information included in the header.
However, Galloway further teaches the token information included in the header ([0037] “At 230, the user 201 may re-submit the original action request and the token received from the authentication service 203. For example, the token may be included in the header of the request 203. The token and/or the request may be serialized as previously disclosed or, more generally, it may be included in the request in any suitable format”).
Zhang, Chanda, and Galloway are analogous in a token system used to manage user access. Therefore, it would have been obvious to one of the ordinary skill in the art before the effective filing date of the claimed invention to have modified Zhang in view of Chanda to incorporate the teachings of Galloway to determine the information in the header. Doing so would allow the platform to categorize the token (Galloway [0037] “At 230, the user 201 may re-submit the original action request and the token received from the authentication service 203. For example, the token may be included in the header of the request 203”).
Conclusion
The prior art made of record and not relied upon is considered pertinent to the applicant’s disclosure:
Garrapalli (US 20250260573 A1) discloses a system for receiving a token service, a first external request from a remote token service for a first dynamically generated token. ([0003] “Systems and methods are described herein for novel uses and/or improvements to access token generation. More specifically, systems and methods are described for improving security in network environments by dynamically generating access credentials off-line that are resilient to impersonation attempt. For example, one technical problem or vulnerability in access tokens is token leakage”).
Priebatsch (US-8838501-B1) discloses a system of facilitation token authorizing a manager based on a resource received from the request manager ([Col 2, lines 46-50] “The request manager may receive authorization tokens from either or both of the requester and resource; the tokens may include information regarding the identity, location, and/or payment information of the requester and conditions for granting requests from the resource”).
Applicant's amendment necessitated the new ground(s) of rejection presented in
this Office action. Accordingly, THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to VIVIAN D. HO whose telephone number is (571)272-9957. The examiner can normally be reached M- TH 9:00 - 6:00; F 9:00-1:00.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Eleni A. Shiferaw can be reached at (571) 272-3867. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/VIVIAN D HO/Examiner, Art Unit 2497 /ELENI A SHIFERAW/Supervisory Patent Examiner, Art Unit 2497