Prosecution Insights
Last updated: May 29, 2026
Application No. 18/645,216

SINGLE SIGN-ON FOR SECURE SHELL PROTOCOL SESSIONS

Non-Final OA §103
Filed: Apr 24, 2024
Examiner: POLTORAK, PIOTR
Art Unit: 2433
Tech Center: 2400 — Computer Networks
Assignee: DELL PRODUCTS, L.P.
OA Round: 3 (Non-Final)
Grant Probability: 75% (Favorable)
OA Rounds: 3-4
Est. Remaining: 1y 4m
With Interview: 99%

Examiner Intelligence

Grants 75% — above average
Career Allowance Rate: 75% (447 granted / 598 resolved; +16.7% vs TC avg)
Strong +30% interview lift
Interview Lift: +30.4% (resolved cases with interview)
Typical timeline
Avg Prosecution: 3y 5m (12 currently pending)
Career history
Total Applications: 618 (across all art units)

Statute-Specific Performance

§101: 1.6% (-38.4% vs TC avg)
§103: 85.4% (+45.4% vs TC avg)
§102: 3.7% (-36.3% vs TC avg)
§112: 6.3% (-33.7% vs TC avg)
Based on career data from 598 resolved cases

Office Action

§103
Notice of Pre-AIA or AIA Status

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

DETAILED ACTION

A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection. Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114. Applicant's submission filed on 3/4/26 has been entered.

Response to Arguments/Amendments

In light of Amendment and applicant’s arguments the claim objections are withdrawn. In regard to art rejection, applicant's arguments have been carefully.

Argument I

The claim requires the (first and second) tokens generated exchanging the ID token without communicating with the identity provider, without requiring the client to login again with the identity provider. In contrast in Bray’s, when a cookie expires a user is once again authenticated by the identity provider. This is different from the claimed invention where the same ID token provided by the identity provider is used in multiple successive sessions related to different tokens provided by the server computing system.

Response I

Bray aims to provide a single sign-on service, where the communication between client and the identity provider result in the service provider enable access to resources. Bray contemplates the identity token received from the identity provider not to expire, while suggests time stamp on the first token (see para 17 and 20), clearly articulating the exchanged token’s time validity (cookie can include a timestamp (to ensure validity of data) … the control information (e.g., timestamp), para 25 and 28, for example). (In light of the above: in Bray the first token is valid for a predetermined amount of time and the ID token remains valid after the first token expires.) Clearly, Bray would not contemplate limiting the communication between the client device and the service provider (or, using the claim language, the server computing system) to a single exchange, which would put significant restrictions on usability of the invention.

Now, let’s review the facts: the identity token, which does not expire, received by the client (from the identity server) enables access to the server provider based on the receipt of the identity token, the server provider issues time sensitive connection token clearly the second time the server provider would provide the client with the second token enabling the access. In view of the above, that although not expressly cited in Bray reference, the examiner asserts that the solution of configuring the client with providing the previously received and still unexpired ID token to receive another token (exchange the ID (provider) token for the second (new, unexpired, service provider) token, if not implicit, it is likely the product not of innovation but of ordinary skill and common sense. That is, the concept of caching/storing valid (unexpired) data for the subsequent use to obtain the same results, would have been old and well known in the art of computing and using a particular known technique recognized as part of the ordinary capabilities of one skilled in the art would have been obvious given the benefit of efficiency.

Argument II

The first and second token in the cited prior art does not user access information that specifies the scope of access for the client computing system based on a policy of the server.

Response II

Bray teaches the service computer system (server provider) adding user’s attributes to the (first and second) tokens (F-SSSO cookies, see para 17 and 21, for example). However, these user information in Bray’s cookies do not include the access information that specifies the scope of access for the client computing system, as required by the newly added limitations. However, such solution would have been obvious to one of ordinary skill in the art at the time the application was filed as illustrated by Ahmed (including authentication information that defines permissions to the service provider provided to the client device, para 71) offering the predictable benefit of security. (By the virtue of the server computing system providing the token with the user access information, the information meets the limitation of the information based on a policy of the server computing system.)

Additionally, note that given the particular context of the claims the specific attributes/elements in the tokens amount merely to descriptive material not distinguishing the claimed invention from the prior art in the terms of patentability. Thus, having in any particular information, e.g., information that specifies the scope of access for the client computing system, in addition to user access information such as user identification number, would have been obvious variant offering the predictable benefit of customization.

Claims 1, 3-5, 7-10 and 12-16 are pending.

The text of those sections of Title 35, U.S. Code not included in this action can be found in a prior Office action.

Claim Rejections - 35 USC § 103

Claim(s) 1, 7-10, 12 and 14-15 is/are rejected under 35 U.S.C. 103 unpatentable over Bray (USPUB 20100043065) in view of Ahmed (USPUB 20220217132) and further in view of Levin (USPUB 20210409403).

As per claims 1 and 8-9, in Fig. 1 and associated text (e.g., para 16-17) Bray teaches receiving, at a client computing system, an identification (ID) token from an external identity provider (the identity provider 102 provides a security token to the user application 104), the ID token authenticating an identity of a user of the client computing system (the identity provider provides security token based on authenticated user’s credentials (the username & password)); providing a first request (including the ID token such that the ID token is exchanged) to a server computing system (the user application presents the security token to the server provider 106) for a first token that is configured to allow the client computing system to establish a first .

Bray aims to provide a single sign-on service, where the communication between client and the identity provider result in the service provider enable access to resources. Bray contemplates the identity token received from the identity provider not to expire, while suggests time stamp on the first token (see para 17 and 20), clearly articulating the exchanged token’s time validity (cookie can include a timestamp (to ensure validity of data) … the control information (e.g., timestamp), para 25 and 28, for example). (In light of the above: in Bray the first token is valid for a predetermined amount of time and the ID token remains valid after the first token expires.) Clearly, Bray would not contemplate limiting the communication between the client device and the service provider (or, using the claim language, the server computing system) to a single exchange, which would put significant restrictions on usability of the invention.

Now, let’s review the facts: the identity token, which does not expire, received by the client (from the identity server) enables access to the server provider based on the receipt of the identity token, the server provider issues time sensitive connection token clearly the second time the server provider would provide the client with the second token enabling the access. In view of the above, that although not expressly cited in Bray reference, the examiner asserts that the solution of configuring the client with providing the previously received and still unexpired ID token to receive another token (exchange the ID (provider) token for the second (new, unexpired, service provider) token, if not implicit, it is likely the product not of innovation but of ordinary skill and common sense. That is, the concept of caching/storing valid (unexpired) data for the subsequent use to obtain the same results, would have been old and well known in the art of computing and using a particular known technique recognized as part of the ordinary capabilities of one skilled in the art would have been obvious given the benefit of efficiency.

Furthermore, Bray teaches the service computer system (server provider) adding user’s attributes to the (first and second) tokens (F-SSSO cookies, see para 17 and 21, for example). However, these user information in Bray’s cookies do not include the access information that specifies the scope of access for the client computing system, as required by the newly added limitations. However, such solution would have been obvious to one of ordinary skill in the art at the time the application was filed as illustrated by Ahmed (including authentication information that defines permissions to the service provider provided to the client device, para 71) offering the predictable benefit of security. (By the virtue of the server computing system providing the token with the user access information, the information meets the limitation of the information based on a policy of the server computing system.)

Additionally, note that given the particular context of the claims the specific attributes/elements in the tokens amount merely to descriptive material not distinguishing the claimed invention from the prior art in the terms of patentability. Thus, having in any particular information, e.g., information that specifies the scope of access for the client computing system, in addition to user access information such as user identification number, would have been obvious variant offering the predictable benefit of customization.

Bray as modified does not teach the session being SSH session. However, a skilled in the art would readily appreciate that extending Bray’s teaching to any particular session (including SSH session, especially given the fact that such communication would have been old and well known in the art of computing at the time the application was filed as illustrated by Levin’s Fig. 2 with the associated text), for example) would have been obvious variant at the time the application was filed merely amounting to a design choice while offering the predictable benefit of customization.

Claim 10 is substantially similar to claim 1 and, as a result, they are similarly rejected.

As per claims 7 and 14-15, the examiner asserts that selection of any particular amount of time e.g., one hour or less, would not affect the patentability of the invention and, at most, would have been obvious variant amounting a design choice, while offering the predictable benefit of customization.

Lastly, a skilled in the art would readily appreciate that computing devices utilize setting/configuration (that could be reasonably equated to policies) to accomplish their actions. Given the fact that ID token is verified before the first token (granting access to restricted/private data) is returned, applying these settings/policies would meet the limitations of claim 12.

Claim(s) 3-4 is/are rejected under 35 U.S.C. 103 unpatentable over Bray (USPUB 20100043065) in view of Ahmed (USPUB 20220217132) and Levin (USPUB 20210409403), and further in view of Hirota (JP 2003-345752).

Bray as modified teaches the exchange of (providing) the ID token (to the server computer system) allowing authentication of the client that, in response receive the [session] token from the server computing system as discussed above. The difference between Bray as modified and applicant’s invention is that the cited prior art does not disclose using the same token to access different computing systems. That is, Bray as modified does not teach the token being exchanged (provided to) another (a second) service computer system, different from the first service computer system. However, Hirota teaches using the token to establish session with a second service computer system different from the server computing system (the same token provided to plurality of service providers, see para 2-3). It would have been obvious to one of ordinary skill in the art at the time the application was filed to include known solutions as illustrated by Hirota’s into Bray’s as modified invention given the benefit of customization and scalability. Similarly, it would have been obvious to one of ordinary skill in the art at the time the application was filed to include Bray as modified teaching into Hirota’s discussed tokens given the benefit of increased security and use of Identity Provider authentication.

Claim(s) 5 and 13 is/are rejected under 35 U.S.C. 103 unpatentable over Bray (USPUB 20100043065) in view of Ahmed (USPUB 20220217132) and Levin (USPUB 20210409403), and further in view of Gruper (USPUB 20060190990).

Bray as modified teaches the first token, as discussed above. Bray does not teach the token including user access information that specifies a level of access that is to be given to the user of the client computing system. However, such solution would have been obvious variant in the art the time the application was filed, as illustrated by Gruper (token specifying the user’s access permission to the requested service, see para 41) offering the predictable benefit of security and customized access.

Conclusion

Any inquiry concerning this communication or earlier communications from the examiner should be directed to Peter Poltorak whose telephone number is (571) 272-3840. The examiner can normally be reached Monday through Thursday from 9:00 a.m. to 5:00 p.m.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey Pwu can be reached on (571) 272-6798. The fax phone number for the organization where this application or proceeding is assigned is (571) 273-8300.

Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).

/PIOTR POLTORAK/
Primary Examiner, Art Unit 2433

Prosecution Timeline

Apr 24, 2024: Application Filed
Aug 12, 2025: Non-Final Rejection mailed — §103
Oct 29, 2025: Response Filed
Dec 22, 2025: Final Rejection mailed — §103
Mar 04, 2026: Request for Continued Examination
Mar 16, 2026: Response after Non-Final Action
May 20, 2026: Non-Final Rejection mailed — §103 (current)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12627656
SECURE AUTHORIZATION FOR ACCESS TO PRIVATE DATA IN VIRTUAL REALITY
3y 3m to grant Granted May 12, 2026
Patent 12621284
SYSTEMS AND METHODS FOR USER AUTHENTICATION USING SUBJECT IDENTIFIER AND/OR SUBJECT IDENTIFIER DOCUMENTS
2y 1m to grant Granted May 05, 2026
Patent 12603883
ESTABLISHING AUTHENTICATION PERSISTENCE
3y 0m to grant Granted Apr 14, 2026
Patent 12574728
MITIGATING RISK FOR HANDS-FREE INTERACTIONS
3y 6m to grant Granted Mar 10, 2026
Patent 12563095
A method that adequately protects the authentic identity and personal data of a natural person and remotely confirms the authentic identity of this natural person through a trusted entity to a beneficiary part
3y 1m to grant Granted Feb 24, 2026
Study what changed to get past this examiner. Based on 5 most recent grants.

Prosecution Projections

Expected OA Rounds: 3-4
Grant Probability: 75%
With Interview (+30.4%): 99%
Median Time to Grant: 3y 5m (~1y 4m remaining)
PTA Risk: High
Based on 598 resolved cases by this examiner. Grant probability derived from career allowance rate.
