To obtain an OpenID Access Token, an ID Token, and optionally a Refresh Token when using the Authorization Code Flow, the Relying Party (RP) client sends a Token Request to this Token Endpoint and obtains a Token Response, as described in Section 3.2 of OAuth 2.0 RFC6749.
This access token resource is provided for third-party applications that wish to authenticate Key Bridge users for their own online services. Such applications must use the Authorization Code Flow and the Key Bridge OpenID service. See OAuth 2.0 RFC6749 Section 4.1 for details.
Authorization Code Flow
+----------+
| Resource |
|   Owner  |  (Your online service)
|          |
+----------+
     ^
     |
    (B)
+----|-----+          Client Identifier      +---------------+
|         -+----(A)-- & Redirection URI ---->|               |
|  User-   |                                 | Authorization |
|  Agent  -+----(B)-- User authenticates --->|     Server    |
|          |                                 |               |
|(Browser)-+----(C)-- Authorization Code ---<| (This server) |
+-|----|---+                                 +---------------+
  |    |                                         ^      v
 (A)  (C)                                        |      |
  |    |                                         |      |
  ^    v                                         |      |
+---------+                                      |      |
|         |>---(D)-- Authorization Code ---------'      |
|  Client |          & Redirection URI                  |
|         |                                             |
|(Your RP)|<---(E)----- Access Token -------------------'
+---------+       (w/ Optional Refresh Token)
Note: The lines illustrating steps (A), (B), and (C) are broken into two parts as they pass through the user-agent.
Request and response
A Client makes a Token Request by presenting its Authorization Grant (in the form of an Authorization Code) to the Token Endpoint using the grant_type value authorization_code, as described in OAuth 2.0 RFC6749 Section 4.1.3. The following is a non-normative example of a Token Request (with line wraps within values for display purposes only):
POST /token HTTP/1.1
Host: server.example.com
Content-Type: application/x-www-form-urlencoded
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW

grant_type=authorization_code
&code=SplxlOBeZQQYbYS6WxSbIA
&redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb
After receiving and validating a valid and authorized Token Request from the Client, the Authorization Server returns a successful response that includes an ID Token and an Access Token. The parameters in the successful response are defined in OAuth 2.0 RFC6749 Section 4.1.4. The response uses the application/json media type.
The following is a non-normative example of a successful Token Response.
HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-store
Pragma: no-cache
{
"access_token": "SlAV32hkKG",
"token_type": "Bearer",
"refresh_token": "8xLOxBtZp8",
"expires_in": 3600,
"id_token": "eyJhbGciOiJSUzI1NiIsImtpZCI6IjFlOWdkazcifQ.ewogImlzc
yI6ICJodHRwOi8vc2VydmVyLmV4YW1wbGUuY29tIiwKICJzdWIiOiAiMjQ4Mjg5
NzYxMDAxIiwKICJhdWQiOiAiczZCaGRSa3F0MyIsCiAibm9uY2UiOiAibi0wUzZ
fV3pBMk1qIiwKICJleHAiOiAxMzExMjgxOTcwLAogImlhdCI6IDEzMTEyODA5Nz
AKfQ.ggW8hZ1EuVLuxNuuIJKX_V8a_OMXzR0EHR9R6jgdqrOOF4daGU96Sr_P6q
Jp6IcmD3HP99Obi1PRs-cwh3LO-p146waJ8IhehcwL7F09JdijmBqkvPeB2T9CJ
NqeGpe-gccMg4vfKjkM8FcGvnzZUN4_KSP0aAp1tOJ1zZwgjxqGByKHiOtX7Tpd
QyHE5lcMiKPXfEIQILVq0pc_E2DzL7emopWoaoZTF_m0_N0YzFC6g6EJbOEoRoS
K5hoDalrcvRYLSrQAZZKflyuVCyixEoV9GfNQC3_osjzw2PAithfubEEBLuVVk4
XUVrWOLrLl0nx7RkKU8NXNHq-rvKMzqg"
}
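As an added example (not code from the page or from Key Bridge), the following Python builds the Token Request shown above from the client credentials and applies the checks a Relying Party should make on the Token Response before trusting it. The client_id/client_secret pair behind the Basic header and the redirect_uri are the OpenID Connect Core example values and are assumed here.

```python
import base64
import json
from urllib.parse import urlencode

# Client credentials behind the "Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW" header
# above: the OpenID Connect Core example client, assumed here (not Key Bridge values).
CLIENT_ID, CLIENT_SECRET = "s6BhdRkqt3", "gX1fBat3bV"
REDIRECT_URI = "https://client.example.org/cb"

# The page's successful Token Response, with the id_token line wraps removed.
SAMPLE_TOKEN_RESPONSE = {
    "access_token": "SlAV32hkKG", "token_type": "Bearer",
    "refresh_token": "8xLOxBtZp8", "expires_in": 3600,
    "id_token": "eyJhbGciOiJSUzI1NiIsImtpZCI6IjFlOWdkazcifQ."
    "ewogImlzcyI6ICJodHRwOi8vc2VydmVyLmV4YW1wbGUuY29tIiwKICJzdWIiOiAiMjQ4Mjg5NzYxMDAxIiwK"
    "ICJhdWQiOiAiczZCaGRSa3F0MyIsCiAibm9uY2UiOiAibi0wUzZfV3pBMk1qIiwKICJleHAiOiAxMzExMjgx"
    "OTcwLAogImlhdCI6IDEzMTEyODA5NzAKfQ."
    "ggW8hZ1EuVLuxNuuIJKX_V8a_OMXzR0EHR9R6jgdqrOOF4daGU96Sr_P6qJp6IcmD3HP99Obi1PRs-cwh3LO"
    "-p146waJ8IhehcwL7F09JdijmBqkvPeB2T9CJNqeGpe-gccMg4vfKjkM8FcGvnzZUN4_KSP0aAp1tOJ1zZwg"
    "jxqGByKHiOtX7TpdQyHE5lcMiKPXfEIQILVq0pc_E2DzL7emopWoaoZTF_m0_N0YzFC6g6EJbOEoRoSK5ho"
    "DalrcvRYLSrQAZZKflyuVCyixEoV9GfNQC3_osjzw2PAithfubEEBLuVVk4XUVrWOLrLl0nx7RkKU8NXNHq-rvKMzqg",
}

def build_token_request(code: str) -> dict:
    """Headers and urlencoded body of the Token Request shown above: HTTP Basic client
    authentication plus the redirect_uri from the Authorization Request (code binding)."""
    creds = base64.b64encode(f"{CLIENT_ID}:{CLIENT_SECRET}".encode()).decode()
    headers = {"Content-Type": "application/x-www-form-urlencoded",
               "Authorization": f"Basic {creds}"}
    body = urlencode({"grant_type": "authorization_code", "code": code,
                      "redirect_uri": REDIRECT_URI})
    return {"headers": headers, "body": body}

def validate_token_response(resp: dict, expected_nonce: str, now: int) -> dict:
    """RP-side checks on a Token Response; returns the ID Token claims on success.
    Checks token_type, that aud names this client, that nonce matches the value sent in the
    Authorization Request (replay defence) and that exp is in the future. Signature checking
    with the key named by the header's kid is also required; omitted here (key not on page)."""
    if resp.get("token_type", "").lower() != "bearer":
        raise ValueError("unexpected token_type")
    seg = resp["id_token"].split(".")[1]  # JWT payload: base64url, no padding
    claims = json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))
    aud = claims["aud"] if isinstance(claims["aud"], list) else [claims["aud"]]
    if CLIENT_ID not in aud:
        raise ValueError("ID Token aud does not include client_id")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")
    if claims["exp"] <= now:
        raise ValueError("ID Token expired")
    return claims
```

The sample ID Token's exp is 1311281970, so validate_token_response only succeeds when called with a now value before that instant; a real RP passes the current Unix time.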
Error response
If the Token Request is invalid or unauthorized, the Authorization Server constructs an error response. The parameters of the Token Error Response are defined in OAuth 2.0 RFC6749 Section 4.5.2. The HTTP response body uses the application/json media type, and the HTTP response code is 400.
The following is a non-normative example Token Error Response:
HTTP/1.1 400 Bad Request
Content-Type: application/json
Cache-Control: no-store
Pragma: no-cache
{ "error": "invalid_request" }
API resources
Makes a Token Request by presenting the End User Authorization Grant (in the form of an Authorization Code).
Headers and URI pattern
Authorization | string | HEADER | Basic authorization header encoding the |
Response | application/json | On success: a new OAuth Token Response containing an access token. On error: an error message and description. |