4.4 Token Endpoint

The Token endpoint is called directly by the client, without involving the browser, so a client can obtain an access token while the user is not interacting through a browser. The endpoint issues an access token when the client presents a valid authorization code, a SAML 2.0 bearer assertion (SAML bearer grant), resource owner password credentials, client credentials, or a refresh token.

Endpoint URL: https://<Identity Server URL: Port Number>/nidp/oauth/nam/token

Request method: POST

NOTE: The client authenticates either by sending client_id and client_secret as request body parameters or by sending the client credentials in the HTTP Basic Authorization header, as described in RFC 6749. RFC 6749 prefers the Authorization header over body parameters; when building it, form-urlencode the client_id and client_secret before base64-encoding the 'client_id:client_secret' string (RFC 6749, Section 2.3.1).

4.4.1 Request Parameters

The token request takes the following parameters. Which of them are required depends on grant_type, as noted for each parameter.

resourceServer (optional)
Registered resource server name. If this parameter is present, the authorization server encrypts the access token in the way configured for that resource server.

grant_type (required)
Use 'authorization_code' to exchange an authorization code for a token.
Use 'urn:ietf:params:oauth:grant-type:saml2-bearer' to exchange a SAML 2.0 assertion for an OAuth token (SAML bearer grant).
Use 'password' for the Resource Owner Password Credentials grant.
Use 'refresh_token' to exchange a refresh token for a new access token, and 'client_credentials' for the Client Credentials grant (the standard RFC 6749 values for those grants).

assertion (required for the SAML bearer grant)
A single base64url-encoded SAML 2.0 assertion.

client_id (required)
Client ID of the registered client.

client_secret (optional)
Client secret of the registered client. It is optional for a native application and mandatory for a web application. A secret embedded in a native application is not confidential, so treat such a client as a public client regardless.

code (required for the authorization code grant)
The authorization code received in the authorization code flow.

redirect_uri (required for the authorization code grant)
Must be identical to the redirect_uri sent in the authorization request.

device_id (optional)
ID of the device with which the issued token is to be associated.

refresh_token (required for the refresh token grant)
The refresh token obtained from an earlier authorization code or resource owner password credentials grant.

scope (optional)
Space-separated list of scopes the application requires (encode the space as %20 or +).

acr_values (optional)
Supported only for grant_type=password (Resource Owner Password Credentials grant).
The value must be URI-encoded and must match the Access Manager authentication contract URI exactly. If no acr_values is sent and no global ROPC authentication contracts are configured, only the default authentication contract of the Identity Server is executed.
For more information, see 'Contracts for Resource Owner Credentials Authentication'.
A sample value is '/name/password/uri'.
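The following added example (not part of this documentation, and not Access Manager code) builds the POST body and headers for each grant type listed above, with the per-grant required parameters checked locally and the client secret placed either in the RFC 6749 Basic Authorization header or in the body. The host and port in TOKEN_URL, the client identifiers, the authorization code and the 'username'/'password' parameter names for the ROPC grant (the RFC 6749 names; this page does not list them) are assumptions for illustration.

```python
import base64
import json
import urllib.request
from urllib.parse import quote, urlencode

# Assumed for illustration only: Identity Server host/port of your own deployment.
TOKEN_URL = "https://idp.example.com:8443/nidp/oauth/nam/token"

# Parameters each grant_type needs in addition to grant_type and client_id.
# 'username'/'password' for the ROPC grant are the RFC 6749 names; the table
# above does not list them, so their use here is an assumption.
REQUIRED_BY_GRANT = {
    "authorization_code": ("code", "redirect_uri"),
    "urn:ietf:params:oauth:grant-type:saml2-bearer": ("assertion",),
    "password": ("username", "password"),
    "refresh_token": ("refresh_token",),
    "client_credentials": (),
}


def basic_auth_header(client_id, client_secret):
    """HTTP Basic client authentication as RFC 6749 section 2.3.1 specifies:
    both values are form-urlencoded before 'id:secret' is base64-encoded."""
    raw = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
    return "Basic " + base64.b64encode(raw.encode("utf-8")).decode("ascii")


def saml_assertion_param(assertion_xml):
    """base64url-encode a SAML 2.0 assertion for the 'assertion' parameter.
    RFC 7522 says the '=' padding SHOULD NOT be included; keep it if the
    server rejects the unpadded form."""
    return base64.urlsafe_b64encode(assertion_xml.encode("utf-8")).decode("ascii").rstrip("=")


def build_token_request(grant_type, client_id, client_secret=None, secret_in_header=True, **params):
    """Return (headers, body) for a POST to the token endpoint.

    Per-grant required parameters are checked up front so a missing 'code' or
    'assertion' fails locally instead of as an opaque server error. client_id
    always goes in the body (the endpoint lists it as required); the secret
    goes in the Basic Authorization header or, if secret_in_header is False,
    in the body as client_secret.
    """
    if grant_type not in REQUIRED_BY_GRANT:
        raise ValueError(f"unsupported grant_type {grant_type!r}")
    missing = [p for p in REQUIRED_BY_GRANT[grant_type] if p not in params]
    if missing:
        raise ValueError(f"grant_type {grant_type!r} requires {missing}")
    if "acr_values" in params and grant_type != "password":
        raise ValueError("acr_values is only supported with grant_type=password")
    if isinstance(params.get("scope"), (list, tuple)):
        # Scopes are space separated; urlencode turns the space into '+'.
        params["scope"] = " ".join(params["scope"])

    body = {"grant_type": grant_type, "client_id": client_id, **params}
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if client_secret is not None:
        if secret_in_header:
            headers["Authorization"] = basic_auth_header(client_id, client_secret)
        else:
            body["client_secret"] = client_secret
    return headers, urlencode(body)


def post_token_request(headers, body, url=TOKEN_URL):
    """Send the request to the Identity Server (needs network; not run offline)."""
    req = urllib.request.Request(url, data=body.encode("ascii"), headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status, json.loads(resp.read().decode("utf-8"))


if __name__ == "__main__":
    # Constructed values: the code and redirect_uri are placeholders, not real ones.
    h, b = build_token_request(
        "authorization_code", "my-web-app", "s3cr3t",
        code="SplxlOBeZQQYbYS6WxSbIA", redirect_uri="https://app.example.com/callback",
        scope=["openid", "profile"],
    )
    print(h["Authorization"])
    print(b)
```

For a native client, call build_token_request without client_secret; the body then carries client_id only. For the ROPC grant, pass acr_values as the plain contract URI; urlencode performs the URI encoding the table requires.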

4.4.2 Response Values

The response contains the following values.

token_type (always returned)
The type of the token. The authorization server issues only Bearer tokens.

access_token (always returned)
Access token that the client presents when invoking resource server APIs.

id_token (returned when the scope contains openid)
When the authorization code request included the openid scope, the response contains an ID Token.

NOTE: The resource owner password credentials flow and the client credentials flow do not return an id_token.

scope (optional)
The list of scopes the user has authorized. It can contain all the scopes the client requested or a subset, so the client should compare it with what it requested before assuming it has that access.

state (optional)
If the state parameter was present in the client's authorization request, the same value is returned.
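The following added example (not part of this documentation, and not Access Manager code) validates a token endpoint response against the rules above: an error body or non-200 status is rejected, token_type must be Bearer, the granted scope may not exceed the requested scope, id_token is expected only for the authorization code flow with the openid scope, and an echoed state must match. The sample responses are constructed, not captured from a real Identity Server.

```python
import json

# Constructed sample responses for offline use, not captured from a real server.
SAMPLE_OK = json.dumps({
    "token_type": "Bearer",
    "access_token": "AT-constructed-example",
    "id_token": "ID-constructed-example",
    "scope": "openid profile",
    "state": "af0ifjsldkj",
})
SAMPLE_ERROR = json.dumps({"error": "invalid_grant",
                           "error_description": "authorization code expired"})


class TokenError(Exception):
    """Raised when the response is an error or violates the response rules."""


def parse_token_response(status, body, requested_scope="", grant_type="authorization_code",
                         expected_state=None):
    """Validate a token endpoint response and return the usable parts."""
    try:
        data = json.loads(body)
    except ValueError as exc:
        raise TokenError(f"response is not JSON: {exc}") from exc
    if not isinstance(data, dict):
        raise TokenError("response is not a JSON object")
    if status != 200 or "error" in data:
        code = data.get("error", "http_" + str(status))
        raise TokenError(f"{code}: {data.get('error_description', '')}".rstrip(": "))

    for field in ("token_type", "access_token"):
        if not data.get(field):
            raise TokenError(f"response lacks {field}")
    # token_type is case-insensitive (RFC 6749 section 5.1); only Bearer is issued.
    if data["token_type"].lower() != "bearer":
        raise TokenError(f"unsupported token_type {data['token_type']!r}")

    requested = set(requested_scope.split())
    # An omitted 'scope' means the server granted exactly what was requested.
    granted = set(data["scope"].split()) if "scope" in data else set(requested)
    # The server may narrow the scope but must not widen it beyond the request.
    if requested and granted - requested:
        raise TokenError(f"granted scopes that were never requested: {sorted(granted - requested)}")

    if grant_type in ("password", "client_credentials") and "id_token" in data:
        raise TokenError(f"{grant_type} grant must not return an id_token")
    if grant_type == "authorization_code" and "openid" in requested and "id_token" not in data:
        raise TokenError("openid was requested but no id_token was returned")

    if expected_state is not None and data.get("state") not in (None, expected_state):
        raise TokenError("state does not match the authorization request")

    return {
        "access_token": data["access_token"],
        "id_token": data.get("id_token"),
        "granted": sorted(granted),
        "downgraded": sorted(requested - granted),
    }


if __name__ == "__main__":
    result = parse_token_response(200, SAMPLE_OK, "openid profile email",
                                  "authorization_code", expected_state="af0ifjsldkj")
    print(result)
```

The returned id_token is still an unverified string at this point: an OpenID Connect client must validate its signature, issuer, audience and expiry before trusting any claim in it.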

NOTE: Do not send the Expect: 100-Continue request header when the Identity Server runs as a multi-node cluster; a request carrying it may fail with HTTP 400 Bad Request. curl adds this header on its own for larger POST bodies, so either suppress it with -H 'Expect:' or do not include IDP cookies in the request.