You can add additional parameters.

"The client MUST ignore unrecognized value names in the response" is there
so that other clients who don't understand your parameters will ignore
them. That line basically enables the behavior you wanted (if it said the
client must *error* on unrecognized values, that would be a problem).

It would be best if you tried to name your params to be hardened against
collision with any future extensions to OAuth/OpenID Connect (e.g., adding
a vendor prefix).

On Thu, Aug 20, 2015 at 7:15 AM, Donghwan Kim <[email protected]>
wrote:

> Hi,
>
> I would like to add a custom property representing the account who just
> authenticated to the access token response for the sake of convenience, like
> a login request's response. Then, an exchange of request and response will
> look like this:
>
> POST /tokens HTTP/1.1
> Host: api.example.com
> Content-Type: application/json
>
> {"grant_type":"password","username":"${username}","password":"${password}"}
>
>
> HTTP/1.1 200 OK
> Content-Type: application/json
> Cache-Control: no-store
> Pragma: no-cache
>
> {
>   "access_token":"${JSON web token}",
>   "token_type":"Bearer",
>   "account": {"username":"donghwan", ...}
> }
>
>
> However http://tools.ietf.org/html/rfc6749#section-5.1 says that
>
> > The client MUST ignore unrecognized value names in the response.
>
> Does it mean that I shouldn't add such a property, 'account'? Though, I saw
> the Instagram API adds such a custom property to the access token response for the
> same purpose from https://instagram.com/developer/authentication/ (Please
> find 'snoopdogg' to see that token response.) If it's not allowed or
> desirable, how should I add such information to the access token response?
>
> BTW, I have some questions on usage of JSON web token with OAuth. Can I
> post them here? If not, where should I do that?
>
> Thanks,
>
> -- Donghawn
>
> _______________________________________________
> OAuth mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/oauth
>
>
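
An added example (not part of the thread, and not code from any OAuth library): a client-side parser for the token response that ignores unrecognized members, as RFC 6749 section 5.1 requires, and reads an extension member only under a vendor prefix. The prefix `example_com_`, the member `example_com_account`, `future_param` and the sample body are assumptions constructed for illustration.

```python
import json

# Members RFC 6749 section 5.1 defines for a successful token response.
STANDARD = {"access_token", "token_type", "expires_in", "refresh_token", "scope"}
REQUIRED = {"access_token", "token_type"}

# Constructed sample body: one vendor-prefixed extension and one member
# that no client in this example recognizes.
SAMPLE_BODY = json.dumps({
    "access_token": "constructed-token",
    "token_type": "Bearer",
    "example_com_account": {"username": "donghwan"},
    "future_param": 1,
})


def parse_token_response(body, extension_prefix=None):
    """Return (standard, extensions, ignored) for a token response body.

    Missing required members are an error; unrecognized members never are.
    """
    data = json.loads(body)
    if not isinstance(data, dict):
        raise ValueError("token response must be a JSON object")
    missing = REQUIRED - set(data)
    if missing:
        raise ValueError("missing required members: %s" % sorted(missing))
    for name in REQUIRED:
        if not isinstance(data[name], str) or not data[name]:
            raise ValueError("%s must be a non-empty string" % name)

    standard, extensions, ignored = {}, {}, []
    for name, value in data.items():
        if name in STANDARD:
            standard[name] = value
        elif extension_prefix and name.startswith(extension_prefix):
            extensions[name] = value   # this client's own vendor extension
        else:
            ignored.append(name)       # unrecognized: skipped, not an error
    return standard, extensions, sorted(ignored)


if __name__ == "__main__":
    # A client that knows the (hypothetical) vendor prefix sees the extension.
    print(parse_token_response(SAMPLE_BODY, "example_com_"))
    # A generic client ignores it and still gets a usable token.
    print(parse_token_response(SAMPLE_BODY))
```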