Re: [OAUTH-WG] Is it allow to add custom attribute to access token response?

John Bradley <ve7jtb@ve7jtb.com> Fri, 21 August 2015 16:35 UTC

From: John Bradley <ve7jtb@ve7jtb.com>
In-Reply-To: <CAMbDefvKeEdxTfj7CkoTbUwhdOYxMN+bvH3w6Vk81tMuKYTWPQ@mail.gmail.com>
Date: Fri, 21 Aug 2015 13:35:48 -0300
Message-Id: <0EF80C0D-55C2-4F1F-B741-87EDE63D3FD5@ve7jtb.com>
References: <CAMbDefvKeEdxTfj7CkoTbUwhdOYxMN+bvH3w6Vk81tMuKYTWPQ@mail.gmail.com>
To: Donghwan Kim <flowersinthesand@gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/RydCjnhAXMQYDPfErZOKlEA1Pu8>
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] Is it allow to add custom attribute to access token response?

Requests to the token endpoint are URL form encoded, not JSON as in your example.

The use of the password credentials grant was to allow migration from HTTP basic, but it is not recommended for privacy and security reasons.

OpenID Connect is a better way to authenticate users.

However, assuming you have a closed system and don’t care about interoperability between clients and the Token endpoint, you could just add that parameter to your AS and the world will not end.

If you want to have interoperable clients then you should register the new element in the IANA registry Sec 11.2 of the spec.

   Parameter name:
      The name requested (e.g., "username").

   Parameter usage location:
      token response.

   Change controller:
      For Standards Track RFCs, state "IETF".  For others, give the name
      of the responsible party.  Other details (e.g., postal address,
      email address, home page URI) may also be included.

You need to have a specification to do that.

I don’t see this as a good idea, but that is how you would do it.

Regards
John B.


> On Aug 20, 2015, at 11:15 AM, Donghwan Kim <flowersinthesand@gmail.com> wrote:
> 
> Hi,
> 
> I would like to add a custom property representing the account that just authenticated to the access token response, for the sake of convenience, like a login request's response. Then an exchange of request and response will look like this:
> 
> POST /tokens HTTP/1.1
> Host: api.example.com
> Content-Type: application/json
> 
> {"grant_type":"password","username":"${username}","password":"${password}"}
> 
> HTTP/1.1 200 OK
> Content-Type: application/json
> Cache-Control: no-store
> Pragma: no-cache
> 
> {
>   "access_token":"${JSON web token}",
>   "token_type":"Bearer",
>   "account": {"username":"donghwan", ...}
> }
> 
> However http://tools.ietf.org/html/rfc6749#section-5.1 says that
> 
> > The client MUST ignore unrecognized value names in the response.
> 
> Does it mean that I shouldn't add such a property, 'account'? Though, I saw the Instagram API add such a custom property to the access token response for the same purpose at https://instagram.com/developer/authentication/ (please search for 'snoopdogg' to see that token response). If it's not allowed or desirable, how should I add such information to the access token response?
> 
> BTW, I have some questions on usage of JSON web token with OAuth. Can I post them here? If not, where should I do that?
> 
> Thanks,
> 
> -- Donghwan
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
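As an added example, not code from either message in this thread, here is the exchange John describes in his reply: the password-grant request encoded as an application/x-www-form-urlencoded body (RFC 6749 section 4.3.2) rather than the JSON body in the question, a hypothetical in-memory token endpoint that issues the response with the extra "account" member, and a client-side parser that follows the section 5.1 rule of ignoring members it does not recognize unless it has been explicitly configured with the extension name. The endpoint, its credential store, the credentials and the token values are all constructed for this example.

```python
"""Added example for the OAUTH-WG thread above; not from the original e-mail.
Toy AS, credential store and credentials are constructed for illustration."""

import hmac
import json
import secrets
from urllib.parse import parse_qs, urlencode

# Members RFC 6749 section 5.1 defines for a successful token response.
STANDARD_RESPONSE_MEMBERS = {"access_token", "token_type", "expires_in",
                             "refresh_token", "scope"}

# Constructed credential store for the toy AS. A real AS stores password
# hashes, never plaintext; this exists only to keep the example self-contained.
_USERS = {"donghwan": "correct horse battery staple"}


def build_password_grant_request(username, password, scope=None):
    """Return (headers, body) for a resource owner password credentials
    grant (section 4.3.2). The body is form-encoded; a JSON body, as in
    the question's example, is not what a token endpoint accepts."""
    params = {"grant_type": "password", "username": username,
              "password": password}
    if scope:
        params["scope"] = scope
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return headers, urlencode(params)


def _token_response_headers():
    # Section 5.1 requires no-store / no-cache on any response carrying tokens.
    return {"Content-Type": "application/json",
            "Cache-Control": "no-store", "Pragma": "no-cache"}


def toy_token_endpoint(headers, body, include_account=False):
    """Hypothetical in-memory stand-in for an AS token endpoint.
    Returns (status, headers, body). With include_account=True it adds the
    unregistered 'account' member the thread is about."""
    def err(code):
        return 400, _token_response_headers(), json.dumps({"error": code})

    if headers.get("Content-Type") != "application/x-www-form-urlencoded":
        return err("invalid_request")
    form = {k: v[0] for k, v in parse_qs(body).items()}
    if form.get("grant_type") != "password":
        return err("unsupported_grant_type")
    username = form.get("username", "")
    expected = _USERS.get(username, "")
    # Compare the supplied password in constant time.
    supplied = form.get("password", "")
    if not username or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return err("invalid_grant")
    token = {"access_token": secrets.token_urlsafe(32),
             "token_type": "Bearer", "expires_in": 3600}
    if include_account:
        token["account"] = {"username": username}
    return 200, _token_response_headers(), json.dumps(token)


def parse_token_response(status, body, known_extensions=()):
    """Client-side parsing per section 5.1: require access_token and
    token_type, treat token_type case-insensitively, keep the standard
    members plus any extension names this client was explicitly configured
    to understand, and ignore everything else. Returns (recognized, ignored)."""
    data = json.loads(body)
    if status != 200:
        raise ValueError("token request failed: %s" % data.get("error", "unknown"))
    if "access_token" not in data or "token_type" not in data:
        raise ValueError("token response is missing a required member")
    if data["token_type"].lower() != "bearer":
        raise ValueError("unsupported token_type %r" % data["token_type"])
    allowed = STANDARD_RESPONSE_MEMBERS | set(known_extensions)
    recognized = {k: v for k, v in data.items() if k in allowed}
    ignored = sorted(k for k in data if k not in allowed)
    return recognized, ignored


if __name__ == "__main__":
    hdrs, req_body = build_password_grant_request("donghwan", "correct horse battery staple")
    status, _, resp_body = toy_token_endpoint(hdrs, req_body, include_account=True)
    generic, dropped = parse_token_response(status, resp_body)
    print("generic client kept", sorted(generic), "ignored", dropped)
    closed, _ = parse_token_response(status, resp_body, known_extensions=("account",))
    print("closed-system client sees account", closed["account"])
```

The split between the two parser calls is the practical point of John's answer: a client that only knows the registered members drops "account" on the floor exactly as section 5.1 tells it to, and only a client that has been told the name (by the AS's own documentation in a closed system, or by a registered specification otherwise) ever sees it. The toy endpoint also rejects the JSON body from the question with invalid_request, which is what a real AS would do. None of this removes the reason John steers away from the grant itself: the user's password still passes through the client, which is why he points to OpenID Connect for authenticating users.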