And as John said, if you are doing user authentication use OpenID instead.
On Friday, August 21, 2015 9:38 AM, John Bradley <[email protected]> wrote:
Yes, going the unregistered route it is probably best to use a name in your
namespace, e.g. “com.example:username”.
On Aug 21, 2015, at 1:34 PM, William Denniss <[email protected]> wrote:
You can add additional parameters.
"The client MUST ignore unrecognized value names in the response" is there so
that other clients who don't understand your parameters will ignore them. That
line basically enables the behavior you wanted (if it said the client must
*error* on unrecognized values, that would be a problem).
It would be best if you tried to name your params to be hardened against
collision with any future extensions to OAuth/OpenID Connect (e.g., adding a
vendor prefix)
On Thu, Aug 20, 2015 at 7:15 AM, Donghwan Kim <[email protected]> wrote:
Hi,
I would like to add a custom property representing the account who just
authenticated to the access token response for the sake of convenience like
login request's response. Then, an exchange of request and response will look
like this:
POST /tokens HTTP/1.1
Host: api.example.com
Content-Type: application/json

{"grant_type":"password","username":"${username}","password":"${password}"}

HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-store
Pragma: no-cache

{
  "access_token":"${JSON web token}",
  "token_type":"Bearer",
  "account": {"username":"donghwan", ...}
}
However http://tools.ietf.org/html/rfc6749#section-5.1 says that
> The client MUST ignore unrecognized value names in the response.
Does it mean that I shouldn't add such property, 'account'? Though, I saw
Instagram API adds such custom property to access token response for the same
purpose from https://instagram.com/developer/authentication/ (Please find
'snoopdogg' to see that token response.) If it's not allowed or desirable, how
should I add such information to the access token response?
BTW, I have some questions on usage of JSON web token with OAuth. Can I post
them here? If not, where should I do that?
Thanks,
-- Donghwan
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
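Added example, not code from the thread or from any of the participants: the two halves of what the replies describe. The server emits its extra parameter under a vendor namespace (the prefix "com.example:" is an assumption, following John's suggestion), and the client checks only the RFC 6749 section 5.1 parameters it knows, keeping anything else aside instead of erroring on it. The sample token values and the bare-name response at the end are constructed.

```python
import json

# Parameter names RFC 6749 section 5.1 defines for a successful token response.
STANDARD_NAMES = {"access_token", "token_type", "expires_in", "refresh_token", "scope"}

# Hypothetical vendor namespace for extension parameters (an assumption here,
# following the advice in the thread to use a name in your own namespace so it
# cannot collide with a bare name some future OAuth/OpenID Connect extension registers).
VENDOR_PREFIX = "com.example:"


def build_token_response(access_token, token_type="Bearer", expires_in=None,
                         refresh_token=None, scope=None, extensions=None):
    """Server side: return (headers, body) for a successful token response.

    extensions maps short names to values; each is emitted under VENDOR_PREFIX
    unless the caller already namespaced it.
    """
    body = {"access_token": access_token, "token_type": token_type}
    if expires_in is not None:
        body["expires_in"] = int(expires_in)
    if refresh_token is not None:
        body["refresh_token"] = refresh_token
    if scope is not None:
        body["scope"] = scope
    for name, value in (extensions or {}).items():
        full_name = name if name.startswith(VENDOR_PREFIX) else VENDOR_PREFIX + name
        body[full_name] = value
    # Section 5.1 also requires the server to tell caches not to store the
    # response, since it carries credentials.
    headers = {"Content-Type": "application/json",
               "Cache-Control": "no-store",
               "Pragma": "no-cache"}
    return headers, json.dumps(body)


def parse_token_response(body_text):
    """Client side: parse a token response body.

    Required parameters must be present and well-typed; every other name,
    whether a vendor extension or something this client has never seen,
    is returned in `extra` and ignored rather than treated as an error,
    which is the behaviour section 5.1 requires of clients.
    """
    data = json.loads(body_text)
    if not isinstance(data, dict):
        raise ValueError("token response is not a JSON object")
    for required in ("access_token", "token_type"):
        if not isinstance(data.get(required), str) or not data[required]:
            raise ValueError("missing or invalid required parameter: " + required)
    if "expires_in" in data and not isinstance(data["expires_in"], int):
        raise ValueError("expires_in must be an integer number of seconds")
    standard = {k: v for k, v in data.items() if k in STANDARD_NAMES}
    extra = {k: v for k, v in data.items() if k not in STANDARD_NAMES}
    return standard, extra


def vendor_account(extra):
    """A client that understands the vendor extension reads it from `extra`;
    a client that does not simply never looks there."""
    return extra.get(VENDOR_PREFIX + "account")


if __name__ == "__main__":
    # Constructed sample values; the token is a placeholder, not a real JWT.
    headers, body = build_token_response(
        "constructed-opaque-token", expires_in=3600, scope="profile",
        extensions={"account": {"username": "donghwan"}})
    print(headers)
    print(body)
    standard, extra = parse_token_response(body)
    print("standard parameters:", standard)
    print("ignored by a generic client:", extra)
    print("account for a client that knows the extension:", vendor_account(extra))
```

Running the module shows the same body parsed twice: a generic client gets the standard parameters and leaves "com.example:account" untouched, while a client written for this server picks it out of the leftovers. A bare, unprefixed name would also be ignored by other clients, but only the namespaced one is safe against a later extension registering that same name with different meaning.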