DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .  

Applicant(s) Response to Official Action
The response filed on August 12, 2022 has been entered and made of record.  

Claims 8, 15, and 20 have been amended.  Claims 1-20 remain pending in the application.  

Applicant’s arguments and/or amendments to the claim(s) has/have overcome each and every claim objection previously set forth in the Office Action mailed May 12, 2022.  Accordingly, the claim objection(s) articulated therein are withdrawn.  

Response to Arguments
The Examiner addresses Applicant’s Remarks filed August 12, 2022.  

On page 6 to page 7 of Applicant’s Remarks, Applicant argues that “Mardiks is silent about "encrypting, based on a nonce that is uniquely generated for the relying party, the user credential".  

Examiner respectfully disagrees.  In Mardiks, in the cited paragraphs of [0045]-[0046] (including Fig. 2A), there are two distinct elements of a “nonce”, and a “nonce hash”.  Mardiks at [0045].  Mardiks’ disclosed “nonce” is analogous to claim 1’s “user credential” (broadly, a unique session identifier), and the disclosed “nonce hash” is the encrypted “nonce”.  “Client 102 initiates a login request to an application on service provider 106.  Service provider 106 generates a unique session identifier value, e.g. a nonce value in this example, and hashes the nonce, e.g. encrypts the nonce using a public key”.  Id.  (emphasis added).  This is further evidenced in Figure 2A wherein the disclosed service provider returns both a nonce hash, and the nonce, at step 204.  Thereafter, the client in Mardiks retains (stores) the nonce, but sends the nonce hash to the identity provider (IdP): “Client 102 stores the nonce and sends an authentication request with the nonce hash, at 210, to IdP 104 for authentication…”.  Id. at [0046].  Thus, Mardiks is not silent as to “encrypting… the user credential”, as Mardiks does so when the nonce is hashed to create the nonce hash.  
Accordingly, Examiner maintains the rejection(s).  

On page 7 of Applicant’s Remarks, Applicant further argues that “Additionally, Mardiks also fails to disclose, "sending, to the relying party, a response to the request, the response comprising the access token, the encrypted user credential, and the nonce," as recited in claim 1.  

Examiner respectfully disagrees.  Having established herein, supra, that Mardiks does indeed encrypt the user credential (the “nonce hash”), Mardiks further discloses that the nonce hash is sent between all relying parties disclosed in the reference: from the service provider to the client device at step 204, from the client device to the IdP at step 210, from the IdP to the client device at step 212, and from the client device to the service provider at step 220.  Thus, under a broad yet reasonable interpretation, any response which includes the nonce hash may be reasonably construed as “the encrypted user credential” being sent to a “relying party”.  
Accordingly, Examiner maintains the rejection(s).  

Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:  
A person shall be entitled to a patent unless –

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.  


Claims 1-3, 5, 6, 8-10, 12, 13, 15-17, and 19 are rejected under 35 U.S.C. 102(a)(2) as being anticipated by Mardiks Rappaport, et al., U.S. Pub. No. 2020/0099675 (hereinafter referred to as Mardiks).  

With regard to claim 1, Mardiks discloses receiving, by an identity provider and from a user device, a user credential (Mardiks, [0046]; Fig. 2A Ref. 210); receiving, by the identity provider and from a relying party, a request for an access token (Mardiks, [0045]-[0046]; Fig. 2A Refs. 204 and 210); encrypting, based on a nonce that is uniquely generated for the relying party, the user credential (Mardiks, [0045]-[0046]; [0098]; Fig. 2A Ref. 212); and sending, to the relying party, a response to the request, the response comprising the access token, the encrypted user credential, and the nonce (Mardiks, [0046]; [0049]).  

With regard to claim 2, Mardiks further discloses wherein the encrypting the user credential is further based on a successful authentication, by the identity provider and using the user credential, of a user associated with the user device (Mardiks, [0002]; [0044]; [0046]).  

With regard to claim 3, Mardiks further discloses wherein the request comprises a client secret associated with the relying party, and wherein the encrypting the user credential comprises: generating, based on the client secret and the nonce, a key, wherein the client secret is associated with the relying party; and encrypting, based on the key, the user credential (Mardiks, [0002]; [0044]-[0045]; [0062] disclosed username and/or password is client secret associated with relying party/service provider; key used by service provider).  

With regard to claim 5, Mardiks further discloses generating, by the identity provider, the client secret that is unique to the relying party; and sending, to the relying party, the client secret (Mardiks, [0046]-[0047]; authentication token, nonce and nonce hash are forwarded to service provider).  

With regard to claim 6, Mardiks further discloses wherein the request comprises a token request that is in accordance with an OpenID connect authorization code flow (Mardiks, [0043]; [0060]).  

With regard to claim 8, Mardiks discloses one or more processors (Mardiks, [0040]; [0124]-[0128]); and memory storing instructions that, when executed by the one or more processors (Mardiks, [0102]; [0105]; [0124]), cause the identity provider to: receive, from a relying party, a request for an access token (Mardiks, [0046]; Fig. 2A Ref. 210); receive, from a user device, a user credential (Mardiks, [0045]-[0046]; Fig. 2A Refs. 204 and 210); encrypt, based on a nonce that is uniquely generated for the relying party, the user credential (Mardiks, [0045]-[0046]; [0098]; Fig. 2A Ref. 212); and send, to the relying party, a response to the request, the response comprising the access token, the encrypted user credential, and the nonce (Mardiks, [0046]; [0049]).  

With regard to claim 9, Mardiks further discloses the identity provider to encrypt the user credential further based on a successful authentication, by the identity provider and using the user credential, of a user associated with the user device (Mardiks, [0002]; [0044]; [0046]).  

With regard to claim 10, Mardiks further discloses a client secret associated with the relying party, and wherein the instructions, when executed by the one or more processors, cause the identity provider to encrypt the user credential by: generating, based on the client secret and the nonce, a key, wherein the client secret is associated with the relying party; and encrypting, based on the key, the user credential (Mardiks, [0002]; [0044]-[0045]; [0062] disclosed username and/or password is client secret associated with relying party/service provider; key used by service provider).  

With regard to claim 12, Mardiks further discloses generate the client secret that is unique to the relying party; and send, to the relying party, the client secret (Mardiks, [0046]-[0047]; authentication token, nonce and nonce hash are forwarded to service provider).  

With regard to claim 13, Mardiks further discloses wherein the request comprises a token request that is in accordance with an OpenID connect authorization code flow (Mardiks, [0043]; [0060]).  

With regard to claim 15, Mardiks discloses a non-transitory computer-readable medium storing instructions (Mardiks, [0102]; [0105]; [0124]), when executed by a computing device, cause the computing device (Mardiks, [0040]; [0124]-[0128]) to: receive, from a relying party, a request for an access token (Mardiks, [0045]-[0046]; Fig. 2A Refs. 204 and 210); receive, from a user device, a user credential (Mardiks, [0046]; Fig. 2A Ref. 210); encrypt, based on a nonce that is uniquely generated for the relying party, the user credential (Mardiks, [0045]-[0046]; [0098]; Fig. 2A Ref. 212); and send, to the relying party, a response to the request, the response comprising the access token, the encrypted user credential, and the nonce (Mardiks, [0046]; [0049]).  

With regard to claim 16, Mardiks further discloses to encrypt the user credential further based on a successful authentication, using the user credential, of a user associated with the user device (Mardiks, [0002]; [0044]; [0046]).  

With regard to claim 17, Mardiks further discloses wherein the request comprises a client secret associated with the relying party, and wherein the instructions, when executed by the computing device, cause the computing device to encrypt the user credential by: generating, based on the client secret and the nonce, a key, wherein the client secret is associated with the relying party; and encrypting, based on the key, the user credential (Mardiks, [0002]; [0044]-[0045]; [0062] disclosed username and/or password is client secret associated with relying party/service provider; key used by service provider).  

With regard to claim 19, Mardiks further discloses , wherein the request comprises a token request that is in accordance with an OpenID connect authorization code flow (Mardiks, [0043]; [0060]).  

Allowable Subject Matter
Claims 4, 7, 11, 14, 18, and 20 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims, and if Applicant should overcome any applicable claim objection(s) as set forth herein.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure:  See PTO-892.  

THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 

Any inquiry concerning this communication or earlier communications from the examiner should be directed to J. Brant Murphy whose telephone number is (571)272-6433. The examiner can normally be reached Monday - Friday, 8am - 4pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Joseph Hirl can be reached on 571-272-3685. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.




/J. BRANT MURPHY/Primary Examiner, Art Unit 2435                                                                                                                                                                                                        
October 18, 2022