I have a use case for which I'd like to leverage the token exchange spec...

1. As part of an identity migration effort, I'd like to exchange a refresh_token issued by one AS for a refresh_token, access_token and potentially id_token issued by a second AS.

For this use case I have two questions...

   -- does the spec allow me to extend the response to include an additional "claim" in the response?        refresh_token and access_token are already defined, but id_token is not

   -- what would I use as the desired "requested_token_type"?
       should it be a "virtual" token type that then represents the tokens to be returned in the response?        It looks like I could also leave the "requested_token_type" blank and just let the AS do what it wants. Is that the best option?

Thanks,
George
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth

Reply via email to