Currently we use OAuth 2.0 to authorise external software to access APIs for healthcare workers. There is no standard way for external software to get the end user's details (name, role profiles etc). One way to do this would be to support token exchange (there's a separate feature for this). Another way would be to add Open ID Connect to the OAuth server. Under the covers this would retrieve the user's details from NHS Identity.