DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Applicant's amendments filed on 06/04/2021 has been received and entered.  Currently Claims 1-20 are pending.

	Response to Arguments
Applicant argues on pages 8-9 of applicant’s remarks that Cameron in view of Bjones and Krstulich do not disclose, teach, or suggest "receive a login request to perform a transaction between a user and a requesting site".
The examiner respectfully disagrees.  Cameron teaches a user requesting access to web page at a relying party and the user is redirected to a login page ([0061]).  Cameron further teaches the user performing login procedures and requesting an identity token from an identity provider for accessing the relying party ([0062]-[0063]).  Therefore, Cameron teaches the identity provider receiving a login request (e.g. login procedures/request for identity token).  In addition, since the request is for accessing resources of a relying party, the request is for performing a transaction between the user and a requesting site.

Applicant argues on pages 9-10 of applicant’s remarks that Cameron in view of Bjones and Krstulich do not disclose, teach, or suggest "based on a two-way verification of a trusted site determination and the identity verification of the user, transmit the generated token to the requesting site" as recited in the amended claims.
The examiner respectfully disagrees.  Krstulich teaches authenticating a user via user login ([0024]).  Krstulich further teaches generating a token, determining a trusted path to send the token, and transmitting the token to a site via the trusted path ([0018], [0012]-[0023]).  It is obvious to one of ordinary skill in the art that if a trusted path exists the site is trusted and if a trusted path does not exist the site is not trusted.  Therefore, Krstulich teaches transmitting a token based on a two-way verification of a trusted site determination and an identity verification of a user.

Applicant argues on page 10 of applicant’s remarks that Cameron in view of Bjones and Krstulich do not disclose, teach, or suggest "display a logon button that includes a login request to perform a transaction between a user and a requesting site" as recited in the amended claims.
Applicant’s arguments are moot in view of the new ground(s) of rejection.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 9 and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Cameron et al. US2008/0289020 hereinafter referred to as Cameron, in view of Bjones et al. US2013/0276087 hereinafter referred to as Bjones, Krstulich et al. US2009/0119182 hereinafter referred to as Krstulich, and DeSoto et al. US2016/0162875 hereinafter referred to as DeSoto.
As per claim 1, Cameron teaches an apparatus, comprising: a processor; a memory unit storing computer-executable instructions, which when executed by the processor, cause the apparatus to: receive a login request to perform a transaction between a user and a requesting site, the login request comprising a token request (Cameron paragraph [0048], [0061]-[0063], request an identity token); 
generate a token based on the received login request (Cameron paragraph [0064]-[0065], generate identity token).
Cameron does not explicitly disclose verify identity of user of transaction; 
based on identity verification of the user, transmit generated token to requesting site.  

based on identity verification of the user, transmit generated token to requesting site (Bjones paragraph [0099]-[0100], [0113]-[0114], [0119], [0121], [0137], authenticate user, generate token and transmit token to relying party).  
Thus it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Cameron with the teachings of Bjones to include authenticating the requesting user before issuing and transmitting a token in order to issue and release tokens for authorized users.
Cameron in view of Bjones does not explicitly disclose determine if requesting site is a trusted site; and 
based on a two-way verification of  a trusted site determination and identity verification of user, transmit generated token to the requesting site.  
Krstulich teaches determine if requesting site is a trusted site (Krstulich paragraph [0018], [0022]-[0023], determine trusted path to send token)(It is obvious to one of ordinary skill in the art that if a trusted path exists the site is trusted and if a trusted path does not exist the site is not trusted); and 
based on a two-way verification of  a trusted site determination and identity verification of user, transmit generated token to the requesting site (Krstulich paragraph [0018], [0021]-[0024], [0028], authenticate user and transmit token over trusted path).  
Thus it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Cameron in view of Bjones with the teachings of Krstulich to include determining and sending a token via a trusted path in order to prevent illegitimate sites from receiving the token.
Cameron in view of Bjones and Krstulich does not explicitly disclose display a logon button that includes a login request to perform a transaction between a user and a requesting site.
DeSoto teaches display a logon button that includes a login request to perform a transaction between a user and a requesting site (DeSoto paragraph [0027], user clicks on safe login button to establish session).


As per claims 9 and 17, the claims claim a method and a non-transitory computer readable media essentially corresponding to the apparatus claim 1 above, and they are rejected, at least for the same reasons.

Allowable Subject Matter
Claims 2-8, 10-16 and 18-20 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to HENRY TSANG whose telephone number is (571)270-7959.  The examiner can normally be reached on M-F 8am - 5pm EST.

Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/HENRY TSANG/Primary Examiner, Art Unit 2495