Sure, you can do that, if you've got an ID Token or similar. You could alternatively define another endpoint to get user info back. Not every API is going to have an ID Token defined (or even end users), so this isn't exactly a general construct. But if it works for your API, go ahead and pass it along with the rest of the information.
It's important to make a distinction between ID Tokens that are gotten in this way, which pass information about the user who authorized the access token, and ID Tokens that are gotten in the normal OpenID Connect way, which convey information about the authentication event and are more closely tied to the end user's authentication. In other words, you wouldn't want to accept an access token, introspect to get an ID token, and then assume the user is "present" and log them in.

 -- Justin

On Nov 28, 2013, at 6:51 AM, Prabath Siriwardena <prab...@wso2.com> wrote:

Currently the introspection response has an optional parameter to pass the client_id to the caller. It would also be useful to pass an ID token back in the response - just like in OpenID Connect - to include end user details. WDYT?

Thanks & regards,
-Prabath

On Tue, Nov 12, 2013 at 3:27 AM, Nat Sakimura <sakim...@gmail.com> wrote:

Great. I may have something for you based on our implementation. I will get back to you individually.

Best,
Nat

2013/11/12 Richer, Justin P. <jric...@mitre.org>

Expiration of drafts happens automatically after a set amount of time has passed without edits. There haven't needed to be any edits to the introspection draft in many months (apart from a couple typos), so I haven't updated it.

 -- Justin

________________________________
From: oauth-boun...@ietf.org [oauth-boun...@ietf.org] on behalf of Nat Sakimura [sakim...@gmail.com]
Sent: Monday, November 11, 2013 9:47 AM
To: Todd W Lainhart
Cc: IETF oauth WG
Subject: Re: [OAUTH-WG] Introspection spec still active?

By no means. If Justin let it go, I will pick it up :-)

2013/11/11 Todd W Lainhart <lainh...@us.ibm.com>

http://tools.ietf.org/html/draft-richer-oauth-introspection-04 expired as of 11/02/13.

I'm assuming that this spec still has some traction, and that the expiration is not an indicator of retraction?

Todd Lainhart
Rational software
IBM Corporation
550 King Street, Littleton, MA 01460-1250
1-978-899-4705
2-276-4705 (T/L)
lainh...@us.ibm.com

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

--
Nat Sakimura (=nat)
Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en

--
Thanks & Regards,
Prabath
Mobile : +94 71 809 6732
http://blog.facilelogin.com
http://blog.api-security.org
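
An added example, not part of the original thread or of the introspection draft: one way a resource server could keep apart the two uses of an ID Token that Justin's reply distinguishes. The `id_token` response field is the proposal discussed in the thread; the `active` field name, the HS256 demo key, the client names and all function names are assumptions made for this sketch.

```python
import base64, hashlib, hmac, json

KEY = b"constructed-demo-key"  # constructed HS256 key; stands in for the server's real keys

def b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64d(txt):
    return base64.urlsafe_b64decode(txt + "=" * (-len(txt) % 4))

def sign(data):
    return hmac.new(KEY, data.encode(), hashlib.sha256).digest()

def make_id_token(claims):
    """Issue a constructed HS256 ID token (plays the authorization server in this demo)."""
    data = b64e(json.dumps({"alg": "HS256"}).encode()) + "." + b64e(json.dumps(claims).encode())
    return data + "." + b64e(sign(data))

def verified_claims(token):
    """Check algorithm and signature before trusting any claim."""
    head, body, sig = token.split(".")
    if json.loads(b64d(head)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    if not hmac.compare_digest(sign(head + "." + body), b64d(sig)):
        raise ValueError("bad signature")
    return json.loads(b64d(body))

def api_context(introspection):
    """Resource-server path: records who authorized the access token, not who is present."""
    if not introspection.get("active"):  # field name assumed for this demo
        raise PermissionError("inactive access token")
    ctx = {"client_id": introspection.get("client_id"), "user": None, "user_present": False}
    if "id_token" in introspection:  # the field proposed in this thread
        ctx["user"] = verified_claims(introspection["id_token"])["sub"]
    return ctx

def login_session(id_token, my_client_id, session_nonce):
    """Login path: accept only an ID token issued to this client for this browser session."""
    claims = verified_claims(id_token)
    aud = claims.get("aud")
    if my_client_id not in (aud if isinstance(aud, list) else [aud]):
        raise PermissionError("ID token was not issued to this client")
    if not session_nonce or claims.get("nonce") != session_nonce:
        raise PermissionError("ID token is not tied to this authentication request")
    return {"user": claims["sub"], "user_present": True}
```

An ID token that arrives through introspection carries no nonce from the current browser session, so `login_session` rejects it while `api_context` can still use its `sub` for authorization decisions.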