Re: [OAUTH-WG] Is it allow to add custom attribute to access token response?

William Denniss <wdenniss@google.com> Fri, 21 August 2015 16:34 UTC

From: William Denniss <wdenniss@google.com>
Date: Fri, 21 Aug 2015 09:34:12 -0700
Message-ID: <CAAP42hAjN5Qe-AFJgorYuH5iKcdUhDX2BRDdQnweQ6xyxEgwkg@mail.gmail.com>
To: Donghwan Kim <flowersinthesand@gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/27xrS0vYeW1zK9c91TDIcz9sE3g>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Is it allow to add custom attribute to access token response?

You can add additional parameters.

"The client MUST ignore unrecognized value names in the response" is there
so that other clients who don't understand your parameters will ignore
them. That line basically enables the behavior you wanted (if it said the
client must *error* on unrecognized values, that would be a problem).

It would be best if you tried to name your params to be hardened against
collision with any future extensions to OAuth/OpenID Connect (e.g., adding
a vendor prefix).

On Thu, Aug 20, 2015 at 7:15 AM, Donghwan Kim <flowersinthesand@gmail.com>
wrote:

> Hi,
>
> I would like to add a custom property representing the account who just
> authenticated to the access token response for the sake of convenience like
> login request's response. Then, an exchange of request and response will
> look like this:
>
> POST /tokens HTTP/1.1
> Host: api.example.com
> Content-Type: application/json
>
> {"grant_type":"password","username":"${username}","password":"${password}"}
>
>
> HTTP/1.1 200 OK
> Content-Type: application/json
> Cache-Control: no-store
> Pragma: no-cache
>
> {
>   "access_token":"${JSON web token}",
>   "token_type":"Bearer",
>   "account": {"username":"donghwan", ...}
> }
>
>
> However http://tools.ietf.org/html/rfc6749#section-5.1 says that
>
> > The client MUST ignore unrecognized value names in the response.
>
> Does it mean that I shouldn't add such property, 'account'? Though, I saw
> Instagram API adds such custom property to access token response for the
> same purpose from https://instagram.com/developer/authentication/ (Please
> find 'snoopdogg' to see that token response.) If it's not allowed or
> desirable, how should I add such information to the access token response?
>
> BTW, I have some questions on usage of JSON web token with OAuth. Can I
> post them here? If not, where should I do that?
>
> Thanks,
>
> -- Donghawn
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
>
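As an added illustration of the two points made in this thread (clients ignore unrecognized token-response parameters, and vendor-prefixing avoids collisions), here is a small client-side parser for the RFC 6749 section 5.1 token response. It is example code written for this note, not code from the thread; the `example_` prefix, the `constructed-opaque-token` value and the sample response are constructed.

```python
import json

# Parameters defined for the access token response in RFC 6749 section 5.1.
REQUIRED = ("access_token", "token_type")
OPTIONAL = ("expires_in", "refresh_token", "scope")

# Constructed vendor prefix, following the reply's advice to namespace extensions.
VENDOR_PREFIX = "example_"


def parse_token_response(body, extensions=()):
    """Parse a token endpoint response body.

    Keeps the standard parameters plus any names listed in `extensions`;
    every other name is dropped, which is the "MUST ignore unrecognized
    value names" behaviour RFC 6749 requires of clients.
    Returns (token_dict, ignored_names).
    """
    data = json.loads(body)
    if not isinstance(data, dict):
        raise ValueError("token response must be a JSON object")
    missing = [name for name in REQUIRED if name not in data]
    if missing:
        raise ValueError("missing required parameter(s): %s" % ", ".join(missing))
    if not isinstance(data["token_type"], str) or not data["token_type"]:
        raise ValueError("token_type must be a non-empty string")
    if "expires_in" in data and not isinstance(data["expires_in"], int):
        raise ValueError("expires_in must be an integer number of seconds")
    known = set(REQUIRED) | set(OPTIONAL) | set(extensions)
    token = {k: v for k, v in data.items() if k in known}
    ignored = sorted(k for k in data if k not in known)
    return token, ignored


# Constructed sample response modelled on the one in the thread: the same
# "account" object appears both bare and under the vendor prefix.
SAMPLE_RESPONSE = json.dumps({
    "access_token": "constructed-opaque-token",
    "token_type": "Bearer",
    "expires_in": 3600,
    VENDOR_PREFIX + "account": {"username": "donghwan"},
    "account": {"username": "donghwan"},
})

if __name__ == "__main__":
    # A generic client that knows nothing of the extension ignores both extras.
    print(parse_token_response(SAMPLE_RESPONSE))
    # The vendor's own client opts in to its prefixed parameter only.
    print(parse_token_response(SAMPLE_RESPONSE, extensions={VENDOR_PREFIX + "account"}))
```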