Re: [OAUTH-WG] Is it allow to add custom attribute to access token response?

Bill Mills <wmills_92105@yahoo.com> Fri, 21 August 2015 16:25 UTC

Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/KgS2kIvU3EMNsUfgBAMFRIek--4>

You can do your own extension in your own app, just don't expect anyone else to use it. Not understanding why you want this though, because you already had a username in the request so the client should know.
Take a look at the Token Introspection stuff, it might solve this for you a different way if I am guessing right on what you're trying to do.


     On Friday, August 21, 2015 8:43 AM, Donghwan Kim <flowersinthesand@gmail.com> wrote:
   

 Hi,

I would like to add a custom property representing the account that just authenticated to the access token response, for the sake of convenience, like a login request's response. Then, an exchange of request and response will look like this:

POST /tokens HTTP/1.1
Host: api.example.com
Content-Type: application/json

{"grant_type":"password","username":"${username}","password":"${password}"}


HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-store
Pragma: no-cache

{
  "access_token":"${JSON web token}",
  "token_type":"Bearer",
  "account": {"username":"donghwan", ...}
}

However, http://tools.ietf.org/html/rfc6749#section-5.1 says that
> The client MUST ignore unrecognized value names in the response.
Does it mean that I shouldn't add such a property, 'account'? Though, I saw that the Instagram API adds such a custom property to the access token response for the same purpose at https://instagram.com/developer/authentication/ (Please find 'snoopdogg' to see that token response.) If it's not allowed or desirable, how should I add such information to the access token response?
BTW, I have some questions on the usage of JSON Web Tokens with OAuth. Can I post them here? If not, where should I do that?
Thanks,

-- Donghwan
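
Added example, not part of either message: a client-side parser showing how the RFC 6749 section 5.1 rule quoted above plays out. A generic client ignores the 'account' member, while the app's own client opts in to it by name. The function names and the 'debug_id' member are hypothetical, and the sample response is constructed from the one in the quoted message.

```python
import json

# Parameters RFC 6749 section 5.1 defines for a successful token response.
STANDARD = {"access_token", "token_type", "expires_in", "refresh_token", "scope"}
REQUIRED = ("access_token", "token_type")


def parse_token_response(body, known_extensions=()):
    """Return (standard, extensions, ignored) for a token response body.

    known_extensions lists the app-specific member names this client
    understands; every other non-standard name is ignored, not rejected.
    """
    data = json.loads(body)
    if not isinstance(data, dict):
        raise ValueError("token response must be a JSON object")
    for name in REQUIRED:
        if not isinstance(data.get(name), str) or not data[name]:
            raise ValueError(f"missing or invalid required member: {name}")
    standard = {k: v for k, v in data.items() if k in STANDARD}
    # An extension can never shadow a standard parameter name.
    extensions = {k: data[k] for k in known_extensions
                  if k in data and k not in STANDARD}
    ignored = sorted(set(data) - STANDARD - set(extensions))
    return standard, extensions, ignored


# Constructed sample modelled on the response in the quoted message.
SAMPLE = json.dumps({
    "access_token": "header.payload.signature",  # placeholder, not a real JWT
    "token_type": "Bearer",
    "account": {"username": "donghwan"},          # the custom member
    "debug_id": "abc123",                         # constructed, unknown to all
})


def demo():
    generic = parse_token_response(SAMPLE)  # an off-the-shelf client
    own_app = parse_token_response(SAMPLE, known_extensions=("account",))
    return generic, own_app


if __name__ == "__main__":
    for label, result in zip(("generic", "own app"), demo()):
        print(label, result)
```

The generic client still gets a usable token and simply never sees 'account', so the extension only carries meaning between an authorization server and clients written for it.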