I haven’t touched the draft for a while because the basics have fit most of our 
use cases and there hasn’t been a clamor from the working group to standardize 
it. I’d be happy to pick it back up if the working group wanted to make it an 
official document.

Having run this in production for a little while, there are a handful of things 
that would make sense to include in the standard response set. Things like 
returning the grant type, response type, as it’s all a part of the request that 
made the token. We’ve also had questions recently about returning both the 
‘sub’ of a user as defined by OpenID Connect in addition to a more traditional 
user_id/username field (our deployment does both, and they’re different — the 
former is stable but the latter is used to cross-index into other systems). 

 — Justin


On Jun 12, 2014, at 4:50 PM, Todd W Lainhart <[email protected]> wrote:

> One problem we've discovered when returning the client_id value as "sub" is 
> client impersonation.  That is, in a system where a user can self-register, 
> it's possible that the user could register an id/sub value that is the same 
> as the client_id value, and thus be granted the same privileges as the 
> application principal based on the introspection response. 
> 
> We're leaning towards returning the grant_type in the introspection response 
> to disambiguate this case.  i.e. if grant_type == "client_credentials" then 
> you know that the bearer represents the app principal. 
> 
> http://tools.ietf.org/html/draft-richer-oauth-introspection-04 expired last 
> Nov.  Were you thinking of picking it up?  I'm recalling that Nat Sakimura 
> expressed an interest a while back.
> 
> Todd Lainhart
> Rational software
> IBM Corporation
> 550 King Street, Littleton, MA 01460-1250
> 1-978-899-4705
> 2-276-4705 (T/L)
> [email protected]
> 
> From:        Justin Richer <[email protected]> 
> To:        Todd W Lainhart/Lexington/IBM@IBMUS, IETF oauth WG 
> <[email protected]>, 
> Date:        05/22/2014 10:45 AM 
> Subject:        Re: [OAUTH-WG] For a client credentials grant, what are you 
> returning as the value of the "sub" element in an introspection response? 
> 
> We return the client_id of the client that the token was issued to.
> 
> -- Justin
> 
> On 5/22/2014 10:08 AM, Todd W Lainhart wrote: 
> For folks who have implemented the client credentials grant and 
> introspection, I'm interested to know what you're returning for the value of 
> "sub" in the token introspection response 
> (http://tools.ietf.org/html/draft-richer-oauth-introspection-04#section-2.2). 
> The "client_id" value requesting the grant, or some other client 
> registration metadata value?
> 
> _______________________________________________
> OAuth mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/oauth
> 
> 
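The impersonation case Todd describes above (a self-registered user whose sub collides with a client_id) and the proposed fix (return grant_type so the resource server can tell an app-principal token from a user token) can be shown on the consuming side. The following is an added example, not code from the thread or from any of the implementations discussed: it contrasts a resource server that keys on sub alone with one that also requires grant_type == "client_credentials" and sub == client_id before granting application privileges. The grant_type member is the extension proposed in the thread, not a field of draft-richer-oauth-introspection-04, and every identifier and response below is constructed for illustration.

```python
"""Added example: deciding whether a token introspection response represents
the application principal or a user.

All client ids, subs and responses here are constructed. The "grant_type"
member is an assumed extension to the introspection response (as proposed
in the thread), not part of draft-richer-oauth-introspection-04.
"""

from dataclasses import dataclass
from typing import Optional

# Constructed registry of confidential clients this resource server treats
# as application principals.
TRUSTED_APP_CLIENT_IDS = {"app-123"}


@dataclass(frozen=True)
class Principal:
    kind: str         # "app" or "user"
    identifier: str   # client_id for apps, sub for users


def principal_naive(resp: dict) -> Optional[Principal]:
    """Keys on sub alone: a user whose sub equals a trusted client_id is
    mistaken for that application (the impersonation described above)."""
    if not resp.get("active"):
        return None
    sub = resp["sub"]
    if sub in TRUSTED_APP_CLIENT_IDS:
        return Principal("app", sub)
    return Principal("user", sub)


def principal_checked(resp: dict) -> Optional[Principal]:
    """Treats the bearer as the app principal only when the token was minted
    via client_credentials for a trusted client, and sub matches client_id."""
    if not resp.get("active"):
        return None
    sub = resp.get("sub")
    client_id = resp.get("client_id")
    if resp.get("grant_type") == "client_credentials":
        if sub == client_id and client_id in TRUSTED_APP_CLIENT_IDS:
            return Principal("app", client_id)
        # Unexpected shape (sub != client_id, or unknown client): refuse
        # rather than guess.
        return None
    if sub is None:
        return None
    # Any other grant type represents a user, whatever the sub value is.
    return Principal("user", sub)


# Constructed: a token issued to the application itself.
APP_TOKEN_RESPONSE = {
    "active": True,
    "client_id": "app-123",
    "sub": "app-123",
    "grant_type": "client_credentials",
    "scope": "read write",
}

# Constructed: a self-registered user who chose the id "app-123" and obtained
# a token through the authorization code grant via a different client.
USER_TOKEN_RESPONSE = {
    "active": True,
    "client_id": "web-frontend",
    "sub": "app-123",
    "grant_type": "authorization_code",
    "scope": "read",
}


if __name__ == "__main__":
    for name, resp in (("app token", APP_TOKEN_RESPONSE),
                       ("user token", USER_TOKEN_RESPONSE)):
        print(name, "naive:", principal_naive(resp),
              "checked:", principal_checked(resp))
```

With sub alone, both responses resolve to the application principal; with the grant_type check the user token is classified as a user even though its sub collides with the client_id. An authorization server that wants to keep sub alone unambiguous would instead have to guarantee that user identifiers and client identifiers never share a namespace, which the thread notes is hard once users can self-register.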
