7

In my Java app, I'm using the Spring Security OAuth 2 library to implement an OAuth provider. The response to a successful authentication (for the authorization_code grant type) is something like:

```json
{"access_token": "d179bf70-aa40-4df9-a3e1-440e835c273a",
 "expires_in": "43199",
 "refresh_token": "879e7bd0-5e0f-48a9-b64d-f61d5665bf4e",
 "scope": "read",
 "token_type": "bearer"}
```

Is there a way to add additional properties to this response, e.g. the user's name or email address?

Shaggy
Antonio Dragos
  • What are you trying to accomplish by adding such parameters to the token response? According to the [spec](http://tools.ietf.org/html/rfc6749#section-5.1) it's possible to add more values to it (need to check the Spring implementation to know if they allow it). What I would recommend, and it's in the Spring docs, is to use "JWT Tokens", where you can add all the information you need in a stateless (and signed) access token. If JWT is an option I can point you to nice implementations of it. – jbarrueta Apr 24 '15 at 19:27

1 Answer

6

Spring OAuth2 allows you to put arbitrary values in the OAuth2AccessToken via its additionalInfo property. You can inject as much as you need in an AccessTokenConverter (which in turn can be added to the DefaultTokenServices easily via configuration callbacks). I'm not really sure why you need it though, and I would consider your use case carefully before sending additional values for consumption by clients (they are supposed to just use the token value, which is opaque).

Dave Syer
  • The use case for this can be providing the entry points to hypermedia APIs after authentication instead of spending extra request to the discovery service, so this task makes a lot of sense. – Ivan Gammel Aug 21 '17 at 14:37
  • I'm able to successfully add the additional data to access token response. But facing a challenge that information in OAuth2 client application. Any help? Tried with Principal, OAuth2AuthenticationToken by injecting into controller. But no luck. – Ravi MCA Dec 19 '19 at 07:27
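
An added example, not code from the question, the answer or the Spring project: one way to put an extra value into the token response's additional information. It uses a `TokenEnhancer`, the library's hook for changing a token before it is returned, rather than the `AccessTokenConverter` the answer names. The class names and the `user_name` key are assumptions, and only a non-secret value is exposed because everything added here is readable by the client.

```java
import java.util.LinkedHashMap;
import java.util.Map;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.common.DefaultOAuth2AccessToken;
import org.springframework.security.oauth2.common.OAuth2AccessToken;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.security.oauth2.provider.token.TokenEnhancer;

// Hypothetical class name: adds one non-secret field to the token response.
class UserInfoTokenEnhancer implements TokenEnhancer {

    @Override
    public OAuth2AccessToken enhance(OAuth2AccessToken accessToken,
                                     OAuth2Authentication authentication) {
        // Tokens issued to a client alone (client_credentials) have no end user.
        if (authentication.isClientOnly()) {
            return accessToken;
        }
        // Copy the token and keep whatever earlier enhancers already added.
        DefaultOAuth2AccessToken enhanced = new DefaultOAuth2AccessToken(accessToken);
        Map<String, Object> info =
                new LinkedHashMap<>(accessToken.getAdditionalInformation());
        // "user_name" is an assumed key. Never place passwords, internal ids
        // or authorities here: the client receives this map in clear text.
        info.put("user_name", authentication.getName());
        enhanced.setAdditionalInformation(info);
        return enhanced;
    }
}

// Hypothetical configuration class; in a real application the configure()
// override goes into the existing authorization server configuration.
@Configuration
@EnableAuthorizationServer
class AuthServerConfig extends AuthorizationServerConfigurerAdapter {

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) {
        // Runs the enhancer on every access token before it is stored and returned.
        endpoints.tokenEnhancer(new UserInfoTokenEnhancer());
    }
}
```

The entries of the additional-information map are serialized as top-level members of the token JSON, next to `access_token` and `token_type`.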