Skip to content

Get Access Token

After the user logs in successfully, call the get token Access Token endpoint. This step is consistent with the OAuth2 protocol. In addition to the parameters specified by OAuth2, the Token Endpoint response also includes an additional id_token field. User information is encapsulated in the id token in JWT format.

Request Description

Callback address does not match actual configuration

http
POST https://{your_domain}/api/v1/oauth2/token

Request Headers

ParameterNameRequiredExampleDescription
AuthorizationAuthentication infoRequiredBasic UnFCMkhKdNOWk9xWA==Use client_id and client_secret for Base64 authentication.
Format: base64(client_id:client_secret)
Content-TypeData typeRequiredapplication/x-www-form-urlencodedSubmit parameters using form data.

Request Example

http
POST https://{your_domain}/api/v1/oauth2/token

Authorization: Basic UnFCMkhKdGt6bFU...aT0NObkk4NlNOWk9xWA==

Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code&code=stRWlW&redirect_uri=http://oidcdemo.bccastle.com/demo/index.jsp

Request Parameters

ParameterNameRequiredExampleDescription
grant_typeAuthorization typeRequiredauthorization_codeFixed value: authorization_code.
codeAuthorization codeRequiredstRWlWAuthorization code returned in the previous step.
After the user logs in successfully, they are redirected to the specified callback address,
and the URL contains the Authorization Code.
Note: this code expires in 5 minutes.
redirect_uriCallback addressOptionalhttp://oidcdemo.bccastle.com
/demo/index.jsp
Must be consistent with the redirect_uri passed in the previous step.

Response Example

Success response example

json
HTTP Status: 200 OK
{    
    "access_token": "Z43T3KWH9lgPRHP8CmnPmC1hU5lyJNw9es8bruLXRmsXaA",
    "token_type": "Bearer",    
    "refresh_token": "WEAFOmOJ-A4LOhF_I39DvJuqxP0o7YznzDQ2adn5yXkFlFA",
    "expires_in": 7199,    
    "scope": "openid",    
    "id_token": "eyJraWQVlMiIsImFsZOiJodHRwczovL21o...8oEoRsydhg" 
}

Incorrect redirect_uri parameter

json
HTTP Status: 400 BAD REQUEST 
{    
    "error": "invalid_grant",    
    "error_description": "Invalid redirect: [xxx] (xx) does not match one of the registered values." 
}

Error response example

json
HTTP Status: 400 BAD REQUEST 
{
    "error": "invalid_grant",
    "error_description": "Invalid authorization code: a2W0B8Q"
}

Application credentials error

json
HTTP Status: 401 Unauthorized
{
	"error": "invalid_client",
    "error_description": "Bad client credentials"
}

Response Parameters

If successful, the Access Token can be obtained from the response.

ParameterNameRequiredExampleDescription
access_tokenAuthorization tokenRequiredNObiKQS-cn8AWnZyIMkOvBgHIo8Authorization token returned by the authorization server to the third-party application.
expires_inAccess token validity periodRequired7199Validity period of the access ticket returned by the authorization server to the application. Note: the validity period is in seconds.
refresh_tokenRefresh tokenOptionalwuGzSMMTjb4YhRUOjXHj-t-QD84Not returned by default.
token_typeToken typeRequiredBearer
scopeAuthorization scopeRequiredopenid
id_tokenUser tokenRequiredeyJhbGciOiJSUzI1NiIsImtp....User information encapsulated in jwt format

BambooCloud IDaaS Open Platform