DETAILED ACTION
1.	Notice of Pre-AIA or AIA Status:  The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.


2.	Claims 1-18 are presented for allowance. 

3.	This allowance of application 16/697780 is in response to Applicant’s claims filed on November 27, 2019.


Claim Interpretation

4.	Claim 1 recites “oAuth access token.”  

	Instant specification [0042] states “the encrypted attribute string is the oAuth-access-token, also known as an ‘oAuth access token.’”

	Since the instant specification does not explain “oAuth-access-token,” a brief search reveals the definitions from Kondarev, Varonis, and Wikipedia quoted in the Reason for Allowance below.



Examiner’s Amendment
5.	An examiner’s Amendment to the record appears below.  Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR § 1.312.  To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the Issue Fee.

6.	Authorization for this examiner’s amendment was given by Robert A. King via an email interview sent to USPTO on September 8, 2021.

7.	The claims have been amended as follows:

1.	(Currently Amended) A method comprising: 
 securely calling APIs that are on an API gateway from computer applications that need a first party authentication by:

receiving, at the API gateway comprising at least one computer processor and from a protected service, an authentication system token or an authentication system cookie identifier from an authentication system, a first plurality of user identifying attributes, and a first request to create an oAuth access token, the first request originating with a first party computer application;
creating, by the API gateway, an attribute string comprising at least one of the first plurality of user identifying attributes and the authentication system token or the authentication system cookie identifier;
encrypting, by the API gateway, the attribute string with a private key, resulting in the oAuth access token;
sending, by the API gateway, the oAuth access token to the first party computer application;
receiving, by the API gateway and from the first party computer application, a second request to access a backend service, a second plurality of user identifying attributes, and the oAuth access token;
decrypting, by the API gateway, the oAuth access token with the private key;
validating, by the API gateway, the decrypted oAuth access token;
inserting, by the API gateway, the authentication system token or the authentication system cookie identifier into the second request to access; and
communicating, by the API gateway, the second request to access and the authentication system token or the authentication system cookie identifier to the backend service.

2.	(Original) The method of claim 1, wherein the first plurality of user identifying attributes comprise at least one of a device mac id, a device manufacturer, a device geo-location, a device operating system, a device operating system version, a device IP address, a user profile id, and a user id. 

3.	(Currently Amended) The method of claim 1, further comprising:
setting, by the API gateway, an expiration for the oAuth access token.

4.	(Original) The method of claim 3, wherein the step of validating the decrypted oAuth access token comprises verifying that the oAuth access token has not expired.

5.	(Original) The method of claim 1, wherein the backend service comprises a micro service, a SOA service, a REST service, a SOAP service, monolith service, a standard routine, a standard function, a lambda function, or a procedure.

6.	(Original) The method of claim 1, wherein a plurality of the user identifying attributes are concatenated in the attribute string in a random order.



8.	(Currently Amended) The method of claim 1, wherein the step of validating the decrypted oAuth access token comprises comparing extracted values from the oAuth token to the second plurality of user identifying attributes.

9.	(Currently Amended) The method of claim 1, wherein the backend service calls the authentication system to check if the authentication system token or the authentication system cookie identifier is valid, and further comprising:
receiving, by the API gateway, an error in response to the authentication system token or the authentication system cookie identifier being invalid; and
sending, by the API gateway, an access grant denied error to the first party computer application.

10.	(Currently Amended) A system comprising:
a first party computer application;
an authentication system;
a protected service;
an API gateway comprising APIs that need a first party authentication; and
a backend service;
wherein:
the authentication system authenticates a user logging in to the first party computer application;
the authentication system creates a session and returns session details to the first party computer application;
the protected service receives a first request involving the backend service from the first party computer application and a first plurality of user identifying attributes;
the protected service calls the API gateway to create an oAuth access token and the first plurality of user identifying attributes;
the API gateway creates an attribute string comprising at least one of the first plurality of user identifying attributes and  an authentication system token or  an authentication system cookie identifier;
the API gateway encrypts the attribute string with a private key, resulting in the oAuth access token;
the API gateway sends the oAuth access token to the first party computer application; 
the API gateway receives, from the first party computer application, a second request to access the backend service, a second plurality of user identifying attributes, and the oAuth access token;
the API gateway decrypts the oAuth access token with the private key;
the API gateway validates the decrypted oAuth access token; 
the API gateway inserts the authentication system token or the authentication system cookie identifier into the second request to access; and 
the API gateway communicates the second request to access and the authentication system token or the authentication system cookie identifier to the backend service.

11.	(Original) The system of claim 10, wherein the first plurality of user identifying attributes comprise at least one of a device mac id, a device manufacturer, a device geo-location, a device operating system, a device operating system version, a device IP address, a user profile id, and a user id.

12.	(Original) The system of claim 10, wherein the API gateway sets an expiration for the oAuth access token.




14.	(Original) The system of claim 12, wherein the backend service comprises a micro service, a SOA service, a REST service, a SOAP service, monolith service, a standard routine, a standard function, a lambda function, or a procedure.

15.	(Original) The system of claim 10, wherein a plurality of the user identifying attributes are concatenated in the attribute string in a random order.

16.	(Original) The system of claim 10, wherein a plurality of the user identifying attributes are concatenated in the attribute string in a rotating order.

17.	(Currently Amended) The system of claim 10, wherein the API gateway validates the decrypted oAuth access token by comparing extracted values from the oAuth token to the second plurality of user identifying attributes.

18.	(Original) The system of claim 10, wherein:
the backend service calls the authentication system to check if the authentication system token or the authentication system cookie identifier is valid;

the API gateway sends an access grant denied error to the first party computer application.

Reason for Allowance

8.	Claims 1 and 10 of the present invention are directed towards securely calling APIs, which are on an API gateway, from computer applications that need a first party authentication.  Independent claims 1 and 10 each identify the following uniquely distinct combination of features:
securely calling APIs that are on an API gateway from computer applications that need a first party authentication
receiving, at the API gateway comprising at least one computer processor and from a protected service, an authentication system token or an authentication system cookie identifier from an authentication system, a first plurality of user identifying attributes, and a first request to create an oAuth access token, the first request originating with a first party computer application
creating, by the API gateway, an attribute string comprising at least one of the first plurality of user identifying attributes and the authentication system token or the authentication system cookie identifier
encrypting, by the API gateway, the attribute string with a private key, resulting in the oAuth access token
sending, by the API gateway, the oAuth access token to the first party computer application
receiving, by the API gateway and from the first party computer application, a second request to access a backend service, a second plurality of user identifying attributes, and the oAuth access token;
decrypting, by the API gateway, the oAuth access token with the private key
validating, by the API gateway, the decrypted oAuth access token;
inserting, by the API gateway, the authentication system token or the authentication system cookie identifier into the second request to access
communicating, by the API gateway, the second request to access and the authentication system token or the authentication system cookie identifier to the backend service.
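
The token flow recited in independent claims 1 and 10 (with the expiry of claims 3 and 4, the shuffled attribute string of claim 6, and the attribute comparison of claim 8) is shown below as an added example; it is not the applicant's code and is not part of the examined application. Assumptions: the claimed "private key" is read as a symmetric key held only by the API gateway (a bare decryption step gives no integrity guarantee, so the example seals the attribute string with encrypt-then-MAC rather than encryption alone, and a flipped ciphertext byte is rejected instead of being parsed); the keystream is built from HMAC-SHA256 in counter mode so the example runs on the Python standard library, where a production gateway would use a vetted AEAD such as AES-GCM. The attribute names, the `X-Auth-System-Token` header and the session value are constructed for illustration.

```python
"""Gateway-issued oAuth access token, modelled on claims 1, 3, 4, 6 and 8 (added example)."""
import base64
import hashlib
import hmac
import json
import os
import random
import time
from typing import Any, Dict, Optional

ENC_KEY = os.urandom(32)   # constructed: gateway-only key, never sent to the first party application
MAC_KEY = os.urandom(32)   # constructed: gateway-only integrity key (separate from ENC_KEY)
NONCE_LEN, TAG_LEN = 16, 32


def _keystream(nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream: block_i = HMAC-SHA256(ENC_KEY, nonce || i). Stand-in for a real AEAD."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(ENC_KEY, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag, the tag binding both nonce and ciphertext."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(nonce, len(plaintext))))
    tag = hmac.new(MAC_KEY, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(blob: bytes) -> Optional[bytes]:
    """Return the plaintext, or None when the tag does not verify (tampered or foreign token)."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(MAC_KEY, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison before any decryption
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(nonce, len(ct))))


def build_attribute_string(attrs: Dict[str, str], auth_token: str, ttl_s: int) -> bytes:
    """Claim 1 attribute string: identifying attributes (shuffled, claim 6), the authentication
    system token or cookie identifier, and the expiry set by the gateway (claim 3)."""
    pairs = list(attrs.items())
    random.shuffle(pairs)   # order carries no meaning; parsing below is order-independent
    record = {"attrs": pairs, "auth_token": auth_token, "exp": int(time.time()) + ttl_s}
    return json.dumps(record).encode()


def issue_access_token(auth_token: str, attrs: Dict[str, str], ttl_s: int = 300) -> str:
    """First request: the gateway seals the attribute string; the result is the oAuth access token."""
    return base64.urlsafe_b64encode(seal(build_attribute_string(attrs, auth_token, ttl_s))).decode()


def validate_token(token: str, presented_attrs: Dict[str, str], now: Optional[int] = None) -> Optional[str]:
    """Second request: decrypt, then check integrity, expiry (claim 4) and that the extracted
    attributes equal the second plurality the application now presents (claim 8).
    Returns the embedded authentication system token on success, None on any failure."""
    try:
        plain = open_sealed(base64.urlsafe_b64decode(token))
    except ValueError:            # base64 padding/alphabet errors are ValueError subclasses
        return None
    if plain is None:
        return None
    record = json.loads(plain)
    current = now if now is not None else int(time.time())
    if current >= record["exp"]:
        return None
    if dict(record["attrs"]) != presented_attrs:
        return None
    return record["auth_token"]


def forward_request(token: str, request: Dict[str, Any], presented_attrs: Dict[str, str],
                    now: Optional[int] = None) -> Dict[str, Any]:
    """Gateway step: insert the authentication system token into the request bound for the backend
    service, or return the access grant denied error of claim 9 to the first party application."""
    auth_token = validate_token(token, presented_attrs, now)
    if auth_token is None:
        return {"status": 403, "error": "access grant denied"}
    forwarded = dict(request)
    forwarded["headers"] = {**request.get("headers", {}), "X-Auth-System-Token": auth_token}
    return {"status": 200, "forwarded": forwarded}


def tamper_token(token: str) -> str:
    """Flip one ciphertext bit. Encryption alone would decrypt this to altered attributes; the MAC rejects it."""
    raw = bytearray(base64.urlsafe_b64decode(token))
    raw[NONCE_LEN] ^= 0x01
    return base64.urlsafe_b64encode(bytes(raw)).decode()
```

The backend service never sees the gateway keys: it receives only the authentication system token that the gateway extracted, and can still call the authentication system to confirm that token is valid, as claims 9 and 18 describe.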

9.	Regarding allowed claims 1 and 10 presented above, the following is an examiner’s statement of reasons for allowance.  The following are the closest prior art/references:

Liu (US Pub 20140033291) [0039] [0051] [0067].

Pitchaimani (US Pub 20190132307) [0011] [0041] [0044].

Poschel et al. (US Pub 20180219846) [0006] [0032] [0057] [0088].

Lininger (US Pub 20120331061) [0037].

Weimer et al. (US Pub 20170366348) [0056].

de Boer  (US Pub 20200076794) [0028] [0030].

Maria et al. (US Pub 2019037962) [0008] [0026].

Choyi et al., “Identity management with local functions”, (JP 2015-511348 A, 2015) pages 4, 7 and 17.

Kondarev (US Pub 2020021573) [0013] states “the access token(s) are arrange according to a version of the Open Authorization (OAuth) standard.  Implementations support the use of other authorization standards.  An access token can include at least one credential that is associated with a particular user, and the access token can be issued to authorize that user to access a particular service. The first access token (e.g., with long or unlimited lifetime) can be requested by an authorization client (e.g., OAuth client) that is part of the proxy service, and the second access token (e.g., with limited lifetime) can be requested by an authorization client (e.g., 

According to Varonis (“What is OAuth?  Definition and How it Works”), “OAuth is an open-standard authorization protocol or framework that provides applications the ability for ‘secure designated access.’  For example, you can tell Facebook that it’s OK for ESPN.com to access your profile or post updates to your timeline without having to give ESPN your Facebook password.”  “OAuth doesn’t share password data but instead uses authorization tokens to prove an identity between consumers and service providers.  OAuth is an authentication protocol that allows you to approve one application interacting with another on your behalf without giving away 

According to Wikipedia, “OAuth (Open Authorization[1][2]) is an open standard for access delegation, commonly used as a way for Internet users to grant websites or application access to their information on other websites but without giving them the passwords.[3][4]  This mechanism is used by companies such as Amazon,[5] Google, Facebook, Microsoft and Twitter to permit the users to share information about their accounts with third-party application or websites.”  “Generally, OAuth provides clients a ‘secure delegated access’ to server resources on behalf of a resource owner.  It specifies a process for resource owners to authorize third-party access to their server resources without providing credentials.  Designed specifically to work with Hypertext Transfer Protocol (HTTP), OAuth essentially allows access tokens to be issued to third-party clients by an authorization server, with the approval of the resource owner.  The third party then uses the access token to access the protected resources hosted by the resource server.[2] ”   Refer to Wikipedia online for the respective references [1][2][3][4][5].



According to Microsoft Computer Dictionary, “gateway” is defined as “a device that connects networks using different communications protocols so that information can be passed from one to the other.  A gateway both transfers information and converts it to a form compatible with the protocols used by the receiving network.”


10.	In summary, nowhere does the prior art disclose the unique combination of steps/elements listed above.  The unique combination of steps/elements listed above is a novel combination.  The definitions presented above provide explanation/clarification of some critical features (e.g., oAuth, oAuth access token, backend, gateway).  The prior art, either singularly or in combination, fails to anticipate or render obvious the present invention.

Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”



If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Thu Nguyen can be reached on 571-272-6967.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.

Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the Public PAIR system, see http://portal.uspto.gov/pair/PublicPair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





	September 27, 2021