Access Token

Successful OAuth transactions require the Oracle Identity Cloud Service OAuth Authorization Server to issue access tokens for use in authenticating an API call. An access token represents an authorization issued to the client application containing credentials used to access protected OAuth resources.

The Access Token provides a session (with scope and expiration) that your client application can use to perform tasks in Oracle Identity Cloud Service via REST APIs. The access token can be obtained either through the Identity Cloud Service UI or programmatically (by performing a REST API call using the application's client ID and secret). Applications can request an access token to access protected endpoints in different ways, depending on the grant type configured for the application. A grant is a credential representing the Resource Owner's authorization to access a protected resource. See Access Grant Types.

Name Value
tok_type* Identifies the token type: AT
iss The principal that issued the token: https://identity.oraclecloud.com
sub Identifies the entity (User/Client) that is requesting access. The subject identifier is locally unique and is intended to be consumed by the client. For ID propagation tokens, this contains the user's user ID. In other cases, it contains the client ID.
sub_mappingattr* The attribute used to locate the sub in the ID store. This is the mapping attr from SSO settings.
sub_type Indicates the type of subject (sub claim) conveyed by the token. If the token is issued solely on behalf of the client, the value of the claim is client. Otherwise, if the token is propagating a user identity, the value of the claim is user.

Entities processing and validating the access token can use the value of the sub_type claim when calling the Oracle Identity Cloud Service /Asserter REST API, which returns the App Roles of the subject indicated by the sub claim. The value of the sub_type claim is passed to /Asserter via the SubjectType request parameter. Unless client is passed explicitly, Oracle Identity Cloud Service assumes the Asserter is requesting information for a user rather than for a client. Hence, the /Asserter endpoint's SubjectType input parameter and the access token's sub_type claim together let entities processing the access token assert the client's AppRoles.

user_id* The user's Oracle Identity Cloud Service GUID from AuthN Context for user tokens. Not present in client-only tokens.
user_displayname* The user's Oracle Identity Cloud Service Display Name (255 maximum ASCII characters) from AuthN Context. Not present in client-only tokens.
user_tenantname* The User Tenant Name (255 maximum ASCII characters). May be different from the resource tenancy for cross-tenant use cases. The tenant's GUID is deliberately not saved in the token. Not present in client-only tokens.
tenant* The Resource Tenant Name when the request for the access token was made (255 maximum ASCII characters). Resource Tenant's GUID is specifically not saved in the token.
user.tenant.name* Same as tenant. This is tracked for backward compatibility purposes until there are no more legacy consumers.

Note: The Tenant Name is the Identity Domain.
aud Contains the URI string that the Resource Server expects to match the target URL's resource prefix. Multiple URI strings may be specified using the standard aud array format; this is the case when the OIDC request also contains scopes for some other resource server. For example: ["https://tenant-base-url.com", "https://example.com"]
iat The time (UNIX epoch time) when the JWT was issued. UNIX Epoch Time is a JSON number representing the number of seconds from 1970-01-01T00:00:00Z, as measured in Coordinated Universal Time (UTC), until the date/time.
sid The session ID taken from the Identity Token that was used during the token request.
exp The time (UNIX epoch time) when the JWT expires (in seconds). See the Token Expiry Table.
scope The space delimited string containing scopes.
jti The JWT ID: a server-generated unique identifier for this token.
client_id* OAuth client ID. This is the GUID of the OAuth client making the request. When Cloud Gate is making requests, this is the GUID of the OAuth CloudGate defined in the global oracle tenancy.
client_name* OAuth client_name. This is the name of the OAuth client making the request. When CloudGate is making requests, this is the name of the CloudGate OAuth client defined in the global oracle tenancy.
client_tenantname* Client Tenant Name (max 255). May be different from resource tenancy for cross tenant use cases.
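As an added example (not Oracle's code), the following Python shows how a resource server would check a token whose claims follow the table above: verify the signature before reading anything, pin the algorithm, require tok_type AT and the expected iss, match aud against the target URL on a URL boundary only (a bare prefix match would let "https://tenant-base-url.com" cover "https://tenant-base-url.com.evil.net"), enforce exp/iat, treat scope as whole space-delimited entries, and derive the /Asserter SubjectType value from sub_type. The signing key, claim values, GUIDs and clock are constructed for the demo, and the token is signed with HS256 only so it runs offline; real tokens are signed with the tenant's RSA key and must be verified with RS256 against that public key. The dict returned by asserter_subject is an assumed shape; only the SubjectType parameter name comes from the page.

```python
# Added example (not Oracle's code): verify and validate an Oracle Identity Cloud Service style
# access token. Key, claims, GUIDs and clock are constructed; HS256 is an offline stand-in for RS256.
import base64
import hashlib
import hmac
import json
import time

DEMO_KEY = b"constructed-demo-key-not-a-real-secret"   # assumption: demo only
EXPECTED_ISSUER = "https://identity.oraclecloud.com"      # iss value from the claim table
NOW = 1_700_000_000                                       # fixed clock for determinism

USER_CLAIMS = {   # constructed claim set that follows the table above
    "tok_type": "AT", "iss": EXPECTED_ISSUER, "sub": "jane.doe@example.com", "sub_type": "user",
    "sub_mappingattr": "userName", "user_id": "0123456789abcdef0123456789abcdef",
    "user_displayname": "Jane Doe", "user_tenantname": "idcs-demo", "tenant": "idcs-demo",
    "user.tenant.name": "idcs-demo", "aud": ["https://tenant-base-url.com", "https://example.com"],
    "iat": NOW - 10, "exp": NOW + 3600, "jti": "demo-jti-1", "scope": "urn:opc:idm:__myscopes__ orders.read",
    "client_id": "fedcba9876543210fedcba9876543210", "client_name": "orders-app", "client_tenantname": "idcs-demo",
}
CLIENT_CLAIMS = {k: v for k, v in USER_CLAIMS.items()
                 if k not in ("user_id", "user_displayname", "user_tenantname")}   # client-only token
CLIENT_CLAIMS.update(sub=USER_CLAIMS["client_id"], sub_type="client", jti="demo-jti-2")

def _b64url_decode(data):
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))

def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_demo_token(claims, key=DEMO_KEY):
    """Compact JWS over the claims (HS256 demo stand-in for the real RS256)."""
    header = _b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"

def decode_and_verify(token, key=DEMO_KEY):
    """Check the signature before reading any claim; raises ValueError on failure."""
    header_b64, payload_b64, sig_b64 = token.split(".")   # wrong part count -> ValueError
    # Pin the algorithm rather than trusting the header (blocks alg=none / key confusion).
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload_b64))

def forge_scope(token, new_scope):
    """Rewrite the payload but keep the old signature: a scope-escalation attempt."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    claims = dict(json.loads(_b64url_decode(payload_b64)), scope=new_scope)
    return f"{header_b64}.{_b64url_encode(json.dumps(claims).encode())}.{sig_b64}"

def is_verifiable(token, key=DEMO_KEY):
    try:
        decode_and_verify(token, key)
        return True
    except ValueError:
        return False

def _aud_covers(aud_entry, target_url):
    # Prefix match only on a URL boundary: "https://t.com" must not cover "https://t.com.evil/".
    base = aud_entry.rstrip("/")
    return target_url == base or target_url.startswith(base + "/")

def validate_claims(claims, target_url, now=None, leeway=60):
    """Problems with an already signature-verified claim set; [] means acceptable."""
    now = int(time.time()) if now is None else now
    problems = []
    if claims.get("tok_type") != "AT":
        problems.append("tok_type is not AT")
    if claims.get("iss") != EXPECTED_ISSUER:
        problems.append("iss mismatch")
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud   # aud may be one string or a list
    if not any(_aud_covers(a, target_url) for a in aud):
        problems.append("aud does not cover the target URL")
    if not isinstance(claims.get("exp"), int) or claims["exp"] + leeway <= now:
        problems.append("token expired")
    if isinstance(claims.get("iat"), int) and claims["iat"] > now + leeway:
        problems.append("iat is in the future")
    sub_type = claims.get("sub_type")
    if sub_type not in ("user", "client"):
        problems.append("sub_type must be user or client")
    elif sub_type == "user" and not claims.get("user_id"):
        problems.append("user token lacks user_id")
    elif sub_type == "client" and "user_id" in claims:
        problems.append("client-only token carries user_id")
    return problems

def has_scope(claims, required):
    """scope is space-delimited: match whole entries, never substrings."""
    return required in claims.get("scope", "").split()

def asserter_subject(claims):
    """sub plus SubjectType (copied from sub_type) for a /Asserter lookup; the parameter
    name is from the page, the dict shape is an assumption."""
    return {"sub": claims["sub"], "SubjectType": claims["sub_type"]}
```

Typical use is decode_and_verify(token) followed by validate_claims(claims, request_url); anything in the returned list is a reason to reject with 401 before the scope check. Note that a client-only token (sub_type client) passes the same checks but carries no user_id, so a resource server that silently treats sub as a user would resolve the wrong principal; that is why SubjectType must be set from sub_type when calling /Asserter.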