Yes, going the unregistered route, it is probably best to use a name in your namespace, e.g. “com.example:username”.
> On Aug 21, 2015, at 1:34 PM, William Denniss <wdenn...@google.com> wrote:
>
> You can add additional parameters.
>
> "The client MUST ignore unrecognized value names in the response" is there so
> that other clients who don't understand your parameters will ignore them.
> That line basically enables the behavior you wanted (if it said the client
> must *error* on unrecognized values, that would be a problem).
>
> It would be best if you tried to name your params to be hardened against
> collision with any future extensions to OAuth/OpenID Connect (e.g., adding a
> vendor prefix)
>
> On Thu, Aug 20, 2015 at 7:15 AM, Donghwan Kim <flowersinthes...@gmail.com> wrote:
> Hi,
>
> I would like to add a custom property representing the account who just
> authenticated to the access token response for the sake of convenience like
> login request's response. Then, an exchange of request and response will look
> like this:
>
> POST /tokens HTTP/1.1
> Host: api.example.com
> Content-Type: application/json
>
> {"grant_type":"password","username":"${username}","password":"${password}"}
>
> HTTP/1.1 200 OK
> Content-Type: application/json
> Cache-Control: no-store
> Pragma: no-cache
>
> {
>   "access_token":"${JSON web token}",
>   "token_type":"Bearer",
>   "account": {"username":"donghwan", ...}
> }
>
> However http://tools.ietf.org/html/rfc6749#section-5.1 says that
>
> > The client MUST ignore unrecognized value names in the response.
>
> Does it mean that I shouldn't add such property, 'account'? Though, I saw
> Instagram API adds such custom property to access token response for the same
> purpose from https://instagram.com/developer/authentication/ (Please find
> 'snoopdogg' to see that token response.) If it's not allowed or desirable,
> how should I add such information to the access token response?
>
> BTW, I have some questions on usage of JSON web token with OAuth. Can I post
> them here? If not, where should I do that?
>
> Thanks,
>
> -- Donghawn
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
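
Added example, not part of the original thread: a client-side token response parser that follows the RFC 6749 section 5.1 rule quoted above (unrecognized members are ignored, not rejected) and reads one optional namespaced extension member. The member name "com.example:username" is the one suggested in the reply; the function name and the sample responses are constructed for illustration.

```python
import json

# RFC 6749 section 5.1 members this client understands.
STANDARD = {"access_token", "token_type", "expires_in", "refresh_token", "scope"}
# Namespaced extension member, named as suggested in the thread.
EXT_USERNAME = "com.example:username"


def parse_token_response(body: str) -> dict:
    """Parse a token response, ignoring members the client does not recognize."""
    data = json.loads(body)
    if not isinstance(data, dict):
        raise ValueError("token response must be a JSON object")
    # access_token and token_type are REQUIRED by section 5.1.
    for required in ("access_token", "token_type"):
        value = data.get(required)
        if not isinstance(value, str) or not value:
            raise ValueError(f"missing or invalid {required}")
    # Keep only the standard members; anything else is silently dropped.
    result = {k: v for k, v in data.items() if k in STANDARD}
    # The extension is optional convenience data: a missing member or one
    # with an unexpected type is skipped, never treated as an error.
    username = data.get(EXT_USERNAME)
    if isinstance(username, str) and username:
        result["username"] = username
    return result


# Constructed sample responses (not captured traffic).
WITH_EXTENSION = json.dumps({
    "access_token": "constructed-token-value",
    "token_type": "Bearer",
    "com.example:username": "donghwan",
    "some_future_param": 123,  # unknown member: must be ignored
})
PLAIN = json.dumps({"access_token": "constructed-token-value",
                    "token_type": "Bearer"})

if __name__ == "__main__":
    print(parse_token_response(WITH_EXTENSION))
    print(parse_token_response(PLAIN))
```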