A good while back in an off-list conversation about Token Exchange, Chuck
Mortimore mentioned that they "had a use-case for custom claims in where
they essentially wanted to carry along metadata about a client or device
for association to objects in our cloud." As a result of that conversation
I added the bullet item to the Open Issues section that says, "Provide a
way to include supplementary claims or information in the request that
would/could potentially be included in the issued token.", which has just
been kinda sitting there ever since with no action being taken on it.

I recently had the opportunity to see Chuck present about some work that
they are doing for IoT, which utilizes a number of items from this WG
including Token Exchange. It turns out that they were able to accommodate
that use-case of expressing metadata about a client or device by using the
actor_token.  There's a paper about the work at
https://www.salesforceidentity.info/Using_Asset_Tokens.pdf if anyone is
interested in more details.

Because the use-case behind that open issue is met by the existing
constructs of the document, I'm proposing that no new parameters or tokens
be introduced and that the open issue be removed and considered done in the
next revision of the Token Exchange draft. Please speak up soon, if you
believe this is a mistake.

Thanks,
Brian
_______________________________________________
OAuth mailing list
https://www.ietf.org/mailman/listinfo/oauth
