You can do your own extension in your own app, just don't expect anyone else to
use it. Not understanding why you want this though, because you already had a
username in the request so the client should know.
Take a look at the Token Introspection stuff, it might solve this for you a
different way if I am guessing right on what you're trying to do.
On Friday, August 21, 2015 8:43 AM, Donghwan Kim
<[email protected]> wrote:
Hi,
I would like to add a custom property representing the account who just
authenticated to the access token response for the sake of convenience, like
a login request's response. Then, an exchange of request and response will look
like this:

POST /tokens HTTP/1.1
Host: api.example.com
Content-Type: application/json

{"grant_type":"password","username":"${username}","password":"${password}"}

HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-store
Pragma: no-cache

{
  "access_token":"${JSON web token}",
  "token_type":"Bearer",
  "account": {"username":"donghwan", ...}
}

However http://tools.ietf.org/html/rfc6749#section-5.1 says that
> The client MUST ignore unrecognized value names in the response.
Does it mean that I shouldn't add such a property, 'account'? Though, I saw that
the Instagram API adds such a custom property to the access token response for the
same purpose at https://instagram.com/developer/authentication/ (Please find
'snoopdogg' to see that token response.) If it's not allowed or desirable, how
should I add such information to the access token response?
BTW, I have some questions on usage of JSON web token with OAuth. Can I post
them here? If not, where should I do that?
Thanks,
-- Donghawn
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth