Sounds appropriate
From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Brian Campbell
Sent: Monday, June 20, 2016 10:16 AM
To: oauth <oauth@ietf.org>
Subject: [OAUTH-WG] closing an open issue about supplementary info in the Token Exchange request

A good while back in an off list conversation about Token Exchange, Chuck
Mortimore mentioned that they "had a use-case for custom claims in where they
essentially wanted to carry along metadata about a client or device for
association to objects in our cloud." As a result of that conversation I added
the bullet item to the Open Issues section that says, "Provide a way to include
supplementary claims or information in the request that would/could potentially
be included in the issued token.", which has just been kinda sitting there ever
since with no action being taken on it.

I recently had the opportunity to see Chuck present about some work that they
are doing for IoT, which utilizes a number of items from this WG including
Token Exchange. It turns out that they were able to accommodate that use-case
of expressing metadata about a client or device by using the actor_token.
There's a paper about the work at
https://www.salesforceidentity.info/Using_Asset_Tokens.pdf
if anyone is interested in more details.

Because the use-case behind that open issue is met by the existing constructs
of the document, I'm proposing that no new parameters or tokens be introduced
and that the open issue be removed and considered done in the next revision of
the Token Exchange draft. Please speak up soon, if you believe this is a
mistake.

Thanks,
Brian