Re: [OAUTH-WG] “amr” Values spec updated

2015-08-21 Thread Mike Jones
Done in -02. From: Nat Sakimura Sent: 8/18/2015 7:28 PM To: Phil Hunt Cc: oauth@ietf.org Subject: Re: [OAUTH-WG] “amr” Values spec updated +1 2015-08-15 4:20 GMT+09:00 Phil Hunt mai

[OAUTH-WG] “amr” values "rba" and "sc"

2015-08-21 Thread Mike Jones
Authentication Method Reference Values draft -02 changed the identifier for risk-based authentication from “risk” to “rba”, by popular acclaim, and added the identifier “sc” (smart card). The specification is available at: http://tools.ietf.org/html/draft-jones-oauth-amr-values-02 An

Re: [OAUTH-WG] Is it allow to add custom attribute to access token response?

2015-08-21 Thread Bill Mills
And as John said, if you are doing user authentication use OpenID instead. On Friday, August 21, 2015 9:38 AM, John Bradley wrote: Yes going the unregistered route it is probably best to use a name in your namespace eg “com.example:username”. On Aug 21, 2015, at 1:34 PM, William De

Re: [OAUTH-WG] Is it allow to add custom attribute to access token response?

2015-08-21 Thread John Bradley
Yes going the unregistered route it is probably best to use a name in your namespace eg “com.example:username”. > On Aug 21, 2015, at 1:34 PM, William Denniss wrote: > > You can add additional parameters. > > "The client MUST ignore unrecognized value names in the response" is there so > that

Re: [OAUTH-WG] Is it allow to add custom attribute to access token response?

2015-08-21 Thread John Bradley
Requests to the token endpoint are URL form encoded not JSON in your example. The use of the password credentials grant was to allow migration from HTTP basic, but it is not recommended for privacy and security reasons. OpenID Connect is a better way to authenticate users. However assuming you hav

Re: [OAUTH-WG] Is it allow to add custom attribute to access token response?

2015-08-21 Thread William Denniss
You can add additional parameters. "The client MUST ignore unrecognized value names in the response" is there so that other clients who don't understand your parameters will ignore them. That line basically enables the behavior you wanted (if it said the client must *error* on unrecognized values,

Re: [OAUTH-WG] Is it allow to add custom attribute to access token response?

2015-08-21 Thread Bill Mills
You can do your own extension in your own app, just don't expect anyone else to use it. Not understanding why you want this though, because you already had a username in the request so the client should know. Take a look at the Token Introspection stuff, it might solve this for you a different

[OAUTH-WG] Is it allow to add custom attribute to access token response?

2015-08-21 Thread Donghwan Kim
Hi, I would like to add a custom property representing the account who just authenticated to the access token response for the sake of convenience like login request's response. Then, an exchange of request and response will look like this: POST /tokens HTTP/1.1 Host: api.example.com Content-Type