IAM Identity Domains API

Generate Access Token and Other OAuth Runtime Tokens to Access the Resource

post

/oauth2/v1/token

Request

Supported Media Types

application/x-www-form-urlencoded

Header Parameters

Authorization(optional): string

Basic Authorization. Base64 encoding of client credentials (for client assertions, the Authorization header is optional). Signature-based Authorization. For example, Authorization: Signature version="1",keyId="[tenancyOcid]/[userOcid]/[keyFingerprint]",algorithm="rsa-sha256",headers="(request-target) date x-content-sha256 content-type content-length",signature="Base64(RSA-SHA256())"

Root Schema : schema

Type: object

Show Source

assertion(optional): string

Assertion of user (only in the assertion grant flow)

Example: eyJraWQiOiJUcnVzdGVkUGFydHlfMSIsInR5cCI6IkpXVCIsImFsZyI6IlJTNTEyIn0.eyJzdWIiOiJ0ZXN0QG9yYWNsZS5jb20iLCJhdWQiOiJodHRwczpcL1wvd3d3LmlkZW50aXR5Lm9yYWNsZWNsb3VkLmNvbVwvIiwibmJmIjoxNDQwNzU5NDQ0LCJpc3MiOiJUcnVzdGVkUGFydHlfMSIsImV4cCI6MTQ0MDc2MDA0NCwiaWF0IjoxNDQwNzU5NDQ0LCJqdGkiOiIyYmViNmQ1ZS1lN2JmLTQ1NTgtOTc1Yy1iNjNhZWJlMzEwOTMifQ.pWDTO81e31h8waDz_eCI3IJuxNBRh4k2hDVhmsQSH8DgztzgL10dVKZnRTBo-Tfj3-NBa9GihzZw1QsLBnd8oeG0ZD-EKz0ZiL6sT13QeYLV7G3gIDLrTO2FbVNd615Dg1wcVPz5f631NQBW5TRl4mcQUGNHEfRrE1F5NrC_Ok
client_assertion(optional): string

Assertion of the client (only in client assertion cases)

Example: eyJraWQiOiJTSUdOSU5HX0tFWSIsInR5cCI6IkpXVCIsImFsZyI6IlJTNTEyIn0.eyJzdWIiOiI1YzA4NDcyMi03Njk3LTQ2NzgtOWVmNC01ZDMxYjg5MjgzYTMiLCJhdWQiOiJodHRwczpcL1wvd3d3LmlkZW50aXR5Lm9yYWNsZWNsb3VkLmNvbVwvIiwibmJmIjoxNDQwNzU5NDA4LCJpc3MiOiJTSUdOSU5HX0tFWSIsImV4cCI6MTQ0MDc2MDAwOCwiaWF0IjoxNDQwNzU5NDA4LCJqdGkiOiJhMmIwYmQzMS1mODFkLTRmNmMtODY1Ni1lOWRjYTczNTU4OTIifQ.jefxnKDUedfJgp40nUbLJrPdoTPGrkWHrp_uiuqJzD_7Pp9N2GkrAN-Nfri26ryGF0aMxjUs_My8qyfyzuDSK9iPHVLMDulbrdnShEAi-rYS8MMs4Uj6KYYhg_S8nquN5SAk00ZjKCjAImAbAghGXjJ51ZfPsBLMTP0fa7zAr9g
client_assertion_type(optional): string

Client assertion type (only in client assertion cases)

Example: urn:ietf:params:oauth:client-assertion-type:jwt-bearer
client_id(optional): string

Unique identifier for the client (only in client assertion cases)

Example: a5bf5db7f6c43b47b1eae399c68319c4
code(optional): string

Authorization Code that is generated during the call to the Authorize endpoint (only in the Authorization (3-legged) grant flow)

Example: AQIDBAXxVUQH5kHqoD1vmxmo-Yh1SCrbeyQQoJv4qaPWk0iu8aXwMvVREFk4YcPNNJ6oxpIanTS253PPqsvyp2KJ8QJfMTEgRU5DUllQVElPTl9LRVkxNCB7djF9NCA%3D
grant_type: string

Grant type by which a client requests an Access Token

Example: client_credentials
password(optional): string

Password of the user (only when using the Password grant flow)

Example: Test123456
redirect_uri(optional): string

Redirect URI where the response is sent (used in the Authorization or Implicit (3-legged) grant flow)

Example: http://abccorp.com/quote
refresh_token(optional): string

Refresh Token that is generated using the offline_access scope (only in the Refresh Token grant flow)

Example: eyJ4NXQiOiI4Wk5NMEFfNWFuSTc0dGp3Y3FWcWtMN3Z0Q2ciLCJraWQiOiJwcml2YWVrZXkxIiwiYWxnIjoiUlMyNTYifQ.eyJzdWIiOiJ0ZXN0QG9yYWNsZS5jb20iLCJhdWQiOiI1YzA4NDcyMi03Njk3LTQ2NzgtOWVmNC01ZDMxYjg5MjgzYTMiLCJuYmYiOjE0NDA3NTk0NDYsInNjb3BlIjoiQUNNRUNhbmRpZGF0ZVByb2ZpbGVTZXJ2aWNlLnJlc3VtZXNfbW9udGhzIG9mZmxpbmVfYWNjZXNzIiwiaXNzIjoiaWRjcy5vcmFjbGUuY29tIiwiZXhwIjoxNDQwOTc1NDQ2LCJpYXQiOjE0NDA3NTk0NDYsInRlbmFudCI6IlRFTkFOVDEiLCJqdGkiOiJhZWZhYTUwOC0zZGNlLTQ5OWMtYmExNC04ZDNhYTQ1NzEyMjEifQ.aLfyVU7OZgvJKLG5nkj-2P515QZ1KTcjsPot9r6HGNs7cARCE_OIR4x7bK8CfPU6oY3vs1HC6m9HPg-ieE3ckA
requested_token_type(optional): string

Requested token type (only in token exchange cases)

Example: urn:ietf:params:oauth:token-type:access_token
scope: string

Scope for which the Access Token is requested. For the refresh_token grant type, scope is optional.

Example: http://abccorp.com/quote
subject_token(optional): string

Subject token representing the subject (only in token exchange cases)

Example: AQIDBAXxVUQH5kHqoD1vmxmo-Yh1SCrbeyQQoJv4qaPWk0iu8aXwMvVREFk4YcPNNJ6oxpIanTS253PPqsvyp2KJ8QJfMTEgRU5DUllQVElPTl9LRVkxNCB7djF9NCA%3D
username(optional): string

Name of the user who wants to access the scope (only when using the Password grant flow)

Example: test@example.com

{
    "type":"object",
    "properties":{
        "grant_type":{
            "description":"Grant type by which a client requests an Access Token",
            "type":"string",
            "example":"client_credentials"
        },
        "username":{
            "description":"Name of the user who wants to access the scope (only when using the <b>Password</b> grant flow)",
            "type":"string",
            "example":"test@example.com"
        },
        "client_assertion":{
            "description":"Assertion of the client (only in <b>client assertion</b> cases)",
            "type":"string",
            "example":"eyJraWQiOiJTSUdOSU5HX0tFWSIsInR5cCI6IkpXVCIsImFsZyI6IlJTNTEyIn0.eyJzdWIiOiI1YzA4NDcyMi03Njk3LTQ2NzgtOWVmNC01ZDMxYjg5MjgzYTMiLCJhdWQiOiJodHRwczpcL1wvd3d3LmlkZW50aXR5Lm9yYWNsZWNsb3VkLmNvbVwvIiwibmJmIjoxNDQwNzU5NDA4LCJpc3MiOiJTSUdOSU5HX0tFWSIsImV4cCI6MTQ0MDc2MDAwOCwiaWF0IjoxNDQwNzU5NDA4LCJqdGkiOiJhMmIwYmQzMS1mODFkLTRmNmMtODY1Ni1lOWRjYTczNTU4OTIifQ.jefxnKDUedfJgp40nUbLJrPdoTPGrkWHrp_uiuqJzD_7Pp9N2GkrAN-Nfri26ryGF0aMxjUs_My8qyfyzuDSK9iPHVLMDulbrdnShEAi-rYS8MMs4Uj6KYYhg_S8nquN5SAk00ZjKCjAImAbAghGXjJ51ZfPsBLMTP0fa7zAr9g"
        },
        "scope":{
            "description":"Scope for which the Access Token is requested. For the <b>refresh_token</b> grant type, scope is optional.",
            "type":"string",
            "example":"http://abccorp.com/quote"
        },
        "refresh_token":{
            "description":"Refresh Token that is generated using the <b>offline_access</b> scope (only in the <b>Refresh Token</b> grant flow)",
            "type":"string",
            "example":"eyJ4NXQiOiI4Wk5NMEFfNWFuSTc0dGp3Y3FWcWtMN3Z0Q2ciLCJraWQiOiJwcml2YWVrZXkxIiwiYWxnIjoiUlMyNTYifQ.eyJzdWIiOiJ0ZXN0QG9yYWNsZS5jb20iLCJhdWQiOiI1YzA4NDcyMi03Njk3LTQ2NzgtOWVmNC01ZDMxYjg5MjgzYTMiLCJuYmYiOjE0NDA3NTk0NDYsInNjb3BlIjoiQUNNRUNhbmRpZGF0ZVByb2ZpbGVTZXJ2aWNlLnJlc3VtZXNfbW9udGhzIG9mZmxpbmVfYWNjZXNzIiwiaXNzIjoiaWRjcy5vcmFjbGUuY29tIiwiZXhwIjoxNDQwOTc1NDQ2LCJpYXQiOjE0NDA3NTk0NDYsInRlbmFudCI6IlRFTkFOVDEiLCJqdGkiOiJhZWZhYTUwOC0zZGNlLTQ5OWMtYmExNC04ZDNhYTQ1NzEyMjEifQ.aLfyVU7OZgvJKLG5nkj-2P515QZ1KTcjsPot9r6HGNs7cARCE_OIR4x7bK8CfPU6oY3vs1HC6m9HPg-ieE3ckA"
        },
        "client_assertion_type":{
            "description":"Client assertion type (only in <b>client assertion</b> cases)",
            "type":"string",
            "example":"urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
        },
        "password":{
            "description":"Password of the user (only when using the <b>Password</b> grant flow)",
            "type":"string",
            "example":"Test123456"
        },
        "assertion":{
            "description":"Assertion of user (only in the <b>assertion</b> grant flow)",
            "type":"string",
            "example":"eyJraWQiOiJUcnVzdGVkUGFydHlfMSIsInR5cCI6IkpXVCIsImFsZyI6IlJTNTEyIn0.eyJzdWIiOiJ0ZXN0QG9yYWNsZS5jb20iLCJhdWQiOiJodHRwczpcL1wvd3d3LmlkZW50aXR5Lm9yYWNsZWNsb3VkLmNvbVwvIiwibmJmIjoxNDQwNzU5NDQ0LCJpc3MiOiJUcnVzdGVkUGFydHlfMSIsImV4cCI6MTQ0MDc2MDA0NCwiaWF0IjoxNDQwNzU5NDQ0LCJqdGkiOiIyYmViNmQ1ZS1lN2JmLTQ1NTgtOTc1Yy1iNjNhZWJlMzEwOTMifQ.pWDTO81e31h8waDz_eCI3IJuxNBRh4k2hDVhmsQSH8DgztzgL10dVKZnRTBo-Tfj3-NBa9GihzZw1QsLBnd8oeG0ZD-EKz0ZiL6sT13QeYLV7G3gIDLrTO2FbVNd615Dg1wcVPz5f631NQBW5TRl4mcQUGNHEfRrE1F5NrC_Ok"
        },
        "redirect_uri":{
            "description":"Redirect URI where the response is sent (used in the Authorization or Implicit (3-legged) grant flow)",
            "type":"string",
            "example":"http://abccorp.com/quote"
        },
        "code":{
            "description":"Authorization Code that is generated during the call to the Authorize endpoint (only in the Authorization (3-legged) grant flow)",
            "type":"string",
            "example":"AQIDBAXxVUQH5kHqoD1vmxmo-Yh1SCrbeyQQoJv4qaPWk0iu8aXwMvVREFk4YcPNNJ6oxpIanTS253PPqsvyp2KJ8QJfMTEgRU5DUllQVElPTl9LRVkxNCB7djF9NCA%3D"
        },
        "client_id":{
            "description":"Unique identifier for the client (only in <b>client assertion</b> cases)",
            "type":"string",
            "example":"a5bf5db7f6c43b47b1eae399c68319c4"
        },
        "subject_token":{
            "description":"Subject token representing the subject (only in <b>token exchange</b> cases)",
            "type":"string",
            "example":"AQIDBAXxVUQH5kHqoD1vmxmo-Yh1SCrbeyQQoJv4qaPWk0iu8aXwMvVREFk4YcPNNJ6oxpIanTS253PPqsvyp2KJ8QJfMTEgRU5DUllQVElPTl9LRVkxNCB7djF9NCA%3D"
        },
        "requested_token_type":{
            "description":"Requested token type (only in <b>token exchange</b> cases)",
            "type":"string",
            "example":"urn:ietf:params:oauth:token-type:access_token"
        }
    },
    "required":[
        "grant_type",
        "scope"
    ]
}

Response

Supported Media Types

application/json

200 Response

Access Token generated

Root Schema : token

Type: object

Generate the Access Token in JSON Web Token format (JWT).

Show Source

access_token: string

Access Token used to access the scopes
expires_in: number

Expiry time of the Access Token in seconds
id_token(optional): string

Identity Token generated for the associated client and user (only in 3-legged flows)
refresh_token(optional): string

Refresh Token used to regenerate the Access Token (only when the offline_access scope is used)
token_type: string

Type of Access Token (Bearer)

{
    "description":"Generate the Access Token in JSON Web Token format (JWT).",
    "type":"object",
    "properties":{
        "access_token":{
            "type":"string",
            "description":"Access Token used to access the scopes"
        },
        "expires_in":{
            "type":"number",
            "description":"Expiry time of the Access Token in seconds"
        },
        "token_type":{
            "type":"string",
            "description":"Type of Access Token (Bearer)"
        },
        "refresh_token":{
            "type":"string",
            "description":"Refresh Token used to regenerate the Access Token (only when the <b>offline_access</b> scope is used)"
        },
        "id_token":{
            "type":"string",
            "description":"Identity Token generated for the associated client and user (only in 3-legged flows)"
        }
    },
    "required":[
        "access_token",
        "expires_in",
        "token_type"
    ]
}

400 Response

Invalid request

Root Schema : error

Type: object

Error message that appears during Access Token generation

Show Source

error: string

Error values that are based on the OAuth specification
error_description: string

Detailed error messages

{
    "description":"Error message that appears during Access Token generation",
    "type":"object",
    "properties":{
        "error":{
            "type":"string",
            "description":"Error values that are based on the OAuth specification"
        },
        "error_description":{
            "type":"string",
            "description":"Detailed error messages"
        }
    },
    "required":[
        "error",
        "error_description"
    ]
}

401 Response

Unauthorized client

Root Schema : error

Type: object

Error message that appears during Access Token generation

Show Source

error: string

Error values that are based on the OAuth specification
error_description: string

Detailed error messages

{
    "description":"Error message that appears during Access Token generation",
    "type":"object",
    "properties":{
        "error":{
            "type":"string",
            "description":"Error values that are based on the OAuth specification"
        },
        "error_description":{
            "type":"string",
            "description":"Detailed error messages"
        }
    },
    "required":[
        "error",
        "error_description"
    ]
}