
Access Token Endpoint

The access token endpoint is used by the client to request access tokens. All clients have to be registered using the Management API before an access token can be requested; token requests from unregistered clients are rejected. See the Client Registration section above for more information.

Every registered client will have a client_id and client_secret assigned by the Authorization Server and the access token can only be requested using this set of client credentials.

The access token can be requested using the Access Token URI that was configured using the access-token-uri parameter.

Example - Access Token URI

If the access-token-uri parameter value was configured to /token, the access token endpoint would be:

http(s)://hostname:port/token

The client can request the access token at the access token endpoint by following the steps below:

  • Set the "client_id" and "client_secret" as username and password respectively in the HTTP Basic Authentication header.
  • Set the "grant_type" parameter using the "application/x-www-form-urlencoded" format in the HTTP request entity-body. The value MUST be set to "client_credentials".
  • If the client doesn't support HTTP Basic Authentication, the "client_id" and "client_secret" can instead be sent in the "application/x-www-form-urlencoded" format in the HTTP request entity-body, using the "client_id" and "client_secret" parameter names respectively.
Example - Using HTTP Basic Authentication header

HTTP access token request specifying client_id and client_secret in the HTTP Basic Authentication header:

POST /token HTTP/1.1
Host: oauth2.server.com
Authorization: Basic WUN1SVBZVmEwR3J5ZWJwem5pQVpVNVZHcXllX2R4QkdkY1hJOk9meTEtUWZPM3lyRllkazNkajFwbU0zMEdLVnJlOVE2Yk1rNlY3WUlSbXFHSHdhaWpR
Content-Type: application/x-www-form-urlencoded

grant_type=client_credentials



Example - Using application/x-www-form-urlencoded in the HTTP request entity-body

HTTP access token request specifying client_id and client_secret in the application/x-www-form-urlencoded format in the HTTP request entity-body:

POST /token HTTP/1.1
Host: oauth2.server.com
Content-Type: application/x-www-form-urlencoded

grant_type=client_credentials
client_id=YCuIPYVa0GryebpzniAZU5VGqye_dxBGdcXI
client_secret=Ofy1-QfO3yrFYdk3dj1pmM30GKVre9Q6bMk6V7YIRmqGHwaijQ
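The two request variants above, built and parsed from the client side. This is an added example, not code from the original page or from the product it documents: basic_auth_header, build_token_request and parse_token_response are names chosen here, and the client_id and client_secret values are the page's own sample credentials, so the Authorization value produced for them is the one shown in the Basic Authentication example. The response validation only checks the three parameters the page lists (access_token, token_type, expires_in).

```python
import base64
import json
from urllib.parse import quote, urlencode

# Sample client credentials: the values used in the page's own request examples.
CLIENT_ID = "YCuIPYVa0GryebpzniAZU5VGqye_dxBGdcXI"
CLIENT_SECRET = "Ofy1-QfO3yrFYdk3dj1pmM30GKVre9Q6bMk6V7YIRmqGHwaijQ"


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """Build the HTTP Basic Authorization value used for client authentication.

    RFC 6749 section 2.3.1 form-urlencodes client_id and client_secret before
    joining them with ':' and base64-encoding the result. For identifiers made
    only of unreserved characters (as in the page's examples) the encoding step
    changes nothing.
    """
    credentials = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
    return "Basic " + base64.b64encode(credentials.encode("ascii")).decode("ascii")


def build_token_request(client_id: str, client_secret: str, use_basic_auth: bool = True):
    """Return (headers, body) for a client_credentials access token request.

    With use_basic_auth=True the credentials travel in the Authorization header
    and the body carries only grant_type; otherwise they are sent as form fields.
    The credentials are never placed in both locations at once.
    """
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    fields = {"grant_type": "client_credentials"}
    if use_basic_auth:
        headers["Authorization"] = basic_auth_header(client_id, client_secret)
    else:
        fields["client_id"] = client_id
        fields["client_secret"] = client_secret
    return headers, urlencode(fields)


class TokenRequestError(Exception):
    """Raised for a non-200 token response; carries the server's error code."""

    def __init__(self, error: str, error_description: str = ""):
        super().__init__(f"{error}: {error_description}")
        self.error = error
        self.error_description = error_description


def parse_token_response(status_code: int, body: str) -> dict:
    """Validate an access token response and return its three parameters.

    A 200 response must carry access_token, token_type "Bearer" and a positive
    integer expires_in; any other status is mapped to TokenRequestError using
    the error / error_description fields of the JSON body.
    """
    payload = json.loads(body)
    if status_code != 200:
        raise TokenRequestError(payload.get("error", "unknown_error"),
                                payload.get("error_description", ""))
    for key in ("access_token", "token_type", "expires_in"):
        if key not in payload:
            raise ValueError(f"token response is missing {key}")
    if payload["token_type"].lower() != "bearer":
        raise ValueError(f"unexpected token_type {payload['token_type']!r}")
    if not isinstance(payload["expires_in"], int) or payload["expires_in"] <= 0:
        raise ValueError("expires_in must be a positive integer")
    return {k: payload[k] for k in ("access_token", "token_type", "expires_in")}


if __name__ == "__main__":
    headers, body = build_token_request(CLIENT_ID, CLIENT_SECRET)
    print(headers["Authorization"])
    print(body)
    # Constructed sample response with the shape shown on the page.
    sample = json.dumps({"access_token": "x.y.z", "token_type": "Bearer", "expires_in": 1800})
    print(parse_token_response(200, sample))
```

Only one of the two credential placements is used per request; the form-body variant is there for clients that cannot set an Authorization header, and a client should log the error code from a 400 response but never the secret it sent.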



The access token response will contain the following parameters in the entity-body of the HTTP response with a 200 (OK) status code:

Parameter       Description
access_token    The access token issued by the Authorization Server
token_type      Value will always be Bearer
expires_in      The lifetime (in seconds) of the access token


Example - HTTP access token response

HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: 572

{
"access_token":"eyJraWQiOiJqd3QiLCJhbGciOiJSUzI1NiJ9.eyJhdWQiOiJSaWVsbGUgQXBwIiwic2NvcGUiOiJzY29wZTEgc2NvcGUzIiwiaXNzIjoiZGlnaXRhbHJvdXRlIiwiZXhwIjoxNTIwMjY4MTk2LCJpYXQiOjE1MjAyNjYzOTZ9.fInkdt_Fe4QQ-gAgI7CszIMkru61aec6OYxQsotkydh5xVczJsaJ-QkAfPtJ0tTVkAYeJZYmVEi_aApY8HNJMrZgvS07S8PnBOwsPUAPAHTDVU3u3c9zqhVzV5233rcoMdiUK61Qa7MoreE_4BwxjYMbek08DscwPWRZ-3V1r49PZ5i2MI5kfj4LdNTcuJZZ62-oILupdvVCiGTt9poGZqZdktEkgKANXPhxp1oQ-w1LD9uhmsRWP_6Cd4R1ky1HJxEocbDtx0uf068De4v1rxH2myaz7faZBexeQEUHjiDLxomnBnQENTfxTEVIj7WLqenAzPIkAOC_KvVv5EaJJg",
"token_type":"Bearer",
"expires_in":1800
}



In the event of an error when requesting an access token, the Authorization Server will respond with an HTTP 400 (Bad Request) status code unless specified otherwise. The response will include the following parameters:

Parameter          Description
error              A single ASCII [USASCII] error code, one of:
                     • invalid_client
                     • unsupported_grant_type
error_description  Human-readable ASCII [USASCII] text providing additional information, used to assist the client developer in understanding the error that occurred.


Example - HTTP access token error response

HTTP/1.1 400 Bad Request
Content-Type: application/json
Content-Length: 64

{"error":"invalid_client","error_description":"Unknown client"}
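The server side of the same exchange: a minimal token endpoint handler that authenticates the client from either the Basic header or the form body, checks the grant type, and produces the 200 response or the two 400 error codes listed above. This is an added example, not the product's own implementation: REGISTERED_CLIENTS is a constructed in-memory stand-in for clients registered through the Management API (seeded with the page's sample credentials), and the issued token is an opaque random string rather than the signed JWT shown in the page's response example.

```python
import base64
import hmac
import json
import secrets
from urllib.parse import parse_qs, unquote

# Constructed registry standing in for clients registered via the Management
# API; the one entry uses the sample client_id / client_secret from the page.
REGISTERED_CLIENTS = {
    "YCuIPYVa0GryebpzniAZU5VGqye_dxBGdcXI":
        "Ofy1-QfO3yrFYdk3dj1pmM30GKVre9Q6bMk6V7YIRmqGHwaijQ",
}
TOKEN_LIFETIME_SECONDS = 1800
# Compared against when the client_id is unknown, so the secret comparison
# takes the same time whether or not the id exists.
_DUMMY_SECRET = "x" * 50


def error_response(code: str, description: str):
    """Shape of every error: HTTP 400 with error / error_description JSON."""
    return 400, {"error": code, "error_description": description}


def extract_client_credentials(headers: dict, form: dict):
    """Return (client_id, client_secret) from the Basic header or the form body.

    The Authorization header wins when present; a malformed Basic value yields
    None rather than falling back to the form fields.
    """
    auth = headers.get("Authorization", "")
    if auth.startswith("Basic "):
        try:
            decoded = base64.b64decode(auth[len("Basic "):], validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            return None
        client_id, _, client_secret = decoded.partition(":")
        return unquote(client_id), unquote(client_secret)
    if "client_id" in form and "client_secret" in form:
        return form["client_id"][0], form["client_secret"][0]
    return None


def handle_token_request(headers: dict, body: str):
    """Process one client_credentials token request; returns (status, JSON dict)."""
    form = parse_qs(body, keep_blank_values=True)
    creds = extract_client_credentials(headers, form)
    if creds is None:
        return error_response("invalid_client", "Client authentication required")
    client_id, client_secret = creds
    # Constant-time secret check, then the id check; an unknown id and a wrong
    # secret both produce the page's "Unknown client" error so the response
    # does not reveal which half of the credential pair failed.
    expected = REGISTERED_CLIENTS.get(client_id, _DUMMY_SECRET)
    secret_ok = hmac.compare_digest(expected.encode(), client_secret.encode())
    if not (secret_ok and client_id in REGISTERED_CLIENTS):
        return error_response("invalid_client", "Unknown client")
    grant_type = form.get("grant_type", [""])[0]
    if grant_type != "client_credentials":
        return error_response("unsupported_grant_type",
                              f"Grant type {grant_type!r} is not supported")
    # Simplified issuance: an opaque random token with the page's lifetime.
    return 200, {
        "access_token": secrets.token_urlsafe(32),
        "token_type": "Bearer",
        "expires_in": TOKEN_LIFETIME_SECONDS,
    }


if __name__ == "__main__":
    hdr = {"Authorization": "Basic " + base64.b64encode(
        b"YCuIPYVa0GryebpzniAZU5VGqye_dxBGdcXI:Ofy1-QfO3yrFYdk3dj1pmM30GKVre9Q6bMk6V7YIRmqGHwaijQ"
    ).decode()}
    print(json.dumps(handle_token_request(hdr, "grant_type=client_credentials")[1]))
    print(json.dumps(handle_token_request({}, "grant_type=client_credentials&client_id=nobody&client_secret=x")[1]))
```

The handler authenticates the client before it looks at grant_type, so an unregistered caller learns nothing about which grant types the endpoint supports, and the registry lookup plus constant-time compare keeps the error identical for an unknown client_id and a wrong client_secret.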
