Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .


DETAILED ACTION
The instant application having Application No. 17/142,498 is presented for examination by the examiner.

Priority
Acknowledgment is made of applicant's claim for foreign priority under 35 U.S.C. 119(a)-(d).  The certified copy has been received.


Claim Objections
Claims 11 and 17 are objected to because of the following informalities:  
The two words “includes” and “cause” in succession does not make sense.  It appears the word cause should be ‘causing’ and will be interpreted as such.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.


Claims 1, 3-5, 7-11, 13-17, 19, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over USP Application Publication 2019/0124070 to Engan et al., hereinafter Engan in view of USP Application Publication 2010/0299738 to Wahl.

As per claims 1, 9, and 15, Engan teaches authenticating, by communication between a client device and an identity provider (IDP) via a communication network, a user account for use by a client application of the client device based upon user credentials associated with the user account (0039);
 sending, from the client application to the IDP, a token request message including an indication of authentication of the user account (0040); 
receiving, at the client application from the IDP, an access token having a payload including a user identifier (0040 and 0044); 
sending, from the client application to a resource server via the communication network, a resource request including the access token (0055 and 0077); and 
receiving, at the client application from the resource server, a resource request response based upon the access token (0081 and Fig. 5, “Access”).
Engan is silent in explicitly teaching the access token is encrypted.  Wahl teaches an authentication process between a client and an IDP that issues an encrypted access token to the client (0051 and 0052).  Engan also receives the access token from an IDP and Wahl explicitly teaches tokens can be encrypted or not.  Thus, one of ordinary skill in the art could choose encryption or not depending on the circumstance.  For example, if more security is required the obvious choice is to use encrypted access token.  The claim is obvious because one of ordinary skill in art can combine methods known before the effective filing date which do not produce unpredictable results.  
As per claim 3 and 10, the combined system of Engan and Wahl teaches the client lacks a key to decrypt the payload of the encrypted access token because it is decrypted by resource provider [Wahl: 0052].  It would not make sense for the client to decrypt the encrypted token because he/she could alter it, thwarting the increased security. 

As per claims 4 and 16, Engan teaches storing, in a memory of the client device, the encrypted access token (0047), wherein sending the encrypted access token to the resource server includes accessing the encrypted access token from the memory (0055 and 0077).
As per claims 5, 11, and 17, Engan teaches generating, by the client application, a proof-of-possession (PoP) token (0049) which PoP token is signed by a private key of the client application (0053), wherein sending the resource request includes sending the PoP token to the resource server (0079).  Engan is silent in explicitly teaching the POP includes an indication of a resource associated with the resource server.  Engan explicitly teaches the POP can contain various other information related to the client device/user thereof (0040).  Wahl teaches that a token can contain the user’s access rights to server to which the token is sent (0052).  The claim is obvious because one of ordinary skill in the art can combine methods known before the effective filing date which do not produce unpredictable results.  The server needs a way of knowing the scope of access by the user which present the token and an obvious way is to include those rights in the access token that is to be verified.  Engan explicitly teaches validating both tokens by the resource provider.

As per claims 7, 13, and 19, Engan teaches the encrypted access token is a JavaScript Object Notation (JSON) Web Encryption (JWE) token generated by the IDP (0040).
As per claims 8, 14, and 20, the combined system of Engan and Wahl teaches the encrypted access token is bound to a user session of the user account in the client application (Engan: 0040).

Claim(s) 2 is rejected under 35 U.S.C. 103 as being unpatentable over Engan and Wahl as applied to claim 1 above, and further in view of USP Application Publication  2020/0286607 to Abuzeni.

As per claim 2, Engan and Wahl are silent in explicitly teaching the user identifier included in the encrypted access token comprises a phone number associated with the user account.  On the other hand, Abuzeni lists many parameters that can be included about a user including his/her phone number (0040).  Abuzeni generates an encrypted machine-readable code key which is signed by a signing authority and presented as a token when the user which to receive a service (i.e. prescription).  Engen already teaches token can include client identifiers (0039).  Phone number can be used to identify users in certain contexts.  Including the phone number in the token of Engan would not produce an unpredictable result.  The claim is obvious because one of ordinary skill in the art can combine methods known before the effective filing date which do not produce unpredictable results.  


Claim(s) 6, 12, and 18 is/are rejected under 35 U.S.C. 103 as being unpatentable over Engan and Wahl as applied to claim 1 above, and further in view of USP Application Publication 2016/0360403 to Jordi et al., hereinafter Jordi.
As per claims 6, 12, and 18 Engan teaches authenticating the user account comprises: sending, from a user agent running on the client device, the user credentials to the IDP (0039).  Engan and Wahl do not explicitly teach receiving, at the user agent, an authorization code from the IDP; and providing, by the user agent, the authorization code to the client application.  On the other hand, during the registration process Jordi teaches this limitation as the server sends the client device a SMS code which must be entered into the mobile application and returned to the server in order to complete the registration (0067).  This ties the phone number of the user to the registration.  It is well known that a phone number can be included in registrations.  Sending an SMS code to the mobile device number achieves this process and improves the security of the account.  Engan already teaching sending user information to the registration server (0039).  The claim is obvious because one of ordinary skill in the art can combine methods known before the effective filing date which do not produce unpredictable results.  
Conclusion
	The prior art made of record and not relied upon is considered pertinent to applicant's disclosure is listed on the enclosed PTO-892 form.
	US 20120167185: Uses encrypted tokens in combination with POP token for access control.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MICHAEL R. VAUGHAN whose telephone number is (571)270-7316.  The examiner can normally be reached on Monday - Friday, 9:30am - 5:30pm, EST. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn Feild can be reached on (571) 272-2092.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/MICHAEL R VAUGHAN/
Primary Examiner, Art Unit 2431