The OAuth framework itself isn't particularly RESTful, so it's not really
specific to token exchange. This document just makes mention of it in the
context of talking about the shift from XML/SOAP/WS* to JSON/HTTP as one of
the motivations for its existence.

There's nothing precluding sending additional parameters. In general, OAuth
says to ignore unrecognized parameters, which allows for extensions or
proprietary additions.

On Wed, Dec 5, 2018 at 12:29 PM Josh McKinney <[email protected]> wrote:

> Hiya,
>
> In section 1:
>
>    The STS
>    protocol defined in this specification is not itself RESTful (an STS
>    doesn't lend itself particularly well to a REST approach) but does
>    utilize communication patterns and data formats that should be
>    familiar to developers accustomed to working with RESTful systems.
>
> A colleague expressed concern that token exchange cannot be RESTful.
> Given that the token exchange endpoint defined here is the same as the
> token endpoint, is this a restatement that this endpoint itself is not
> RESTful as opposed to a different change? AFAICT, none of the other OAuth
> RFCs mention RESTful concerns.
>
> In Section 2.1:
> Regarding exchanging an access token for an id token, OIDC allows the
> caller to provide a claims parameter to specify the specific claims
> returned in an id token. See
> https://openid.net/specs/openid-connect-core-1_0.html#ClaimsParameter
> I'm not sure that this spec explicitly constrains parameters to be passed
> to this method, but it also doesn't have any language to suggest that it
> will allow extended parameter lists to be passed and interpreted by the
> auth server.
>
>
> --
> Josh McKinney
> joshka.net
>
> _______________________________________________
> OAuth mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/oauth
>

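The parameter handling described in the reply above (the token exchange parameters are checked, an extension such as the OIDC claims parameter from the question can be interpreted if the server chooses to, and anything unrecognized is ignored rather than rejected), as an added example that is not code from the thread or from any specification. The parameter names are those of RFC 8693 and the no-duplicate-parameters rule is RFC 6749's; the handler, the error strings, the decision to accept `claims` as an extension and the sample request are this example's own assumptions.

```python
import json
from urllib.parse import parse_qs

TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"
# Request parameters defined for token exchange (RFC 8693, section 2.1).
KNOWN_PARAMS = {
    "grant_type", "resource", "audience", "scope", "requested_token_type",
    "subject_token", "subject_token_type", "actor_token", "actor_token_type",
}
# Extension this hypothetical AS chooses to understand: the OIDC 'claims' parameter.
EXTENSION_PARAMS = {"claims"}

# Constructed sample body: an exchange asking for an ID token, carrying a
# 'claims' extension and a vendor parameter the AS does not know about.
SAMPLE_BODY = (
    "grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Atoken-exchange"
    "&subject_token=SUBJECT-TOKEN-PLACEHOLDER"
    "&subject_token_type=urn%3Aietf%3Aparams%3Aoauth%3Atoken-type%3Aaccess_token"
    "&requested_token_type=urn%3Aietf%3Aparams%3Aoauth%3Atoken-type%3Aid_token"
    "&claims=%7B%22id_token%22%3A%7B%22email%22%3Anull%7D%7D"
    "&x_vendor_flag=1"
)


def parse_token_exchange(body: str) -> dict:
    """Validate a form-encoded token-endpoint body as a token exchange request.
    On success 'ignored' lists unrecognized parameter names (logged, not rejected)."""
    raw = parse_qs(body, keep_blank_values=True)
    # OAuth forbids a parameter appearing more than once; reject that outright.
    if any(len(v) != 1 for v in raw.values()):
        return {"ok": False, "error": "invalid_request: duplicate parameter"}
    params = {k: v[0] for k, v in raw.items()}
    if params.get("grant_type") != TOKEN_EXCHANGE_GRANT:
        return {"ok": False, "error": "unsupported_grant_type"}
    for required in ("subject_token", "subject_token_type"):
        if not params.get(required):
            return {"ok": False, "error": f"invalid_request: missing {required}"}
    # actor_token_type is required exactly when actor_token is present.
    if ("actor_token" in params) != ("actor_token_type" in params):
        return {"ok": False, "error": "invalid_request: actor_token without actor_token_type"}
    claims = None
    if "claims" in params:
        try:
            claims = json.loads(params["claims"])
        except ValueError:
            return {"ok": False, "error": "invalid_request: claims is not valid JSON"}
    recognized = {k: v for k, v in params.items() if k in KNOWN_PARAMS}
    ignored = sorted(k for k in params if k not in KNOWN_PARAMS | EXTENSION_PARAMS)
    return {"ok": True, "params": recognized, "claims": claims, "ignored": ignored}
```

Logging the `ignored` list is what lets an operator notice clients that rely on a parameter the server never implemented, without breaking interoperability.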