Re: [OAUTH-WG] Is it allow to add custom attribute to access token response?

John Bradley <ve7jtb@ve7jtb.com> Fri, 21 August 2015 16:38 UTC

From: John Bradley <ve7jtb@ve7jtb.com>
In-Reply-To: <CAAP42hAjN5Qe-AFJgorYuH5iKcdUhDX2BRDdQnweQ6xyxEgwkg@mail.gmail.com>
Date: Fri, 21 Aug 2015 13:38:33 -0300
Message-Id: <3AAE1F6E-1440-4086-8D31-911AFBC4310A@ve7jtb.com>
References: <CAMbDefvKeEdxTfj7CkoTbUwhdOYxMN+bvH3w6Vk81tMuKYTWPQ@mail.gmail.com> <CAAP42hAjN5Qe-AFJgorYuH5iKcdUhDX2BRDdQnweQ6xyxEgwkg@mail.gmail.com>
To: William Denniss <wdenniss@google.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/pk7XQDrrivBk4vPVnhvM0lkk3fk>
Cc: Donghwan Kim <flowersinthesand@gmail.com>, "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Is it allow to add custom attribute to access token response?

Yes, going the unregistered route it is probably best to use a name in your namespace, e.g. “com.example:username”.


> On Aug 21, 2015, at 1:34 PM, William Denniss <wdenniss@google.com> wrote:
> 
> You can add additional parameters.
> 
> "The client MUST ignore unrecognized value names in the response" is there so that other clients who don't understand your parameters will ignore them. That line basically enables the behavior you wanted (if it said the client must *error* on unrecognized values, that would be a problem).
> 
> It would be best if you tried to name your params to be hardened against collision with any future extensions to OAuth/OpenID Connect (e.g., adding a vendor prefix).
> 
> On Thu, Aug 20, 2015 at 7:15 AM, Donghwan Kim <flowersinthesand@gmail.com> wrote:
> Hi,
> 
> I would like to add a custom property representing the account who just authenticated to the access token response, for the sake of convenience, like a login request's response. Then, an exchange of request and response will look like this:
> 
> POST /tokens HTTP/1.1
> Host: api.example.com
> Content-Type: application/json
> 
> {"grant_type":"password","username":"${username}","password":"${password}"}
> 
> HTTP/1.1 200 OK
> Content-Type: application/json
> Cache-Control: no-store
> Pragma: no-cache
> 
> {
>   "access_token":"${JSON web token}",
>   "token_type":"Bearer",
>   "account": {"username":"donghwan", ...}
> }
> 
> However http://tools.ietf.org/html/rfc6749#section-5.1 says that
> 
> > The client MUST ignore unrecognized value names in the response.
> 
> Does it mean that I shouldn't add such a property, 'account'? Though, I saw the Instagram API adds such a custom property to the access token response for the same purpose from https://instagram.com/developer/authentication/ (Please find 'snoopdogg' to see that token response.) If it's not allowed or desirable, how should I add such information to the access token response?
> 
> BTW, I have some questions on usage of JSON web token with OAuth. Can I post them here? If not, where should I do that?
> 
> Thanks,
> 
> -- Donghwan
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
> 
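The advice in this thread (William's point that RFC 6749 section 5.1 makes clients ignore unrecognized parameter names, and John's suggestion to put any extension under your own namespace) as an added, runnable example. This is not code from the thread or from any of its participants; the reverse-DNS "vendor:name" syntax, the REGISTERED_RESPONSE_PARAMS list, the function names and the sample token and account values are all this example's own assumptions.

```python
"""Added example, not code from the thread: build an OAuth 2.0 token
response carrying a vendor-namespaced extension parameter, and parse such a
response the way RFC 6749 section 5.1 tells clients to (validate the
registered fields, ignore anything unrecognized)."""
import json
import re

# Parameter names registered for the token response by RFC 6749 section 5.1
# plus OpenID Connect's id_token. Everything else is an extension.
REGISTERED_RESPONSE_PARAMS = frozenset({
    "access_token", "token_type", "expires_in", "refresh_token", "scope", "id_token",
})

# One way to write John's "name in your namespace" suggestion: a reverse-DNS
# vendor prefix, a colon, then the local name, e.g. "com.example:username".
# The exact syntax is this example's choice; the RFC does not specify one.
NAMESPACED_NAME = re.compile(r"^[a-z0-9-]+(?:\.[a-z0-9-]+)+:[A-Za-z0-9_.-]+$")


def build_token_response(access_token, token_type="Bearer", expires_in=None,
                         refresh_token=None, scope=None, extensions=None):
    """Return (headers, body) for a successful token response.

    Extension parameters must be namespaced and must not reuse a registered
    name, so a future OAuth/OIDC extension cannot collide with them.
    """
    body = {"access_token": access_token, "token_type": token_type}
    if expires_in is not None:
        body["expires_in"] = int(expires_in)
    if refresh_token is not None:
        body["refresh_token"] = refresh_token
    if scope is not None:
        body["scope"] = scope
    for name, value in (extensions or {}).items():
        if name in REGISTERED_RESPONSE_PARAMS:
            raise ValueError(f"{name!r} is a registered parameter, not an extension")
        if not NAMESPACED_NAME.match(name):
            raise ValueError(f"{name!r} is not namespaced; use e.g. 'com.example:{name}'")
        body[name] = value
    # Section 5.1 requires no-store / no-cache on any response carrying tokens.
    headers = {
        "Content-Type": "application/json;charset=UTF-8",
        "Cache-Control": "no-store",
        "Pragma": "no-cache",
    }
    return headers, json.dumps(body)


def parse_token_response(body, known_extensions=()):
    """Parse a token response body as a client should.

    Registered fields are validated; names listed in known_extensions are
    returned under "extensions"; every other name is ignored (collected under
    "ignored" for logging only, never treated as an error).
    """
    data = json.loads(body)
    if not isinstance(data, dict):
        raise ValueError("token response must be a JSON object")
    if "error" in data:  # RFC 6749 section 5.2 error response
        raise ValueError(f"token endpoint error: {data['error']}")
    for required in ("access_token", "token_type"):
        if not isinstance(data.get(required), str) or not data[required]:
            raise ValueError(f"missing or malformed {required!r}")
    result = {
        "access_token": data["access_token"],
        # token_type is case-insensitive per section 5.1; normalize it once here.
        "token_type": data["token_type"].lower(),
        "expires_in": int(data["expires_in"]) if "expires_in" in data else None,
        "refresh_token": data.get("refresh_token"),
        "scope": data["scope"].split() if isinstance(data.get("scope"), str) else None,
        "extensions": {},
        "ignored": [],
    }
    for name, value in data.items():
        if name in REGISTERED_RESPONSE_PARAMS:
            continue
        if name in known_extensions:
            result["extensions"][name] = value
        else:
            result["ignored"].append(name)
    return result


if __name__ == "__main__":
    # Constructed sample: the "account" object from the question, namespaced
    # as John suggests. The token string is a placeholder, not a real token.
    _, body = build_token_response(
        "access-token-value",
        expires_in=3600,
        scope="profile",
        extensions={"com.example:account": {"username": "donghwan"}},
    )
    print(body)
    # A client that knows the extension gets it; one that does not just drops it.
    print(parse_token_response(body, known_extensions=("com.example:account",)))
    print(parse_token_response(body)["ignored"])
```

The client side never errors on an unrecognized name; the `ignored` list exists only so a client can log what it dropped, which is exactly the behaviour the "MUST ignore" sentence in section 5.1 is there to guarantee. The server side refuses an extension that reuses a registered name or has no namespace prefix, which is the collision hardening William and John describe. Note that this example covers only the response body; the request in the original question is sent as JSON, whereas RFC 6749 section 4.3.2 defines the token request parameters in application/x-www-form-urlencoded form.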