Additional metadata in authorization details

Issue #393 resolved
Kosuke Koiwai created an issue

In PR249, we discussed that clients may want to know how and when the user granted it.

It would be useful to have

  • amr/acr
  • auth_time

Any other suggestions?

Comments (8)

  1. Torsten Lodderstedt

    I think time of approval seems reasonable.

    Why should we expose authentication data to the client? If the client is an OpenID Connect RP, this might make sense. In all other cases, this information is relevant to the RS only, as the RS wants to make sure the RO was authenticated sufficiently when approving the grant.

  2. Torsten Lodderstedt

    Brian pointed out that we will need such a time for every authorization request adding privileges to a grant.

  3. Dima Postnikov

    Discussed it on the call with Torsten and Stuart: auth_time can be added as a claim or into authorization_details structure if required. There is no need to have it in Grant Management specification.

    Is that OK, @Kosuke Koiwai?

  4. Stuart Low

    For clarity “claim” above is a reference to this part of the existing spec (Query Status of Grant):

    * `claims`: JSON array containing the names of all OpenID Connect claims (see [@!OpenID]) as requested and consented in one or more authorization requests associated with the respective grant.

  5. Kosuke Koiwai

    So if an RP wants to get auth_time, it should get userinfo or id_token.

    Not straightforward but it should serve the purpose. Thanks!
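The outcome of the thread is that the Grant Management API's `claims` array only lists which OpenID Connect claims were consented, while the RP reads `auth_time`, `acr` and `amr` themselves from the ID token. The following added example (not code from the issue, the specification, or the FAPI working group) shows an RP doing exactly that: it verifies a constructed ID token, extracts the authentication context, and decides whether the user's authentication is fresh enough. The HS256 key, issuer, audience and all claim values are constructed for the example; a real RP validates the OP's asymmetric signature via its JWKS endpoint.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed shared key for this example only; an OP normally signs ID tokens
# with RS256/ES256 and the RP fetches the public key from the OP's JWKS.
DEMO_KEY = b"demo-shared-secret-not-for-production"
DEMO_ISSUER = "https://op.example"       # constructed issuer
DEMO_CLIENT_ID = "rp-client-id"          # constructed audience


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_demo_id_token(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Build an HS256-signed ID token from the given claims (test fixture only)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode()
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_id_token(token: str, key: bytes = DEMO_KEY,
                    issuer: str = DEMO_ISSUER, audience: str = DEMO_CLIENT_ID) -> dict:
    """Check algorithm, signature, issuer and audience; return the claims or raise."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":          # never trust the token's own alg choice
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != issuer or claims.get("aud") != audience:
        raise ValueError("wrong issuer or audience")
    return claims


def authentication_context(claims: dict) -> dict:
    """Extract auth_time/acr/amr, the values the thread says the RP takes from the ID token."""
    if "auth_time" not in claims:
        raise ValueError("auth_time missing: request it with max_age or the claims parameter")
    return {
        "auth_time": int(claims["auth_time"]),
        "acr": claims.get("acr"),
        "amr": list(claims.get("amr", [])),
    }


def needs_reauthentication(claims: dict, max_age_seconds: int, now: Optional[int] = None) -> bool:
    """True when the user's last authentication is older than the RP's freshness policy."""
    ctx = authentication_context(claims)
    current = int(time.time()) if now is None else now
    return current - ctx["auth_time"] > max_age_seconds


def grant_lists_claim(grant_status: dict, claim_name: str) -> bool:
    """Grant Management status only names consented claims; it carries no claim values."""
    return claim_name in grant_status.get("claims", [])


if __name__ == "__main__":
    token = make_demo_id_token({"iss": DEMO_ISSUER, "aud": DEMO_CLIENT_ID, "sub": "user-1",
                                "auth_time": 1700000000, "acr": "urn:example:loa2", "amr": ["otp"]})
    claims = verify_id_token(token)
    print(authentication_context(claims))
    print("reauth needed:", needs_reauthentication(claims, 300, now=1700000500))
```

`grant_lists_claim` models the `claims` array quoted from the Query Status of Grant response: it tells the RP that `auth_time` was consented for this grant, but the value itself still has to come from the ID token or userinfo, which is the conclusion reached above.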
