DETAILED ACTION

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .


Response to Amendments
This communication is in response to the amendments filed on 30 September 2021:
	Claims 1-20 are pending. 


Response to Arguments
In response to Applicant’s remarks filed on 30 September 2021:
a.	Applicant’s arguments that Wang does not teach that the “content server” comprises a plurality of other servers has been fully considered but is deemed moot due to the fact that Wang was not utilized to teach this limitation. Applicant’s attention is directed to Garmark, Paragraph [0084], see “the method 700 further includes authenticating the first token, including sending the first token to a third server (706)…authenticating the first token includes sending the first token from the local utility to a third server (707), and receiving, at the local utility, an authentication message from the third server (708)…the authentication message indicates that the first token was issued by the second server”, where the third server is the server that receives the first token and where the first token is sent by the client computer to the server to verify the clients identity”, which clearly indicates that there is a plurality of other servers. 
b.	Applicant’s arguments that Wang and Kobayashi do not teach or suggest “obtain (or obtaining) a second token, wherein the second token has been provided by the server and requests access to one or more services of one or more other servers” has been fully considered but is deemed moot due to the fact that neither Wang nor Kobayashi were utilized to teach this limitation. Applicant’s attention is directed to Garmark, Paragraph [0085], see “The method 700 further includes, in response to authenticating the first 



Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.


Claims 1-3, 6-10, 13-17 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Kobayashi (U.S. PGPub. 2015/0350179), in view of GARMARK et al. (U.S. PGPub. 2014/0337959), hereinafter Garmark.

	Regarding claim 1, Kobayashi teaches A computing system that includes one or more processors configured to execute computer executable code, wherein the one or more processors are further configured to (Kobayashi, Paragraph [0177], see “The computer may comprise one or more of a central processing unit (CPU)…or separate computer processors. The computer executable instructions may be provided to the computer, for example, from a network or the storage medium”):
	obtain, from a server, a redirected request for service from the server, wherein the redirected request for service is an initial request for service made by a client to the server for one or more services of the server (Kobayashi, Paragraph [0054], see “the user issues a request to start an authorization cooperation service that requires access to a protected resource”) (Kobayashi, Paragraph [0056], see “the resource server 400 issues a redirection request expressed as the HTTP/1.1 status code 302 to the browser on the client PC 200 so that the browser on the client PC 200 requests an OAuth authorization”, where “resource server 400” is being read as a server, which issues a redirected request for service from the server, wherein the redirected request for service is an initial request for service made by a client);
	obtain at least authentication credentials of the client, wherein the authentication credentials of the client are needed to verify the identity of the client (Kobayashi, Paragraph [0060], see “upon receiving the redirection request, the client PC 200 requests the authorization server 500 to authenticate the user and grant an authorization according to the redirection request…upon receiving the authorization request, the authorization server 500 returns a login screen 2000 illustrated in FIG. 6A to the browser on the client PC 200 to authenticate the user…the user as the resource owner 1000 inputs a user ID and a password onto the login screen 2000 displayed on the browser on the client PC 200”, where “user ID and a password” is being read as authentication credentials of the client);
	generate a first token based at least on the authentication credentials of the client, wherein the first token includes authentication information associated with the client that indicates that the identity of the client has been verified (Kobayashi, Paragraph [0066], see “If the authorization confirmation has succeeded, in step S5.6, the authorization server module 510 performs access token issue processing for generating the access token that allows access to the resource server 400”, where a first token is generated based at least on the authentication credentials (i.e., If the authorization confirmation has succeeded using the authentication credentials of the user)) (Kobayashi, Paragraph [0067], see “The authorization server module 510 registers the generated access token into the Table 3…the authorization server module 510 stores scope information and the user ID contained in a record of an authentication token already registered in the token table into the scope and the user ID”, where the token includes authentication information associated with the client that indicates that the identity of the client has been verified); 
	provide the generated first token to the client, thereby allowing the client to send the first token to the server to indicate that the identity of the client has been verified at least partly based on the authentication information (Kobayashi, Paragraph [0068], see “The access token response transmitted from the authorization server module 510 to the client PC 200 at this time (step S4.11) is configured according to the specification of OAuth 2.0…”, where the access token is provided to the client) (Kobayashi, Paragraph [0073], see “the web-hosted client module 310 of the web-hosted client 300 returns a response containing the script that allows the web browser 230 on the client PC 200 to acquire the access token…the client script 220 running on the web server 201, which has received the script for acquiring the access token, acquires the access token by executing the script. As a result, in step S4.15, the client script 220 can access the resource server 400”, where the client sends the token to the server to indicate that the identity of the client has been verified (e.g., thereby allowing access to the resource server 400); 
	
	Kobayashi does not teach the following limitation(s) as taught by Garmark: obtain a second token, wherein the second token has been provided by the server and requests access to one or more services of one or more other servers, after the client has sent the first token to the server to indicate that the identity of the client has been verified, and wherein the one or more other servers are different than the server that has received the first token.

Therefore, it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the techniques for an authority transfer system, disclosed of Kobayashi, by implementing techniques for controlling a local application through a web page, comprising of obtaining a second token, wherein the second token requests access to one or more services of one or more other servers, after the client has sent the first token to the server to indicate that the identity of the client has been verified, as disclosed of Garmark.   
One of ordinary skill in the art would have been motivated to make this modification in order to implement techniques for a secure diverse computing environment, comprising of obtaining a second token, wherein the second token requests access to one or more services of one or more other servers, after the client has sent the first token to the server to indicate that the identity of the client has been verified. This allows for a more secure computing environment in cases where a first token gets compromised by an unauthorized third-party. The main benefit of generating new tokens on each request is that the tokens become short term and even if an unauthorized entity steals the token, it will expire very fast (Garmark, Paragraphs [0084 – 0085]). 

The computing system of claim 1, wherein the one or more processors are further configured to:
	verify the identity of the client based on the obtained authentication credentials of the client (Kobayashi, Paragraph [0050], see “The authorization server 500 has a function of verifying a pair of user ID information and password information, i.e., authentication information, and generating information indicating that a user or a client is authenticated if the combination is a valid combination, thereby authenticating each user or each client”).

	Regarding claim 3, Kobayashi does not teach the following limitation(s) as taught by Garmark: The computing system of claim 1, wherein the one or more processors are further configured to:
	generate a third access token, wherein the third access token includes authorization information allowing the server to access one or more other services of one or more other servers, thereby allowing the server to send the token to the one or more other servers to indicate that is has been authorized to access the one or more other services from one or more other servers.
	(Garmark, Paragraph [0087], see “the method includes verifying that the third token matches the second token (716). If the second and third tokens match, one or more actions based on the content of the second request are taken (718)…By verifying that the third token matches the second token (i.e., is the same token), the local utility verifies that the second request was issued by the same module that was previously authenticated using the first token”, where a third access token is generated, wherein the third access token includes authorization information which allows the server to access one or more other services of one or more other servers). 
Therefore, it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the techniques for an authority transfer system, disclosed of Kobayashi, by implementing techniques for controlling a local application through a web page, comprising generating a third access token, wherein the third access token includes authorization information allowing the server to access one or more other services of one or more other servers, disclosed of Garmark.    
One of ordinary skill in the art would have been motivated to make this modification in order to implement techniques for a secure diverse computing environment, comprising generating a third access token, wherein the third access token includes authorization information allowing the server to access one or more other services of one or more other servers. This allows for a more secure computing environment in cases where a first token gets compromised by an unauthorized third-party. The main benefit of generating new tokens on each request is that the tokens become short term and even if an unauthorized entity steals the token, it will expire very fast (Garmark, Paragraph [0087]). 

 	Regarding claim 6, Kobayashi as modified by Garmark teaches The computing system of claim 1, wherein the one or more processors are further configured to:
	request the authentication credentials from the client (Kobayashi, Paragraph [0060], see upon receiving the authorization request, the authorization server 500 returns a login screen 2000 illustrated in FIG. 6A to the browser on the client PC 200 to authenticate the user…the user as the resource owner 1000 inputs a user ID and a password onto the login screen 2000 displayed on the browser on the client PC 200”, where “the authorization server 500 returns a login screen 2000 to the browser on the client PC 200 to authenticate the user” is being read as requesting the authentication credentials from the client), and
	send the first token to the client (Kobayashi, Paragraph [0068], see “The access token response transmitted from the authorization server module 510 to the client PC 200 at this time (step S4.11) is configured according to the specification of OAuth 2.0…”, where the access token is provided to the client).

	Regarding claim 7, Kobayashi as modified by Garmark teaches The computing system of claim 1, wherein the server is a database server configured to provide access to one database services of a database (Kobayashi, Paragraph [0047], see “The resource server 400 includes a resource server module 410. The resource server module 410 includes a token authority confirmation unit 420, and a resource request processing unit 430”, where “resource server 400” is being read as a database server) (Kobayashi, Paragraph [0102], see “Upon receiving the access token information…the resource server 400 determines whether to permit or reject the access to the resource for which the request is received based on the acquired information”, where the database server (resource server 400) is configured to provide access to one database services of a database).

	Regarding claim 8, Kobayashi teaches A computer-implemented method for providing security in a computing environment that includes at least one client and at least one server configured to provide one or more services (Kobayashi, FIG. 4, see “1000” which is being read as at least one client and see “RESOURCE SERVER 400” which is being read as at least one server configured to provide one or more services), wherein the computer-implemented method is implemented at least partially by one or more physical processors configured to process executable computer code, and wherein the computer-implemented method comprises (Kobayashi, Paragraph [0177], see “The computer may comprise one or more of a central processing unit (CPU)…or separate computer processors. The computer executable instructions may be provided to the computer, for example, from a network or the storage medium”):
	obtaining, from the server, a redirected request for service, wherein the redirected request for service is an initial request for service made by the client to the server for one or more services of the server (Kobayashi, Paragraph [0054], see “the user issues a request to start an authorization cooperation service that requires access to a protected resource”) (Kobayashi, Paragraph [0056], see “the resource server 400 issues a redirection request expressed as the HTTP/1.1 status code 302 to the browser on the client PC 200 so that the browser on the client PC 200 requests an OAuth authorization”, where “resource server 400” is being read as a server, which issues a redirected request for service from the server, wherein the redirected request for service is an initial request for service made by a client);
	obtaining at least authentication credentials of the client, wherein the authentication credentials of the client are needed to verify the identity of the client (Kobayashi, Paragraph [0060], see “upon receiving the redirection request, the client PC 200 requests the authorization server 500 to authenticate the user and grant an authorization according to the redirection request…upon receiving the authorization request, the authorization server 500 returns a login screen 2000 illustrated in FIG. 6A to the browser on the client PC 200 to authenticate the user…the user as the resource owner 1000 inputs a user ID and a password onto the login screen 2000 displayed on the browser on the client PC 200”, where “user ID and a password” is being read as authentication credentials of the client);
	generate a first token based at least on the authentication credentials of the client, wherein the first token includes authentication information associated with the client and indicates that the identity of the client has been verified (Kobayashi, Paragraph [0066], see “If the authorization confirmation has succeeded, in step S5.6, the authorization server module 510 performs access token issue processing for generating the access token that allows access to the resource server 400”, where a first token is generated based at least on the authentication credentials (i.e., If the authorization confirmation has succeeded using the authentication credentials of the user)) (Kobayashi, Paragraph [0067], see “The authorization server module 510 registers the generated access token into the Table 3…the authorization server module 510 stores scope information and the user ID contained in a record of an authentication token already registered in the token table into the scope and the user ID”, where the token includes authentication information associated with the client that indicates that the identity of the client has been verified); 
	providing the first token to the client, thereby allowing the client to send the first token to the server to indicate that the identity of the client has been verified (Kobayashi, Paragraph [0068], see “The access token response transmitted from the authorization server module 510 to the client PC 200 at this time (step S4.11) is configured according to the specification of OAuth 2.0…”, where the access token is provided to the client) (Kobayashi, Paragraph [0073], see “the web-hosted client module 310 of the web-hosted client 300 returns a response containing the script that allows the web browser 230 on the client PC 200 to acquire the access token…the client script 220 running on the web server 201, which has received the script for acquiring the access token, acquires the access token by executing the script. As a result, in step S4.15, the client script 220 can access the resource server 400”, where the client sends the token to the server to indicate that the identity of the client has been verified (e.g., thereby allowing access to the resource server 400); 
	
	Kobayashi does not teach the following limitation(s) as taught by Garmark: obtain a second token, wherein the second token has been provided by the server and requests access to one or more services of one or more other servers.
	(Garmark, Paragraph [0084], see “the method 700 further includes authenticating the first token, including sending the first token to a third server (706)…authenticating the first token includes sending the first token from the local utility to a third server (707), and receiving, at the local utility, an authentication message from the third server (708)…the authentication message indicates that the first token was issued by the second server”, where the third server is the server that receives the first token and where the first token is sent by the client computer to the server to verify the clients identity) (Garmark, Paragraph [0085], see “The method 700 further includes, in response to authenticating the first token, generating a second token at the local utility (710). The second token is sent to the application for inclusion in subsequent requests from the application (712)…the second token is sent to the application by a local web server of the local utility”, where the second token is obtained and provided by the server and requests access to one or more services of one or more other servers, which happens after the client computer has sent the first token to the server to indicate that the identity of the client has been verified, and wherein the one or more other servers are different than the server (third server) that has received the first token, as depicted in Figure 5). 
Therefore, it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the techniques for an authority transfer system, disclosed of Kobayashi, by implementing techniques for controlling a local application through a web page, comprising of obtaining a second token, wherein the second token requests access to one or more services of one or more other servers, after the client has sent the first token to the server to indicate that the identity of the client has been verified, as disclosed of Garmark.   
One of ordinary skill in the art would have been motivated to make this modification in order to implement techniques for a secure diverse computing environment, comprising of obtaining a second token, wherein the second token requests access to one or more services of one or more other servers, after the client has sent the first token to the server to indicate that the identity of the client has been verified. This allows for a more secure computing environment in cases where a first token gets compromised by an unauthorized third-party. The main benefit of generating new tokens on each request is that the tokens become short term and even if an unauthorized entity steals the token, it will expire very fast (Garmark, Paragraphs [0084 – 0085]). 

	Regarding claim 9, Kobayashi as modified by Garmark teaches The computer-implemented method of claim 8, wherein the computer-implemented method further comprises:
	verifying the identity of the client based on the obtained authentication credentials of the client (Kobayashi, Paragraph [0050], see “The authorization server 500 has a function of verifying a pair of user ID information and password information, i.e., authentication information, and generating information indicating that a user or a client is authenticated if the combination is a valid combination, thereby authenticating each user or each client”).

	Regarding claim 10, Kobayashi does not teach the following limitation(s) as taught by Garmark: The computer-implemented method of claim 8, wherein the computer-implemented method further comprises:
	generating a third token, wherein the third token includes authorization information allowing the server to access one or more other services of the one or more other servers, thereby allowing the server to send the third token to the one or more other servers to indicate that it has been authorized to access the one or more other services from one or more other servers. 
	(Garmark, Paragraph [0087], see “the method includes verifying that the third token matches the second token (716). If the second and third tokens match, one or more actions based on the content of the second request are taken (718)…By verifying that the third token matches the second token (i.e., is the same token), the local utility verifies that the second request was issued by the same module that was previously authenticated using the first token”, where a third access token is generated, wherein the third access token includes authorization information which allows the server to access one or more other services of one or more other servers). 
Therefore, it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the techniques for an authority transfer system, disclosed of Kobayashi, by implementing techniques for controlling a local application through a web page, comprising generating a third access token, wherein the third access token includes authorization information allowing the server to access one or more other services of one or more other servers, disclosed of Garmark.    
One of ordinary skill in the art would have been motivated to make this modification in order to implement techniques for a secure diverse computing environment, comprising generating a third access token, wherein the third access token includes authorization information allowing the server to access one or more other services of one or more other servers. This allows for a more secure computing environment in cases where a first token gets compromised by an unauthorized third-party. The main benefit of generating new tokens on each request is that the tokens become short term and even if an unauthorized entity steals the token, it will expire very fast (Garmark, Paragraph [0087]). 

	Regarding claim 13, Kobayashi as modified by Garmark teaches The computer-implemented method of claim 8, wherein the computer-implemented method further comprises:
	requesting the authentication credentials from the client (Kobayashi, Paragraph [0060], see upon receiving the authorization request, the authorization server 500 returns a login screen 2000 illustrated in FIG. 6A to the browser on the client PC 200 to authenticate the user…the user as the resource owner 1000 inputs a user ID and a password onto the login screen 2000 displayed on the browser on the client PC 200”, where “the authorization server 500 returns a login screen 2000 to the browser on the client PC 200 to authenticate the user” is being read as requesting the authentication credentials from the client), and
	sending the first token to the client (Kobayashi, Paragraph [0068], see “The access token response transmitted from the authorization server module 510 to the client PC 200 at this time (step S4.11) is configured according to the specification of OAuth 2.0…”, where the access token is provided to the client).

	Regarding claim 14, Kobayashi as modified by Garmark teaches The computer-implemented method of claim 8, wherein the server is a database server configured to provide access to one database services of a database (Kobayashi, Paragraph [0047], see “The resource server 400 includes a resource server module 410. The resource server module 410 includes a token authority confirmation unit 420, and a resource request processing unit 430”, where “resource server 400” is being read as a database server) (Kobayashi, Paragraph [0102], see “Upon receiving the access token information…the resource server 400 determines whether to permit or reject the access to the resource for which the request is received based on the acquired information”, where the database server (resource server 400) is configured to provide access to one database services of a database).

	Regarding claim 15, Kobayashi teaches A non-transitory computer readable storage medium storing at least executable code that when executed provides security in a computing environment that includes at least one client and at least one server configured to provide one or more services, and wherein the executable code when executed further (Kobayashi, FIG. 4, see “1000” which is being read as at least one client and see “RESOURCE SERVER 400” which is being read as at least one server configured to provide one or more services) (Kobayashi, Paragraph [0177], see “The computer may comprise one or more of a central processing unit (CPU)…or separate computer processors. The computer executable instructions may be provided to the computer, for example, from a network or the storage medium”):
	obtains, from the server, a redirected request, wherein the redirected request for service is an initial request for service made by the client to the server for one or more services of the server (Kobayashi, Paragraph [0054], see “the user issues a request to start an authorization cooperation service that requires access to a protected resource”) (Kobayashi, Paragraph [0056], see “the resource server 400 issues a redirection request expressed as the HTTP/1.1 status code 302 to the browser on the client PC 200 so that the browser on the client PC 200 requests an OAuth authorization”, where “resource server 400” is being read as a server, which issues a redirected request for service from the server, wherein the redirected request for service is an initial request for service made by a client);
	obtains at least authentication credentials of the client, wherein the authentication credentials of the client are needed to verify the identity of the client (Kobayashi, Paragraph [0060], see “upon receiving the redirection request, the client PC 200 requests the authorization server 500 to authenticate the user and grant an authorization according to the redirection request…upon receiving the authorization request, the authorization server 500 returns a login screen 2000 illustrated in FIG. 6A to the browser on the client PC 200 to authenticate the user…the user as the resource owner 1000 inputs a user ID and a password onto the login screen 2000 displayed on the browser on the client PC 200”, where “user ID and a password” is being read as authentication credentials of the client);
	generates a first token based at least on the authentication credentials of the client, wherein the first token includes authentication information associated with the client and indicates that the identity of the client has been verified (Kobayashi, Paragraph [0066], see “If the authorization confirmation has succeeded, in step S5.6, the authorization server module 510 performs access token issue processing for generating the access token that allows access to the resource server 400”, where a first token is generated based at least on the authentication credentials (i.e., If the authorization confirmation has succeeded using the authentication credentials of the user)) (Kobayashi, Paragraph [0067], see “The authorization server module 510 registers the generated access token into the Table 3…the authorization server module 510 stores scope information and the user ID contained in a record of an authentication token already registered in the token table into the scope and the user ID”, where the token includes authentication information associated with the client that indicates that the identity of the client has been verified); 
	provides the first token to the client, thereby allowing the client to send the first token to the server to indicate that the identity of the client has been verified (Kobayashi, Paragraph [0068], see “The access token response transmitted from the authorization server module 510 to the client PC 200 at this time (step S4.11) is configured according to the specification of OAuth 2.0…”, where the access token is provided to the client) (Kobayashi, Paragraph [0073], see “the web-hosted client module 310 of the web-hosted client 300 returns a response containing the script that allows the web browser 230 on the client PC 200 to acquire the access token…the client script 220 running on the web server 201, which has received the script for acquiring the access token, acquires the access token by executing the script. As a result, in step S4.15, the client script 220 can access the resource server 400”, where the client sends the token to the server to indicate that the identity of the client has been verified (e.g., thereby allowing access to the resource server 400); 
	
	Kobayashi does not teach the following limitation(s) as taught by Garmark: obtain a second token, wherein the second token has been provided by the server and requests access to one or more services of one or more other servers.
	(Garmark, Paragraph [0084], see “the method 700 further includes authenticating the first token, including sending the first token to a third server (706)…authenticating the first token includes sending the first token from the local utility to a third server (707), and receiving, at the local utility, an authentication message from the third server (708)…the authentication message indicates that the first token was issued by the second server”, where the third server is the server that receives the first token and where the first token is sent by the client computer to the server to verify the clients identity) (Garmark, Paragraph [0085], see “The method 700 further includes, in response to authenticating the first token, generating a second token at the local utility (710). The second token is sent to the application for inclusion in subsequent requests from the application (712)…the second token is sent to the application by a local web server of the local utility”, where the second token is obtained and provided by the server and requests access to one or more services of one or more other servers, which happens after the client computer has sent the first token to the server to indicate that the identity of the client has been verified, and wherein the one or more other servers are different than the server (third server) that has received the first token, as depicted in Figure 5). 
Therefore, it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the techniques for an authority transfer system, disclosed of Kobayashi, by implementing techniques for controlling a local application through a web page, comprising of obtaining a second token, wherein the second token requests access to one or more services of one or more other servers, after the client has sent the first token to the server to indicate that the identity of the client has been verified, as disclosed of Garmark.   
One of ordinary skill in the art would have been motivated to make this modification in order to implement techniques for a secure diverse computing environment, comprising of obtaining a second token, wherein the second token requests access to one or more services of one or more other servers, after the client has sent the first token to the server to indicate that the identity of the client has been verified. This allows for a more secure computing environment in cases where a first token gets compromised by an unauthorized third-party. The main benefit of generating new tokens on each request is that the tokens become short term and even if an unauthorized entity steals the token, it will expire very fast (Garmark, Paragraphs [0084 – 0085]). 

	Regarding claim 16, Kobayashi as modified by Garmark teaches The non-transitory computer readable storage medium of claim 15, wherein the executable code when executed further:
	verifies the identity of the client based on the obtained authentication credentials of the client (Kobayashi, Paragraph [0050], see “The authorization server 500 has a function of verifying a pair of user ID information and password information, i.e., authentication information, and generating information indicating that a user or a client is authenticated if the combination is a valid combination, thereby authenticating each user or each client”).

	Regarding claim 17, Kobayashi does not teach the following limitation(s) as taught by Garmark: The non-transitory computer readable storage medium of claim 15, wherein the executable code when executed further:
	generates a third access token, wherein the third token includes authorization information allowing the server to access one or more other services one or more other servers, thereby allowing the server to send the token to the one or more other servers to indicate that it has been authorized to access the one or more other services from one or more other servers.
	(Garmark, Paragraph [0087], see “the method includes verifying that the third token matches the second token (716). If the second and third tokens match, one or more actions based on the content of the second request are taken (718)…By verifying that the third token matches the second token (i.e., is the same token), the local utility verifies that the second request was issued by the same module that was previously authenticated using the first token”, where a third access token is generated, wherein the third access token includes authorization information which allows the server to access one or more other services of one or more other servers). 
Therefore, it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the techniques for an authority transfer system, disclosed of Kobayashi, by implementing techniques for controlling a local application through a web page, comprising generating a third access token, wherein the third access token includes authorization information allowing the server to access one or more other services of one or more other servers, disclosed of Garmark.    
One of ordinary skill in the art would have been motivated to make this modification in order to implement techniques for a secure diverse computing environment, comprising generating a third access token, wherein the third access token includes authorization information allowing the server to access one or more other services of one or more other servers. This allows for a more secure computing environment in cases where a first token gets compromised by an unauthorized third-party. The main benefit of generating new tokens on each request is that the tokens become short term and even if an unauthorized entity steals the token, it will expire very fast (Garmark, Paragraph [0087]). 

	Regarding claim 20, Kobayashi as modified by Garmark teaches The non-transitory computer readable storage medium of claim 17, wherein the executable code when executed further:
	requests the authentication credentials from the client (Kobayashi, Paragraph [0060], see upon receiving the authorization request, the authorization server 500 returns a login screen 2000 illustrated in FIG. 6A to the browser on the client PC 200 to authenticate the user…the user as the resource owner 1000 inputs a user ID and a password onto the login screen 2000 displayed on the browser on the client PC 200”, where “the authorization server 500 returns a login screen 2000 to the browser on the client PC 200 to authenticate the user” is being read as requesting the authentication credentials from the client), and
	sends the first token to the client (Kobayashi, Paragraph [0068], see “The access token response transmitted from the authorization server module 510 to the client PC 200 at this time (step S4.11) is configured according to the specification of OAuth 2.0…”, where the access token is provided to the client).


Claims 4-5, 11-12 and 18-19 are rejected under 35 U.S.C. 103 as being unpatentable over Kobayashi, in view of Garmark, in further view of FAN (U.S. PGPub. 2018/0375863), hereinafter Fan.

	Regarding claim 4, Kobayashi as modified by Garmark do not teach the following limitation(s) as taught by Fan: The computing system of claim 3, wherein the second token includes the first token and identifies the server.
	(Fan, Paragraph [0008], see “where the password-free login request includes a third token, the third token includes a second token, and the second token is an access token indicating that the second website grants password-free login permission after user login succeeds”, where “third token” is analogous to the second token, where “second token” is analogous to the first token and where the third token (being read as the second token) includes the second token (being read as the first token) (Fan, Paragraph [0046], see “Token can include three types of information: a website identifier signed by payment website A by using a private key of the website, a current time signed by using the private key of the website, and the user name in the login information”, where “website” is analogous to a server and wherein the tokens contain a website identifier).
Therefore, it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the techniques for an authority transfer system, disclosed of Kobayashi, and techniques disclosed of Garmark, by implementing techniques for a website login method, comprising of a second token including a first token and identifies the server, disclosed of Fan. 
One of ordinary skill in the art would have been motivated to make this modification in order to implement techniques for a secure diverse computing environment, comprising of a second token including a first token and identifies the server. This allows for maintaining a secure computing environment, whilst avoiding the need to re-authenticate the user’s credentials, which ultimately saves time and reduces processing power. By including the first token (already authenticated credentials) within the second token, the computing system can avoid re-authenticating the user’s credentials (Fan, Paragraph [0008]). 

	Regarding claim 5, Kobayashi as modified by Garmark do not teach the following limitation(s) as taught by Fan: The computing system of claim 3, wherein the second token is the first token that is signed by the server.
	(Fan, Paragraph [0148], see “the third token may include a signed version of the second token, such as where the second token is signed by the first website…”, where “third token” is analogous to the second token, where “second token” is analogous to the first token and where the third token (being read as the second token) is a signed version of the second token (being read as the first token)).
Therefore, it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the techniques for an authority transfer system, disclosed of Kobayashi, and techniques disclosed of Garmark, by implementing techniques for a website login method, comprising of a second token being the first token that is signed by the server, disclosed of Fan. 
One of ordinary skill in the art would have been motivated to make this modification in order to implement techniques for a secure diverse computing environment, comprising of a second token being the first token that is signed by the server. This allows for maintaining a secure computing environment, whilst avoiding the need to re-authenticate the user’s credentials, which ultimately saves time and reduces processing power. Having the second token be the first token that is signed by the server allows for the computing system to grant access to the user based on the signature of the server whilst avoiding the need to re-authenticate the user’s credentials (Fan, Paragraph [0148]).  

	Regarding claim 11, Kobayashi as modified by Garmark do not teach the following limitation(s) as taught by Fan: The computer-implemented method of claim 10, wherein the second token includes the first token and identifies the server.
	(Fan, Paragraph [0008], see “where the password-free login request includes a third token, the third token includes a second token, and the second token is an access token indicating that the second website grants password-free login permission after user login succeeds”, where “third token” is analogous to the second token, where “second token” is analogous to the first token and where the third token (being read as the second token) includes the second token (being read as the first token) (Fan, Paragraph [0046], see “Token can include three types of information: a website identifier signed by payment website A by using a private key of the website, a current time signed by using the private key of the website, and the user name in the login information”, where “website” is analogous to a server and wherein the tokens contain a website identifier).
Therefore, it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the techniques for an authority transfer system, disclosed of Kobayashi, and techniques disclosed of Garmark, by implementing techniques for a website login method, comprising of a second token including a first token and identifies the server, disclosed of Fan. 
One of ordinary skill in the art would have been motivated to make this modification in order to implement techniques for a secure diverse computing environment, comprising of a second token including a first token and identifies the server. This allows for maintaining a secure computing environment, whilst avoiding the need to re-authenticate the user’s credentials, which ultimately saves time and reduces processing power. By including the first token (already authenticated credentials) within the second token, the computing system can avoid re-authenticating the user’s credentials (Fan, Paragraph [0008]). 

	Regarding claim 12, Kobayashi as modified by Garmark do not teach the following limitation(s) as taught by Fan: The computer-implemented method of claim 10, wherein the second token is the first token that is signed by the server.
	(Fan, Paragraph [0148], see “the third token may include a signed version of the second token, such as where the second token is signed by the first website…”, where “third token” is analogous to the second token, where “second token” is analogous to the first token and where the third token (being read as the second token) is a signed version of the second token (being read as the first token)).
Therefore, it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the techniques for an authority transfer system, disclosed of Kobayashi, and techniques disclosed of Garmark, by implementing techniques for a website login method, comprising of a second token being the first token that is signed by the server, disclosed of Fan. 
One of ordinary skill in the art would have been motivated to make this modification in order to implement techniques for a secure diverse computing environment, comprising of a second token being the first token that is signed by the server. This allows for maintaining a secure computing environment, whilst avoiding the need to re-authenticate the user’s credentials, which ultimately saves time and reduces processing power. Having the second token be the first token that is signed by the server allows for the computing system to grant access to the user based on the signature of the server whilst avoiding the need to re-authenticate the user’s credentials (Fan, Paragraph [0148]).  

	Regarding claim 18, Kobayashi as modified by Garmark do not teach the following limitation(s) as taught by Fan: The non-transitory computer readable storage medium of claim 17, wherein the second token includes the first token and identifies the server.
	(Fan, Paragraph [0008], see “where the password-free login request includes a third token, the third token includes a second token, and the second token is an access token indicating that the second website grants password-free login permission after user login succeeds”, where “third token” is analogous to the second token, where “second token” is analogous to the first token and where the third token (being read as the second token) includes the second token (being read as the first token) (Fan, Paragraph [0046], see “Token can include three types of information: a website identifier signed by payment website A by using a private key of the website, a current time signed by using the private key of the website, and the user name in the login information”, where “website” is analogous to a server and wherein the tokens contain a website identifier).
Therefore, it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the techniques for an authority transfer system, disclosed of Kobayashi, and techniques disclosed of Garmark, by implementing techniques for a website login method, comprising of a second token including a first token and identifies the server, disclosed of Fan. 
One of ordinary skill in the art would have been motivated to make this modification in order to implement techniques for a secure diverse computing environment, comprising of a second token including a first token and identifies the server. This allows for maintaining a secure computing environment, whilst avoiding the need to re-authenticate the user’s credentials, which ultimately saves time and reduces processing power. By including the first token (already authenticated credentials) within the second token, the computing system can avoid re-authenticating the user’s credentials (Fan, Paragraph [0008]). 

	Regarding claim 19, Kobayashi as modified by Garmark do not teach the following limitation(s) as taught by Fan: The non-transitory computer readable storage medium of claim 17, wherein the second token is the first token that is signed by the server.
	(Fan, Paragraph [0148], see “the third token may include a signed version of the second token, such as where the second token is signed by the first website…”, where “third token” is analogous to the second token, where “second token” is analogous to the first token and where the third token (being read as the second token) is a signed version of the second token (being read as the first token)).
Therefore, it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the techniques for an authority transfer system, disclosed of Kobayashi, and techniques disclosed of Garmark, by implementing techniques for a website login method, comprising of a second token being the first token that is signed by the server, disclosed of Fan. 
One of ordinary skill in the art would have been motivated to make this modification in order to implement techniques for a secure diverse computing environment, comprising of a second token being the first token that is signed by the server. This allows for maintaining a secure computing environment, whilst avoiding the need to re-authenticate the user’s credentials, which ultimately saves time and reduces processing power. Having the second token be the first token that is signed by the server allows for the computing system to grant access to the user based on the signature of the server whilst avoiding the need to re-authenticate the user’s credentials (Fan, Paragraph [0148]).  




Conclusion
THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a). 
	A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to RODMAN ALEXANDER MAHMOUDI whose telephone number is (571)272-8747.  The examiner can normally be reached on M-F 11:00am – 7:00pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey Pwu can be reached on (571) 272-6798.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/RODMAN ALEXANDER MAHMOUDI/Examiner, Art Unit 2433                                                                                                                                                                                                        
/JEFFREY C PWU/Supervisory Patent Examiner, Art Unit 2433