Re: [OAUTH-WG] Is it allow to add custom attribute to access token response?
William Denniss <wdenniss@google.com> Fri, 21 August 2015 16:42 UTC
Return-Path: <wdenniss@google.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 589411AC41F for <oauth@ietfa.amsl.com>; Fri, 21 Aug 2015 09:42:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.388
X-Spam-Level:
X-Spam-Status: No, score=-1.388 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lI21PkVCz0N4 for <oauth@ietfa.amsl.com>; Fri, 21 Aug 2015 09:42:30 -0700 (PDT)
Received: from mail-yk0-x22b.google.com (mail-yk0-x22b.google.com [IPv6:2607:f8b0:4002:c07::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 705B41AC418 for <oauth@ietf.org>; Fri, 21 Aug 2015 09:42:30 -0700 (PDT)
Received: by ykbi184 with SMTP id i184so75870723ykb.2 for <oauth@ietf.org>; Fri, 21 Aug 2015 09:42:29 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type; bh=EJcx5ec6RbNiTsXnBYKdTjVhP6JHwm1ZR92n+7RcHdI=; b=RKSLKdHKS+nE2KuyeUGe16t8iG7Hj/Jypx4Ow0sLNtI/rv3aqKjYKepU82OKMrmbVh xfs1so17EO0yCzDXIdZIUu2yUKBqahSDa3FPBtmFQV+RDgcKEV+JdivBGCy/y+vXAYmn kMzh+kI4aLy7gCuxCAzlhi+SXzVMmgToWUxoVbz0zsmhB90R7tLvflYNPOyMS0skF/7/ M4t5OjuHS28EunoS45k6wSA0t8SSt0S4Wt9AYtO8JTP6LXh41iceYJ43daI/1qh5D+4m FdYHOu7/spw9Uj/OlkXJAg4uyCvi0Cp/RXyaL7VJjdqLJFPKfqVvgHy+bAWUp4rgbKj2 +qyw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=EJcx5ec6RbNiTsXnBYKdTjVhP6JHwm1ZR92n+7RcHdI=; b=m/+YJ00l0Z53X/0Wic0RlEVnrSQAR1yjpOuzcvBjvuQdpaNPTB6U6fk3LZAmmzVyHI EHhpHldaIL/NHFD4PboMRezryflfdOCQGvhVzgmwR/pbkwnOqyriEQp17EBZfvtpsxyL FoidDqzb37n1ZXAHQaoe1Z3tI3Z2gJ2BwDZkj6Qm0aiR83zuAod82Lxc0H4veGQYAmAm ++A6rn7sE0PfCyf+F1MgFNwW1ETbUGDAu3PJ+jW/SSi0ckgGD4NmXY8mUEd+pYdrKxsy CUP9E3XXSwlaX0+NgKzYJbGcsmwpP865iAoEj/BIPjBm21KvD+Gf8wgfa0swVaMqTCOn IDXQ==
X-Gm-Message-State: ALoCoQlYyBlHevTjiHiAlO5Koep4EVSgpfG24a4EaNlrJEOWA2Y9Gw5R3Spxjuk5tclMc9Z4BELA
X-Received: by 10.13.198.71 with SMTP id i68mr12274248ywd.149.1440175349554; Fri, 21 Aug 2015 09:42:29 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.129.39.196 with HTTP; Fri, 21 Aug 2015 09:42:10 -0700 (PDT)
In-Reply-To: <0EF80C0D-55C2-4F1F-B741-87EDE63D3FD5@ve7jtb.com>
References: <CAMbDefvKeEdxTfj7CkoTbUwhdOYxMN+bvH3w6Vk81tMuKYTWPQ@mail.gmail.com> <0EF80C0D-55C2-4F1F-B741-87EDE63D3FD5@ve7jtb.com>
From: William Denniss <wdenniss@google.com>
Date: Fri, 21 Aug 2015 09:42:10 -0700
Message-ID: <CAAP42hBa71xpCX9Zwm6bdfMYSur4JxGvLtd3q-9xLtQfLWO09A@mail.gmail.com>
To: John Bradley <ve7jtb@ve7jtb.com>
Content-Type: multipart/alternative; boundary="001a114e53da206dc9051dd4f448"
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/-EYDSkfn5qqQFNidKWBi9mWngV4>
Cc: Donghwan Kim <flowersinthesand@gmail.com>, "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Is it allow to add custom attribute to access token response?
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 21 Aug 2015 16:42:32 -0000
As for your specific use-case though, as John said it's better to use OpenID Connect which provides a solution for what you are trying to do already. That way you get an interoperable solution, and one that has been vetted by security experts. There is even a free test suite <http://openid.net/certification/testing/> for you to test your implementation. On Fri, Aug 21, 2015 at 9:35 AM, John Bradley <ve7jtb@ve7jtb.com> wrote: > Requests to the token endpoint are URL form encoded not JSON in your > example. > > The use of the password credentials grant was to allow migration from HTTP > basic, but it not recommended for privacy and security reasons. > > OpenID Connect is a better way to authenticate users. > > However assuming you have a closed system and don’t care about > interoperability between clients and the Token endpoint, you could just add > that parameter to your AS and the world will not end. > > If you want to have interoperable clients then you should register the new > element in the IANA registry Sec 11.2 of the spec. > > Parameter name: > The name requested (e.g., “username"). > > Parameter usage location: > token response. > > Change controller: > For Standards Track RFCs, state "IETF". For others, give the name > of the responsible party. Other details (e.g., postal address, > email address, home page URI) may also be included. > > You need to have a specification to do that. > > I don’t see this as a good idea, but that is how you would do it. > > Regards > John B. > > > On Aug 20, 2015, at 11:15 AM, Donghwan Kim <flowersinthesand@gmail.com> > wrote: > > Hi, > > I would like to add a custom property representing the account who just > authenticated to the access token response for the sake of convenience like > login request's response. Then, an exchange of request and response will > look like this: > > POST /tokens HTTP/1.1 > Host: api.example.com > Content-Type: application/json > > {"grant_type":"password","username":"${username}","password":"${password}"} > > > HTTP/1.1 200 OK > Content-Type: application/json > Cache-Control: no-store > Pragma: no-cache > > { > "access_token":"${JSON web token}", > "token_type":"Bearer", > "account": {"username":"donghwan", ...} > } > > > However http://tools.ietf.org/html/rfc6749#section-5.1 says that > > > The client MUST ignore unrecognized value names in the response. > > Does it mean that I shouldn't add such property, 'account'? Though, I saw > Instagram API adds such custom property to access token response for the > same purpose from https://instagram.com/developer/authentication/ (Please > find 'snoopdogg' to see that token response.) If it's not allowed or > desirable, how should I add such information to the access token response? > > BTW, I have some questions on usage of JSON web token with OAuth. Can I > post them here? If not, where should I do that? > > Thanks, > > -- Donghawn > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > >
- [OAUTH-WG] Is it allow to add custom attribute to… Donghwan Kim
- Re: [OAUTH-WG] Is it allow to add custom attribut… Bill Mills
- Re: [OAUTH-WG] Is it allow to add custom attribut… William Denniss
- Re: [OAUTH-WG] Is it allow to add custom attribut… John Bradley
- Re: [OAUTH-WG] Is it allow to add custom attribut… John Bradley
- Re: [OAUTH-WG] Is it allow to add custom attribut… Bill Mills
- Re: [OAUTH-WG] Is it allow to add custom attribut… William Denniss
- Re: [OAUTH-WG] Is it allow to add custom attribut… John Bradley
- Re: [OAUTH-WG] Is it allow to add custom attribut… Donghwan Kim
- Re: [OAUTH-WG] Is it allow to add custom attribut… Donghwan Kim