Notice of Pre-AIA  or AIA  Status

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .  

	
Response to Amendment
This communication is in response to the amendment filed on 12/08/2021. The Examiner acknowledges amended claims 1-20. No claims have been cancelled or added. Claims 1-20 are pending and claims 1-20 are rejected.  Claims 1, 8, and 16 is/are independent. 

Response to Arguments
Applicant's arguments filed 12/08/2021 have been fully considered.  Applicant argues (see Remarks, page 9) that the previous rejections fail to disclose the newly amended claim features.  This argument is persuasive. Therefore, the rejections are withdrawn. However, upon further consideration, a new ground of rejection is made in view of Radhakrishnan et al. PCT Publication WO2013025592 (hereinafter “Radhakrishnan”) in view of Johnson et al. U.S. Publication 20060259776 (hereinafter “Johnson”).
Radhakrishnan teaches that TBAC module 110 may receive resource token 115c indicating that a user 112 and/or device 114 have requested access to a resource 145 (figure 42, element 4210, 85:25-26). TBAC module 110 may determine whether a particular token 115 specified by the at least one session rule 4130 is present (86:14-22). If not, TBAC module 110 may request and receive the particular token (86:17-18). The TBAC module 110 may then generate a session token based on the 1st token received in the access request and the 2nd received token (particular token) subsequently received in response to the request (86:28-30, 87:7-10).

Accordingly, Applicant's argument is persuasive, the rejection is withdrawn, and new ground(s) of rejection are presented herein.
	
	
	
Claims Recite Eligible Subject Matter

Examiner notes that the claims recite eligible subject matter within the meaning of 35 U.S.C. § 101 because there is an improvement to the authentication process. The improvement is that the first authentication token (token to access a session) is modified based on a second authentication token, which provides an improved authentication token with the content (e.g., claims) generated from the individual tokens. Further, the improved composite identity token is provided to the server, thereby providing notification of the content (e.g., claims) available with the composite identity token to the server providing the session. This modified token permits a user to use services secured by different relying parties and identity providers and associated with different issued tokens while maintaining a single sign-on experience.  See Specification para 0003 and 0005.  

	

Claim Rejections - 35 USC § 103
	The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

	The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
	
	This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.

Claims 1-2, 8-9, 12, and 16-17 is/are rejected under 35 U.S.C. 103 as being unpatentable over Radhakrishnan et al. PCT Publication WO2013025592 (hereinafter “Radhakrishnan”) in view of Johnson et al. U.S. Publication 20060259776 (hereinafter “Johnson”).

A method comprising:
(See Radhakrishnan see figure 42 flowchart )

receiving a request to access a resource from a user device, the user device configured to access a session with a first authentication token, and the requested resource being accessible with another token other than the first authentication token and inaccessible with the first authentication token;
(See Radhakrishnan
figure 42, element 4210 access to a resource has been requested
Radhakrishnan 85:25-26 TBAC module 110 may receive resource token 115c indicating that a user 112 and/or device 114 have requested access to a resource 145.[ receiving a request to access a resource from a user device, the user device configured to access a session with a first authentication token]
[another token= token 115 that is received or another token= session token 115j]
Radhakrishnan 86:14-22 For example, TBAC module 110 may determine whether the particular token 115 specified by the at least one session rule 4130 is present. If the particular token 115 is not present, TBAC module 110 may deny access to resource 145. In particular
embodiments, TBAC module 110 may request the particular token 115 and receive a
token 115 in response to that request. TBAC module 110 may then determine if the
received token 115 is the particular token 115[accessible with another token]. If not, TBAC module 110 may deny access [inaccessible with the first authentication token ]to resource 145. If the particular token 115 is already present or if the received token 115 is the particular token 115, TBAC module 110 may grant access [accessible with another token ]to resource 145.
)

retrieving, based on information in the request, a second authentication token;
(See Radhakrishnan 86:17-18 TBAC module 110 may request the particular token 115 and receive a token 115[second authentication token= token 115 that is received] in response to that request.
)

modifying the first authentication token with use of the second authentication token to generate a composite identity token; and
(See Radhakrishnan 
86:28-30 For example, the at least one session rule 4130 may specify
that session token 115j [composite identity token = session token 115j ]should be generated by hashing resource token 115c and subject token 115k. 
Radhakrishnan 87:7-10
session token 115j, this disclosure contemplates TBAC module 110 performing any
appropriate operation on any number and combination of tokens 115 to generate
session token 115j. For example, TBAC module 110 may perform a logical union on
10 three or more tokens 115 [three or more tokens 115 includes the token 115 received ]to generate session token 115j. 
)

	However, Radhakrishnan does not expressly disclose 
transmitting the composite identity token to a server providing the session, wherein the composite identity token permits the user device access to the session and the requested resource.

Johnson discloses 
transmitting the composite identity token to a server providing the session, wherein the composite identity token permits the user device access to the session and the requested resource.
(See Johnson
[0002] The Identity Provider owns a user's identity and authentication. The consumer of the tokens is called the Resource Provider[server providing the session]. 
Johnson [0003] In WS-Federation, the Identity Provider typically deploys a server that hosts a Security Token Service (STS). An Identity Provider's STS is generally referred to as STS-IP. The STS-IP authenticates users based on legacy credentials (e.g. username and password) and issues a WS-Federation security token, which will be accepted by the Resource Provider.[When the resource provider receives this security token(composite identity token), the received security token indicates to the resource provider that the user has been authenticated]
Johnson Para. [0025]
STS-IP 115 is configured to provide security tokens to multiple resource providers. As shown in FIG. 1, a particular resource provider 141 may request a user to be authenticated by information from identity provider 111 before the user is granted access [composite identity token permits the user device access to the session and the requested resource.] to resources. STS-IP 115 is configured to provide security information about the user in the form of a security token to resource providers 141-142. STS-IP 115 is configured to receive the security 
Johnson [0031]
Resource providers 141-142 may require that the users be authenticated prior to providing access to the services. 
[The Johnson security token is a composite identity token because the claims stored in the generated token are received from various account stores and transformed to a canonical format, see para. 18 claims transformed from intermediate format to federated format and provided in a security token]
Johnson [0054]
claim may be incorporated in a security token for sending to a STS-RP.
).
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to have modified Radhakrishnan with the technique for transmitting a token with claims combined from multiple sources of Johnson to include 
transmitting the composite identity token to a server providing the session, wherein the composite identity token permits the user device access to the session and the requested resource.
One of ordinary skill in the art would have made this modification to improve the ability of the system to provide multiple claims (also known as assertions) originating from multiple sources (such as multiple tokens) in a single token to the resource provider, so that the resource provider can obtain the assertions data regarding the user and grant access to the user. The system (e.g., TBAC module 1100) of the primary reference can be modified to send the session token, which is constructed from multiple tokens, to the resource provider, as taught in the Johnson reference.

	

As per claim 2, the rejection of claim 1 is incorporated herein. 
Radhakrishnan discloses combining the current token with the new token, to create the session token, which discloses modifying the 1st token based on the 2nd token (86:27-28 “generated based on particular tokens 115”, 87:9 “perform a logical union”)
However, the Radhakrishnan does not expressly disclose wherein the modification of the first authentication token includes transformation of one or more claims of the first authentication token based on the second authentication token.

Johnson discloses combining claims from multiple sources to generate a token with multiple claims from different sources and transforming the claims to canonical form for placing in the security token
(See Johnson 
Para. [0025]
STS-IP 115 is configured to provide security information about the user in the form of a security token to resource providers 141-142. STS-IP 115 is configured to receive the security information in the form of claims from account stores 113. The claims from account stores 113 are typically in an intermediate format. 
Johnson [0018]  Security claims associated with the account are 
retrieved where the security claims are provided by an account store.  Each 
security claim is transformed from an intermediate format to a federated format 
recognized by the resource provider.  The transformed security claims are 
provided in a security token to the resource provider. 
Johnson [0026]
extensibility modules 123 extend the available account stores that STS-IP 115 may use. … to populate claims from an account store 

STS-IP 115 is configured to perform transformation to obtain claims in federated formats that are recognized by resource providers 141-142. …… transform security claims provided by account stores 113. ……. transform intermediate claims provided by account stores 113 to a federated format recognized by STS-RP 145. 
).
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to have modified Radhakrishnan with the technique for combining claims from multiple sources and transforming the claims to canonical form for placing in the security token of Johnson to include wherein the modification of the first authentication token includes transformation of one or more claims of the first authentication token based on the second authentication token.
One of ordinary skill in the art would have made this modification to improve the ability of the system to generate a token with claims from different sources, such as different tokens, which allows for using the token with the different claims indicating various privileges and assertions, and allowing for providing the token with integrated claims in canonical form to a resource provider. The system (e.g. TBAC module 110) of the primary reference can be modified to combine claims from different tokens, and transforming the claims from various sources into a canonical form and placing them in a token, as taught in the Johnson reference.

As per claim 8, the claim(s) is/are directed to a computing device with limitations which correspond to limitations of claim 1, and is/are rejected for the reasons detailed with respect to claim 1.  In addition, claim 8 recites
A computing device comprising: a memory; and processor coupled to the memory and configured to: 
A computing device comprising: a memory; and processor coupled to the memory and configured to: 
(See Radhakrishnan 
13:8-9 system 100 may include TBAC module 110. TBAC module 110 may include a processor 132 coupled to a memory
13:15-17 TBAC module 110 may include memory 134. Memory 134 may store, either permanently or temporarily, data, operational software, or other information for processor 132. 
14:1-6 TBAC module 110 may include processor 132. Processor 132 may control the operation and administration of TBAC module 110 by processing information received from network 120 and memory 134. Processor 132 may include any hardware and/or software that operates to control and process information.
)
As per claim 9, the claim(s) is/are directed to a computing device with limitations which correspond to limitations of claim 2, and is/are rejected for the reasons detailed with respect to claim 2.  


As per claim 12, the rejection of claim 8 is incorporated herein. 
However, Radhakrishnan does not expressly disclose wherein the composite identity token comprises: one or more transformed claims of the second authentication token; and one or more claims of the first authentication token
Johnson discloses retrieving claims from multiple sources, transforming some of the claims to canonical form, and placing the claims in a token
(See Johnson Para. 0025]
a security token to resource providers 141-142. STS-IP 115 is configured to receive the security information in the form of claims from account stores 113. The claims from account stores 113 are typically in an intermediate format. 
Johnson [0018] Security claims associated with the account are 
retrieved where the security claims are provided by an account store.  Each 
security claim is transformed from an intermediate format to a federated format 
recognized by the resource provider.  The transformed security claims are 
provided in a security token to the resource provider. 
Johnson [0026]
extensibility modules 123 extend the available account stores that STS-IP 115 may use. … to populate claims from an account store 
Johnson [0029]
STS-IP 115 is configured to perform transformation to obtain claims in federated formats that are recognized by resource providers 141-142. …. transform security claims provided by account stores 113. …….transform intermediate claims provided by account stores 113 to a federated format recognized by STS-RP 145. 
).
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to have modified Radhakrishnan with the technique for retrieving claims from multiple sources, transforming some of the claims to canonical form, and placing the claims in a token of Johnson to include 
wherein the composite identity token comprises: one or more transformed claims of the second authentication token; and one or more claims of the first authentication token. 
One of ordinary skill in the art would have made this modification to improve the ability of the system to generate a combined token that includes the claims of the individual tokens. By 

As per claim 16, the claim(s) is/are directed to a computing platform with limitations which correspond to limitations of claim 1, and is/are rejected for the reasons detailed with respect to claim 1.  In addition, claim 16 recites
A computing platform comprising: one or more processors; and memory storing instructions that, when executed by the one or more processors, cause the computing platform to: 
Radhakrishnan discloses A computing platform comprising: one or more processors; and memory storing instructions that, when executed by the one or more processors, cause the computing platform to: 
(See Radhakrishnan 
13:8-9 system 100 may include TBAC module 110. TBAC module 110 may include a processor 132 coupled to a memory
13:15-17 TBAC module 110 may include memory 134. Memory 134 may store, either permanently or temporarily, data, operational software, or other information for processor 132. 
14:1-6 TBAC module 110 may include processor 132. Processor 132 may control the operation and administration of TBAC module 110 by processing information received from network 120 and memory 134. Processor 132 may include any hardware and/or software that operates to control and process information.
)
retrieve, based on information in the request, a second authentication token for accessing the resource; 
(See Radhakrishnan 86:17-18 TBAC module 110 may request the particular token 115 and receive a token 115[second authentication token= token 115 that is received] in response to that request.
)
generate a composite identity token comprising one or more claims of the second authentication token and one or more claims of the first authentication token;
(See Radhakrishnan 
86:28-30 For example, the at least one session rule 4130 may specify
that session token 115j [composite identity token = session token 115j ]should be generated by hashing resource token 115c and subject token 115k. 
Radhakrishnan 87:7-10
session token 115j, this disclosure contemplates TBAC module 110 performing any
appropriate operation on any number and combination of tokens 115 to generate
session token 115j. For example, TBAC module 110 may perform a logical union on
10 three or more tokens 115 [three or more tokens 115 includes the token 115 received ]to generate session token 115j. 
)
	However, Radhakrishnan does not expressly disclose 
generate a composite identity token comprising one or more transformed claims of the second authentication token and one or more claims of the first authentication token;

Johnson discloses combining claims from multiple sources to generate a token with multiple claims from different sources and transforming the claims to canonical form for placing in the security token

Para. [0025]
STS-IP 115 is configured to provide security information about the user in the form of a security token to resource providers 141-142. STS-IP 115 is configured to receive the security information in the form of claims from account stores 113. The claims from account stores 113 are typically in an intermediate format. 
Johnson [0018]  Security claims associated with the account are 
retrieved where the security claims are provided by an account store.  Each 
security claim is transformed from an intermediate format to a federated format 
recognized by the resource provider.  The transformed security claims are 
provided in a security token to the resource provider. 
Johnson [0026]
extensibility modules 123 extend the available account stores that STS-IP 115 may use. … to populate claims from an account store 
Johnson [0029]
STS-IP 115 is configured to perform transformation to obtain claims in federated formats that are recognized by resource providers 141-142. …… transform security claims provided by account stores 113. ……. transform intermediate claims provided by account stores 113 to a federated format recognized by STS-RP 145. 
).
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to have modified Radhakrishnan with the technique for combining claims from multiple sources and transforming the claims to canonical form for placing in the security token of Johnson to include generate a composite identity token comprising one or more transformed claims of the second authentication token and one or more claims of the first authentication token;


As per claim 17, the claim(s) is/are directed to a computing platform with limitations which correspond to limitations of claim 2, and is/are rejected for the reasons detailed with respect to claim 2.  

Claims 3, 10, and 18 is/are rejected under 35 U.S.C. 103 as being unpatentable over Radhakrishnan in view of Johnson, further in view of Hubner et al. European patent application EP2323308 (hereinafter “Hubner”).
As per claim 3, the rejection of claim 1 is incorporated herein. 
Radhakrishnan discloses biometric authentication (12:11) and password authentication (23:5) but does not specifically describe claims indicative of biometric/access codes.
However, Radhakrishnan does not expressly disclose 
wherein the modification of the first authentication token includes addition of a claim indicative of authentication with one or more of a biometric measurement and an access code to the first authentication token.
Johnson discloses wherein the modification of the first authentication token includes addition of a claim indicative of an access code to the first authentication token.
(See Johnson Para. 0023]
user name, password, [access code]
[0024]
security information provided by account stores 113 is organized in the form of claims. 
).
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to have modified Radhakrishnan with the technique for adding claims that indicate username and password of Johnson to include 
wherein the modification of the first authentication token includes addition of a claim indicative of an access code to the first authentication token.
One of ordinary skill in the art would have made this modification to improve the ability of the system to store access data in the token, so that the token can be used to grant access to the user based on the access information stored in the token. The system (e.g. TBAC module 110) of the primary reference can be modified to add username and password data to claims in a token. 

	However, the combination of Radhakrishnan and Johnson does not expressly disclose 
wherein the modification of the first authentication token includes addition of a claim indicative of authentication with one or more of a biometric measurement and an access code to the first authentication token.
Hubner discloses storing biometric data in a security token and that a security token may include a cryptographic function such as authentication
(See Hubner Para. A 'security token' as understood herein encompasses any portable physical device that includes a cryptographic function, such as for the purposes of authentication, ……. Such physical devices include …., authentication tokens,

).
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to have modified the combination of Radhakrishnan and Johnson with the technique for storing biometric data in a token of Hubner to include 
wherein the modification of the first authentication token includes addition of a claim indicative of authentication with one or more of a biometric measurement and an access code to the first authentication token.
One of ordinary skill in the art would have made this modification to improve the ability of the system to generate tokens that store biometric data for authentication. The system (e.g. TBAC module 110) of the primary reference can be modified to modify tokens, including new tokens, to include claims that include biometric measurements, in order to store biometric data in a token as taught in the Hubner reference.
As per claim 10, the claim(s) is/are directed to a computing device with limitations which correspond to limitations of claim 3, and is/are rejected for the reasons detailed with respect to claim 3.  
As per claim 18, the claim(s) is/are directed to a computing platform with limitations which correspond to limitations of claim 3, and is/are rejected for the reasons detailed with respect to claim 3.  In addition, claim 18 recites generate, instead of the word adding, however, the rejection remains analogous to the rejection of claim 3, since the token claims are generated for the token after retrieving the security information from the account stores, with the claims indicating username and password as taught in Johnson para. 23-24.

Claims 4 and 11 is/are rejected under 35 U.S.C. 103 as being unpatentable over Radhakrishnan in view of Johnson, further in view of Gao et al. U.S. Publication 20110030047 (hereinafter “Gao”).
As per claim 4, the rejection of claim 1 is incorporated herein. 
	However, the combination of Radhakrishnan and Johnson does not expressly disclose 
prior to the transmission of the composite identity token to the server providing the session: 
sending an authorization code to the user device; and 
receiving the authorization code from the server providing the session.

Gao discloses prior to the transmission of the composite identity token to the server providing the session: 
sending an authorization code to the user device; and 
receiving the authorization code from the server providing the session.
(See Gao Para.
[0021] generating a second token[authorization code= second token] in 
response to the user's confirmation of the first request; transmitting the 
second token to the user; associating the second token with the user; receiving 
a second request for accessing the user information from the application, the 
second request including the second token obtained from the user by the 
application[the server providing the session= third-party application]; and allowing the application to access the user information in response to receiving the second request.
)

It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to have modified the combination of Radhakrishnan nd token to the user and receiving the 2nd token from the application of Gao to include 
prior to the transmission of the composite identity token to the server providing the session: 
sending an authorization code to the user device; and 
receiving the authorization code from the server providing the session.
One of ordinary skill in the art would have made this modification to improve the ability of the system to verify that the user is authenticating properly with the correct resource provider. The system (e.g. TBAC module 110) of the primary reference can be modified to send a 2nd token to the user device and receive the 2nd token from the service provider as taught in the Gao reference. Furthermore one of ordinary skill in the art would modify the Radhakrishnan system to send and receive the 2nd token prior to transmitting the session token to the resource provider because Gao teaches allowing the application to access the user information in response to receiving the second request. That is, until the 2nd token is received from the resource provider, it is not clear that the user has been fully authenticated with the proper resource provider, and the session token should not be sent until the user has been fully authenticated.
As per claim 11, the claim(s) is/are directed to a computing device with limitations which correspond to limitations of claim 4, and is/are rejected for the reasons detailed with respect to claim 4.  

Claims 5, 13, and 20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Radhakrishnan in view of Johnson, further in view of Lee et al. U.S. Publication 20190073842 (hereinafter “Lee”).
As per claim 5, the rejection of claim 1 is incorporated herein. 
However, Radhakrishnan does not expressly disclose 
receiving a subsequent request from the server to update the composite identity token; updating one or more claims of the composite identity token; and transmitting the updated composite identity token to the server in response to the subsequent request.
Johnson discloses updating one or more claims of the composite identity token; 
 (See Johnson Para. [0018]
The transformed security claims are provided in a security token to the resource provider.
Johnson [0001] These XML tokens utilize formats, such as 
Security Assertion Markup Language (SAML) or Extensible Rights Markup Language 
(XrML), and contain rich authorization claims in addition to identity data.  
Johnson Para. 0025]
 STS-IP 115 is configured to provide security information about the user in the form of a security token to resource providers 141-142. STS-IP 115 is configured to receive the security information in the form of claims from account stores 113. 
Johnson [0026] extensibility modules 123 extend the available account stores that STS-IP 115 may use. … to populate claims from an account store 
[Johnson describes a generated token includes claims and claims are retrieved from multiple sources. it’s a composite token because claims are retrieved from different sources; as the claims are added to the token the claims are updated.
).
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to have modified Radhakrishnan with the technique for generating a token with claims and providing the generated token of Johnson to include 
updating one or more claims of the composite identity token; 
One of ordinary skill in the art would have made this modification to improve the ability of the system to update claims in a token, such as when the token expires and the token needs to 

However, the combination of Radhakrishnan and Johnson does not expressly disclose 
receiving a subsequent request from the server to update the composite identity token; and transmitting the updated composite identity token to the server in response to the subsequent request.
Lee discloses receiving request to update a token, updating the token, and transmitting the updated token to the requesting party
(See Lee Para.    [0229] 
……, the update 
token may be used to update the authentication token.  When or before the 
authentication token expires, the update token may be used to update the 
authentication token with a new authentication token.  …., a new authentication token may be issued 
[0260] terminal 2000 may transmit the update token to 
the authentication server 1000 to make a request to update the authentication 
token. [Discloses receiving request to update a token]
[0427] the authentication server 1000 may transmit the updated authentication token to which the timestamp is recorded to the user terminal 2000a. [Discloses transmitting the updated token to the requesting party]
[Because a new authentication token is generated in Lee during the process of updating the authentication token, the new authentication token can be generated and populated with claims as taught in the Johnson reference, which would involve updating the claims so that the newly generated token has updated claims  ]

It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to have modified the combination of Radhakrishnan and Johnson with the technique for receiving a request to update a token, updating the token, and returning the updated token to the requesting party of Lee to include 
receiving a subsequent request from the server to update the composite identity token; and transmitting the updated composite identity token to the server in response to the subsequent request.
One of ordinary skill in the art would have made this modification to improve the ability of the system to respond to requests for updated tokens by generating replacement tokens. The system (e.g. TBAC module 110) of the primary reference can be modified to generate a replacement token in response to a request to update the token, and utilizing the technique of Johnson to add claims to the token thereby updating the claims of the token.	 
As per claim 13, the claim(s) is/are directed to a computing device with limitations which correspond to limitations of claim 5, and is/are rejected for the reasons detailed with respect to claim 5.
  As per claim 20, the claim(s) is/are directed to a computing platform with limitations which correspond to limitations of claim 5, and is/are rejected for the reasons detailed with respect to claim 5. 
Claims 6-7, 14-15, and 19 is/are rejected under 35 U.S.C. 103 as being unpatentable over Radhakrishnan in view of Johnson, further in view of Gupta et al. U.S. Publication 20130054968 (hereinafter “Gupta”).
As per claim 6, the rejection of claim 1 is incorporated herein. 
	However, the combination of Radhakrishnan and Johnson does not expressly disclose 
wherein the retrieving of the second authentication token comprises: redirecting, based on the information in the request, the user device to an identity provider associated with the resource; and receiving, from the identity provider, the second authentication token.
Gupta discloses 
wherein the retrieving of the second authentication token comprises: redirecting, based on the information in the request, the user device to an identity provider associated with the resource; and receiving, from the identity provider, the second authentication token.
 (See Gupta 
   [0038] FIG. 2B …… service 
provider (SP) receives an authentication request from the user system.  In step 
234, the SP sends an OAuth login page for a data source (identity provider) to 
the user system, redirecting the user to the identity provider.  In step 236, 
the SP receives a post OAuth access code and a user passcode from the user for 
obtaining a refresh token from the identity provider (which may be a data 
source) (identity provider).  In step 238, the SP sends the OAuth access code 
and user passcode to obtain the access token and refresh tokens from the 
identity provider.  In step 240, the SP receives the access and refresh tokens 
from the identity provider.  [receiving, from the identity provider, the second authentication token.]
)

wherein the retrieving of the second authentication token comprises: redirecting, based on the information in the request, the user device to an identity provider associated with the resource; and receiving, from the identity provider, the second authentication token.
One of ordinary skill in the art would have made this modification to improve the ability of the system to interact with an identity provider to obtain a token for the user from the identity server. The system (e.g. TBAC module 110) of the primary reference can be modified to redirect the mobile terminal to an identity provider and receive a token from the identity provider, as taught in the Gupta reference.

As per claim 7, the rejection of claim 6 is incorporated herein. 
	However, the combination of Radhakrishnan and Johnson does not expressly disclose 
prior to receipt of the second authentication token: receiving, from the user device, an authorization code; and transmitting, to the identity provider, the authorization code.
Gupta discloses prior to receipt of the second authentication token: receiving, from the user device, an authorization code; and transmitting, to the identity provider, the authorization code.
(See Gupta 
[0038] FIG. 2B …… service 
provider (SP) receives an authentication request from the user system.  In step 
234, the SP sends an OAuth login page for a data source (identity provider) to 
the user system, redirecting the user to the identity provider.  In step 236, 
receives a post OAuth access code [authorization code ]and a user passcode [authorization code ]from the user for 
obtaining a refresh token from the identity provider (which may be a data 
source) (identity provider).  In step 238, the SP sends the OAuth access code 
and user passcode[transmitting, to the identity provider, the authorization code] to obtain the access token and refresh tokens from the 
identity provider.  In step 240, the SP receives the access and refresh tokens 
from the identity provider.  
)
For the reasons discussed with respect to claim 6, it would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to have modified the combination of Radhakrishnan and Johnson with the technique for receiving access code and user passcode from user device and forwarding the codes to identity provider of Gupta to include prior to receipt of the second authentication token: receiving, from the user device, an authorization code; and transmitting, to the identity provider, the authorization code.
As per claim 14, the claim(s) is/are directed to a computing device with limitations which correspond to limitations of claim 6, and is/are rejected for the reasons detailed with respect to claim 6.  
As per claim 15, the claim(s) is/are directed to a computing device with limitations which correspond to limitations of claim 7, and is/are rejected for the reasons detailed with respect to claim 7.  
As per claim 19, the claim(s) is/are directed to a computing platform with limitations which correspond to limitations of claim 6, and is/are rejected for the reasons detailed with respect to claim 6.  


Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to HOWARD H LOUIE whose telephone number is (571)272-0036.  The examiner can normally be reached on Monday-Friday 9 AM-5 PM EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jung W. Kim can be reached on 571-272-3804.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR 






/HOWARD H. LOUIE/Examiner, Art Unit 2494                                                                                                                                                                                                        
/THEODORE C PARSONS/Primary Examiner, Art Unit 2494