The Token endpoint is used directly by the client without involving the browser. Hence, it is possible to get an access token offline when the user is not connected via a browser. This endpoint can issue an access token when the client provides either a valid authorization code, SAML2 bearer profile for authorization grant flow, resource owner credentials, or client credentials.
Endpoint URL: https://<Identity Server URL: Port Number>/nidp/oauth/nam/token
Request method: POST
NOTE:The authentication is done by using client_id and client_secret in the request body parameters (as mentioned in the preceding curl request), or send client credentials in the basic authorization header (as mentioned in RFC 6749).
The token request must have the following parameters:
|
Parameter |
Required |
Description |
|---|---|---|
|
resourceServer |
No |
Registered resource server name. If this parameter is present, the authorization server will use the respective configured way to encrypt the access token. |
|
grant_type |
Yes |
Use 'authorization_code' for authorization code exchange for a token. Use 'urn:ietf:params:oauth:grant-type:saml2-bearer' as value to exchange SAML token for OAuth token (SAML bearer grant) Use 'password' for Resource Owner Password Credential grant. |
|
assertion |
Yes |
(For SAML bearer grant) A single base64url encoded SAML2.0 Assertion as value for this parameter. |
|
client_id |
Yes |
Client ID of the registered client. |
|
client_secret |
Optional |
Client Secret of the registered client. It is optional for a native application and mandatory for a web application. |
|
code |
Yes |
Code received in the Authorization code flow. |
|
redirect_uri |
Yes |
This should be the same as the one sent during the authorization code request. |
|
device_id |
Optional |
Specify the device ID that token to be associated with the device. |
|
refresh_token |
Yes |
refresh_token that is obtained during authorization grant, resource owner credentials. |
|
scope |
Optional |
List of scopes the application requires. Scope values should be separated using space (%20 or +). |
|
acr_values |
Optional |
This parameter is supported only for grant_type=password (Resource Owner Password Credentials Grant). The value of acr_values should be URI encoded and must match exactly with the Access Manager Authentication contract URI. If no acr_values and no global ROPC authentication contracts are configured, then only the default authentication contract of Identity Server is executed. For more information, see the ‘Contracts for Resource Owner Credentials Authentication’. Sample value can be '/name/password/uri'. |
|
Parameter |
Required |
Description |
|---|---|---|
|
token_type |
Yes |
The type of the token. Authorization server supports only Bearer type. |
|
access_token |
Yes |
Access token that can be used to invoke resource server APIs. |
|
id_token |
Optional if scope contains "OpenID" |
When invoking authorization code request, if the client has sent OpenID, this response object will contain an ID Token. NOTE:The resource owner credential flow and client credential flow does not return id_token. |
|
scope |
Optional |
The list of scopes that user has authorized. This can contain all the scopes the client requested or lesser. |
|
state |
Optional |
if the "state" parameter was present in the client authorization request, the same state value sends in response. |
NOTE:Ensure to not use the Expect: 100-Continue header in the request when using a multi-node Identity Server cluster setup. If the request contains this header, you may experience HTTP 400 Bad Request. If you are using CURL, use "-H 'Expect:'" or do not include IDP cookies.