[OAUTH-WG] Is it allowed to add a custom attribute to the access token response?

Donghwan Kim <flowersinthesand@gmail.com> Thu, 20 August 2015 14:15 UTC


Hi,

I would like to add a custom property representing the account that just
authenticated to the access token response, for the sake of convenience, like
a login request's response. Then, an exchange of request and response would
look like this:

POST /tokens HTTP/1.1
Host: api.example.com
Content-Type: application/json

{"grant_type":"password","username":"${username}","password":"${password}"}


HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-store
Pragma: no-cache

{
  "access_token":"${JSON web token}",
  "token_type":"Bearer",
  "account": {"username":"donghwan", ...}
}


However http://tools.ietf.org/html/rfc6749#section-5.1 says that

> The client MUST ignore unrecognized value names in the response.

Does it mean that I shouldn't add such a property, 'account'? Though I saw that
the Instagram API adds such a custom property to the access token response for
the same purpose; see https://instagram.com/developer/authentication/ (please
search for 'snoopdogg' to see that token response). If it's not allowed or
desirable, how should I add such information to the access token response?

BTW, I have some questions on the usage of JSON web tokens with OAuth. Can I
post them here? If not, where should I do that?

Thanks,

-- Donghwan
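A client-side parser for the token response shown in the post, written here as an added example (it is not code from the post, from Instagram, or from any OAuth library). It applies the RFC 6749 section 5.1 rule the post quotes: members the client does not recognize are dropped rather than treated as an error, so an extra "account" member is harmless to a conforming client, while a client that explicitly knows the member can opt in to reading it. The sample response body and the JWT placeholder are constructed for the example.

```python
import json

# Members defined for a successful token response by RFC 6749 section 5.1.
REQUIRED_MEMBERS = ("access_token", "token_type")
OPTIONAL_MEMBERS = ("expires_in", "refresh_token", "scope")

# Constructed sample mirroring the post's response; the JWT is a placeholder.
SAMPLE_RESPONSE = (
    '{"access_token":"<jwt-placeholder>","token_type":"Bearer",'
    '"account":{"username":"donghwan"}}'
)


class TokenResponseError(Exception):
    """Raised when the body is not a usable token response."""


def parse_token_response(body, known_extensions=()):
    """Parse an access token response body (a JSON object).

    Unrecognized members are ignored, as section 5.1 requires of clients.
    Extension members the client chooses to support are named in
    known_extensions (e.g. ("account",)) and returned under "extensions".
    """
    try:
        data = json.loads(body)
    except ValueError as exc:
        raise TokenResponseError("token response is not valid JSON") from exc
    if not isinstance(data, dict):
        raise TokenResponseError("token response must be a JSON object")

    # Section 5.2 error response: no token was issued, surface the error.
    if "error" in data:
        description = data.get("error_description", "")
        message = data["error"] + (": " + description if description else "")
        raise TokenResponseError(message)

    missing = [name for name in REQUIRED_MEMBERS if name not in data]
    if missing:
        raise TokenResponseError("missing required member(s): %s" % missing)

    token = {name: data[name] for name in REQUIRED_MEMBERS}
    token.update({name: data[name] for name in OPTIONAL_MEMBERS if name in data})
    # Only explicitly recognized extension members are kept; all others drop.
    token["extensions"] = {name: data[name] for name in known_extensions if name in data}
    return token
```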