Hi,

> Requests to the token endpoint are URL form encoded not JSON in your example.

My bad. According to http://tools.ietf.org/html/rfc6749#section-4.3, application/x-www-form-urlencoded, not application/json, is the correct content type for a token endpoint request. Right?

Thanks,

-- Donghwan

On Sat, Aug 22, 2015 at 1:35 AM, John Bradley <ve7...@ve7jtb.com> wrote:
> Requests to the token endpoint are URL form encoded not JSON in your example.
>
> The use of the password credentials grant was to allow migration from HTTP basic, but it is not recommended for privacy and security reasons.
>
> OpenID Connect is a better way to authenticate users.
>
> However assuming you have a closed system and don't care about interoperability between clients and the Token endpoint, you could just add that parameter to your AS and the world will not end.
>
> If you want to have interoperable clients then you should register the new element in the IANA registry, Sec 11.2 of the spec.
>
> Parameter name:
> The name requested (e.g., "username").
>
> Parameter usage location:
> token response.
>
> Change controller:
> For Standards Track RFCs, state "IETF". For others, give the name of the responsible party. Other details (e.g., postal address, email address, home page URI) may also be included.
>
> You need to have a specification to do that.
>
> I don't see this as a good idea, but that is how you would do it.
>
> Regards
> John B.
>
>> On Aug 20, 2015, at 11:15 AM, Donghwan Kim <flowersinthes...@gmail.com> wrote:
>>
>> Hi,
>>
>> I would like to add a custom property representing the account who just authenticated to the access token response for the sake of convenience, like a login request's response. Then, an exchange of request and response will look like this:
>>
>> POST /tokens HTTP/1.1
>> Host: api.example.com
>> Content-Type: application/json
>>
>> {"grant_type":"password","username":"${username}","password":"${password}"}
>>
>>
>> HTTP/1.1 200 OK
>> Content-Type: application/json
>> Cache-Control: no-store
>> Pragma: no-cache
>>
>> {
>>   "access_token":"${JSON web token}",
>>   "token_type":"Bearer",
>>   "account": {"username":"donghwan", ...}
>> }
>>
>> However http://tools.ietf.org/html/rfc6749#section-5.1 says that
>>
>>> The client MUST ignore unrecognized value names in the response.
>>
>> Does it mean that I shouldn't add such a property, 'account'? Though, I saw the Instagram API adds such a custom property to the access token response for the same purpose, from https://instagram.com/developer/authentication/ (Please find 'snoopdogg' to see that token response.) If it's not allowed or desirable, how should I add such information to the access token response?
>>
>> BTW, I have some questions on usage of JSON web token with OAuth. Can I post them here? If not, where should I do that?
>>
>> Thanks,
>>
>> -- Donghwan
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
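As an added illustration of both points raised in this thread (not code from the original posts), here is a constructed Python sketch: the client sends the password grant as application/x-www-form-urlencoded per RFC 6749 section 4.3.2, a constructed authorization server rejects a JSON body with `invalid_request` and adds the non-standard `account` member, and the client-side parser keeps only the section 5.1 registered members, so `account` is ignored as the spec requires. The user store, token value and error handling details are assumptions made for the example.

```python
import hmac
import json
from urllib.parse import parse_qs, urlencode

# Constructed demo user store; a real AS would verify a salted hash, not a plaintext map.
USERS = {"donghwan": "correct horse battery staple"}
# Members RFC 6749 section 5.1 registers for a successful token response.
REGISTERED = {"access_token", "token_type", "expires_in", "refresh_token", "scope"}


def build_token_request(username, password):
    """Client side: section 4.3.2 password-grant body, form-encoded rather than JSON."""
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    body = urlencode({"grant_type": "password", "username": username, "password": password})
    return headers, body


def handle_token_request(content_type, body):
    """Server side (constructed AS): returns (status, response dict) with an extension member."""
    if content_type.split(";")[0].strip().lower() != "application/x-www-form-urlencoded":
        return 400, {"error": "invalid_request",
                     "error_description": "body must be application/x-www-form-urlencoded"}
    raw = parse_qs(body, keep_blank_values=True)
    if any(len(v) != 1 for v in raw.values()):  # section 3.2: no parameter may repeat
        return 400, {"error": "invalid_request"}
    params = {k: v[0] for k, v in raw.items()}
    if params.get("grant_type") != "password":
        return 400, {"error": "unsupported_grant_type"}
    expected = USERS.get(params.get("username"), "")
    if not expected or not hmac.compare_digest(expected.encode(), params.get("password", "").encode()):
        return 400, {"error": "invalid_grant"}
    # 'account' is the non-standard member the thread asks about; the AS may add it.
    return 200, {"access_token": "opaque-token-placeholder", "token_type": "Bearer",
                 "expires_in": 3600, "account": {"username": params["username"]}}


def parse_token_response(status, body):
    """Client side: keep registered members only; unrecognized ones like 'account' are ignored."""
    data = json.loads(body)
    if status != 200:
        raise ValueError(data.get("error", "unknown_error"))
    if "access_token" not in data or str(data.get("token_type", "")).lower() != "bearer":
        raise ValueError("malformed token response")
    return {k: v for k, v in data.items() if k in REGISTERED}


def exchange(username, password, content_type=None, body=None):
    """One request/response round trip; override content_type/body to simulate a JSON-posting client."""
    headers, form = build_token_request(username, password)
    status, resp = handle_token_request(content_type or headers["Content-Type"], body or form)
    return status, resp, (parse_token_response(status, json.dumps(resp)) if status == 200 else None)
```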