Hi,

I would like to add a custom property, representing the account that just authenticated, to the access token response for the sake of convenience, like a login request's response. Then an exchange of request and response will look like this:

POST /tokens HTTP/1.1
Host: api.example.com
Content-Type: application/json

{"grant_type":"password","username":"${username}","password":"${password}"}

HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-store
Pragma: no-cache

{
  "access_token":"${JSON web token}",
  "token_type":"Bearer",
  "account": {"username":"donghwan", ...}
}

However, http://tools.ietf.org/html/rfc6749#section-5.1 says that

> The client MUST ignore unrecognized value names in the response.

Does it mean that I shouldn't add such a property, 'account'? Though, I saw that the Instagram API adds such a custom property to the access token response for the same purpose, at https://instagram.com/developer/authentication/ (Please search for 'snoopdogg' to see that token response.)

If it's not allowed or desirable, how should I add such information to the access token response?

BTW, I have some questions on the usage of JSON web tokens with OAuth. Can I post them here? If not, where should I do that?

Thanks,

-- Donghawn
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
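
An added example, not part of the original message: a client-side parser for the token response shown above that applies the quoted sentence from RFC 6749 section 5.1, keeping the member names it recognizes and dropping the rest, so a standards-only client never sees 'account' while a client that knows the extension can opt in. The function name parse_token_response, its extensions parameter and the sample values are assumptions made for illustration.

```python
import json

# Member names defined for a successful response in RFC 6749 section 5.1.
REQUIRED = ("access_token", "token_type")
OPTIONAL = ("expires_in", "refresh_token", "scope")


def parse_token_response(body, extensions=()):
    """Parse a token response body, ignoring unrecognized member names.

    `extensions` (hypothetical parameter) lists extra names this particular
    client has agreed with the server to understand, e.g. "account".
    """
    data = json.loads(body)
    if not isinstance(data, dict):
        raise ValueError("token response must be a JSON object")
    for name in REQUIRED:
        if not isinstance(data.get(name), str) or not data[name]:
            raise ValueError("missing or invalid required member: " + name)
    recognized = REQUIRED + OPTIONAL + tuple(extensions)
    # Anything not in `recognized` is dropped here and never passed on.
    token = {k: v for k, v in data.items() if k in recognized}
    # token_type is case insensitive (RFC 6749 section 5.1).
    token["token_type"] = token["token_type"].lower()
    return token


# Constructed sample modelled on the response in the message above.
SAMPLE = json.dumps({
    "access_token": "constructed.sample.token",
    "token_type": "Bearer",
    "account": {"username": "donghwan"},
})

if __name__ == "__main__":
    print(parse_token_response(SAMPLE))               # standards-only client
    print(parse_token_response(SAMPLE, ["account"]))  # client aware of 'account'
```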