Get Access Token
After the user logs in successfully, call the get token Access Token endpoint. This step is consistent with the OAuth2 protocol. In addition to the parameters specified by OAuth2, the Token Endpoint response also includes an additional id_token field. User information is encapsulated in the id token in JWT format.
Request Description
Callback address does not match actual configuration
http
POST https://{your_domain}/api/v1/oauth2/tokenRequest Headers
| Parameter | Name | Required | Example | Description |
|---|---|---|---|---|
| Authorization | Authentication info | Required | Basic UnFCMkhKdNOWk9xWA== | Use client_id and client_secret for Base64 authentication. Format: base64(client_id:client_secret) |
| Content-Type | Data type | Required | application/x-www-form-urlencoded | Submit parameters using form data. |
Request Example
http
POST https://{your_domain}/api/v1/oauth2/tokenAuthorization: Basic UnFCMkhKdGt6bFU...aT0NObkk4NlNOWk9xWA==
Content-Type: application/x-www-form-urlencoded
grant_type=authorization_code&code=stRWlW&redirect_uri=http://oidcdemo.bccastle.com/demo/index.jsp
Request Parameters
| Parameter | Name | Required | Example | Description |
|---|---|---|---|---|
| grant_type | Authorization type | Required | authorization_code | Fixed value: authorization_code. |
| code | Authorization code | Required | stRWlW | Authorization code returned in the previous step. After the user logs in successfully, they are redirected to the specified callback address, and the URL contains the Authorization Code. Note: this code expires in 5 minutes. |
| redirect_uri | Callback address | Optional | http://oidcdemo.bccastle.com /demo/index.jsp | Must be consistent with the redirect_uri passed in the previous step. |
Response Example
Success response example
json
HTTP Status: 200 OK
{
"access_token": "Z43T3KWH9lgPRHP8CmnPmC1hU5lyJNw9es8bruLXRmsXaA",
"token_type": "Bearer",
"refresh_token": "WEAFOmOJ-A4LOhF_I39DvJuqxP0o7YznzDQ2adn5yXkFlFA",
"expires_in": 7199,
"scope": "openid",
"id_token": "eyJraWQVlMiIsImFsZOiJodHRwczovL21o...8oEoRsydhg"
}Incorrect redirect_uri parameter
json
HTTP Status: 400 BAD REQUEST
{
"error": "invalid_grant",
"error_description": "Invalid redirect: [xxx] (xx) does not match one of the registered values."
}Error response example
json
HTTP Status: 400 BAD REQUEST
{
"error": "invalid_grant",
"error_description": "Invalid authorization code: a2W0B8Q"
}Application credentials error
json
HTTP Status: 401 Unauthorized
{
"error": "invalid_client",
"error_description": "Bad client credentials"
}Response Parameters
If successful, the Access Token can be obtained from the response.
| Parameter | Name | Required | Example | Description |
|---|---|---|---|---|
| access_token | Authorization token | Required | NObiKQS-cn8AWnZyIMkOvBgHIo8 | Authorization token returned by the authorization server to the third-party application. |
| expires_in | Access token validity period | Required | 7199 | Validity period of the access ticket returned by the authorization server to the application. Note: the validity period is in seconds. |
| refresh_token | Refresh token | Optional | wuGzSMMTjb4YhRUOjXHj-t-QD84 | Not returned by default. |
| token_type | Token type | Required | Bearer | |
| scope | Authorization scope | Required | openid | |
| id_token | User token | Required | eyJhbGciOiJSUzI1NiIsImtp.... | User information encapsulated in jwt format |