[mitreid-connect] Custom claims

Justin Richer jricher at mit.edu
Fri Oct 23 14:21:53 EDT 2015


    
Thanks, I did see the note. The draft in question is now an RFC but we don't have any concrete plans for implementation right now. We'd be happy to take a pull request, especially something that makes the assertion processing pluggable since that will be different for every domain.
Is this something your group is interested in implementing? 
-- Justin
/ Sent from my phone /

-------- Original message --------
From: Luiz Omori <luiz.omori at duke.edu> 
Date: 10/23/2015  1:42 PM  (GMT-05:00) 
To: Justin Richer <jricher at mit.edu>, mitreid-connect at mit.edu 
Subject: Re: [mitreid-connect] Custom claims 



Thanks. Talking about standard ways, what if JWT Bearer flow is used and the incoming JWT contains custom claims, would those be added to the MitreId access_token claims (once this flow is implemented, that is) and returned by the Introspection endpoint?
 The draft that I found (https://tools.ietf.org/html/draft-jones-oauth-jwt-bearer-04)  mentions custom claims but it wasn’t clear to me if they have to be copied to the access_token (assuming
 JWT like in MitreId case) or returned by Introspection. 



By the way, I’ve added a comment to the Git request to have the JWT Bearer implemented. I believe it would be very beneficial to us too, independently of the comments above. Is it still in draft state?



Regards,
Luiz









From: Justin Richer

Date: Friday, October 23, 2015 at 10:16 AM

To: Luiz Omori, "mitreid-connect at mit.edu"

Subject: RE: [mitreid-connect] Custom claims







Oh, and there is no standard for extra parameters like that, introspection provides a place to put them though. 











-- Justin



/ Sent from my phone /







-------- Original message --------

From: Luiz Omori <luiz.omori at duke.edu> 

Date: 10/23/2015 10:05 AM (GMT-05:00) 

To: mitreid-connect at mit.edu 

Subject: [mitreid-connect] Custom claims 



Hi,



Is there a way to add a parameter to the Authorization Code Flow request and have it returned back via introspection? Even better if a standard way of doing that, i.e. defined in the OAuth standard. It would be great if state
 was returned but I’m not getting that.



Request:

http://localhost:8080/ldap-openid-connect-server/authorize?response_type=code&client_id=growth_chart&scope=openid&redirect_uri=http://localhost:4000/index.html&state=07465f66-e4fd-4466-bcc4-5826ee7080a6&client_data=blabla&nonce=bd55e445-8d7f-4491-b48e-3458efcb829c


Introspection Info
{ 

  "active": true, 

  "scope": "openid", 

  "expires_at": "2015-10-23T09:55:50-0400", 

  "exp": 1445608550, 

  "sub": "lro4", 

  "user_id": "lro4", 

  "client_id": "growth_chart", 

  "token_type": "Bearer", 

  "client_data": "blabla" 

}



Regards,
Luiz






-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.mit.edu/pipermail/mitreid-connect/attachments/20151023/b436adc0/attachment-0001.html


More information about the mitreid-connect mailing list