I have a use case for which I'd like to leverage the token exchange spec...
1. As part of an identity migration effort, I'd like to exchange a
refresh_token issued by one AS for a refresh_token, access_token and
potentially id_token issued by a second AS.
For this use case I have two questions...
-- does the spec allow me to extend the response to include an
additional "claim" in the response?
refresh_token and access_token are already defined, but id_token
is not
-- what would I use as the desired "requested_token_type"?
should it be a "virtual" token type that then represents the
tokens to be returned in the response?
It looks like I could also leave the "requested_token_type"
blank and just let the AS do what it wants. Is that the best option?
Thanks,
George
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth