DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Information Disclosure Statement
The information disclosure statement (IDS) submitted by applicant dated 02/02/2021 has been considered by the examiner.

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claims 10-17 are rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter.  
As per claim 10, the claim recites a system comprising components which may be interpreted simply as software, which does not fall under one of the four statutory categories. The recitation of "server" does not limit the claim to hardware, since servers are not necessarily considered as hardware and may refer to software. It is suggested to amend the claim to recite hardware elements.
Dependent claims 11-17 do not limit the independent claim 10 to statutory subject matter and therefore they are also rejected under 35 U.S.C. 101.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 16-17 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.
As per claim 16, the claim recites “wherein the access token includes an anonymous token and an identification token”. It is unclear to the examiner how the access token includes both an anonymous token and an identification token. The examiner notes paragraph [0079] of the instant specification recites “The second server 704 may then extract 720 the anonymous token or the id_token from the cookie depending upon the current state of the web browser 504”, paragraph [0098] recites “Upon validation of the first access request, the first server 508 may request an id token (e.g., id_token 422 of FIG. 4) from the API server 510 and replace the validated anonymous token in the cookie with the requested id_token”, and paragraph [0099] recites “The anonymous token or the id token may be included in the request depending upon whether the web browser is currently in the anonymous session state or the authenticated session state”. Therefore, the access token is either an anonymous token or an identification token. For examination purposes in applying prior art, the examiner interprets the limitation as “wherein the access token includes an anonymous token or an identification token”.
Dependent claim 17 depends on claim 16 and does not further clarify the issues. Claim 17 also refers to the access token as both an anonymous token and an identification token. Therefore, claim 17 is also rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 3, 7-10, 12 and 16-17 are rejected under 35 U.S.C. 103 as being unpatentable over Flamini et al. US2015/0237041 hereinafter referred to as Flamini, in view of Mayo et al. US2005/0204148 hereinafter referred to as Mayo.
As per claim 1, Flamini teaches one or more computer-readable storage media collectively storing computer-executable instructions that upon execution cause one or more computers to collectively perform acts comprising: receiving, from a web browser, a first access request associated with a first domain, the first access request associated with an access token, the access token being associated with a map of key-value pairs with each key-value pair corresponding to a domain in a plurality of domains (Flamini paragraph [0037], [0080], [0084], [0086], [0095], user logs in and authenticates with an identity provider and accesses resources associated with a first domain using an issued security token. Tokens are associated with name-value pairs corresponding to domains); 
receiving, from the web browser, a second access request associated with a second domain, the second access request associated with the access token (Flamini paragraph [0080], [0093], [0096], user requests resources from a second domain using the security token); 
request, from the first domain, a registration of the second domain with the access token (Flamini paragraph [0092]-[0093], [0097], [0099]-[0100], first domain is the processing service provider that processes and modifies the security token.  Request first domain to process and modify the security token); 
adding a new key-value pair corresponding to the second domain to the map of key-value pairs such that the access token is updated for the first domain and the second domain (Flamini paragraph [0093], [0098]-[0101], append the attributes of the second domain to the security token); and 
granting the second access request based at least in part on the new key-value pair added in the access token (Flamini paragraph [0103], grant access to second domain resources based on modified security token).
Flamini does not explicitly disclose redirecting the second access request to cause the web browser to request, from the first domain.
Mayo teaches redirecting the second access request to cause the web browser to request, from the first domain (Mayo paragraph [0041], [0057], user access request to second domain is redirected to first domain).
Thus it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Flamini with the teachings of Mayo to include redirecting the user to the first domain for authentication and token issuance because the results would have been predictable and resulted in the first domain processing and modifying the security token.  It would have also been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Flamini with the teachings of Mayo to include null tokens in order to provide anonymous sessions.

As per claim 3, Flamini in view of Mayo teaches the one or more computer-readable storage media of claim 1, wherein the map of key-value pairs include the domains that are authorized to use the access token (Flamini paragraph [0037], [0084], [0093], [0097]-[0100], token includes name value pairs of domain attributes).

As per claim 7, Flamini in view of Mayo teaches the one or more computer-readable storage media of claim 1, wherein the access token includes an anonymous token or an identification token (Flamini paragraph [0084], [0095], security token).

As per claim 8, Flamini in view of Mayo teaches the one or more computer-readable storage media of claim 7, wherein the new key-value pair is added to a confirmation claim of the anonymous token (Flamini paragraph [0037], [0084], [0100], token appended with new name value pair; Mayo paragraph [0063], [0069], [0074]-[0075], set token as null for anonymous token).

As per claim 9, Flamini in view of Mayo teaches the one or more computer-readable storage media of claim 7, wherein the anonymous token or the identification token are returned in cookies to the web browser (Mayo paragraph [0041], [0056], token in cookie).

As per claims 10, 12 and 16-17, the claims recite a system essentially corresponding to the computer readable storage media claims 1, 3 and 7-8 above, and they are rejected, at least for the same reasons.

Claims 2, 4-6, 11, 13-15 and 18-20 are rejected under 35 U.S.C. 103 as being unpatentable over Flamini in view of Mayo, and further in view of Engan et al. US2019/0124070 hereinafter referred to as Engan.
As per claim 2, Flamini in view of Mayo teaches the one or more computer-readable storage media of claim 1.
Flamini in view of Mayo does not explicitly disclose wherein access token is a JSON Web Token (JWT) with a confirmation claim that includes map of key-value pairs.
Engan teaches wherein access token is a JSON Web Token (JWT) with a confirmation claim that includes map of key-value pairs (Engan paragraph [0041]-[0044], JWT authentication token including name value pairs).
Thus it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to substitute the token format of Flamini in view of Mayo with the JWT token format of Engan because the results would have been predictable and resulted in the security token being in JWT format.

As per claim 4, Flamini in view of Mayo teaches the one or more computer-readable storage media of claim 1.
Flamini in view of Mayo does not explicitly disclose wherein a nonce token is used to sign an access request.
Engan teaches wherein a nonce token is used to sign an access request (Engan paragraph [0015], [0055], [0076], POP token included in access request).
Thus it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Flamini in view of Mayo with the teachings of Engan to include generating and using a POP token in an access request in order to prevent malicious entities from using a valid security token and to verify that a user using the security token is an authorized user.

As per claim 5, Flamini in view of Mayo and Engan teaches the one or more computer-readable storage media of claim 4 further comprising: receiving the access token and the nonce token from the first access request; and using a public key from the access token to validate the nonce token (Engan paragraph [0056], [0080], verify authentication token and extract client public key. Verify POP token with extracted public key).

As per claim 6, Flamini in view of Mayo and Engan teaches the one or more computer-readable storage media of claim 4, wherein the nonce token is signed using a private key from the web browser (Flamini paragraph [0080], [0093], [0095]-[0096]; Engan paragraph [0053], [0056], POP token signed with private key).

As per claims 11, 13-15 and 18-20, the claims recite a system and a method essentially corresponding to the computer readable storage media claims 1-6 above, and they are rejected, at least for the same reasons.


Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to HENRY TSANG whose telephone number is (571)270-7959. The examiner can normally be reached M-F 8am - 5pm EST.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Farid Homayounmehr can be reached on (571) 272-3739. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/HENRY TSANG/             Primary Examiner, Art Unit 2495