DETAILED ACTION
This Office Action is sent in response to Applicant’s Communication received 9/28/2022 for application number 17/248,239. 
Claims 1-20 are pending.

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.

Claim(s) 1, 4-5, 7, 10, 13-14, 16, and 19 is/are rejected under 35 U.S.C. 103 as being unpatentable over Nelson et al. (US 8,793,509 B1) in view of McCoy, Generating friendly, unique identifiers (see attached NPL 6/8/2022).

In reference to claim 1, Nelson teaches a method of authorizing access to a protected resource (col. 1, lines 40-51), the method comprising:  … receiving, by the authorization service from an instance of the web application from a network, a request for access to the protected resource on behalf of a user of the web application (request to access user data is received by authorization agent from instance of web application, col. 4, line 63 – col. 5, line 21; col. 3, lines 36-55); in response to the request, generating, by the authorization service, a graphical user interface (GUI) display including a graphical representation of the [unique name] assigned to the web application at a client device associated with the user (GUI displayed with URL, or name, of application, fig. 10; col. 15, line 38 – col. 16, line 17; col. 5, lines 27-33); and thereafter, in response to user selection of a GUI element of the GUI display: obtaining, by the authorization service, an access token associated with the user and the protected resource; and transmitting, by the authorization service, the access token to the web application (authorization agent generates token, and token is sent to web application, col. 5, lines 27-53).
However, Nelson does not teach automatically assigning, by an authorization service, a unique alias to a web application (Nelson teaches displaying a unique identifier of the web application, i.e. the URL in fig. 10, but not an “alias”). 
McCoy teaches automatically assigning, by an authorization service, a unique autogenerated human-readable alias to a web application (a unique, human-readable identifier comprising words is generated, page 1), wherein the unique autogenerated human-readable alias is different from a name or other unique identifier defined for the web application (identifier is “unique” and “random,” so it would be unique and different from a regular name, page 1).
It would have been obvious to one of ordinary skill in art, having the teachings of Nelson and McCoy before the earliest effective filing date, to modify the interface as disclosed by Nelson to include the alias as taught by McCoy.
One of ordinary skill in the art would have been motivated to modify the interface of Nelson to include the alias of McCoy because a randomly generated phrase identifier can help users identify prompts that are illegitimate phishing attempts (See Emigh et al. US 8984640 B1, col. 30, lines 26-48; col. 37, line 37 – col. 38, line 3).
In reference to claim 4, McCoy teaches the method of claim 1, wherein automatically assigning the unique autogenerated human-readable alias comprises: randomly generating, by the authorization service, one or more terms, wherein the one or more terms comprise alphanumeric words or numbers; and assigning, by the authorization service, the one or more terms to the web application as the unique autogenerated human-readable alias for the web application (McCoy teaches a human-readable alias with two words, page 1).
In reference to claim 5, McCoy teaches the method of claim 1, wherein automatically assigning the unique autogenerated human-readable alias comprises: automatically selecting, by the authorization service, one or more terms from one or more groups of potential alias terms, wherein each group of the one or more groups of potential alias terms comprises a plurality of alphanumeric words or numbers; and assigning, by the authorization service, the one or more terms to the web application as the unique autogenerated human-readable alias for the web application (McCoy teaches selecting terms randomly from a word list, page 1).
In reference to claim 7, Nelson and McCoy teach the method of claim 1, wherein generating the GUI display comprises generating an authorization consent GUI display within a browser application at the client device, wherein the authorization consent GUI display includes a first graphical representation of a name associated with the web application (Nelson teaches a URL, or name, of the application, fig. 10; col. 15, line 38 – col. 16, line 17; col. 5, lines 27-33), a second graphical representation of the unique alias associated with the web application, and the GUI element to authorize the web application to access the protected resource (McCoy teaches a human-readable alias, page 1).

In reference to claim 10, Nelson teaches a non-transitory machine-readable storage medium that provides instructions that, if executed by a processor, are configurable to cause said processor to perform operations comprising (col. 16, lines 51-61):  … receiving a request for access to a third party computing system on behalf of a user of the web application from an instance of the web application (request to access user data is received by authorization agent from instance of web application, col. 4, line 63 – col. 5, line 21; col. 3, lines 36-55); in response to the request, generating an authorization consent graphical user interface (GUI) display including a graphical representation of the unique [name] automatically assigned to the web application at a client device associated with the user (GUI displayed with URL, or name, of application, fig. 10; col. 15, line 38 – col. 16, line 17; col. 5, lines 27-33); and thereafter, in response to user selection of a GUI element of the authorization consent GUI display: obtaining an access token associated with the third party computing system; and transmitting the access token to the web application (authorization agent generates token, and token is sent to web application, col. 5, lines 27-53).
However, Nelson does not teach automatically assigning a unique human-readable alias to a web application (Nelson teaches displaying a unique identifier of the web application, i.e. the URL in fig. 10, but not an “alias”). 
McCoy teaches automatically assigning, by an authorization service, a unique autogenerated human-readable alias to a web application (a unique, human-readable identifier comprising words is generated, page 1), wherein the unique autogenerated human-readable alias is different from a name or other unique identifier defined for the web application (identifier is “unique” and “random,” so it would be unique and different from a regular name, page 1).
It would have been obvious to one of ordinary skill in art, having the teachings of Nelson and McCoy before the earliest effective filing date, to modify the interface as disclosed by Nelson to include the alias as taught by McCoy.
One of ordinary skill in the art would have been motivated to modify the interface of Nelson to include the alias of McCoy because a randomly generated phrase identifier can help users identify prompts that are illegitimate phishing attempts (See Emigh et al. US 8984640 B1, col. 30, lines 26-48; col. 37, line 37 – col. 38, line 3).
In reference to claim 13, McCoy teaches the non-transitory machine-readable storage medium of claim 10, wherein the instructions configurable to cause said processor to randomly generate one or more terms and assign the one or more terms to the web application as the unique autogenerated human-readable alias for the web application, wherein the one or more terms comprise alphanumeric words or numbers (McCoy teaches a randomly-generated human-readable alias with two words, page 1).
In reference to claim 14, McCoy teaches the non-transitory machine-readable storage medium of claim 10, wherein the instructions configurable to cause said processor to automatically select one or more terms from one or more groups of potential alias terms and assign the automatically selected one or more terms to the web application as the unique autogenerated human-readable alias for the web application, wherein each group of the one or more groups of potential alias terms comprises a plurality of alphanumeric words or numbers (McCoy teaches selecting terms randomly from different word list groups, page 1).
In reference to claim 16, Nelson teaches a authorization system comprising: a non-transitory machine-readable storage medium that stores software; and a processor, coupled to the non-transitory machine-readable storage medium, to execute the software that implements an authorization service and that is configurable to (fig. 11): receive a request for access to a protected resource on behalf of a user of the web application from an instance of the web application over a network (request to access user data is received by authorization agent from instance of web application, col. 4, line 63 – col. 5, line 21; col. 3, lines 36-55); generate, in response to the request, a graphical user interface (GUI) display including a graphical representation of the unique [name] automatically assigned to the web application at a client device associated with the user (GUI displayed with URL, or name, of application, fig. 10; col. 15, line 38 – col. 16, line 17; col. 5, lines 27-33); and thereafter, in response to user selection of a GUI element of the GUI display: obtain an access token associated with the user and the protected resource; and transmit the access token to the web application (authorization agent generates token, and token is sent to web application, col. 5, lines 27-53).
However, Nelson does not teach automatically assign a unique alias to a web application (Nelson teaches displaying a unique identifier of the web application, i.e. the URL in fig. 10, but not an “alias”). 
McCoy teaches automatically assigning, by an authorization service, a unique autogenerated human-readable alias to a web application (a unique, human-readable identifier comprising words is generated, page 1), wherein the unique autogenerated human-readable alias is different from a name or other unique identifier defined for the web application (identifier is “unique” and “random,” so it would be unique and different from a regular name, page 1).
It would have been obvious to one of ordinary skill in art, having the teachings of Nelson and Emigh before the earliest effective filing date, to modify the interface as disclosed by Nelson to include the alias as taught by McCoy.
One of ordinary skill in the art would have been motivated to modify the interface of Nelson to include the alias of McCoy because a randomly generated phrase identifier can help users identify prompts that are illegitimate phishing attempts (See Emigh et al. US 8984640 B1, col. 30, lines 26-48; col. 37, line 37 – col. 38, line 3).
In reference to claim 19, McCoy teaches the authorization system of claim 17, wherein the software is configurable to automatically select the one or more terms from one or more groups of potential alias terms, wherein each group of the one or more groups of potential alias terms comprises a plurality of alphanumeric words or numbers (McCoy teaches a randomly-generated human-readable alias with two words from different word list groups, page 1).

Claim(s) 2-3, 11-12, and 17-18 is/are rejected under 35 U.S.C. 103 as being unpatentable over Nelson et al. (US 8,793,509 B1) in view of McCoy, Generating friendly, unique identifiers (see attached NPL 6/8/2022) as applied to claim 1 above, and in further view of Emigh et al. (US 8,984,640 B1).

In reference to claim 2, McCoy teaches the method of claim 1, wherein automatically assigning the unique alias comprises: automatically generating, by the authorization service, a human-readable autogenerated human-readable alias comprising one or more terms … (McCoy teaches a human-readable alias with two words, page 1).
However, Nelson and McCoy do not explicitly teach and updating, by the authorization service, an alias database to include an entry maintaining an association between the human-readable alias and the web application (Nelson teaches a database, fig. 5, but not an alias).
Emigh teaches updating, by the authorization service, an alias database to include an entry maintaining an association between the human-readable alias and the web application (reference identifier – which is a random phrase associated with a service, col. 30, lines 26-48; col. 37, line 37 – col. 38, line 3 – has association stored in database, col. 33, lines 12-58).
It would have been obvious to one of ordinary skill in art, having the teachings of Nelson, McCoy, and Emigh before the earliest effective filing date, to modify the alias as disclosed by McCoy to include a database as taught by Emigh.
One of ordinary skill in the art would have been motivated to modify the alias of McCoy to include the database of Emigh because it would allow the alias to be stored and used later.
In reference to claim 3, McCoy teaches the method of claim 2, wherein automatically assigning the unique autogenerated human-readable alias comprises verifying, by the authorization service, that the human-readable alias is unique with respect to existing aliases maintained in the alias database in association with other web applications (McCoy teaches creating “unique identifiers” by randomly selecting words, page 1, so logically a check would have to be made to verify there is not a collision to ensure the identifier is unique).

In reference to claim 11, McCoy teaches the non-transitory machine-readable storage medium of claim 10, wherein the instructions configurable to cause said processor to automatically generate the unique human- readable alias… (McCoy teaches a human-readable alias with two words, page 1).
However, Nelson and McCoy do not explicitly teach and update an alias database to include an entry maintaining an association between the unique human-readable alias and the web application (Nelson teaches a database, fig. 5, but not an alias).
Emigh teaches update an alias database to include an entry maintaining an association between the unique human-readable alias and the web application (reference identifier – which is a random phrase associated with a service, col. 30, lines 26-48; col. 37, line 37 – col. 38, line 3 – has association stored in database, col. 33, lines 12-58).
It would have been obvious to one of ordinary skill in art, having the teachings of Nelson, McCoy, and Emigh before the earliest effective filing date, to modify the alias as disclosed by McCoy to include a database as taught by Emigh.
One of ordinary skill in the art would have been motivated to modify the alias of McCoy to include the database of Emigh because it would allow the alias to be stored and used later.
In reference to claim 12, McCoy teaches the non-transitory machine-readable storage medium of claim 11, wherein the instructions configurable to cause said processor to verify the unique human-readable alias as unique with respect to existing aliases maintained in the alias database in association with other web applications (McCoy teaches creating “unique identifiers” by randomly selecting words, page 1, so logically a check would have to be made to verify there is not a collision to ensure the identifier is actually unique).

In reference to claim 17, Nelson and McCoy the authorization system of claim 16, further comprising a database (Nelson, fig. 5), coupled to the processor, wherein the software is configurable to automatically generate a human-readable alias comprising one or more terms … (McCoy teaches a human-readable alias with two words, page 1).
However, Nelson and McCoy do not explicitly teach and update the database to include an entry maintaining an association between the human-readable alias and the web application (Nelson teaches a database, fig. 5, but not an alias).
Emigh teaches update the database to include an entry maintaining an association between the human-readable alias and the web application (reference identifier – which is a random phrase associated with a service, col. 30, lines 26-48; col. 37, line 37 – col. 38, line 3 – has association stored in database, col. 33, lines 12-58).
It would have been obvious to one of ordinary skill in art, having the teachings of Nelson, McCoy, and Emigh before the earliest effective filing date, to modify the alias as disclosed by McCoy to include a database as taught by Emigh.
One of ordinary skill in the art would have been motivated to modify the alias of McCoy to include the database of Emigh because it would allow the alias to be stored and used later.
In reference to claim 18, McCoy teaches the authorization system of claim 17, wherein the software is configurable to verify the human-readable alias is unique with respect to existing aliases maintained in the database in association with other web applications prior to updating the database to include the entry (McCoy teaches creating “unique identifiers” by randomly selecting words, page 1, so logically a check would have to be made to verify there is not a collision to ensure the identifier is actually unique).

Claim(s) 6 is/are rejected under 35 U.S.C. 103 as being unpatentable over Nelson et al. (US 8,793,509 B1) in view of McCoy, Generating friendly, unique identifiers (see attached NPL 6/8/2022) as applied to claim 1 above, and in further view of Lavallee et al. (US 7,454,437 B1).

In reference to claim 6, McCoy teaches the method of claim 1, wherein automatically assigning the unique autogenerated human-readable alias comprises: automatically identifying, by the authorization service, a first term for the unique alias; automatically generating, by the authorization service, a second term for the unique alias; assigning, by the authorization service, a combination of the first term and the second term to the web application as the unique autogenerated human-readable alias for the web application (McCoy teaches a human-readable alias with two words, page 1).
However, Nelson and McCoy do not explicitly teach a first term for the unique alias in accordance with a naming policy associated with the protected resource.
Lavallee teaches a first term for the unique autogenerated human-readable alias in accordance with a naming policy associated with the protected resource (resources can be named in accordance with a naming policy, col. 13, lines).
It would have been obvious to one of ordinary skill in art, having the teachings of Nelson, McCoy, and Emigh before the earliest effective filing date, to modify the alias as disclosed by McCoy to include a database as taught by Emigh.
One of ordinary skill in the art would have been motivated to modify the alias of McCoy to include the database of Emigh because it would allow the alias to be stored and used later.

Claim(s) 8-9, 15, and 20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Nelson et al. (US 8,793,509 B1) in view of McCoy, Generating friendly, unique identifiers (see attached NPL 6/8/2022) as applied to claim 1 above, and in further view of Miyamoto et al. (US 2020/0211098 A1).

In reference to claim 8, Nelson teaches the method of claim 1, the protected resource comprising protected data associated with the user maintained in a record at a third party database system, (user data, col. 3, lines 47-55).
However, Nelson and McCoy do not teach wherein transmitting the access token to the web application comprises the authorization service automatically redirecting a browser application at the client device to a uniform resource locator (URL) address associated with the web application that includes the access token, wherein the web application utilizes the access token obtained from the URL address to retrieve the protected data from the third party database system.
Miyamoto teaches transmitting the access token to the web application comprises the authorization service automatically redirecting a browser application at the client device to a uniform resource locator (URL) address associated with the web application that includes the access token, wherein the web application utilizes the access token obtained from the URL address to retrieve the protected data from the third party database system (responsive to user agreeing to account access, URL with including account access token is used by web application to access the account, para. 0047-60).
It would have been obvious to one of ordinary skill in art, having the teachings of Nelson, McCoy, and Miyamoto before the earliest effective filing date, to modify the token as disclosed by Nelson to include the URL token as taught by Miyamoto.
One of ordinary skill in the art would have been motivated to modify the token of Nelson to include the URL token of Miyamoto because it helps the third party allow for more efficient access to an account (Miyamoto, para. 0057).
In reference to claim 9, Miyamoto further teaches the method of claim 8, wherein obtaining the access token comprises the authorization service dynamically generating the access token based on at least in part on an identity of at least one of the web application requesting access to the protected resource and the protected resource requested for access in response to user selection of the GUI element prior to appending the access token to the URL address associated with the web application (token is based on both the user selecting a GUI element to accept account access, para. 0047, and is based on the identity of the platform system, which is the web application, para. 0051-53 ).

In reference to claim 15, Nelson and McCoy do not teach the non-transitory machine-readable storage medium of claim 10, wherein the instructions configurable to cause said processor to transmit the access token to the web application by automatically redirecting a browser application at the client device to a uniform resource locator (URL) address associated with the web application that includes the access token for retrieving protected data associated with the user from the third party computing system.
Miyamoto teaches the non-transitory machine-readable storage medium of claim 10, wherein the instructions configurable to cause said processor to transmit the access token to the web application by automatically redirecting a browser application at the client device to a uniform resource locator (URL) address associated with the web application that includes the access token for retrieving protected data associated with the user from the third party computing system (responsive to user agreeing to account access, URL with including account access token is used by web application to access the account, para. 0047-60).
It would have been obvious to one of ordinary skill in art, having the teachings of Nelson, McCoy, and Miyamoto before the earliest effective filing date, to modify the token as disclosed by Nelson to include the URL token as taught by Miyamoto.
One of ordinary skill in the art would have been motivated to modify the token of Nelson to include the URL token of Miyamoto because it helps the third party allow for more efficient access to an account (Miyamoto, para. 0057).
In reference to claim 20, Nelson and McCoy do not teach the authorization system of claim 17, wherein the software is configurable to transmit the access token to the web application by automatically redirecting a browser application at the client device to a uniform resource locator (URL) address associated with the web application that includes the access token.
Miyamoto teaches the authorization system of claim 17, wherein the software is configurable to transmit the access token to the web application by automatically redirecting a browser application at the client device to a uniform resource locator (URL) address associated with the web application that includes the access token (responsive to user agreeing to account access, URL with including account access token is used by web application to access the account, para. 0047-60).
It would have been obvious to one of ordinary skill in art, having the teachings of Nelson, McCoy, and Miyamoto before the earliest effective filing date, to modify the token as disclosed by Nelson to include the URL token as taught by Miyamoto.
One of ordinary skill in the art would have been motivated to modify the token of Nelson to include the URL token of Miyamoto because it helps the third party allow for more efficient access to an account (Miyamoto, para. 0057).

Response to Arguments
Applicant's arguments filed 9/8/2022 have been fully considered but they are not persuasive. Applicant argues that Nelson does not teach a unique autogenerated human-readable alias for a web application, and thus could not stop a malicious actor from spoofing the name of a legitimate developer or application, and that McCoy does not teach the modification, and there is not rationale to combine. The Examiner disagrees. McCoy teaches displaying a unique, human readable ID for the application – the URL. The only difference between the claimed invention and McCoy is that the identifier is “autogenerated” and “different from a name or other unique identifier.” Nelson teaches unique, randomly generated ID that is human readable, like a random set of words. Finally, Emigh provides a rationale to combine: Emigh teaches that random phrases can help user identify phishing attempt prompts. 

Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ANDREW T CHIUSANO whose telephone number is (571)272-5231. The examiner can normally be reached M-F, 10am-6pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Sherief Badawi can be reached on 571-272-9782. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/ANDREW T CHIUSANO/Examiner, Art Unit 2174