DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
1. Claims 1-20 are presented for the examination. 
                            Claim Rejections - 35 USC § 112

 	The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


2.	Claims  5, 7, 12, 14, 15, 19 are  rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor, or for pre-AIA  the applicant regards as the invention.
 
a. The following terms lack proper antecedent basis:
	 The transaction table entry  – claims 5, 12, 19;
         	The combined first and second parts- claims 7, 14.


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:


3.	Claims 1-6, 8-13, 15-20 are rejected under 35 U.S.C. 103 as being unpatentable over STACHURA(US 20150134956 A1) in view of Fox(US 20180013565 A1) in view of Matsuda(US 20150193600 A1) and further in view of  Wu(US 20080144625 A1).

As to claim 1,  Stachura teaches  receiving, by one or more processors, a transaction identity, a second part of a token, and an API key identity attribute from a first server(transmitting the session secret to the remote server, para[0009]/ a session secret may include data that may identify the credentials, or provide a route to access the credentials, a session ID, API keys, transaction IDs, signed certificates indicating access is permitted, multiple tokens that the remote server (14) site uses to identify subsequent requests …The session secrets may be part of a URL on the response page, part of a redirect URL, within a cookie setting header, within elements of the response page, or in several areas and may need to be restricted from subsequent responses as well, para[0131], ln 1-20) , the transaction identity being  in the first server associated with generating the token including a first part and the second part( detection by the proxy server (16), of the session secrets may be done in a true/false or probabilistic manner, and may include one or a combination of the following detections: difference of the field name, value, or other attribute compared to other data; changes of the data from one session or request to another, para[0134]/ The proxy server (16) may examine various characteristics of the remote server (14) site's current pages, or historical pages. For example, the the transaction identity being associated with the second part of the token and the API key identity attribute(a session secret may include data that may identify the credentials, or provide a route to access the credentials, a session ID, API keys, transaction IDs, signed certificates indicating access is permitted, multiple tokens that the remote server (14) site uses to identify subsequent requests, para[0134], ln 1-15) .
Stachura does not teach the transaction identity being generated in the first server , receiving, by one or more processors, a request from a client with the transaction identity for the second part of the token; looking up, by one or more processors, a transaction table via the transaction identity as an index, the transaction identity being associated with the second part of the token and the API key identity attribute, retrieving, by one or more processors. However, Fox teaches the transaction identity being generated in the first server,  receiving, by one or more processors, a request from a client with the transaction identity for the second part of the token; looking up, by one or more processors, a transaction table via the transaction identity as an index,  retrieving, by one or more processors, a client identity attribute through a second server via an IP address of the client (authentication server 108 may generate and provide an access token to client server 110. The access token may be any form of information that may facilitate access communication with authentication server 108. For 414, para[0063]/client server 110 may receive the request from user device 106 and submit to authentication server 108 a request for an access token. The request may conform to an authentication standard such as OAuth, OAuth 2.0, and/or Open ID Connect, para[0056]/ client server 110 may also submit a transaction identification such as the transaction ID token received by client server 110 at step 622. Client server 110 may also submit a token or other indication of which forms of sensitive information are included in the hashed information. At step 630, authentication server 108 may identify sensitive information associated with the transaction. The sensitive information may be identified by matching a transaction ID token received with the hash information with a token saved in customer identity database 414 associating the transaction with user 101. Authentication server 108 may retrieve corresponding information from customer identity database 414 (or another database), para[0066] to para[0067).
It would have been obvious to one of the ordinary skill in the art before the effective filling date of claimed invention was made to modify the teaching of Stachura with Fox to incorporate the feature of the transaction identity being generated in the first server,  receiving, by one or more processors, a request from a client with the transaction identity for the second part of the token; looking up, by one or more processors, a transaction table via the transaction identity as an index because this verifys an identity of a user attempting to remotely access a system or service.
Stachura and Fox do not teach retrieve a client identity attribute through a second server  , the second server registering the client; matching, by one or more processors, a policy via the retrieve a client identity attribute through a second server via an IP address of the client, the second server registering the client; matching, by one or more processors, a policy via the API key identity attribute and the client identity attribute; and sending, by one or more processors, the second part of the token to the client( Accordingly, the application 331 transmits an access token request (also referred to as an "authorization request") to the authorization API 304 by using the acquired client ID and secret described above (S908). The authorization API 304 verifies the presence of a client ID and secret that match the received client ID and secret in the client management table 610, and if the presence is verified, authenticates the client that transmitted the request (S909). The authorization API 304 searches the API invocation count management table 630 for the client ID with which the request was transmitted, and acquires the values set in Number of API Invocations 634 for the current month and Maximum Number of API invocations 633 (S910). The authorization API 304 determines whether the value set in Number of API Invocations 634 for the current month is less than the value set in Maximum Number of API invocations 633 (S911). If yes is determined in step S911, the authorization API 304 adds a record to the access token management table 620, and generates an access token (S912). The authorization API 304 sends, to the application 331, a response indicating the access token ID 621 and the expiration date and time 623 of the generated access token (S913), para[0066], ln 3-35/ The authorization API 304 adds the record to the client management table 610, assigns a unique ID as typified by UUID, stores the ID in Client ID 611, and stores the read tenant ID in Tenant ID 613. The authorization API 304 also stores an automatically generated secret having a sufficient character string length in Secret 612, and 
It would have been obvious to one of the ordinary skill in the art before the effective filling date of claimed invention was made to modify the teaching of Stachura  and Fox with Matsuda to incorporate the feature of  retrieve a client identity attribute through a second server via an IP address of the client, the second server registering the client; matching, by one or more processors, a policy via the API key identity attribute and the client identity attribute; and sending, by one or more processors, the second part of the token to the client because this perform flexible setting of the upper limit of the number of accesses to the resource.
Stachura ,Fox and Matsuda do not teach retrieve a client identity attribute through a second server via an IP address of the client. However,  Wu teaches retrieve a client identity attribute through a second server via an IP address of the client(  On the first VPN node 20, the client names, a1.x.com and a2.x.com, can be obtained from their local IP addresses through a reverse DNS lookup by the first DVPN proxy server, para[0032], ln 33-40).
It would have been obvious to one of the ordinary skill in the art before the effective filling date of claimed invention was made to modify the teaching of Stachura,  Fox  and Matsuda with Wu to incorporate the feature of retrieve a client identity attribute through a second server via an IP address of the client because this  allows the request to be tunneled to the second VPN node   without the data packet having to access or traverse a DNS (domain name server) or content router on the Internet  during transmission.   
As to claim 2, Fox teaches the first server receives an access request from the client with an API key, wherein the first server validates the API key, and wherein the first server sends the 604, client server 110 may receive the request from user device 106 and submit to authentication server 108 a request for an access token. The request may conform to an authentication standard such as OAuth, OAuth 2.0, and/or Open ID Connect, para[0056]/ At step 622, authentication server 108 may generate and provide an access token to client server 110. The access token may be any form of information that may facilitate access communication with authentication server 108. For example, the token may be a transaction ID token identifying the particular verification transaction taking place and may be created based on the unique ID stored in customer identity database 414, para[0063]).  
As to claim 3,  Fox teaches the client is an application that requests an access to a service from a third server via an API key being generated in the first server( in step 602, user device 106 may transmit to client server 110 a request to access a resource or service associated with client server 110, para[0055]/ Salt/pepper API 418 may provide cryptographic salt and/or pepper to client server 110 that may be used to secure information related to user 101 before providing the information to authentication server 108 via validation API 416. Any form or format of cryptographic salt and/or pepper may be used in various embodiments. Client server may call salt/pepper API 418 to request new salt. In some aspects, salt/pepper API 418 may in response create unique salt for client server 110 and provide the salt along with an identification number identifying the salt and an expiration date for the salt, para[0053]).  
As to claim 4,  Matsuda teaches the policy includes a subject section and a target section, the subject section including a client type attribute associated with the client identity attribute, the target section including the API key identity attribute that identifies an API key(  if yes is determined in step S1004, the authorization API 304 searches the API invocation count management table 630 for the client ID of the client to which the access token was issued, and 
As to claim 5,  Matsuda teaches matching the policy includes matching the client identity attribute in the subject section of the policy and matching the API key identity attribute of the transaction table entry in the target section of the policy( The authorization API 304 searches the client management table 610 for a record whose client ID 611 matches the client ID with which the request was transmitted, and identifies the tenant ID to which the client ID belongs,  para[0073], ln 17-25/  flow of processing for raising the upper limit by performing addition to the maximum number of API invocations if the number of API invocations reaches the upper limit will be described next with reference to FIGS. 11, 12A and 12B, para[0072], ln 1-7).
As to claim 6,  Stachura teaches  wherein the policy includes a whitelist ruleset and a blacklist ruleset( ( wherein access by the client device to the credential and the session secret is restricted , para[0010]/ In one embodiment, the method further comprises the step of encrypting the session secret, wherein access by the client device to the encrypted session secret is not restricted, and the step of storing the encrypted session secret, and decrypting the stored encrypted session secret to determine the session secret transmitted to the remote server, para[0011]).  
As to claims 8-13, 15-20, they are rejected for the same reasons as to claims 1-7 above.

4.	Claims 7, 14 are rejected under 35 U.S.C. 103 as being unpatentable over STACHURA(US 20150134956 A1) in view of Fox(US 20180013565 A1) in view of Matsuda(US 20150193600 A1)  in view of  Wu(US 20080144625 A1) and further in view of Kelly(US 20050138362 A1).

As to claim 7, Stachura ,Fox, Matsuda  and Wu do not teach  the client uses the combined first and second parts of the token to access the service in a third server. However, Kelly teaches the client uses the combined first and second parts of the token to access the service in a third server(  The outer token and authentication token together comprise a combined token, which is encrypted by the gatekeeper server 30 with the same encryption key used by the application server 32. The gatekeeper server 30 forwards the encrypted combined token and a response by the application server to the user 12 (step 104). If the user 12 wishes to access the application server 32 again, the user 12 presents the encrypted combined token to the gatekeeper 
It would have been obvious to one of the ordinary skill in the art before the effective filling date of claimed invention was made to modify the teaching of Stachura,  Fox , Matsuda and  Wu with Kelly to incorporate the feature of the client uses the combined first and second parts of the token to access the service in a third server because this provides a more efficient, flexible and secure authentication system and method for receiving services from an application server in a networked computer system. 
As to claim 14, it is rejected for the same reason as to claim 7 above.   

                                                        Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to LECHI TRUONG whose telephone number is ( 571) 272-3767.  The examiner can normally be reached on 10-8PM.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor,  Chow, Dennis can be reached on ( 571) 272-7767   . The fax phone number for the organization where this application or proceeding is assigned is 703-872-9306.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR of Public PAIP. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIP system, contact the Electronic Business Center (EBC) at 866-217-9197(toll-free).