Skip to content

Get PKCE Access Token

After the user logs in successfully, obtain the access token Access Token. The difference from OAuth2 is that the client-generated verification code code_verifier needs to be passed. The Token Endpoint will return the corresponding token. In addition to the data specified by OAuth2, an additional id_token field will be included.

Request Description

http
POST https://{your_domain}/api/v1/oauth2/token

Request Headers

ParameterNameRequiredExampleDescription
Content-TypeData typeRequiredapplication/x-www-form-urlencodedSubmit parameters using form data.

Request Example

http
POST https://{your_domain}/api/v1/oauth2/token

Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code&client_id=RqB2HJt9N676qA&code=stRWlW&code_verifier=lw22ZEI0JwNflL4sjEISwk8&redirect_uri=
http://oidcdemo.bccastle.com/demo/index.jsp

Request Parameters

ParameterNameRequiredExampleDescription
grant_typeAuthorization typeRequiredauthorization_codeFixed value: authorization_code.
codeAuthorization codeRequiredstRWlWAuthorization code returned in the previous step. If the user logs in successfully, they will be redirected to the specified callback address, and the URL will contain the Authorization Code. Note: this code expires in 5 minutes.
redirect_uriCallback addressOptionalhttp://oidcdemo.bccastle.com
/demo/index.jsp
Must be consistent with the redirect_uri passed in the previous step.
code_verifierPKCE verifierRequiredlw22ZEINflL4sjEISwk8The application randomly generates a string of 43-128 characters and URL-Safe Base64 encodes it as the code_verifier. The string is then SHA256 hashed and URL-Safe Base64 encoded as the code_challenge.
client_idApplication client_idRequiredRqB2HJt9N676qAclient_id passed when the application requests authorization.

Response Example

Success response example

json
HTTP Status: 200 OK
{
	"access_token": "Z43T3KWH9lecmy3H1IaCI...XRmsXaA",
	"token_type": "Bearer",
	"refresh_token": "WEAFOmOJ-A4LOhF_I39DvJuqxP0...XkFlFA",
	"expires_in": 7199,
	"scope": "openid"
}

Client ID not found

json
HTTP Status: 400 BAD REQUEST
{ 		
    "error": "invalid_grant",		
    "error_description": "Client ID mismatch"
}

Response Parameters

If successful, the Access Token can be obtained from the response.

ParameterNameRequiredExampleDescription
access_tokenAuthorization tokenRequiredcn8AWnZyIMkOvBgHIo8Authorization token returned by the authorization server to the third-party application.
expires_inAccess token validity periodRequired7199Validity period of the access ticket returned by the authorization server to the application. Note: the validity period is in seconds.
refresh_tokenRefresh tokenwuGzSMMTjb4YhRUOjXH
token_typeToken typeRequiredBearer
scopeAuthorization scopeRequiredget_user_info

BambooCloud IDaaS Open Platform