Feb 19th, 2013, 03:53 AM
Identify end user from bearer token
I have a webservice that is secured using OAuth 2.0. I have a website client where users log in. Upon logging the user in, the website uses the password grant to obtain an access token from the webservice.
Subsequent requests are made to the webservice with the access token.
The webservice needs to know some end user id to be able to carry out some of the requests. So my questions are:
1. Does the bearer access token have any such information that would enable the webservice to find out who the end user is that the website is acting on behalf of?
2. If not, what is the best way to add/store additional end user information into the bearer token when it is issued by the webservice? This way the webservice can use it when servicing resource requests. In terms of the OAuth configuration, where would this be done?
Please provide as much info as possible as I'm finding Spring OAuth support/configuration a huge learning curve.