Requests to the token endpoint are URL form encoded, not JSON as in your example.

The use of the password credentials grant was to allow migration from HTTP 
basic, but it is not recommended for privacy and security reasons.

OpenID Connect is a better way to authenticate users.

However, assuming you have a closed system and don’t care about interoperability 
between clients and the Token endpoint, you could just add that parameter to 
your AS and the world will not end.

If you want to have interoperable clients then you should register the new 
element in the IANA registry, Sec 11.2 of the spec.

   Parameter name:
      The name requested (e.g., "username").

   Parameter usage location:
      token response.

   Change controller:
      For Standards Track RFCs, state "IETF".  For others, give the name
      of the responsible party.  Other details (e.g., postal address,
      email address, home page URI) may also be included.

You need to have a specification to do that.

I don’t see this as a good idea, but that is how you would do it.

Regards
John B.


> On Aug 20, 2015, at 11:15 AM, Donghwan Kim <flowersinthes...@gmail.com> wrote:
> 
> Hi,
> 
> I would like to add a custom property representing the account who just 
> authenticated to the access token response for the sake of convenience like 
> login request's response. Then, an exchange of request and response will look 
> like this:
> 
> POST /tokens HTTP/1.1
> Host: api.example.com
> Content-Type: application/json
> 
> {"grant_type":"password","username":"${username}","password":"${password}"}
> 
> HTTP/1.1 200 OK
> Content-Type: application/json
> Cache-Control: no-store
> Pragma: no-cache
> 
> {
>   "access_token":"${JSON web token}",
>   "token_type":"Bearer",
>   "account": {"username":"donghwan", ...}
> }
> 
> However http://tools.ietf.org/html/rfc6749#section-5.1 says that
> 
> > The client MUST ignore unrecognized value names in the response.
> 
> Does it mean that I shouldn't add such property, 'account'? Though, I saw 
> Instagram API adds such custom property to access token response for the same 
> purpose from https://instagram.com/developer/authentication/ (Please find 
> 'snoopdogg' to see that token response.) If it's not allowed or desirable, 
> how should I add such information to the access token response?
> 
> BTW, I have some questions on usage of JSON web token with OAuth. Can I post 
> them here? If not, where should I do that?
> 
> Thanks,
> 
> -- Donghwan
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
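The two points John raises, that the token request body is form encoded rather than JSON and that a client must ignore unrecognised response members, can be checked end to end. The following is an added example written for this thread; it is not code from either poster, the IETF, or any library. The endpoint URL and the function names are constructed for illustration, and the sample response is made up to carry the non-standard "account" member from the question. A generic RFC 6749 client built this way never sees that member, which is why shipping user identity in a custom token-response field only works for clients you control.

```python
"""Added example (not part of the original thread): build an RFC 6749
token request the way the token endpoint expects it (form encoded, not
JSON) and parse a token response that carries an unrecognised member
such as "account", which a conforming client must ignore (Section 5.1).
"""
import json
from typing import Optional
from urllib.parse import parse_qs, urlencode

TOKEN_ENDPOINT = "https://api.example.com/token"  # constructed placeholder

# Members defined for a successful token response by RFC 6749 Section 5.1.
KNOWN_RESPONSE_MEMBERS = {"access_token", "token_type", "expires_in",
                          "refresh_token", "scope"}


def build_token_request(username: str, password: str,
                        scope: Optional[str] = None) -> tuple:
    """Client side: return (headers, body) for a password-credentials grant.

    Section 4.3.2 requires an application/x-www-form-urlencoded body, so
    the JSON body in the quoted message would be rejected by a conforming
    authorization server. Note that this grant hands the user's password
    to the client, which is the privacy concern John mentions.
    """
    params = {"grant_type": "password", "username": username,
              "password": password}
    if scope:
        params["scope"] = scope
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return headers, urlencode(params)


def parse_token_request(body: str) -> dict:
    """Server side: decode the form body and check the grant's required fields.

    parse_qs drops blank values, so an empty password shows up as absent
    and is rejected like a missing one.
    """
    fields = {k: v[0] for k, v in parse_qs(body, strict_parsing=True).items()}
    if fields.get("grant_type") != "password":
        raise ValueError("unsupported_grant_type")
    for required in ("username", "password"):
        if not fields.get(required):
            raise ValueError("invalid_request")
    return fields


def parse_token_response(raw: str) -> dict:
    """Client side: keep the members the spec defines, drop anything else.

    Section 5.1 requires clients to ignore unrecognised value names, so a
    custom "account" member is neither an error nor something a generic
    client will surface; it is simply discarded here.
    """
    data = json.loads(raw)
    if "error" in data:  # Section 5.2 error response
        raise ValueError(data["error"])
    token = data.get("access_token")
    if not isinstance(token, str) or not token:
        raise ValueError("missing access_token")
    # token_type values are case insensitive (Section 5.1).
    if str(data.get("token_type", "")).lower() != "bearer":
        raise ValueError("unsupported token_type")
    return {k: v for k, v in data.items() if k in KNOWN_RESPONSE_MEMBERS}


if __name__ == "__main__":
    hdrs, body = build_token_request("donghwan", "s3cret")
    print(hdrs, body)                    # form-encoded, never JSON
    print(parse_token_request(body))
    # Constructed sample response carrying the non-standard "account" member.
    sample = ('{"access_token":"eyJ.example","token_type":"Bearer",'
              '"account":{"username":"donghwan"}}')
    print(parse_token_response(sample))  # "account" is gone
```

Running the block shows the request body as `grant_type=password&username=donghwan&password=s3cret` and the parsed response reduced to `access_token` and `token_type`; the `account` object never reaches the caller, which is exactly the behaviour Section 5.1 mandates for clients that do not know the custom name.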
