Layer7 API Management


Additional user attributes

  • 1.  Additional user attributes

    Posted 07-07-2018 10:40 PM

    Hi There,

    I'm using the grant_type password and authenticating against an internal identity provider. I'm looking to have the user's first name and last name in the response besides the outbox. Please advise how I can accommodate it.

  • 2.  Re: Additional user attributes

    Posted 07-07-2018 11:31 PM

    In fact, I tried but am getting the following error. How do I get around it?

  • 3.  Re: Additional user attributes

    Posted 07-08-2018 05:03 PM


    Currently you can only add details in the token API itself, /auth/oauth/v2/token. In the same branch that handles 'OTK grant_type=PASSWORD', the assertion 'OTK User Attribute Look Up' could be introduced, attributes extracted and added to the response message.

    The other option is to overwrite the default implementation for the grant_type. Use the policy for a custom grant_type and disable the original branch.

    I hope this helps!

  • 4.  Re: Additional user attributes

    Posted 07-08-2018 08:10 PM

    Hi Sascha Preibisch,
    Are you asking to use a custom grant_type rather than password to have custom attributes?
    Actually the requirement is to use grant_type=password (Resource Owner Password Credentials). Please advise, I could not get your second approach. I am using gateway version 9.1
    since am using password



  • 5.  Re: Additional user attributes

    Posted 07-09-2018 12:30 AM


    I only meant that you could use the custom grant_type policy, but without introducing a custom grant_type! It may sound confusing, I must admit.

    You would handle 'grant_type=password' but simply disable the default implementation for it. This means, the client does not need to change anything, you only modify the server.

    If this is still confusing I can provide an example.

    Best regards!


    P.S.: pls do not share client details in this forum unless they are purely for testing and not usable outside a test system!

  • 6.  Re: Additional user attributes

    Posted 07-09-2018 09:36 AM

    Thanks for the response. Could you please provide an example for it? Aren't you asking to perform the following: disable the existing grant_type=password and change grant_type=custom to password?

  • 7.  Re: Additional user attributes
    Best Answer

    Posted 03-05-2019 03:12 PM

    Good afternoon,


    To add to what Sascha added on how to implement this, you will need to do the following:

    1) Copy the OTK grant type=Password policy located under the OTK/Policy Fragments/grant_types folder to the OTK/Customizations/grant_types folder with a name like OTK grant type=Password Custom

    2) Clone the OTK grant_type=Password encapsulated assertion to the new name OTK grant type=Password Custom

    3) Update the auth/oauth/v2/token policy so that the OTK grant type=Password is commented out and you add in the new encapsulated assertion OTK grant type=Password Custom


    4) Update the OTK User Attribute Look Up Extension policy to send back all the information that you need as it will be pulled back through the OTK User Authentication assertion as the variable ${current.user.attributes} in XML format

    5) Modify the OTK grant type=Password Custom policy to return back the token by modifying the context variable clientResponse with values pulled from the XML


    Sample Policy attached




    Stephen Hughes

    Broadcom Support
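
The merge described in steps 4 and 5 above, shown in Python as an added example (it is not part of the original posts and is not OTK policy code). The XML layout of the attribute document, the attribute names, the response field names and both function names are assumptions constructed for illustration; only allowlisted attributes are copied, so extra directory data never reaches the client.

```python
import json
import xml.etree.ElementTree as ET

# Assumption: directory attribute name -> field name added to the token response.
ALLOWED = {"givenName": "first_name", "sn": "last_name"}
# Standard token response members that user data must never overwrite.
RESERVED = {"access_token", "token_type", "expires_in", "refresh_token", "scope"}

def parse_user_attributes(xml_text):
    """Return {name: value} from the (constructed) attribute document."""
    # The document should be plain data; refuse DTDs and entity declarations.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD not allowed in attribute document")
    root = ET.fromstring(xml_text.strip())
    attrs = {}
    for node in root.iter("attribute"):
        name = node.get("name")
        if name and node.text is not None:
            attrs[name] = node.text.strip()
    return attrs

def build_client_response(token_json, attributes_xml, allowed=ALLOWED):
    """Merge allowlisted user attributes into the token response JSON."""
    response = json.loads(token_json)
    attrs = parse_user_attributes(attributes_xml)
    for source, field in allowed.items():
        if field in RESERVED:
            raise ValueError("refusing to overwrite token field: " + field)
        value = attrs.get(source)
        if value:  # skip attributes the identity provider did not return
            response[field] = value
    return json.dumps(response)

# Constructed sample input, standing in for ${current.user.attributes}.
SAMPLE_XML = """
<attributes>
  <attribute name="givenName">Alice</attribute>
  <attribute name="sn">Example</attribute>
  <attribute name="mail">alice@example.test</attribute>
</attributes>
"""
# Constructed token response, standing in for the default clientResponse.
SAMPLE_TOKEN = '{"access_token": "constructed-token", "token_type": "Bearer", "expires_in": 3600}'

if __name__ == "__main__":
    # "mail" is present in the XML but not allowlisted, so it is not returned.
    print(build_client_response(SAMPLE_TOKEN, SAMPLE_XML))
```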