DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Applicant's amendments filed on 10/31/2022 have been received and entered.  Currently, claims 1-20 are pending.

Response to Arguments
Applicant argues on pages 8-9 of applicant’s remarks that Flamini fails to disclose or suggest “receiving, from a web browser, a first access request associated with a first domain, the first access request associated with an access token, the access token being associated with a map of key-value pairs with each key-value pair corresponding to a domain in a plurality of domains” as recited in the claims.  Flamini discloses the "name-value pair" that corresponds to a user with certain attributes and not "corresponding to a domain in a plurality of domains". Accordingly, Flamini fails to disclose or suggest the "key-value pair" and the "map of key-value pairs with each key-value pair corresponding to a domain in a plurality of domains".
The examiner respectfully disagrees.  Flamini teaches an attribute statement asserts that a subject (user) is associated with certain attributes. An attribute is a name-value pair. Relying parties, such as service providers, use attributes to make access-control decisions ([0037]).  Flamini teaches the identity provider 605 issues a security token. A security token may be any means by which a user may be authenticated or authorized to access resources. A security token states that the information contained within the token is true ([0084]). Flamini further teaches once the user has been authorized, through attribute-based access control, and authenticated, the user may access resources provided by the service provider 610… that the user is known, by referring to the user by the user's federated identity, that the user has authenticated, and that the user has certain identity attributes (e.g., has a gold membership). ([0086]).  Flamini teaches security tokens comprising attributes (e.g. name-value pairs) ([0098]-[0100]).
It is obvious to one of ordinary skill in the art that since access to resources of domains is dependent on the attributes (e.g. name-value pairs) included in security tokens, the name-value pairs in a security token correspond to the domains that require the particular attributes for granting access to their resources.  Therefore, Flamini teaches the limitations of the claims.

Applicant argues on pages 9-10 of applicant’s remarks that Flamini fails to disclose or suggest “adding a new key-value pair corresponding to the second domain to the map of key-value pairs such that the access token is updated for the first domain and the second domain” as recited in the claims. Flamini discloses transforming of the access control attributes "into a format that is compatible with the attribute data contained within the security token" rather than adding a new "key-value pair corresponding to the second domain". Applicant submits that the act of "transforming" as disclosed by Flamini is different from the act of "adding".
The examiner respectfully disagrees.  Flamini teaches each service provider 610, 615 includes a modified processing module 800 for processing a security token 825… in an alternative embodiment, a single service provider in a security domain 600 may be designated as a processing service provider and all service providers may route the security token 825 to the processing service provider for further processing and modification ([0093]).  Flamini teaches a user logs onto a website in a first security domain 600 and an identity provider issues a security token 825 ([0095]).  Flamini teaches receiving attributes and transforming the access control attributes received from the identity provider into a format that is compatible with the attribute data contained within the security token ([0098]-[0099]).  Flamini further teaches because the security token has been re-signed, the service provider 905 becomes the asserting party. The service provider 905 asserts that it has only added information to the original security token provided by the identity provider 605a ([0100]).  Flamini teaches the modifier component 810 only inserts the transformed attributes and does not overwrite or remove any other information written in the now modified security token 835 ([0101]).
Therefore, Flamini teaches modifying an existing token by adding additional attributes, that correspond to a second domain, into the token.  Therefore, Flamini teaches the limitations of the claims.


Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 3, 7-10, 12 and 16-17 are rejected under 35 U.S.C. 103 as being unpatentable over Flamini et al. US2015/0237041 hereinafter referred to as Flamini, in view of Mayo et al. US2005/0204148 hereinafter referred to as Mayo.
As per claim 1, Flamini teaches one or more computer-readable storage media collectively storing computer-executable instructions that upon execution cause one or more computers to collectively perform acts comprising: receiving, from a web browser, a first access request associated with a first domain, the first access request associated with an access token, the access token being associated with a map of key-value pairs with each key-value pair corresponding to a domain in a plurality of domains (Flamini paragraph [0037], [0080], [0084], [0086], [0095], user logs in and authenticates with an identity provider and accesses resources associated with a first domain using an issued security token.  Tokens are associated with name-value pairs corresponding to domains); 
receiving, from the web browser, a second access request associated with a second domain, the second access request associated with the access token (Flamini paragraph [0080], [0093], [0096], user requests resources from a second domain using the security token); 
request, from the first domain, a registration of the second domain with the access token (Flamini paragraph [0092]-[0093], [0097], [0099]-[0100], first domain is the processing service provider that processes and modifies the security token.  Request first domain to process and modify the security token); 
adding a new key-value pair corresponding to the second domain to the map of key-value pairs such that the access token is updated for the first domain and the second domain (Flamini paragraph [0093], [0098]-[0101], append the attributes of the second domain to the security token); and 
granting the second access request based at least in part on the new key-value pair added in the access token (Flamini paragraph [0103], grant access to second domain resources based on modified security token).
Flamini does not explicitly disclose redirecting the second access request to cause the web browser to request, from the first domain.
Mayo teaches redirecting the second access request to cause the web browser to request, from the first domain (Mayo paragraph [0041], [0057], user access request to second domain is redirected to first domain).
Thus it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Flamini with the teachings of Mayo to include redirecting the user to the first domain for authentication and token issuance because the results would have been predictable and resulted in the first domain processing and modifying the security token.  It would have also been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Flamini with the teachings of Mayo to include null tokens in order to provide anonymous sessions.

As per claim 3, Flamini in view of Mayo teaches the one or more computer-readable storage media of claim 1, wherein the map of key-value pairs include the domains that are authorized to use the access token (Flamini paragraph [0037], [0084], [0093], [0097]-[0100], token includes name value pairs of domain attributes).

As per claim 7, Flamini in view of Mayo teaches the one or more computer-readable storage media of claim 1, wherein the access token includes an anonymous token or an identification token (Flamini paragraph [0084], [0095], security token.).

As per claim 8, Flamini in view of Mayo teaches the one or more computer-readable storage media of claim 7, wherein the new key-value pair is added to a confirmation claim of the anonymous token (Flamini paragraph [0037], [0084], [0100], token appended with new name value pair; Mayo paragraph [0063], [0069], [0074]-[0075], set token as null for anonymous token).

As per claim 9, Flamini in view of Mayo teaches the one or more computer-readable storage media of claim 7, wherein the anonymous token or the identification token are returned in cookies to the web browser (Mayo paragraph [0041], [0056], token in cookie).

As per claims 10, 12 and 16-17, the claims claim a system essentially corresponding to the computer readable storage media claims 1, 3 and 7-8 above, and they are rejected, at least for the same reasons.

Claims 2, 4-6, 11, 13-15 and 18-20 are rejected under 35 U.S.C. 103 as being unpatentable over Flamini in view of Mayo, and further in view of Engan et al. US2019/0124070 hereinafter referred to as Engan.
As per claim 2, Flamini in view of Mayo teaches the one or more computer-readable storage media of claim 1.
Flamini in view of Mayo does not explicitly disclose wherein access token is a JSON Web Token (JWT) with a confirmation claim that includes map of key-value pairs.
Engan teaches wherein access token is a JSON Web Token (JWT) with a confirmation claim that includes map of key-value pairs (Engan paragraph [0041]-[0044], jwt authentication token including name value pairs).
Thus it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to substitute the token format of Flamini in view of Mayo with the jwt token format of Engan because the results would have been predictable and resulted in the security token being in JWT format.

As per claim 4, Flamini in view of Mayo teaches the one or more computer-readable storage media of claim 1.
Flamini in view of Mayo does not explicitly disclose wherein a nonce token is used to sign an access request.
Engan teaches wherein a nonce token is used to sign an access request (Engan paragraph [0015], [0055], [0076], POP token included in access request).
Thus it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Flamini in view of Mayo with the teachings of Engan to include generating and using a POP token in an access request in order to prevent malicious entities from using a valid security token and to verify that a user using the security token is an authorized user.

As per claim 5, Flamini in view of Mayo and Engan teaches the one or more computer-readable storage media of claim 4 further comprising: receiving the access token and the nonce token from the first access request; and using a public key from the access token to validate the nonce token (Engan paragraph [0056], [0080], verify authentication token and extract client public key.  Verify POP token with extracted public key).

As per claim 6, Flamini in view of Mayo and Engan teaches the one or more computer-readable storage media of claim 4, wherein the nonce token is signed using a private key from the web browser (Flamini paragraph [0080], [0093], [0095]-[0096]; Engan paragraph [0053], [0056], POP token signed with private key).

As per claims 11, 13-15 and 18-20, the claims claim a system and a method essentially corresponding to the computer readable storage media claims 1-6 above, and they are rejected, at least for the same reasons.


Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to HENRY TSANG whose telephone number is (571)270-7959. The examiner can normally be reached M-F 8am - 5pm EST.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Farid Homayounmehr can be reached on (571) 272-3739. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/HENRY TSANG/             Primary Examiner, Art Unit 2495