DETAILED ACTION

Response to Arguments
Applicant's arguments (“REMARKS”) filed December 28, 2020 have been fully considered but they are moot in view of a new ground of rejection.
Claims 1-20 are currently pending. Claims 1, 7, 8, 10, 12, 14, 15, and 17 were amended.

Re: OBJECTION TO THE SPECIFICATION
The objection to [0022] of the originally filed specifications for containing typographic errors has been withdrawn in view of the amendments.

Re: REJECTION OF CLAIMS UNDER 35 U.S.C. §101
The rejection of claims 12-16 under 35 U.S.C. § 101 for being directed to nonstatutory subject matter has been withdrawn in view of the amendments to claim 12. 

Re: REJECTION OF CLAIMS UNDER 35 U.S.C. § 103
Applicant argues on pp. 9-10 of the REMARKS that the cited prior arts in the 103 rejection fail to teach or suggest “a client token generated by the first client”, as currently presented in independent claims 1, 12, and 17. However, this argument is now moot in view of a new ground of rejection. See Claim Rejections - 35 USC § 103 below for details.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-3, 9-12, 14, and 16-18 are rejected under 35 U.S.C. 103 as being unpatentable over Paddon et al. (hereinafter, “Paddon”), US 2013/0086656 in view of McGarvey et al. (hereinafter, “McGarvey”), US 2003/0028773.
As per claim 1: Paddon discloses: A method for providing identity services (a method including an authentication server 210 [Paddon, ¶17; Fig. 1]), the method comprising: receiving credentials for a first client (receiving user credentials 112 from a user browser client 220 [Paddon, ¶17; Fig. 1]); issuing a code to the first client in response to verifying the credentials (sending an authentication cookie 102 to the user browser client [Paddon, ¶17; Fig. 1]); receiving a request for a temporary token from the first client, the request including the code (receiving an access request 114 that includes the authentication cookie from the user browser client [Paddon, ¶17; Fig. 1]); generating the temporary token in response to validating (authentication by checking user credentials  in the received authentication cookie [Paddon, ¶17]); and providing the temporary token to the first client (the authentication server responds to the access request with a limited-use cookie 132 to the user browser client [Paddon, ¶17]).
Paddon does not disclose including “a client token generated by the first client” in the access request 114. Only the authentication cookie 102 (e.g. a “code”) is included in the request. However, this token may be viewed simply as a signed data in convention public key infrastructure (PKI) authentication. For example, in the background disclosure of [McGarvey, ¶4], a nonce is provided to a client from a server in a PKI authentication process. The client signs the nonce (the nonce may also be the “code” in an alternative rejection) with its digital signature and returns the signed nonce (e.g. “client token generated by the first client”) to the server, wherein the server verifies the signed nonce with the client’s public key (e.g. “…validating the client token…”).
Thus, it would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to further include PKI authentication with the access request in Paddon. This would have added another layer of verification to the client by requiring possession of the corresponding private key used to sign a nonce, or any data, sent from the server. 

As per claim 2:  Paddon in view of McGarvey disclose all limitations of claim 1. Furthermore, Paddon in view of McGarvey disclose: wherein the temporary token comprises a one-time use token (the limited-use cookie may be a one-time use cookie [Paddon, ¶18]).  

As per claim 3: Paddon in view of McGarvey disclose all limitations of claim 1. Furthermore, Paddon in view of McGarvey disclose: further comprising: receiving, from a service provider, a request to validate the temporary token (a content server sends a request 134 to validate the limited-use cookie at the authentication server [Paddon, ¶17]); in response to verifying that the temporary token is valid, providing a response to the service provider indicating the temporary token is valid (the authentication server validates the session ID from the limited-use cookie and provides a valid session message 182 to the content server [Paddon, ¶17]); and invalidating the temporary token (the limited-use cookie is invalidated by the authentication server [Paddon, ¶17]).  

As per claim 9: Paddon in view of McGarvey disclose all limitations of claim 1. Furthermore, Paddon in view of McGarvey disclose: further comprising configuring the temporary token to have an expiration time of less than five minutes (the limited-use cookie may have a short expiration time, such as about one minute [Paddon, ¶18]; the expiration time of one minute in Paddon is not abslute, thus a person having ordinary skill may set the time to whatever is required in the design of the system, as long as the time is short – e.g. 5 minutes is reasonable considered as a short amount of time).  

As per claim 10: Paddon in view of McGarvey disclose all limitations of claim 1. Furthermore, Paddon in view of McGarvey disclose: wherein the temporary token is provided by the first client in a request to a service provider (the content sever receives the limited-use cookie from the user browser client [Paddon, ¶17; Fig. 1]).  

As per claim 11: Paddon in view of McGarvey disclose all limitations of claim 1.Furthermore, Paddon in view of McGarvey disclose: wherein generating the temporary token comprises storing data associated with the first client in the temporary token (a session identifier associated with the user browser client is include in the limited-use cookie [Paddon, ¶¶17-18]).  

As per claim 12: Claim 12 is different in overall scope from claims 1 and 3 but recites substantially similar subject matter as claims 1 and 3. Claim 12 is directed to an apparatus corresponding to the method of claims 1 and 3. Thus, the response provided above for claims 1 and 3 are equally applicable to claim 12.

	
As per claim 14: Paddon in view of McGarvey disclose all limitations of claim 12. Furthermore, Paddon in view of McGarvey disclose: wherein the instructions executable by the processor circuit further cause the apparatus to verify a signature associated with the request using a public key of the client (evaluating the signed nonce with a public key of the client [McGarvey, ¶4]).  

As per claim 16: Paddon in view of McGarvey disclose all limitations of claim 12. Furthermore, Paddon in view of McGarvey disclose: wherein the temporary token is configured with an expiration time of less than five minutes (the limited-use cookie may have a short expiration time, such as about one minute [Paddon, ¶18]; the expiration time of one minute in Paddon is not set in stone, thus a person having ordinary skill may set the time to whatever is required in the design of the system, as long as the time is short – e.g. 5 minutes is reasonable considered as a short amount of time).  

As per claim 17: Claim 17 is different in overall scope from claims 1 and 3 but recites substantially similar subject matter as claims 1 and 3. Claim 17 is directed to one or more non-transitory machine-readable media comprising machine executable instructions corresponding to the method of claims 1 and 3. Thus, the response provided above for claims 1 and 3 are equally applicable to claim 17.

As per claim 18: Paddon in view of McGarvey disclose all limitations of claim 17. Furthermore, Paddon in view of McGarvey disclose: wherein the temporary token comprises a one-time use token (the limited-use cookie may be a one-time use cookie [Paddon, ¶18]).  

Claims 7 and 8 are rejected under 35 U.S.C. 103 as being unpatentable over Paddon in view of McGarvey and in further view of Fletcher et al. (hereinafter, “Fletcher”), US 2019/0394187.
As per claim 7: Paddon in view of McGarvey disclose all limitations of claim 1. Paddon and McGarvey do not disclose the features of claim 7. However, Fletcher is directed to analogous art of providing mechanisms for token exchange. Fletcher discloses a mechanism for further comprising: receiving, from a second client (in view of Fletcher: a shared security mechanism, such as in the form of a keychain, keystore, or the like, is provided for multiple applications (e.g. “a second client”) on a device to allow the use of the same credentials – such as the authentication cookie in Paddon – to obtain the limited-use cookie as discussed in claim 1 or in the following limitations), a request for a second temporary token, the request including the code and the client token generated by the first client (receiving an access request 114 that includes the authentication cookie from the user browser client [Paddon, ¶17; Fig. 1]); and in response to verifying that the code and the client token are valid, providing the second temporary token to the second client (the authentication server responds to the access request with a limited-use cookie 132 to the user browser client [Paddon, ¶17]). 
Thus, it would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to provide a sharing security mechanism, as disclosed in Fletcher, to provide services to multiple application clients on a user device. This would have reduced the amount of logins required in Paddon when the same user wishes to authenticate on a different user browser client.

As per claim 8: Paddon in view of McGarvey and Fletcher disclose all limitations of claim 7. Furthermore, Paddon in view of McGarvey and Fletcher disclose: wherein the client token and the code are received by the second client from the first client (a first mobile application stores tokens with the connector code in the shared security mechanism, wherein a second . 

Claims 13, 15, 19, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Paddon in view of McGarvey and in further view of Teppler (hereinafter, “Teppler”), US 6,985,507.
As per claim 13: Paddon in view of McGarvey disclose all limitations of claim 12. Paddon and McGarvey do not disclose the features of claim 13. However, Teppler provides background information to conventional symmetric and asymmetric cryptography [Teppler, col. 7, line 6 – col. 8, line 6]. Hence, Paddon in view of McGarvey and Teppler disclose: wherein the code and the client token are encrypted with one of a public or private key of a public/private key pair (in asymmetric cryptography, a private/public key pair can be used to encrypt or sign data [Teppler, col. 7, lines 50-61]). 
Thus, it would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to provide some form of encryption to the authentication cookie and signed nonce dataset in the modified system of Paddon in view of McGarvey. Encryption of the dataset would have added more security to the communications between the user browser client and authentication server of Paddon. Asymmetric cryptography, as discussed in [Teppler, col. 7, lines 51-66], is more secure and scalable form of communications over symmetric cryptography.

As per claim 15: Paddon in view of McGarvey disclose all limitations of claim 12. Paddon and McGarvey do not disclose the features of claim 13. However, Teppler provides background information to conventional symmetric and asymmetric cryptography [Teppler, col. 7, line 6 – col. 8, line 6]. Hence, Paddon in view of McGarvey and Teppler disclose: wherein the instructions executable by the processor circuit further cause the apparatus to: decrypt the client token using a private key (a shared key between a sender (e.g. the user browser client in Paddon) and a receiver (e.g. the authentication server in Paddon) is used to encrypt and decrypt transmitted data [Teppler, col. 7, lines 6-17]); and verify that the code is associated with the client using information from the client token (the server verifies the signed nonce with the client’s public key [McGarvey, ¶4]; a public key proves a user’s identity via a third party server that the user was in possession of the corresponding private key, hence this proof would have been used in conjunction of verifying the “code” (authentication cookie containing user credentials in Paddon) is associated with the user as well). 
Thus, it would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to provide some form of encryption to the authentication cookie and signed nonce dataset in the modified system of Paddon in view of McGarvey. Encryption of the dataset would have added more security to the communications between the user browser client and authentication server of Paddon.

As per claim 19: Claim 19 incorporates all limitations of claim 17 and is one or more non-transitory machine-readable media comprising machine executable instructions corresponding 

As per claim 20: Paddon in view of McGarvey and Teppler disclose all limitations of claim 19. Furthermore, Paddon in view of McGarvey and Teppler disclose: wherein the machine executable instructions to validate the code and the client token comprise instructions to: verify a signature associated with the request using a public key of the client (digital signatures are commonly signed with a private key in a public/private key pair and verified using said corresponding public key [Teppler, col. 8, lines 23-65]); and decrypt the client token using a private key (a shared key between a sender (e.g. the user browser client in Paddon) and a receiver (e.g. the authentication server in Paddon) is used to encrypt and decrypt transmitted data [Teppler, col. 7, lines 6-17]).

Allowable Subject Matter
Claims 4-6 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.
The arguments presented in the REMARKS to parent claim 1 has been fully considered and are persuasive in regards to claim 4. Claim 4 is directed to generating an identity provider token comprising specific properties and features for validating a client token generated by the first client. It is further noted that the term “token” is interpreted in the same consistency as the filed specifications use of “tokens” (e.g. see [0022] of the filed specifications). The claim, as 

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
US 2004/0111621: A server cookie with limited use is provided to a user after successfully validating the user’s credentials, wherein the server cookie is further used to request access to services and to obtain a directory cookie.

Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 

Communications

Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, JUNG KIM can be reached on 571-272-3804.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.




/ROBERT B LEUNG/Primary Examiner, Art Unit 2494                                                                                                                                                                                                        3-30-2021