Get PKCE Access Token
After the user logs in successfully, obtain the access token Access Token. The difference from OAuth2 is that the client-generated verification code code_verifier needs to be passed. The Token Endpoint will return the corresponding token. In addition to the data specified by OAuth2, an additional id_token field will be included.
Request Description
http
POST https://{your_domain}/api/v1/oauth2/tokenRequest Headers
| Parameter | Name | Required | Example | Description |
|---|---|---|---|---|
| Content-Type | Data type | Required | application/x-www-form-urlencoded | Submit parameters using form data. |
Request Example
http
POST https://{your_domain}/api/v1/oauth2/tokenContent-Type: application/x-www-form-urlencoded
grant_type=authorization_code&client_id=RqB2HJt9N676qA&code=stRWlW&code_verifier=lw22ZEI0JwNflL4sjEISwk8&redirect_uri=
http://oidcdemo.bccastle.com/demo/index.jsp
Request Parameters
| Parameter | Name | Required | Example | Description |
|---|---|---|---|---|
| grant_type | Authorization type | Required | authorization_code | Fixed value: authorization_code. |
| code | Authorization code | Required | stRWlW | Authorization code returned in the previous step. If the user logs in successfully, they will be redirected to the specified callback address, and the URL will contain the Authorization Code. Note: this code expires in 5 minutes. |
| redirect_uri | Callback address | Optional | http://oidcdemo.bccastle.com /demo/index.jsp | Must be consistent with the redirect_uri passed in the previous step. |
| code_verifier | PKCE verifier | Required | lw22ZEINflL4sjEISwk8 | The application randomly generates a string of 43-128 characters and URL-Safe Base64 encodes it as the code_verifier. The string is then SHA256 hashed and URL-Safe Base64 encoded as the code_challenge. |
| client_id | Application client_id | Required | RqB2HJt9N676qA | client_id passed when the application requests authorization. |
Response Example
Success response example
json
HTTP Status: 200 OK
{
"access_token": "Z43T3KWH9lecmy3H1IaCI...XRmsXaA",
"token_type": "Bearer",
"refresh_token": "WEAFOmOJ-A4LOhF_I39DvJuqxP0...XkFlFA",
"expires_in": 7199,
"scope": "openid"
}Client ID not found
json
HTTP Status: 400 BAD REQUEST
{
"error": "invalid_grant",
"error_description": "Client ID mismatch"
}Response Parameters
If successful, the Access Token can be obtained from the response.
| Parameter | Name | Required | Example | Description |
|---|---|---|---|---|
| access_token | Authorization token | Required | cn8AWnZyIMkOvBgHIo8 | Authorization token returned by the authorization server to the third-party application. |
| expires_in | Access token validity period | Required | 7199 | Validity period of the access ticket returned by the authorization server to the application. Note: the validity period is in seconds. |
| refresh_token | Refresh token | wuGzSMMTjb4YhRUOjXH | ||
| token_type | Token type | Required | Bearer | |
| scope | Authorization scope | Required | get_user_info |