Oracle Cloud Infrastructure Documentation

Token Exchange Grant Type Two-Legged Authorization Flow Example

Use the following examples to create your Token Exchange grant type requests.

Each of these examples requires a signed request. To learn how to create signature header requests, see Request Signatures.

Request Example: Exchange an API Key for an Identity Domain Access Token

Use the API Key of a User to make a signed request to obtain an access token for the user who owns that API Key.
   curl  -X POST -sS https://<domainURL>/oauth2/v1/token -i 
   -H 'date: Mon, 20 Nov 2023 00:32:02 GMT' 
   -H 'x-content-sha256: 5AfZSV0021K+QUDAdfV7g4wwqBsF2rgVOQWRMIrTa9Q=' 
   -H 'content-type: application/x-www-form-urlencoded;charset=utf-8' 
   -H 'content-length: 185' 
   -H 'Authorization: Signature version="1",keyId="<key-id>",algorithm="rsa-sha256",headers="(request-target) date host x-content-sha256 content-type content-length",signature="<signature>"' 
   -d 'grant_type=urn:ietf:params:oauth:grant-type:token-exchange&scope=http://www.ocisampleservice.com/resume&requested_token_type=urn:ietf:params:oauth:token-type:access_token'

Request Example: Exchange a User Principal for an Identity Domain Access Token

Use a User Principal to make a signed request to obtain an access token for that user.
   curl  -X POST -sS https://<domainURL>/oauth2/v1/token -i 
   -H 'date: Mon, 20 Nov 2023 23:51:18 GMT' 
   -H 'x-content-sha256: n0NyZzoYSrKNC6r6f3mrNxYCtZOuG1zK2TY/r+N676Y=' 
   -H 'content-type: application/x-www-form-urlencoded;charset=utf-8' 
   -H 'content-length: 163' 
   -H 'Authorization: Signature version="1",keyId="<key-id>",algorithm="rsa-sha256",headers="(request-target) date host x-content-sha256 content-type content-length",signature="<signature>"' 
   -d 'grant_type=urn:ietf:params:oauth:grant-type:token-exchange&scope=http://www.ocisampleservice.com/resume&requested_token_type=urn:ietf:params:oauth:token-type:access_token'
The following additional scopes can also be used:
  • offline_access
  • urn:opc:resource:consumer:tokengenerator:appid::<appId>
  • urn:opc:resource:consumer:<scopeExtension>::<scopeQualifier>
The following is request example using the offline_access scope.
   curl  -X POST -sS https://<domainURL>/oauth2/v1/token -i 
   -H 'date: Mon, 20 Nov 2023 18:58:49 GMT' 
   -H 'x-content-sha256: 7zRa1qI4iIQouzn2TCTisZKi1CSoXRDe1pUJ58IFyVk=' 
   -H 'content-type: application/x-www-form-urlencoded;charset=utf-8' 
   -H 'content-length: 284' 
   -H 'Authorization: Signature version="1",keyId="<key-id>",algorithm="rsa-sha256",headers="(request-target) date host x-content-sha256 content-type content-length",signature="<signature>"' 
   -d 'grant_type=urn:ietf:params:oauth:grant-type:token-exchange&client_id=<client-id>&scope=http://www.docservice.com/report offline_access&isCLI=true&requested_token_type=urn:ietf:params:oauth:token-type:access_token???
When this scope is included, both an access token and a refresh token are produced. The refresh token format is listed in the response example below.
{
    "access_token": "<access-token>",
    "token_type": "Bearer",
    "expires_in": 3600
    "refresh_token": "<refresh token>"
}

Request Example: Exchange an Instance Principal (IPST) for an Identity Domain Access Token

Use an Instance Principal to make a signed request to obtain an access token for that instance.
   curl  -X POST -sS https://<domainURL>/oauth2/v1/token -i 
   -H 'date: Mon, 20 Nov 2023 12:07:10 GMT' 
   -H 'x-content-sha256: t7NyZzoWSrKNC6r6f3mrNxYCtZOuG1zK2TY/r+N676Y=' 
   -H 'content-type: application/x-www-form-urlencoded;charset=utf-8' 
   -H 'content-length: 170' 
   -H 'Authorization: Signature version="1",keyId="<key-id>",algorithm="rsa-sha256",headers="(request-target) date host x-content-sha256 content-type content-length",signature="<signature>"' 
   -d 'grant_type=urn:ietf:params:oauth:grant-type:token-exchange&scope=http://www.ocisampleservice.com/resume&requested_token_type=urn:ietf:params:oauth:token-type:access_token'

Request Example: Exchanging Resource Principal (RPST) for an Identity Domain Access Token

Use a Resource Principal to make a signed request to obtain an access token for that resource.
   curl  -X POST -sS https://<domainURL>/oauth2/v1/token -i 
   -H 'date: Mon, 20 Nov 2023 01:17:33 GMT' 
   -H 'x-content-sha256: t7NyZzoWSrKNC6r6f3mrNxYCtZOuG1zK2TY/r+N676Y=' 
   -H 'content-type: application/x-www-form-urlencoded;charset=utf-8' 
   -H 'content-length: 197' 
   -H 'Authorization: Signature version="1",keyId="<key-id>",algorithm="rsa-sha256",headers="(request-target) date host x-content-sha256 content-type content-length",signature="<signature>"' 
   -d 'grant_type=urn:ietf:params:oauth:grant-type:token-exchange&scope=http://www.ocisampleservice.com/resume&requested_token_type=urn:ietf:params:oauth:token-type:access_token'

Response Example

The following example shows the contents of the response body in JSON format when you use the Token Exchange grant type to obtain an access token for all 2-legged flow requests.
{
    "access_token": "<access-token>",
    "token_type": "Bearer",
    "expires_in": 3600
}