I'm using ASP.NET Identity in a Web API 2 project. I currently have it up and running fine for authenticating with a username and password using the following example:
grant_type=password&username=alice%40example.com&password=Password1!
And this is working fine.
Now, my service can be called from a mobile app and I want to give the user the option to be able to log in with a passcode. I've added two extra fields (passcode and device id) to the user table and have extended the UserStore to be able to retrieve a user based on this information.
My question is how to allow the user to supply a passcode? I need them to be able to log in with either password or passcode, so I was thinking of sending the following for passcode:
grant_type=passcode&username=alice%40example.com&passcode=1234&deviceid=abcdef
and depending on the grant_type I can either query the user store by password or by passcode. However, this throws an error (unsupported_grant_type), and after a quick search it looks like these are predefined values, so I can't add a new one?
Am I able to add a new grant_type, or do I have to stick with password and have an additional field in the post data stating if it's a passcode?
Thanks
Adding another grant_type doesn't seem to be a major issue. There is one thing, though: compliance. Every OAuth endpoint has a specific set of allowed grant_types. If you add another one, you are actually bypassing the standard, which will lead to problems with others implementing it.
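As an added example (not code from the question or the answer above), here is what handling the passcode grant looks like in the OWIN OAuth middleware that ASP.NET Identity in Web API 2 sits on. The unsupported_grant_type error in the question is what the middleware returns when the token endpoint receives a grant_type that is not password, refresh_token, client_credentials or authorization_code and the provider's GrantCustomExtension override has not validated the request; overriding that method is the supported way to add a grant. RFC 6749 section 4.5 defines such extension grants and identifies them by an absolute URI rather than a bare word, which is why the grant_type below is a URI instead of "passcode". The IPasscodeStore interface, PasscodeRecord class, the URI itself and the lockout threshold are assumptions made for this example; the OWIN types (OAuthAuthorizationServerProvider, OAuthGrantCustomExtensionContext) are real. The example also shows the checks a short numeric passcode needs that a password flow gets for free: the passcode is stored as a salted PBKDF2 hash, compared in constant time, bound to the device id, and locked after a few failures, because a 4-digit passcode has only 10,000 possible values.

```csharp
using System;
using System.Security.Claims;
using System.Security.Cryptography;
using System.Threading.Tasks;
using Microsoft.Owin.Security.OAuth;

// Hypothetical lookup over the extended user table (passcode + device id) from the question.
// Returns null when the user has no passcode registered for that device.
public interface IPasscodeStore
{
    Task<PasscodeRecord> FindByUserAndDeviceAsync(string userName, string deviceId);
    Task RecordFailureAsync(string userName, string deviceId);   // bumps the lockout counter
    Task ResetFailuresAsync(string userName, string deviceId);
}

public class PasscodeRecord
{
    public string UserId { get; set; }
    public string UserName { get; set; }
    public byte[] Salt { get; set; }
    public byte[] PasscodeHash { get; set; }   // PBKDF2 output, see PasscodeHasher.Hash
    public int FailedAttempts { get; set; }
}

public class PasscodeOAuthProvider : OAuthAuthorizationServerProvider
{
    // Extension grants are named by an absolute URI (RFC 6749 s4.5); this URI is an assumption.
    public const string PasscodeGrantType = "urn:example:params:oauth:grant-type:passcode";
    private const int MaxFailedAttempts = 5;   // assumed threshold; 4 digits = 10,000 guesses
    private readonly IPasscodeStore _store;

    public PasscodeOAuthProvider(IPasscodeStore store) { _store = store; }

    public override Task ValidateClientAuthentication(OAuthValidateClientAuthenticationContext context)
    {
        context.Validated();   // public mobile client, no secret (same as the Web API 2 template)
        return Task.FromResult<object>(null);
    }

    // grant_type=password continues to be served by GrantResourceOwnerCredentials (not shown).
    public override async Task GrantCustomExtension(OAuthGrantCustomExtensionContext context)
    {
        // Any other unknown grant_type is left unvalidated, so the middleware
        // keeps answering unsupported_grant_type for it.
        if (context.GrantType != PasscodeGrantType) return;

        var userName = context.Parameters.Get("username");
        var passcode = context.Parameters.Get("passcode");
        var deviceId = context.Parameters.Get("deviceid");
        if (string.IsNullOrEmpty(userName) || string.IsNullOrEmpty(passcode) || string.IsNullOrEmpty(deviceId))
        {
            context.SetError("invalid_request", "username, passcode and deviceid are required.");
            return;
        }

        var record = await _store.FindByUserAndDeviceAsync(userName, deviceId);
        if (record == null || record.FailedAttempts >= MaxFailedAttempts)
        {
            // One error for unknown user, unknown device and locked record: no enumeration.
            context.SetError("invalid_grant", "The passcode is incorrect.");
            return;
        }
        if (!PasscodeHasher.Verify(passcode, record.Salt, record.PasscodeHash))
        {
            await _store.RecordFailureAsync(userName, deviceId);
            context.SetError("invalid_grant", "The passcode is incorrect.");
            return;
        }

        await _store.ResetFailuresAsync(userName, deviceId);
        var identity = new ClaimsIdentity(context.Options.AuthenticationType);
        identity.AddClaim(new Claim(ClaimTypes.NameIdentifier, record.UserId));
        identity.AddClaim(new Claim(ClaimTypes.Name, record.UserName));
        identity.AddClaim(new Claim("amr", "passcode"));    // resource code can see how the user logged in
        identity.AddClaim(new Claim("device_id", deviceId));
        context.Validated(identity);
    }
}

public static class PasscodeHasher
{
    private const int Iterations = 100000;
    private const int HashLength = 32;

    // Store the passcode like the password column: salted PBKDF2, never in clear.
    public static byte[] Hash(string passcode, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(passcode, salt, Iterations))
            return kdf.GetBytes(HashLength);
    }

    public static bool Verify(string passcode, byte[] salt, byte[] expected)
    {
        var actual = Hash(passcode, salt);
        if (actual.Length != expected.Length) return false;
        int diff = 0;   // constant-time comparison, no early exit on the first differing byte
        for (int i = 0; i < actual.Length; i++) diff |= actual[i] ^ expected[i];
        return diff == 0;
    }
}
```

With this provider registered in the OAuthAuthorizationServerOptions, the mobile app posts the same form-encoded body as for the password grant, only with the extension grant_type URL-encoded: grant_type=urn%3Aexample%3Aparams%3Aoauth%3Agrant-type%3Apasscode&username=alice%40example.com&passcode=1234&deviceid=abcdef. Whether to hand out a refresh token on a passcode login is a policy decision; if the passcode is meant as a cheaper re-authentication for an already enrolled device, a short-lived access token without a refresh token is the safer default.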