Hi,

I would like to add a custom property representing the account that just
authenticated to the access token response, for the sake of convenience, like
a login request's response. Then, an exchange of request and response will
look like this:

POST /tokens HTTP/1.1
Host: api.example.com
Content-Type: application/json

{"grant_type":"password","username":"${username}","password":"${password}"}


HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-store
Pragma: no-cache

{
  "access_token":"${JSON web token}",
  "token_type":"Bearer",
  "account": {"username":"donghwan", ...}
}


However http://tools.ietf.org/html/rfc6749#section-5.1 says that

> The client MUST ignore unrecognized value names in the response.

Does it mean that I shouldn't add such a property, 'account'? Though, I saw
that the Instagram API adds such a custom property to the access token response
for the same purpose at https://instagram.com/developer/authentication/ (please
search for 'snoopdogg' to see that token response). If it's not allowed or
desirable, how should I add such information to the access token response?

BTW, I have some questions on the usage of JSON Web Tokens with OAuth. Can I
post them here? If not, where should I do that?

Thanks,

-- Donghawn
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
