By: Sakit Atakishiyev user 02 Jun 2017 at 2:15 a.m. CDT

17 Responses
Hello, can I return an extra parameter when redirecting? Currently when we redirect the user after login the OP returns the `code`, `state`, `session_state` parameters when `grant_type` is `authorization_code`. Can I add my custom parameter or not?

By Yuriy Zabrovarnyy staff 03 Jun 2017 at 3:57 a.m. CDT

Hi Sakit, you can use a custom header for it as described here: https://support.gluu.org/customization/3731/unable-to-pass-custom-parameter-in-openid-connect-authorization-endpoint-request/ Thanks, Yuriy

By Sakit Atakishiyev user 03 Jun 2017 at 1:30 p.m. CDT

Hi Yuriy, I could not open the link.

By Yuriy Zabrovarnyy staff 03 Jun 2017 at 1:42 p.m. CDT

OK, inlined answer directly here: this can be passed via the `custom_response_headers` parameter, which is returned back as a header (introduced in Gluu Server 3.0).
https://github.com/GluuFederation/oxAuth/issues/234
https://github.com/GluuFederation/oxAuth/commit/82789475b40c07a348c5516492bcd30bfe7297d4

By Sakit Atakishiyev user 03 Jun 2017 at 1:46 p.m. CDT

Thanks Yuriy, I will try to test it.

By Sakit Atakishiyev user 05 Jun 2017 at 6:03 a.m. CDT

Hi Yuriy, is `getAuthorizationHeaders` called in `3.0.2`? I wrote the basic script below, but it seems that this method was not called. This is my code:

```
# oxAuth is available under the MIT License (2008). See http://opensource.org/licenses/MIT for full text.
# Copyright (c) 2016, Gluu
#
# Author: Yuriy Movchan
#

from org.jboss.seam.security import Identity
from org.xdi.model.custom.script.type.auth import PersonAuthenticationType
from org.xdi.oxauth.service import UserService
from org.xdi.util import StringHelper
from java.util import HashMap

import java

class PersonAuthentication(PersonAuthenticationType):
    def __init__(self, currentTimeMillis):
        self.currentTimeMillis = currentTimeMillis

    def init(self, configurationAttributes):
        print "Basic. Initialization"
        print "Basic. Initialized successfully"
        return True

    def destroy(self, configurationAttributes):
        print "Basic. Destroy"
        print "Basic. Destroyed successfully"
        return True

    def getApiVersion(self):
        return 1

    def isValidAuthenticationMethod(self, usageType, configurationAttributes):
        return True

    def getAlternativeAuthenticationMethod(self, usageType, configurationAttributes):
        return None

    def authenticate(self, configurationAttributes, requestParameters, step):
        print "Basic Test"
        if (step == 1):
            print "Basic. Authenticate for step 1"
            credentials = Identity.instance().getCredentials()
            user_name = credentials.getUsername()
            user_password = credentials.getPassword()

            logged_in = False
            if (StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password)):
                userService = UserService.instance()
                logged_in = userService.authenticate(user_name, user_password)

            if (not logged_in):
                return False

            return True
        else:
            return False

    def prepareForStep(self, configurationAttributes, requestParameters, step):
        if (step == 1):
            print "Basic. Prepare for Step 1"
            return True
        else:
            return False

    def getExtraParametersForStep(self, configurationAttributes, step):
        return None

    def getCountAuthenticationSteps(self, configurationAttributes):
        return 1

    def getPageForStep(self, configurationAttributes, step):
        return ""

    def logout(self, configurationAttributes, requestParameters):
        return True

    def getAuthenticationMethodClaims(self):
        print "Get extra param"
        params = HashMap()
        params.put("username", "test")
        params.put("phone", "xxxxxxxxx")
        # Jython (Python 2) print statement; the % must apply to the string, not to print's result
        print "custom_header: %s" % params
        return params
```

By Sakit Atakishiyev user 05 Jun 2017 at 8:50 a.m. CDT

I also tried `custom_response_headers`, but it does not return the extra params. I mean the system returns me only `code`, `state`, `session_state`.

By Yuriy Zabrovarnyy staff 05 Jun 2017 at 10:53 a.m. CDT

Yes, it should work in 3.0.2. Let me assign it to the appropriate developer.

By Sakit Atakishiyev user 05 Jun 2017 at 10:55 a.m. CDT

I tested it but this method was not called. I also share my code. My `auth_url`:

```
https://cyber.gluu.info/oxauth/seam/resource/restv1/oxauth/authorize?scope=openid+uma_protection+uma_authorization+user_name&client_id=@!54B8.E44B.A17C.A9E8!0001!5BD7.7FEA!0008!7BBF.7AFA.A678.7FB3&response_type=code&acr_values=basic_test&redirect_uri=https%3A%2F%2Fmail.ru&response_mode=form_post&display=popup&custom_response_headers=%5B%7B%22phone%22%3A%22%22%7D%2C%7B%22user%22%3A%22%22%7D%5D
```

and this is my `oxauth.log`:

```
2017-06-05 15:43:21,088 INFO [qtp242131142-17] [org.xdi.oxauth.auth.Authenticator] (Authenticator.java:323) - Authentication success for User: 'admin'
2017-06-05 15:51:13,367 INFO [qtp242131142-15] [org.xdi.oxauth.service.AuthenticationService] (AuthenticationService.java:519) - Attempting to redirect user: SessionUser: SessionState, dn='oxAuthSessionId=3ec4153f-3d90-4b1c-8e11-aa4bc328aa4f,ou=session,o=@!54B8.E44B.A17C.A9E8!0001!5BD7.7FEA,o=gluu', id='3ec4153f-3d90-4b1c-8e11-aa4bc328aa4f', isJwt=false, lastUsedAt=Mon Jun 05 15:51:13 UTC 2017, userDn='inum=@!54B8.E44B.A17C.A9E8!0001!5BD7.7FEA!0000!A8F2.DE1E.D7FB,ou=people,o=@!54B8.E44B.A17C.A9E8!0001!5BD7.7FEA,o=gluu', authenticationTime=Mon Jun 05 15:51:13 UTC 2017, state=authenticated, permissionGranted=null, permissionGrantedMap=org.xdi.oxauth.model.common.SessionIdAccessMap@412779b7, sessionAttributes={auth_step=1, acr=basic_test, remote_ip=10.153.10.197, scope=openid uma_protection uma_authorization user_name, display=popup, acr_values=basic_test, response_type=code, redirect_uri=https://mail.ru, client_id=@!54B8.E44B.A17C.A9E8!0001!5BD7.7FEA!0008!7BBF.7AFA.A678.7FB3, response_mode=form_post, auth_user=admin}, persisted=true}
2017-06-05 15:51:13,369 INFO [qtp242131142-15] [org.xdi.oxauth.service.AuthenticationService] (AuthenticationService.java:527) - Attempting to redirect user: User: org.xdi.oxauth.model.common.User@32a48819
2017-06-05 15:51:13,375 INFO [qtp242131142-15] [org.xdi.oxauth.auth.Authenticator] (Authenticator.java:323) - Authentication success for User: 'admin'
```

By Javier Rojas staff 05 Jun 2017 at 11:14 a.m. CDT

Hello Sakit, in version 3.0.2 you can use the Custom Response Headers feature; please check the following example: https://github.com/GluuFederation/oxAuth/blob/version_3.0.2/Client/src/test/java/org/xdi/oxauth/ws/rs/AuthorizationResponseCustomHeaderTest.java#L70 Regards, Javier

By Javier Rojas staff 05 Jun 2017 at 11:16 a.m. CDT

Also, version 3.1.0 will come with support for encoding claims in the OAuth 2 state parameter using a JWT: https://github.com/GluuFederation/oxAuth/issues/134

By Sakit Atakishiyev user 05 Jun 2017 at 12:54 p.m. CDT

Hi Javier, I already checked the example that you mentioned. But when the OP redirects my user after a successful login it does not send me the extra params. It returns only `code`, `state` and `session_state`. I also posted my `oxauth.log`.

By Javier Rojas staff 05 Jun 2017 at 3:36 p.m. CDT

Please check the extra params in the HTTP response headers, for example:

**REQUEST**

```
POST /oxauth/seam/resource/restv1/oxauth/authorize HTTP/1.1
Host: ce-dev.gluu.org
Authorization: Basic dGVzdF91c2VyOnRlc3RfdXNlcl9wYXNzd29yZA==

response_type=code&client_id=%40%215A58.AE0D.D383.1E46%210001%21E38B.7DBE%210008%21055D.C9D8.8C49.D4A9&scope=openid+profile+address+email&redirect_uri=https%3A%2F%2Fce-dev.gluu.org%2Foxauth-rp%2Fhome.seam&state=f979b723-a150-4dd3-9745-9ef6d875b5ee&nonce=3756ae72-f1ac-480f-8a43-8455da6e97a8&prompt=none&custom_response_headers=%5B%7B%22CustomHeader1%22%3A%22custom_header_value_1%22%7D%2C%7B%22CustomHeader3%22%3A%22custom_header_value_3%22%7D%2C%7B%22CustomHeader2%22%3A%22custom_header_value_2%22%7D%5D
```

**RESPONSE**

```
HTTP/1.1 302
Access-Control-Allow-Origin: *
Connection: Keep-Alive
Content-Length: 0
CustomHeader1: custom_header_value_1
CustomHeader2: custom_header_value_2
CustomHeader3: custom_header_value_3
Date: Thu, 18 May 2017 16:06:52 GMT
Keep-Alive: timeout=5, max=100
Location: https://ce-dev.gluu.org/oxauth-rp/home.seam?session_state=79f9406c-2b34-401e-9c8a-09c5865bcb02&scope=email+address+openid+profile&state=f979b723-a150-4dd3-9745-9ef6d875b5ee&code=b150e176-484d-47cf-bb44-0494729b86d2
Server: Apache/2.4.7 (Ubuntu)
Set-Cookie: JSESSIONID=B881855C9290D8A8C74655B28FE0C798; Path=/oxauth/; Secure; HttpOnly;HttpOnly
```
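As an added example (not code from the post or from oxAuth), the Python below builds the `custom_response_headers` value in the JSON list-of-single-key-objects format used in the request above, decodes one back, and parses a raw 302 to show that the custom values arrive as HTTP response headers while the `Location` query still carries only `code`, `state` and `session_state`. The sample response is constructed from the exchange in Javier's post.

```python
import json
from urllib.parse import parse_qs, unquote, urlencode, urlsplit


def encode_custom_response_headers(headers):
    """Serialise a dict into the JSON list of single-key objects oxAuth expects."""
    return json.dumps([{k: v} for k, v in headers.items()], separators=(",", ":"))


def build_authorize_query(params, custom_headers):
    """URL-encoded query/body for the authorize call, custom headers included."""
    q = dict(params)
    q["custom_response_headers"] = encode_custom_response_headers(custom_headers)
    return urlencode(q)


def decode_custom_response_headers(raw_param):
    """Inverse of encode_custom_response_headers, to check what a request asked for."""
    return {k: v for obj in json.loads(unquote(raw_param)) for k, v in obj.items()}


def split_redirect_response(raw_response, expected_headers):
    """Parse a raw HTTP 302: (status, custom headers found, Location query params)."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    custom = {h: headers[h.lower()] for h in expected_headers if h.lower() in headers}
    query = parse_qs(urlsplit(headers.get("location", "")).query)
    return status, custom, {k: v[0] for k, v in query.items()}


# Constructed sample: the 302 from the post above, with CRLF line endings.
SAMPLE_302 = "\r\n".join([
    "HTTP/1.1 302",
    "CustomHeader1: custom_header_value_1",
    "CustomHeader2: custom_header_value_2",
    "CustomHeader3: custom_header_value_3",
    "Location: https://ce-dev.gluu.org/oxauth-rp/home.seam?session_state=79f9406c-2b34-401e-9c8a-09c5865bcb02"
    "&scope=email+address+openid+profile&state=f979b723-a150-4dd3-9745-9ef6d875b5ee"
    "&code=b150e176-484d-47cf-bb44-0494729b86d2",
    "", "",
])

if __name__ == "__main__":
    wanted = ["CustomHeader1", "CustomHeader2", "CustomHeader3"]
    print(split_redirect_response(SAMPLE_302, wanted))
```

A browser that follows the 302 does not forward these response headers to the `redirect_uri`, so an RP that only receives the redirected request never sees them; only a client that talks to the authorize endpoint directly (as the test class linked above does) can read them.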

By Sakit Atakishiyev user 06 Jun 2017 at 12:40 a.m. CDT

Should I use only a `POST` request, or does it not matter?

By Sakit Atakishiyev user 06 Jun 2017 at 1:27 a.m. CDT

I tested it but the OP does not return my `custom_response_headers`. I attach my logs: [oxauth](https://drive.google.com/file/d/0B0k0w2ZRcqm_eUh3VGw3WkpUa1U/view?usp=sharing), [request](https://drive.google.com/file/d/0B0k0w2ZRcqm_dF91ci1lUmFpOHc/view?usp=sharing), [response](https://drive.google.com/file/d/0B0k0w2ZRcqm_TlM1RHNLeXBKekk/view?usp=sharing), [form_data](https://drive.google.com/file/d/0B0k0w2ZRcqm_dDM5YnJUaERNSVE/view?usp=sharing). I have two steps to authenticate my user. Each of them has its own page. At the first step I can see my `custom_response_headers` params in my `request` but not in the `response` headers. When the OP sends me to my second page I don't see my `custom_response_headers` in either my `request` or my `response` headers.

By Sakit Atakishiyev user 06 Jun 2017 at 3:21 a.m. CDT

Let me explain my case. When the user is redirected to the OP for login he enters his phone number. Then the OP sends him to a second page to verify the code. If everything is OK the OP redirects my user to my web site. I want to know that phone number. How can I send this phone number when redirecting my user to my web site? Is it possible or not?

By Yuriy Zabrovarnyy staff 06 Jun 2017 at 10:15 a.m. CDT

Sakit, it seems you want to pass the phone explicitly, which does not look very secure. You can put a "phone" claim (add it to "profile" or create a new "phone" scope) and then, if the user is logged in, you can check the claim in the `id_token` or otherwise call the `/user_info` endpoint to get the claims (including phone). So each user will have a phone on the AS side and once authenticated you can always get it. No need to pass it via a custom parameter. Does it make sense? Thanks, Yuriy
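To illustrate Yuriy's suggestion, here is an added RP-side example (not Gluu code) that takes the phone from a verified `id_token` claim and only otherwise falls back to the userinfo response, checking that its `sub` matches the token. It assumes an HS256-signed token with a constructed shared secret, issuer and client id; a Gluu deployment would verify the OP's RS256 signature against its JWKS instead, and the claim and endpoint names are assumptions too.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo values (assumptions); a real OP is verified against its JWKS.
ISSUER = "https://op.example"
CLIENT_ID = "rp-client"
SECRET = b"constructed-demo-secret"

def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_hs256_id_token(claims, secret=SECRET):
    """Mint a constructed id_token for the demo only; an RP never does this."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, ("%s.%s" % (header, payload)).encode(), hashlib.sha256).digest()
    return "%s.%s.%s" % (header, payload, _b64url_encode(sig))

def verify_id_token(token, secret=SECRET, now=None):
    """Check alg, signature, iss, aud and exp before trusting any claim."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    signing_input = ("%s.%s" % (header_b64, payload_b64)).encode()
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if claims.get("iss") != ISSUER or claims.get("aud") != CLIENT_ID or claims.get("exp", 0) <= now:
        raise ValueError("iss/aud/exp check failed")
    return claims

def phone_for_user(id_token, fetch_userinfo, now=None):
    """Return (phone_number, source): from the verified id_token, else from userinfo."""
    claims = verify_id_token(id_token, now=now)
    if claims.get("phone_number"):
        return claims["phone_number"], "id_token"
    info = fetch_userinfo()  # callable returning the parsed userinfo JSON (assumed)
    if info.get("sub") != claims["sub"]:
        raise ValueError("userinfo sub does not match id_token sub")
    return info.get("phone_number"), "userinfo"
```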

By Sakit Atakishiyev user 06 Jun 2017 at 10:21 a.m. CDT

Yuriy, maybe you are right, but the phone number is just an example. The info which we return back is public.