Generate Access Token and Other OAuth Runtime Tokens to Access the Resource

POST /oauth2/v1/token

Request

Supported Media Types
Header Parameters
Body ()
Root Schema : schema
Type: object
  • Assertion of user (only in the assertion grant flow)
    Example: eyJraWQiOiJUcnVzdGVkUGFydHlfMSIsInR5cCI6IkpXVCIsImFsZyI6IlJTNTEyIn0.eyJzdWIiOiJ0ZXN0QG9yYWNsZS5jb20iLCJhdWQiOiJodHRwczpcL1wvd3d3LmlkZW50aXR5Lm9yYWNsZWNsb3VkLmNvbVwvIiwibmJmIjoxNDQwNzU5NDQ0LCJpc3MiOiJUcnVzdGVkUGFydHlfMSIsImV4cCI6MTQ0MDc2MDA0NCwiaWF0IjoxNDQwNzU5NDQ0LCJqdGkiOiIyYmViNmQ1ZS1lN2JmLTQ1NTgtOTc1Yy1iNjNhZWJlMzEwOTMifQ.pWDTO81e31h8waDz_eCI3IJuxNBRh4k2hDVhmsQSH8DgztzgL10dVKZnRTBo-Tfj3-NBa9GihzZw1QsLBnd8oeG0ZD-EKz0ZiL6sT13QeYLV7G3gIDLrTO2FbVNd615Dg1wcVPz5f631NQBW5TRl4mcQUGNHEfRrE1F5NrC_Ok
  • Assertion of the client (only in client assertion cases)
    Example: eyJraWQiOiJTSUdOSU5HX0tFWSIsInR5cCI6IkpXVCIsImFsZyI6IlJTNTEyIn0.eyJzdWIiOiI1YzA4NDcyMi03Njk3LTQ2NzgtOWVmNC01ZDMxYjg5MjgzYTMiLCJhdWQiOiJodHRwczpcL1wvd3d3LmlkZW50aXR5Lm9yYWNsZWNsb3VkLmNvbVwvIiwibmJmIjoxNDQwNzU5NDA4LCJpc3MiOiJTSUdOSU5HX0tFWSIsImV4cCI6MTQ0MDc2MDAwOCwiaWF0IjoxNDQwNzU5NDA4LCJqdGkiOiJhMmIwYmQzMS1mODFkLTRmNmMtODY1Ni1lOWRjYTczNTU4OTIifQ.jefxnKDUedfJgp40nUbLJrPdoTPGrkWHrp_uiuqJzD_7Pp9N2GkrAN-Nfri26ryGF0aMxjUs_My8qyfyzuDSK9iPHVLMDulbrdnShEAi-rYS8MMs4Uj6KYYhg_S8nquN5SAk00ZjKCjAImAbAghGXjJ51ZfPsBLMTP0fa7zAr9g
  • Client assertion type (only in client assertion cases)
    Example: urn:ietf:params:oauth:client-assertion-type:jwt-bearer
  • Unique identifier for the client (only in client assertion cases)
    Example: a5bf5db7f6c43b47b1eae399c68319c4
  • Authorization Code that is generated during the call to the Authorize endpoint (only in the Authorization (3-legged) grant flow)
    Example: AQIDBAXxVUQH5kHqoD1vmxmo-Yh1SCrbeyQQoJv4qaPWk0iu8aXwMvVREFk4YcPNNJ6oxpIanTS253PPqsvyp2KJ8QJfMTEgRU5DUllQVElPTl9LRVkxNCB7djF9NCA%3D
  • Grant type by which a client requests an Access Token
    Example: client_credentials
  • Password of the user (only when using the Password grant flow)
    Example: Test123456
  • Redirect URI where the response is sent (used in the Authorization or Implicit (3-legged) grant flow)
    Example: http://abccorp.com/quote
  • Refresh Token that is generated using the offline_access scope (only in the Refresh Token grant flow)
    Example: eyJ4NXQiOiI4Wk5NMEFfNWFuSTc0dGp3Y3FWcWtMN3Z0Q2ciLCJraWQiOiJwcml2YWVrZXkxIiwiYWxnIjoiUlMyNTYifQ.eyJzdWIiOiJ0ZXN0QG9yYWNsZS5jb20iLCJhdWQiOiI1YzA4NDcyMi03Njk3LTQ2NzgtOWVmNC01ZDMxYjg5MjgzYTMiLCJuYmYiOjE0NDA3NTk0NDYsInNjb3BlIjoiQUNNRUNhbmRpZGF0ZVByb2ZpbGVTZXJ2aWNlLnJlc3VtZXNfbW9udGhzIG9mZmxpbmVfYWNjZXNzIiwiaXNzIjoiaWRjcy5vcmFjbGUuY29tIiwiZXhwIjoxNDQwOTc1NDQ2LCJpYXQiOjE0NDA3NTk0NDYsInRlbmFudCI6IlRFTkFOVDEiLCJqdGkiOiJhZWZhYTUwOC0zZGNlLTQ5OWMtYmExNC04ZDNhYTQ1NzEyMjEifQ.aLfyVU7OZgvJKLG5nkj-2P515QZ1KTcjsPot9r6HGNs7cARCE_OIR4x7bK8CfPU6oY3vs1HC6m9HPg-ieE3ckA
  • Scope for which the Access Token is requested. For the refresh_token grant type, scope is optional.
    Example: http://abccorp.com/quote
  • Name of the user who wants to access the scope (only when using the Password grant flow)
    Example: test@oracle.com

Response

Supported Media Types

200 Response

Access Token generated
Body ()
Root Schema : token
Type: object
Generate the Access Token in JSON Web Token format (JWT).

400 Response

Invalid request
Body ()
Root Schema : error
Type: object
Error message that appears during Device Code and User Code generation

401 Response

Unauthorized client
Body ()
Root Schema : error
Type: object
Error message that appears during Device Code and User Code generation

Examples

The following examples show how to generate an access token and other OAuth Runtime tokens to access the resource using one of the grant type flows by submitting a POST request on the REST resource using cURL. For more information about cURL, see Using cURL. See the Managing Authorization section for more information on grant types.

Note:

See Scopes for more information on using various scopes to more specifically define a set of resources and operations that an access token allows. The size of the access token is limited to 16000 characters by default.

The following examples show an example request to obtain an access token by grant type, and then an example response:

Authorization Code Grant Type (3-Legged Flow) Request and Response Examples

The Authorization Code grant type flow is used only in the 3-legged OAuth flow. The following examples are the next step that you take to obtain the access token, after generating an Authorization Code and an Identity Token.

Note:

The command in this example uses the URL structure https://tenant-base-url/resource-path, where tenant-base-url represents the Identity Service URL, and the resource path represents the Identity Service API. See Send Requests for the appropriate URL structure to use.

Request Example: Confidential/Trusted Client

The following shows an example cURL request when a confidential/trusted client uses the Authorization Code grant type to obtain an access token and other OAuth Runtime tokens.

curl -i \
-H 'Authorization: Basic <base64-clientid-secret>' \
-H 'Content-Type: application/x-www-form-urlencoded;charset=UTF-8' \
--request POST https://tenant-base-url/oauth2/v1/token -d 'grant_type=authorization_code&code=<authz-code>&redirect_uri=<client-redirect-uri>'

Request Example: Public Client

The following shows an example cURL request when a public client uses the Authorization Code grant type to obtain an access token and other OAuth Runtime tokens.

curl -i \
-H 'Content-Type: application/x-www-form-urlencoded;charset=UTF-8' \
--request POST https://tenant-base-url/oauth2/v1/token -d 'grant_type=authorization_code&code=<authz-code>&redirect_uri=<client-redirect-uri>&client_id=<client-id>'

Response Example

The following example shows the contents of the response body in JSON format when you use the Authorization Code grant type to obtain an access token and other OAuth Runtime tokens.

{
    "access_token": "eyJraWQiO.......Ao8A",
    "token_type": "Bearer",
    "id_token": "eyJraWQiO..........vMZQ",
    "expires_in": 3600
  }

Client Credentials Grant Type Request and Response Examples

Request Example Using the Authorization Header

The following shows an example cURL request using the Client Credentials grant type and the Authorization header to obtain an access token.

curl -i \
-H 'Authorization: Basic <base64Encoded clientid:secret>' \
-H 'Content-Type: application/x-www-form-urlencoded;charset=UTF-8' \
--request POST https://tenant-base-url/oauth2/v1/token -d 'grant_type=client_credentials&scope=<scope value>'

Response Example Using the Authorization Header

The following example shows the contents of the response body in JSON format when you use the Client Credentials grant type and the Authorization header to obtain an access token.

{
    "access_token": "eyJraWQiO.....WDjY",
    "token_type": "Bearer",
    "expires_in": 3600
  }
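
The request above depends on two encodings that the placeholders hide: the Basic credential and the form-encoded scope. The following helper script is an added example, not part of the original documentation; CLIENT_ID, CLIENT_SECRET and TENANT_BASE_URL are assumed environment variables, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: helpers for the client_credentials request shown above.
# CLIENT_ID, CLIENT_SECRET and TENANT_BASE_URL are assumed environment
# variables, not names defined by the service.

# Percent-encode one form value (ASCII input) for an
# application/x-www-form-urlencoded body.
form_encode() {
  s=$1 out=
  while [ -n "$s" ]; do
    rest=${s#?}; c=${s%"$rest"}; s=$rest
    case $c in
      [A-Za-z0-9._~-]) out=$out$c ;;
      ' ') out=$out+ ;;
      *) out=$out$(printf '%%%02X' "'$c") ;;
    esac
  done
  printf '%s' "$out"
}

# Value for "Authorization: Basic ...": base64 of clientid:secret, with no
# trailing newline in the input and no line wrapping in the output.
basic_auth_value() {
  printf '%s:%s' "$1" "$2" | base64 | tr -d '\n'
}

# Body for grant_type=client_credentials with an encoded scope ($1).
client_credentials_body() {
  printf 'grant_type=client_credentials&scope=%s' "$(form_encode "$1")"
}

# Send the request. The header and body reach curl through a config read from
# stdin (-K -), so the secret never appears in the process argument list.
request_token() {
  printf 'header = "Authorization: Basic %s"\ndata = "%s"\n' \
    "$(basic_auth_value "$CLIENT_ID" "$CLIENT_SECRET")" \
    "$(client_credentials_body "$1")" |
    curl -sS -K - --request POST "https://$TENANT_BASE_URL/oauth2/v1/token"
}

# Offline demonstration: print the body for the scope used on this page.
client_credentials_body 'http://abccorp.com/quote'; echo
```

Call request_token '<scope value>' with the three variables exported to send the request.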

Request Example Using a Client Assertion

The following shows an example cURL request using the Client Credentials grant type and a client assertion to obtain an access token.

curl -i \
-H 'Content-Type: application/x-www-form-urlencoded;charset=UTF-8' \
--request POST https://tenant-base-url/oauth2/v1/token -d 'grant_type=client_credentials&client_id=<client-id>&client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer&client_assertion=<client-assertion>&scope=<scope value>'

Response Example Using a Client Assertion

The following example shows the contents of the response body in JSON format when you use the Client Credentials grant type and a client assertion to obtain an access token.

{
    "access_token": "eyJ4NXQiO......HFpw",
    "token_type": "Bearer",
    "expires_in": 3600
  }
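
The client_assertion and assertion values in these requests are JWTs that carry time claims such as iat, nbf and exp. The following script is an added example, not part of the original documentation, that decodes an assertion locally and checks its validity window before it is sent; the function names and the sample token are constructed, and the maximum lifetime is a caller-chosen policy, not a limit stated on this page.

```shell
#!/bin/sh
# Added example: inspect a JWT assertion's claims before sending it as
# client_assertion. Decoding does not verify the signature.

# Decode one base64url segment (JWT segments drop the '=' padding).
b64url_decode() {
  s=$(printf '%s' "$1" | tr '_-' '/+')
  case $(( ${#s} % 4 )) in
    2) s="$s==" ;;
    3) s="$s=" ;;
  esac
  printf '%s' "$s" | base64 -d
}

# Print the JSON payload (second dot-separated segment) of a token.
jwt_payload() {
  b64url_decode "$(printf '%s' "$1" | cut -d. -f2)"
}

# Print a numeric claim such as iat, nbf or exp ($2) from token $1.
jwt_num_claim() {
  jwt_payload "$1" | sed -n 's/.*"'"$2"'": *\([0-9][0-9]*\).*/\1/p'
}

# Succeed only if now ($2, epoch seconds) lies in [iat, exp) and the
# assertion lifetime (exp - iat) does not exceed $3 seconds.
assertion_usable() {
  iat=$(jwt_num_claim "$1" iat); exp=$(jwt_num_claim "$1" exp)
  [ -n "$iat" ] && [ -n "$exp" ] || return 1
  [ "$2" -ge "$iat" ] && [ "$2" -lt "$exp" ] && [ $((exp - iat)) -le "$3" ]
}

# Constructed sample: unsigned token with made-up claims and a dummy signature.
sample_jwt() {
  enc() { printf '%s' "$1" | base64 | tr -d '=\n' | tr '/+' '_-'; }
  printf '%s.%s.%s' "$(enc '{"alg":"RS256","typ":"JWT"}')" \
    "$(enc '{"sub":"example-client","iss":"example-client","iat":1700000000,"exp":1700000600}')" \
    'c2ln'
}

# Offline demonstration on the constructed token.
jwt_payload "$(sample_jwt)"; echo
```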

Resource Owner Password Credentials Grant Type Request and Response Examples

Request Example Using the Authorization Header

The following shows an example cURL request using the Resource Owner Password Credentials grant type and the Authorization header to obtain an access token.

curl -i \
-H 'Authorization: Basic <base64Encoded clientid:secret>' \
-H 'Content-Type: application/x-www-form-urlencoded;charset=UTF-8' \
--request POST https://tenant-base-url/oauth2/v1/token -d 'grant_type=password&username=<user-name>&password=<password>&scope=<scope value>'

Response Example Using the Authorization Header

The following example shows the contents of the response body in JSON format when you use the Resource Owner Password Credentials grant type and the Authorization header to obtain an access token.

{
    "access_token": "eyJraWQiu.....XMZ8",
    "token_type": "Bearer",
    "expires_in": 3600
  }

Request Example Using a Client Assertion

The following shows an example cURL request using the Resource Owner Password Credentials grant type and a client assertion to obtain an access token.

curl -i \
-H 'Content-Type: application/x-www-form-urlencoded;charset=UTF-8' \
--request POST https://tenant-base-url/oauth2/v1/token -d 'grant_type=password&username=<user-name>&password=<password>&client_id=<client-id>&client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer&client_assertion=<client-assertion>&scope=<scope value>'

Response Example Using a Client Assertion

The following example shows the contents of the response body in JSON format when you use the Resource Owner Password Credentials grant type and a client assertion to obtain an access token.

{
    "access_token": "eyJraWQiO......sPds",
    "token_type": "Bearer",
    "expires_in": 3600
  }

SAML2 Assertion Grant Type Request and Response Examples

Request Example Using the Authorization Header

The following shows an example cURL request using the Assertion grant type (in SAML2 format) and the Authorization header to obtain an access token. The SAML2 assertion must be Base64 encoded.

curl -i \
-H 'Authorization: Basic <base64Encoded clientid:secret>' \
-H 'Content-Type: application/x-www-form-urlencoded;charset=UTF-8' \
--request POST https://tenant-base-url/oauth2/v1/token -d 'grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Asaml2-bearer&assertion=<Base64 Encoded user-saml2-assertion-value>&scope=<scope value>'

Response Example Using the Authorization Header

The following example shows the contents of the response body in JSON format when you use the Assertion grant type (in SAML2 format) and the Authorization header to obtain an access token.

{
  "access_token": "eyJraWQiO.....WDjY",
  "token_type": "Bearer",
  "expires_in": 3600
}

Request Example Using a Client Assertion

The following shows an example cURL request using the Assertion grant type (in SAML2 format) and a client assertion to obtain an access token. The SAML2 assertion must be Base64 encoded.

curl -i \
-H 'Content-Type: application/x-www-form-urlencoded;charset=UTF-8' \
--request POST https://tenant-base-url/oauth2/v1/token -d 'grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Asaml2-bearer&assertion=<Base64 Encoded user-saml2-assertion-value>&client_id=<client-id>&client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Asaml2-bearer&client_assertion=<client-saml2-assertion>&scope=<scope value>'

Response Example Using a Client Assertion

The following example shows the contents of the response body in JSON format when you use the Assertion grant type (in SAML2 format) and a client assertion to obtain an access token.

{
  "access_token": "eyJraWQi......WDjY",
  "token_type": "Bearer",
  "expires_in": 3600
}

JWT Assertion Grant Type Request and Response Examples

Request Example Using the Authorization Header

The following shows an example cURL request using the Assertion grant type (in JWT format) and the Authorization header to obtain an access token.

curl -i \
-H 'Authorization: Basic <base64Encoded clientid:secret>' \
-H 'Content-Type: application/x-www-form-urlencoded;charset=UTF-8' \
--request POST https://tenant-base-url/oauth2/v1/token -d 'grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer&assertion=<user-assertion-value>&scope=<scope value>'

Response Example Using the Authorization Header

The following example shows the contents of the response body in JSON format when you use the Assertion grant type (in JWT format) and the Authorization header to obtain an access token.

{
    "access_token": "eyJraWQiO.....WDjY",
    "token_type": "Bearer",
    "expires_in": 3600
  }

Request Example Using a Client Assertion

The following shows an example cURL request using the Assertion grant type (in JWT format) and a client assertion to obtain an access token.

curl -i \
-H 'Content-Type: application/x-www-form-urlencoded;charset=UTF-8' \
--request POST https://tenant-base-url/oauth2/v1/token -d 'grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer&assertion=<user-assertion-value>&client_id=<client-id>&client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer&client_assertion=<client-assertion>&scope=<scope value>'

Response Example Using a Client Assertion

The following example shows the contents of the response body in JSON format when you use the Assertion grant type (in JWT format) and a client assertion to obtain an access token.

{
    "access_token": "eyJraWQiO.....WDjY",
    "token_type": "Bearer",
    "expires_in": 3600
  }

Device Code Grant Type Request and Response Examples

The following examples show an example request to obtain an access token using the Device Code grant type, and then an example response that is returned. There are several steps involved when using the Device Code grant type flow. First, the /device endpoint is used to obtain a device code and a user code, and then that device code is used in a request to the /token endpoint to obtain an access token so that a user can access a resource. See Generate Device Code and User Code (OAuth Device Flow) for example requests to obtain the device code and user code. The cURL commands in this section pass -k, which turns off TLS certificate verification; omit it when the tenant's certificate chains to a CA that the client trusts.

Request Example: Confidential Client

The following shows an example cURL request when a confidential/trusted client uses the Device Code grant type to obtain an access token.

curl -i -k \
-H 'Content-Type: application/x-www-form-urlencoded; charset=utf-8' \
-H 'Authorization: Basic <base64 clientid:secret>' \
--request POST 'https://tenant-base-url/oauth2/v1/token' \
-d 'grant_type=urn:ietf:params:oauth:grant-type:device_code&device_code=4d03f7bc-f7a5-4795-819a-5748c4801d35'

Request Example: Public Client

The following shows an example cURL request when a public client uses the Device Code grant type to obtain an access token.

curl -i -k \
-H 'Content-Type: application/x-www-form-urlencoded; charset=utf-8' \
--request POST 'https://tenant-base-url/oauth2/v1/token' -d 'grant_type=urn:ietf:params:oauth:grant-type:device_code&client_id=3e51760ceb1245b7b77d0b1ff280bb72&device_code=4d03f7bc-f7a5-4795-819a-5748c4801d35'

Request Example Using a Client Assertion

The following shows an example cURL request using the Device Code grant type and a client assertion to obtain an access token.

curl -i -k \
-H 'Content-Type: application/x-www-form-urlencoded; charset=utf-8' \
--request POST 'https://tenant-base-url/oauth2/v1/token' \
-d 'grant_type=urn:ietf:params:oauth:grant-type:device_code&client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer&client_assertion=<clientAssertion>&device_code=4d03f7bc-f7a5-4795-819a-5748c4801d35'

Request Example Using a SAML Assertion

The following shows an example cURL request using the Device Code grant type and an assertion (in SAML2 format) to obtain an access token.

curl -i -k \
-H 'Content-Type: application/x-www-form-urlencoded; charset=utf-8' \
--request POST 'https://tenant-base-url/oauth2/v1/token' \
-d 'grant_type=urn:ietf:params:oauth:grant-type:device_code&client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Asaml2-bearer&client_assertion=<samlAssertion>&device_code=4d03f7bc-f7a5-4795-819a-5748c4801d35'

Response Example

The following example shows the contents of the response body in JSON format when you use the Device Code grant type to obtain an access token.

{
"access_token":"eyJ4NXQjU....fw1Q",
"token_type":"Bearer",
"expires_in":3600
}

Refresh Token Grant Type Request and Response Examples

Request Example Using the Authorization Header

The following shows an example cURL request using the refresh token grant type and the Authorization header to obtain an access token.

curl -i \
-H 'Authorization: Basic <base64Encoded clientid:secret>' \
-H 'Content-Type: application/x-www-form-urlencoded;charset=UTF-8' \
--request POST https://tenant-base-url/oauth2/v1/token -d 'grant_type=refresh_token&refresh_token=<refresh-token>&scope=<optional scope value>'

Response Example Using the Authorization Header

The following example shows the contents of the response body in JSON format when you use the refresh token grant type and the Authorization header to obtain an access token.

{
    "access_token": "eyJraWQiO....WDjY",
    "token_type": "Bearer",
    "expires_in": 3600,
    "refresh_token": "AQIDBAXEAuWUPCZhxQ0KB-e46W5a53vlRF1fTZvZDcXQqnY63Dby_oOkD_uToVgVWTrx9AvSVFD0gt2cgGOLFg8vKnGLMTEgRU5DUllQVElPTl9LRVkxNCB7djF9NCA="
  }

Request Example Using a Client Assertion

The following shows an example cURL request using the refresh token grant type and a client assertion to obtain an access token.

curl -i \
-H 'Content-Type: application/x-www-form-urlencoded;charset=UTF-8' \
--request POST https://tenant-base-url/oauth2/v1/token -d 'grant_type=refresh_token&refresh_token=<refresh-token>&client_id=<client-id>&client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer&client_assertion=<client-assertion>&scope=<optional scope value>'

Response Example Using a Client Assertion

The following example shows the contents of the response body in JSON format when you use the refresh token grant type and a client assertion to obtain an access token.

{
    "access_token": "eyJraWQiO....2nqA",
    "token_type": "Bearer",
    "expires_in": 3600,
    "refresh_token": "AQIDBAUn_jFYHxaLKIxQiAX7BpnfHQs-lvv9VZq_NTRq75NoqIbfpgXnCw1h2El7EuNIE9SGhK_GXo6JjDSDvtt6oUsyMTEgRU5DUllQVElPTl9LRVkxNCB7djF9NCA="
  }