Prosecution Insights
Last updated: April 19, 2026
Application No. 17/211,178

CLOUD-BASED IDENTITY PROVIDER INTERWORKING FOR NETWORK ACCESS AUTHENTICATION

Final Rejection §103 §112
Filed: Mar 24, 2021
Examiner: DAVIS, ZACHARY A
Art Unit: 2492
Tech Center: 2400 — Computer Networks
Assignee: Cisco Technology Inc.
OA Round: 6 (Final)
Grant Probability: 54% (Moderate)
OA Rounds: 7-8
To Grant: 4y 6m
With Interview: 77%

Examiner Intelligence

Grants 54% of resolved cases
Career Allow Rate: 54% (269 granted / 499 resolved; -4.1% vs TC avg)
Strong +23% interview lift
Interview Lift: +22.9% (resolved cases with interview)
Typical timeline
Avg Prosecution: 4y 6m (58 currently pending)
Career history
Total Applications: 557 (across all art units)

Statute-Specific Performance

§101: 15.0% (-25.0% vs TC avg)
§103: 26.5% (-13.5% vs TC avg)
§102: 15.9% (-24.1% vs TC avg)
§112: 39.0% (-1.0% vs TC avg)
Black line = Tech Center average estimate • Based on career data from 499 resolved cases

Office Action

§103 §112
DETAILED ACTION

A response was received on 13 November 2025. By this response, Claims 1, 8, and 14 have been amended. No claims have been added or canceled. Claims 1-20 are currently pending in the present application.

Response to Arguments

Applicant’s arguments with respect to the rejection of Claims 1-20 under 35 U.S.C. 103 have been considered but are moot in view of the new grounds of rejection set forth below.

Specification

The specification is objected to as failing to provide proper antecedent basis for the claimed subject matter. See 37 CFR 1.75(d)(1) and MPEP § 608.01(o). Correction of the following is required:

Independent Claims 1, 8, and 14 have been amended to recite that a cloud-based identity provider “is external to and independent of a network operator of the network” or similar language. However, the terms “external” and “independent” do not appear in the specification. Therefore, there is not clear antecedent basis for the claimed subject matter. For further detail, see below with respect to the rejection under 35 U.S.C. 112(a) for failure to comply with the written description requirement.

Claim Rejections - 35 USC § 112

The rejection of Claims 8-13 under 35 U.S.C. 112(b) as indefinite is withdrawn in light of the amendments to the claims.

The following is a quotation of 35 U.S.C. 112(a):

(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.

The following is a quotation of the first paragraph of pre-AIA 35 U.S.C. 112:

The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor of carrying out his invention.

Claims 1-20 are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA), first paragraph, as failing to comply with the written description requirement. The claims contain subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for applications subject to pre-AIA 35 U.S.C. 112, the inventor(s), at the time the application was filed, had possession of the claimed invention.

Independent Claims 1, 8, and 14 have been amended to recite that a cloud-based identity provider “is external to and independent of a network operator of the network” or similar language. Applicant has cited to paragraphs 0013-0015, 0023, 0028-0030, 0047, and 0061, and Figures 1-2B for support for the claims as amended (page 11 of the present response). However, none of these cited paragraphs appears to describe identity provider as external to or independent of a network operator. It is acknowledged that the cited figures at least appear to depict the authorization server as separate from or external to other networks. However, neither the cited figures nor paragraphs appear to provide any description of the identity provider as independent of a network operator, nor does there appear to be any mention elsewhere in the disclosure, either explicit or implicit, of the identity provider being independent of a network operator. Therefore, there is not clear written description of the subject matter of the claims as amended.

Claims not explicitly referred to above are rejected due to their dependence on a rejected base claim.

The following is a quotation of 35 U.S.C. 112(b):

(b) CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.

The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:

The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.

Claims 14-20 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.

Claim 14 recites “the cloud-based identity provider that is external to and independent of a network operator of the network” in lines 12-13. However, although the claim previously recited a cloud-based identity provider, there is not clear antecedent basis for this more detailed limitation in the claim. It appears that this may be intended to be written as a “wherein” clause providing further limitation on the identity provider, or alternately, the further details of the identity provider could be recited when the element is first introduced. The above ambiguity renders the claim indefinite.

Claims 15-20 are rejected due to their dependence on a rejected base claim.

Claim Rejections - 35 USC § 103

In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:

A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Shah et al, US Patent 9009801, in view of Brinckman et al, US Patent 10944757, and Camenisch et al, US Patent 10171439.

In reference to Claim 1, Shah discloses a method that includes a network node receiving a first request from a user device for access to a network (see Figure 13; column 36, lines 39-44); sending a second request to the user device to provide identity credentials indicating a user of the user device, receiving the identity credentials from the user device, and sending the identity credentials to an identity provider (Figure 13, steps 1302-1304; column 36, lines 44-54); receiving from the identity provider a first challenge to provide first authentication credentials for authenticating the identity of the user device and sending the first challenge to the user device (Figure 13, steps 1306-1307; column 36, lines 55-59); receiving first encrypted data including the authentication credentials from the user device and sending the first encrypted data to the identity provider (Figure 13, steps 1309-1310; column 36, line 59-column 37, line 1; see also column 5, lines 1-18); receiving, from the identity provider, a first token issued by the identity provider and storing an association between the first token and the user device (see Figure 13, steps 1311-1314; see also Figure 14, steps 1410-1411; column 37, lines 1-9; column 38, lines 29-41); and the network node accessing resources using the first token on behalf of the user device (see Figure 13, step 1315; see also Figure 14, steps 1412-1420; column 37, lines 6-9; column 38, lines 38-64). However, Shah does not explicitly disclose that the identity provider is cloud-based or external to and independent of a network operator. 
Brinckman discloses a method that includes sending identity credentials to a cloud-based identity provider and receiving an access token from the cloud-based identity provider in response to authentication (see column 5, line 36-column 6, line 24, cloud-based OAuth system and credentials; see also Figure 4, and column 9, line 33-column 10, line 39, providing credentials for authentication and receiving OAuth access token). Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method of Shah to include the cloud-based identity provider of Brinckman, in order to avoid the need to provide a locally owned credential system (see Brinckman, column 3, lines 17-59). Further, Camenisch discloses that an authentication server, in the cloud, can be independent from a network operator of a network (see column 7, lines 22-30, authentication server in cloud; column 8, lines 18-24, and column 5, lines 47-61, authentication server accounts independent from network operator). Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to further modify the method of Shah and Brinckman to make the identity provider independent of the network operator, in order to remove the need for the operator to create accounts (see Camenisch, column 8, lines 18-24). 
In reference to Claim 2, Shah, Brinckman, and Camenisch further disclose receiving from the identity provider a second challenge to provide first authorization credentials and sending the second challenge to the user device, receiving second encrypted data including the authorization credentials from the user device and sending the second encrypted data to the identity provider, and receiving an indication used to determine whether the identity provider authorized the user device for scope of access to the network (Shah, Figure 14, steps 1410-1420; column 38, lines 29-64; see also Brinckman, Figure 4, and column 9, line 33-column 10, line 39).

In reference to Claim 3, Shah, Brinckman, and Camenisch further disclose receiving a second token indicating authorization of the user device and authorizing a service based on the second token (Shah, Figure 14, steps 1410-1420; column 38, lines 29-64; see also Brinckman, Figure 4, step 406, and column 10, lines 13-23).

In reference to Claims 4 and 5, Shah, Brinckman, and Camenisch further disclose hashed credentials or an address or challenge being encrypted as the first challenge (see Shah, column 15, lines 9-28, hashing; column 5, lines 1-18, session key encryption).

In reference to Claim 6, Shah, Brinckman, and Camenisch further disclose EAP and OAuth (Shah, column 36, lines 34-38, for example; see also Brinckman, column 5, line 55-column 6, line 24, for example).

In reference to Claim 7, Shah, Brinckman, and Camenisch further disclose a public or private wireless or cellular network or an integrated private network (see Shah, column 38, lines 4-8, for example; see also Brinckman, column 4, lines 13-31, for example).

In reference to Claim 8, Shah discloses a method that includes a user device sending a first request to a network node for access to a network (see Figure 13; column 36, lines 39-44); receiving a second request to provide identity credentials indicating a user of the user device, receiving first input of the identity credentials, and sending the identity credentials to the network node (Figure 13, steps 1302-1304; column 36, lines 44-54); receiving from the network node a first challenge to provide first authentication credentials for authenticating the identity of the user device, receiving second input of the authentication credentials, and encrypting and sending the authentication credentials to the network node (Figure 13, steps 1306-1307 and 1309-1310; column 36, lines 55-column 37, line 1; see also column 5, lines 1-18); receiving from the network node an indication of whether the identity provider authenticated the user, determining that the identity was authenticated, and accessing the network (see Figure 13, step 1315; see also Figure 14, steps 1412-1420; column 37, lines 6-9; column 38, lines 38-64). However, Shah does not explicitly disclose that the identity provider is cloud-based or external to and independent of a network operator. Brinckman discloses a method that includes sending identity credentials to a cloud-based identity provider and receiving an indication of whether the cloud-based identity provider authenticated the credentials (see column 5, line 36-column 6, line 24, cloud-based OAuth system and credentials; see also Figure 4, and column 9, line 33-column 10, line 39, providing credentials for authentication and receiving OAuth access token). 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method of Shah to include the cloud-based identity provider of Brinckman, in order to avoid the need to provide a locally owned credential system (see Brinckman, column 3, lines 17-59).

Further, Camenisch discloses that an authentication server, in the cloud, can be independent from a network operator of a network (see column 7, lines 22-30, authentication server in cloud; column 8, lines 18-24, and column 5, lines 47-61, authentication server accounts independent from network operator). Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to further modify the method of Shah and Brinckman to make the identity provider independent of the network operator, in order to remove the need for the operator to create accounts (see Camenisch, column 8, lines 18-24).

In reference to Claims 9 and 10, Shah, Brinckman, and Camenisch further disclose hashed credentials or an address or challenge being encrypted as the first challenge (see Shah, column 15, lines 9-28, hashing; column 5, lines 1-18, session key encryption).

In reference to Claim 11, Shah, Brinckman, and Camenisch further disclose receiving from the network node a second challenge to provide first authorization credentials, receiving third input indicating authorization credentials, generating and encrypting hashed credentials as second encrypted data, and sending the second encrypted data to the network node (Shah, Figure 14, steps 1410-1420; column 38, lines 29-64; see also Brinckman, Figure 4, and column 9, line 33-column 10, line 39).

In reference to Claim 12, Shah, Brinckman, and Camenisch further disclose EAP and OAuth (Shah, column 36, lines 34-38, for example; see also Brinckman, column 5, line 55-column 6, line 24, for example).

In reference to Claim 13, Shah, Brinckman, and Camenisch further disclose a public or private wireless or cellular network or an integrated private network (see Shah, column 38, lines 4-8, for example; see also Brinckman, column 4, lines 13-31, for example).

Claims 14-20 are directed to systems having functionality corresponding substantially to the methods of Claims 1-7, and are rejected by a similar rationale, mutatis mutandis.

Conclusion

The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.

Ullah et al, US Patent 9204376, discloses a system in which an access controller independent of network operators can perform authentication.

Kurylko et al, US Patent 11349829, discloses a system in which an independent identity network may be used for authentication.

Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).

A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to Zachary A Davis whose telephone number is (571)272-3870. The examiner can normally be reached Monday-Friday, 9:00am-5:30pm, Eastern Time.

Examiner interviews are available via telephone and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Rupal D Dharia can be reached at (571) 272-3880. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.

Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/Zachary A. Davis/
Primary Examiner, Art Unit 2492

Prosecution Timeline

Mar 24, 2021: Application Filed
Jun 17, 2023: Non-Final Rejection — §103, §112
Aug 24, 2023: Examiner Interview Summary
Aug 24, 2023: Applicant Interview (Telephonic)
Sep 25, 2023: Response Filed
Jan 10, 2024: Final Rejection — §103, §112
Apr 11, 2024: Examiner Interview Summary
Apr 11, 2024: Applicant Interview (Telephonic)
Apr 16, 2024: Request for Continued Examination
Apr 23, 2024: Response after Non-Final Action
Jun 15, 2024: Non-Final Rejection — §103, §112
Aug 29, 2024: Applicant Interview (Telephonic)
Aug 29, 2024: Examiner Interview Summary
Aug 30, 2024: Response Filed
Dec 14, 2024: Final Rejection — §103, §112
Feb 21, 2025: Applicant Interview (Telephonic)
Mar 13, 2025: Examiner Interview Summary
Jul 10, 2025: Applicant Interview (Telephonic)
Jul 10, 2025: Examiner Interview Summary
Jul 22, 2025: Request for Continued Examination
Jul 24, 2025: Response after Non-Final Action
Aug 09, 2025: Non-Final Rejection — §103, §112
Nov 10, 2025: Examiner Interview Summary
Nov 10, 2025: Applicant Interview (Telephonic)
Nov 13, 2025: Response Filed
Feb 21, 2026: Final Rejection — §103, §112 (current)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12592929
TECHNIQUE FOR COMPUTING A BLOCK IN A BLOCKCHAIN NETWORK
2y 5m to grant Granted Mar 31, 2026
Patent 12566840
Systems And Methods For Creating Trustworthy Orchestration Instructions Within A Containerized Computing Environment For Validation Within An Alternate Computing Environment
2y 5m to grant Granted Mar 03, 2026
Patent 12554849
DYNAMIC DATA SCAN FOR OBJECT STORAGE
2y 5m to grant Granted Feb 17, 2026
Patent 12542761
PREDICTIVE POLICY ENFORCEMENT USING ENCAPSULATED METADATA
2y 5m to grant Granted Feb 03, 2026
Patent 12531848
SYSTEMS AND METHODS FOR MANAGING DEVICE ASSOCIATION
2y 5m to grant Granted Jan 20, 2026
Study what changed to get past this examiner. Based on 5 most recent grants.


Prosecution Projections

Expected OA Rounds: 7-8
Grant Probability: 54%
With Interview: 77% (+22.9%)
Median Time to Grant: 4y 6m
PTA Risk: High
Based on 499 resolved cases by this examiner. Grant probability derived from career allow rate.
