Generate Access Token and Other OAuth Runtime Tokens to Access the Resource
/oauth2/v1/token
Request
- application/x-www-form-urlencoded
-
Authorization(optional): string
Basic Authorization. Base64 encoding of client credentials (for client assertions, the Authorization header is optional). Signature-based Authorization. For example, Authorization: Signature version="1",keyId="[tenancyOcid]/[userOcid]/[keyFingerprint]",algorithm="rsa-sha256",headers="(request-target) date x-content-sha256 content-type content-length",signature="Base64(RSA-SHA256(
))"
object
-
assertion(optional):
string
Assertion of user (only in the assertion grant flow)Example:
eyJraWQiOiJUcnVzdGVkUGFydHlfMSIsInR5cCI6IkpXVCIsImFsZyI6IlJTNTEyIn0.eyJzdWIiOiJ0ZXN0QG9yYWNsZS5jb20iLCJhdWQiOiJodHRwczpcL1wvd3d3LmlkZW50aXR5Lm9yYWNsZWNsb3VkLmNvbVwvIiwibmJmIjoxNDQwNzU5NDQ0LCJpc3MiOiJUcnVzdGVkUGFydHlfMSIsImV4cCI6MTQ0MDc2MDA0NCwiaWF0IjoxNDQwNzU5NDQ0LCJqdGkiOiIyYmViNmQ1ZS1lN2JmLTQ1NTgtOTc1Yy1iNjNhZWJlMzEwOTMifQ.pWDTO81e31h8waDz_eCI3IJuxNBRh4k2hDVhmsQSH8DgztzgL10dVKZnRTBo-Tfj3-NBa9GihzZw1QsLBnd8oeG0ZD-EKz0ZiL6sT13QeYLV7G3gIDLrTO2FbVNd615Dg1wcVPz5f631NQBW5TRl4mcQUGNHEfRrE1F5NrC_Ok
-
client_assertion(optional):
string
Assertion of the client (only in client assertion cases)Example:
eyJraWQiOiJTSUdOSU5HX0tFWSIsInR5cCI6IkpXVCIsImFsZyI6IlJTNTEyIn0.eyJzdWIiOiI1YzA4NDcyMi03Njk3LTQ2NzgtOWVmNC01ZDMxYjg5MjgzYTMiLCJhdWQiOiJodHRwczpcL1wvd3d3LmlkZW50aXR5Lm9yYWNsZWNsb3VkLmNvbVwvIiwibmJmIjoxNDQwNzU5NDA4LCJpc3MiOiJTSUdOSU5HX0tFWSIsImV4cCI6MTQ0MDc2MDAwOCwiaWF0IjoxNDQwNzU5NDA4LCJqdGkiOiJhMmIwYmQzMS1mODFkLTRmNmMtODY1Ni1lOWRjYTczNTU4OTIifQ.jefxnKDUedfJgp40nUbLJrPdoTPGrkWHrp_uiuqJzD_7Pp9N2GkrAN-Nfri26ryGF0aMxjUs_My8qyfyzuDSK9iPHVLMDulbrdnShEAi-rYS8MMs4Uj6KYYhg_S8nquN5SAk00ZjKCjAImAbAghGXjJ51ZfPsBLMTP0fa7zAr9g
-
client_assertion_type(optional):
string
Client assertion type (only in client assertion cases)Example:
urn:ietf:params:oauth:client-assertion-type:jwt-bearer
-
client_id(optional):
string
Unique identifier for the client (only in client assertion cases)Example:
a5bf5db7f6c43b47b1eae399c68319c4
-
code(optional):
string
Authorization Code that is generated during the call to the Authorize endpoint (only in the Authorization (3-legged) grant flow)Example:
AQIDBAXxVUQH5kHqoD1vmxmo-Yh1SCrbeyQQoJv4qaPWk0iu8aXwMvVREFk4YcPNNJ6oxpIanTS253PPqsvyp2KJ8QJfMTEgRU5DUllQVElPTl9LRVkxNCB7djF9NCA%3D
-
grant_type:
string
Grant type by which a client requests an Access TokenExample:
client_credentials
-
password(optional):
string
Password of the user (only when using the Password grant flow)Example:
Test123456
-
redirect_uri(optional):
string
Redirect URI where the response is sent (used in the Authorization or Implicit (3-legged) grant flow)Example:
http://abccorp.com/quote
-
refresh_token(optional):
string
Refresh Token that is generated using the offline_access scope (only in the Refresh Token grant flow)Example:
eyJ4NXQiOiI4Wk5NMEFfNWFuSTc0dGp3Y3FWcWtMN3Z0Q2ciLCJraWQiOiJwcml2YWVrZXkxIiwiYWxnIjoiUlMyNTYifQ.eyJzdWIiOiJ0ZXN0QG9yYWNsZS5jb20iLCJhdWQiOiI1YzA4NDcyMi03Njk3LTQ2NzgtOWVmNC01ZDMxYjg5MjgzYTMiLCJuYmYiOjE0NDA3NTk0NDYsInNjb3BlIjoiQUNNRUNhbmRpZGF0ZVByb2ZpbGVTZXJ2aWNlLnJlc3VtZXNfbW9udGhzIG9mZmxpbmVfYWNjZXNzIiwiaXNzIjoiaWRjcy5vcmFjbGUuY29tIiwiZXhwIjoxNDQwOTc1NDQ2LCJpYXQiOjE0NDA3NTk0NDYsInRlbmFudCI6IlRFTkFOVDEiLCJqdGkiOiJhZWZhYTUwOC0zZGNlLTQ5OWMtYmExNC04ZDNhYTQ1NzEyMjEifQ.aLfyVU7OZgvJKLG5nkj-2P515QZ1KTcjsPot9r6HGNs7cARCE_OIR4x7bK8CfPU6oY3vs1HC6m9HPg-ieE3ckA
-
requested_token_type(optional):
string
Requested token type (only in token exchange cases)Example:
urn:ietf:params:oauth:token-type:access_token
-
scope:
string
Scope for which the Access Token is requested. For the refresh_token grant type, scope is optional.Example:
http://abccorp.com/quote
-
subject_token(optional):
string
Subject token representing the subject (only in token exchange cases)Example:
AQIDBAXxVUQH5kHqoD1vmxmo-Yh1SCrbeyQQoJv4qaPWk0iu8aXwMvVREFk4YcPNNJ6oxpIanTS253PPqsvyp2KJ8QJfMTEgRU5DUllQVElPTl9LRVkxNCB7djF9NCA%3D
-
username(optional):
string
Name of the user who wants to access the scope (only when using the Password grant flow)Example:
test@oracle.com
Response
- application/json
200 Response
object
-
access_token:
string
Access Token used to access the scopes
-
expires_in:
number
Expiry time of the Access Token in seconds
-
id_token(optional):
string
Identity Token generated for the associated client and user (only in 3-legged flows)
-
refresh_token(optional):
string
Refresh Token used to regenerate the Access Token (only when the offline_access scope is used)
-
token_type:
string
Type of Access Token (Bearer)
400 Response
object
-
error:
string
Error values based on the OAuth specification
-
error_description:
string
Detailed error messages
401 Response
object
-
error:
string
Error values based on the OAuth specification
-
error_description:
string
Detailed error messages
Examples
The following examples show how to generate an access token and other OAuth Runtime tokens to access the resource using one of the grant type flows by submitting a POST request on the REST resource using cURL. For more information about cURL, see Using cURL. See the Managing Authorization section for more information on grant types.
Note:
See Scopes for more information on using various scopes to more specifically define a set of resources and operations that an access token allows. The size of the access token is limited to 16000 characters by default.The following examples show an example request to obtain an access token by grant type, and then an example response:
-
Authorization Code Grant Type (3-Legged Flow) Request and Response Examples
-
Resource Owner Password Credentials Grant Type Request and Response Examples
Custom Claims (2-Legged Flow) Request and Response Examples
Sample Request: Custom Claims 2-Legged
Use token requests with Custom Claims in the Request mode when you want that custom_claim to be attached to the token. The custom claim is attached to the token only if it is requested or overridden. custom_claims
parameter must be in the token request.
curl --insecure -i
-H 'Authorization: Basic ODExOTA1OWU3MTE5NGY4N2JkMjc5ZjMzNGJmNDkzOTY6YWYzZjE4ZjEtZTQxNS00NjdmLWEyMjYtMmRjODc5ZjQ0NTAz'
-H 'Content-Type: application/x-www-form-urlencoded; charset=utf-8'
?-request POST 'https://tenant1.idcs.internal.oracle.com:8943/oauth2/v1/token' -d 'grant_type=password&scope=http://www.docservice.com/test1+http://www.docservice.com/test2&custom_claims=requestTest1ATClaim alwaysTest1ATClaim requestTest2BothClaim=myValue&username=admin@oracle.com&password=Welc0me@1'
Sample Response: Custom Claims 2-Legged
{"access_token":"<access_token>","token_type":"Bearer","expires_in":3600}
Sample Request: Custom Claims Overrides
You can override the value that is configured in the claim. The custom_claims parameter can be in the format custom_claims=claim1 claim2
or custom_claims=claim1=myValue claim2 claim3=myOtherValue
.
curl -i
-H 'Authorization: Basic <base64Encoded clientid:secret>'
-H 'Content-Type: application/x-www-form-urlencoded;charset=UTF-8'
--request POST https://<IDCS-Service-Instance>.identity.oraclecloud.com/oauth2/v1/token -d 'grant_type=password&username=<user-name>&password=<password>&scope=<value>&custom_claims=<optional space separated request custom claim names and/or space separated request custom claim names with overridden values>'
Sample Response: Custom Claims Overrides
In a successful response, the requested custom claim is embedded in the token or if the requested custom claim doesn't exist or if you're trying to override a custom claim that doesn't exist, the request will error.
-
For a use case, see Managing Custom Claims.
-
For the end points see Custom Claims REST Endpoints.
Refresh Token: Custom Claims
For a refresh token flow, the custom_claims parameter can be included in the token request with the grant_type = refresh_token.
curl -i
-H 'Authorization: Basic <base64Encoded clientid:secret>'
-H 'Content-Type: application/x-www-form-urlencoded;charset=UTF-8'
--request POST https://tenant-base-url/oauth2/v1/token -d 'grant_type=refresh_token&refresh_token=<refresh-token>&scope==<optional space separated request custom claim names and/or separated request custom claim names with overridden values>'
Sample Response: Custom Claims Refresh Token
"access_token": "eyJraWQiO....WDjY",
"token_type": "Bearer",
"expires_in": 3600,
"refresh_token": "<refresh token>"
-
For a use case, see Managing Custom Claims.
-
For the end points see Custom Claims REST Endpoints.
Authorization Code Grant Type (3-Legged Flow) Request and Response Examples
The Authorization Code grant type flow is used only in the 3-legged OAuth flow. The following examples are the next step that you take to obtain the access token, after Generating an Authorization Code and an Identity Token.
Note:
The command in this example uses the URL structurehttps://tenant-base-url/resource-path,
where
tenant-base-url
represents the Identity Service URL, and the resource path represents the Identity Service API. See
Send Requests for the appropriate URL structure to use.
Request Example: Confidential/Trusted Client
The following shows an example cURL request when a confidential/trusted client uses the Authorization Code grant type to obtain an access token and other OAuth Runtime tokens.
curl -i
-H 'Authorization: Basic <base64-clientid-secret>'
-H 'Content-Type: application/x-www-form-urlencoded;charset=UTF-8'
--request POST https://tenant-base-url/oauth2/v1/token -d 'grant_type=authorization_code&code=<authz-code>&redirect_uri=<client-redirect-uri>'
Request Example: Public Client
The following shows an example cURL request when a public client uses the Authorization Code grant type to obtain an access token and other OAuth Runtime tokens.
curl -i
-H 'Content-Type: application/x-www-form-urlencoded;charset=UTF-8'
--request POST https://tenant-base-url/oauth2/v1/token -d 'grant_type=authorization_code&code=<authz-code>&redirect_uri=<client-redirect-uri>&client_id=<client-id>'
Response Example
The following example shows the contents of the response body in JSON format when you use the Authorization Code grant type to obtain an access token and other OAuth Runtime tokens.
{
"access_token": "eyJraWQiO.......Ao8A",
"token_type": "Bearer",
"id_token": "eyJraWQiO..........vMZQ",
"expires_in": 3600
}
Request Example: Custom Claims
If you are using a 3-legged flow, you must include the custom_claims=<optional. space separated request custom claim names and/or space separated request custom claim names with overridden values>
parameter in the URL of the Authorization Code request. This is because when requesting the Authorization Code, the custom claim is validated. If you don't add the custom_claims
parameter, you will get an error. The steps are that you first ask for the Authorization Code and then use that Authorization Code to request an access token. When you use the Authorization Code to get the access token, you do not need to include the custom claim.
The following shows an example of a request when a custom claim uses the Authorization Code grant type to obtain an access token. The custom_claims
parameter can be in the format 'custom_claims=claim1%20claim2
' or 'custom_claims=claim1=myValue%20claim2%20claim3=myOtherValue
' where %20
is the URL encoded space character.
GET
https://<IDCS-Service-Instance>.identity.oraclecloud.com/oauth2/v1/authorize?client_id=<client_id>&response_type=code&redirect_uri=<client-redirect-uri>&scope=openid&nonce=<nonce-value>&state=1234&custom_claims=< space separated request custom claim names and/or space separated request custom claim with overidden values>
Response Example: Custom Claims
In a successful response, the requested custom claim is embedded in the token or if the requested custom claim doesn't exist or if you're trying to override a custom claim, which is not allowed when requesting Authorization Code, the request will error.
-
For a use case, see Managing Custom Claims.
-
For the end points see Custom Claims REST Endpoints.
{"access_token":"<access_token>","token_type":"Bearer","expires_in":3600}
Client Credentials Grant Type Request and Response Examples
Request Example Using the Authorization Header
The following shows an example cURL request using the Client Credentials grant type and the Authorization header to obtain an access token.
curl -i
-H 'Authorization: Basic <base64Encoded clientid:secret>'
-H 'Content-Type: application/x-www-form-urlencoded;charset=UTF-8' --request POST https://tenant-base-url/oauth2/v1/token -d 'grant_type=client_credentials&scope=<scope value>'
Response Example Using the Authorization Header
The following example shows the contents of the response body in JSON format when you use the Client Credentials grant type and the Authorization header to obtain an access token.
{
"access_token": "eyJraWQiO.....WDjY",
"token_type": "Bearer",
"expires_in": 3600
}
Request Example Using a Client Assertion
The following shows an example cURL request using the Client Credentials grant type and a client assertion to obtain an access token.
curl -i
-H 'Content-Type: application/x-www-form-urlencoded;charset=UTF-8'
--request POST https://tenant-base-url/oauth2/v1/token -d 'grant_type=client_credentials&client_id=<client-id>&client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer&client_assertion=<client-assertion>&scope=<scope value>'
Response Example Using a Client Assertion
The following example shows the contents of the response body in JSON format when you use the Client Credentials grant type and a client assertion to obtain an access token.
{
"access_token": "eyJ4NXQiO......HFpw",
"token_type": "Bearer",
"expires_in": 3600
}
Resource Owner Password Credentials Grant Type Request and Response Examples
Request Example Using the Authorization Header
The following shows an example cURL request using the Resource Owner Password Credentials grant type and the Authorization header to obtain an access token.
curl --insecure -i
-H 'Authorization: Basic <your base64 encoded clientid:clientsecret>' \
-H 'Content-Type: application/x-www-form-urlencoded;charset=utf-8' \
--request POST 'https://tenant-base-url/oauth2/v1/token-d 'grant_type=password&scope=<your scope>+offline_access&username=<name>&password=<password>&custom_claims=<optional space separated request custom claim names and/or separated request custom claim names with overridden values>
Response Example Using the Authorization Header
The following example shows the contents of the response body in JSON format when you use the Resource Owner Password Credentials grant type and the Authorization header to obtain an access token.
{"access_token":"<access_token>","token_type":"Bearer","expires_in":3600}
Request Example Using a Client Assertion
The following shows an example cURL request using the Resource Owner Password Credentials grant type and a client assertion to obtain an access token.
curl -i
-H 'Content-Type: application/x-www-form-urlencoded;charset=UTF-8'
--request POST https://tenant-base-url/oauth2/v1/token -d 'grant_type=password&username=<user-name>&password=<password>&client_id=<client-id>&client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer&client_assertion=<client-assertion>&scope=<scope value>'
Response Example Using a Client Assertion
The following example shows the contents of the response body in JSON format when you use the Resource Owner Password Credentials grant type and a client assertion to obtain an access token.
{
"access_token": "eyJraWQiO......sPds",
"token_type": "Bearer",
"expires_in": 3600
}
SAML2 Assertion Grant Type Request and Response Examples
Request Example Using the Authorization Header
The following shows an example cURL request using the Assertion grant type (in SAML2 format) and the Authorization header to obtain an access token. The SAML2 assertion must be Base64 encoded.
curl -i
-H 'Authorization: Basic <base64Encoded clientid:secret>'
-H 'Content-Type: application/x-www-form-urlencoded;charset=UTF-8'
--request POST https://tenant-base-url/oauth2/v1/token -d 'grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Asaml2-bearer&assertion=<Base64 Encoded user-saml2-assertion-value>&scope=<scope value>'
Response Example Using the Authorization Header
The following example shows the contents of the response body in JSON format when you use the Assertion grant type (in SAML2 format) and the Authorization header to obtain an access token.
{
"access_token": "eyJraWQiO.....WDjY",
"token_type": "Bearer",
"expires_in": 3600
}
Request Example Using a Client Assertion
The following shows an example cURL request using the Assertion grant type (in SAML2 format) and a client assertion to obtain an access token. The SAML2 assertion must be Base64 encoded.
curl -i
-H 'Content-Type: application/x-www-form-urlencoded;charset=UTF-8'
--request POST https://tenant-base-url/oauth2/v1/token -d 'grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Asaml2-bearer&assertion=<Base64 Encoded user-saml2-assertion-value>&<client_id>=client-id&client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Asaml2-bearer&client_assertion=<client-saml2-assertion>&scope=<scope value>'
Response Example Using a Client Assertion
The following example shows the contents of the response body in JSON format when you use the Assertion grant type (in SAML2 format) and a client assertion to obtain an access token.
{
"access_token": "eyJraWQi......WDjY",
"token_type": "Bearer",
"expires_in": 3600
}
JWT Assertion Grant Type Request and Response Examples
Request Example Using the Authorization Header
The following shows an example cURL request using the Assertion grant type (in JWT format) and the Authorization header to obtain an access token.
curl -i
-H 'Authorization: Basic <base64Encoded clientid:secret>'
-H 'Content-Type: application/x-www-form-urlencoded;charset=UTF-8'
--request POST https://tenant-base-url/oauth2/v1/token -d 'grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer&assertion=<user-assertion-value>&scope=<scope value>'
Response Example Using the Authorization Header
The following example shows the contents of the response body in JSON format when you use the Assertion grant type (in JWT format) and the Authorization header to obtain an access token.
{
"access_token": "eyJraWQiOiJTSUdOSU5HX0tFWSIsImFsZyI6IlJTMjU2In0.eyJzdWIiOiIxMzViMDdkN2YxNzAzODNkOThmNGMyMTZlMmM5ODllNyIsInVzZXIudGVuYW50Lm5hbWUiOiJURU5BTlQxIiwic3ViX21hcHBpbmdhdHRyIjoidXNlck5hbWUiLCJpc3MiOiJodHRwczpcL1wvaWRlbnRpdHkub3JhY2xlY2xvdWQuY29tXC8iLCJ0b2tfdHlwZSI6IkFUIiwiY2xpZW50X2lkIjoiMTM1YjA3ZDdmMTcwMzgzZDk4ZjRjMjE2ZTJjOTg5ZTciLCJhdWQiOiJodHRwOlwvXC9hYmNjb3JwLmNvbVwvIiwic2NvcGUiOiJxdW90ZSB1c2VyIiwiY2xpZW50X3RlbmFudG5hbWUiOiJURU5BTlQxIiwiZXhwIjoxNDYyMzAxNjgyLCJpYXQiOjE0NjIyOTgwODIsImNsaWVudF9uYW1lIjoiQmV0YWRlbW8iLCJ0ZW5hbnQiOiJURU5BTlQxIiwianRpIjoiZTVmMmQ5ZjAtODM5Mi00YjBlLTkzMDYtMDgyZTEwNDY1NmNiIn0.XafxdwNakfc01mNeNcrSVPQcprsfPsbMgWAnKHCIGtxG1gBRE4ZfS5DByJWt7wVByauvawql_ebqVMVOi1lrxw9aZxTfGFN6jMXu5nsnuEH26zN1q3hEZLkzSoyrFrpBaVWCAbmxyWz138QsVpqcdfahGw1fA_4qx4S6CU5WDjY",
"token_type": "Bearer",
"expires_in": 3600
}
Request Example Using a Client Assertion
The following shows an example cURL request using the Assertion grant type (in JWT format) and a client assertion to obtain an access token.
curl -i
-H 'Content-Type: application/x-www-form-urlencoded;charset=UTF-8'
--request POST https://tenant-base-url/oauth2/v1/token -d 'grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer&assertion=<user-assertion-value>&client_id=<client-id>&client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer&client_assertion=<client-assertion>&scope=<scope value>'
Response Example Using a Client Assertion
The following example shows the contents of the response body in JSON format when you use the Assertion grant type (in JWT format) and a client assertion to obtain an access token.
{
"access_token": "eyJraWQiOiJTSUdOSU5HX0tFWSIsImFsZyI6IlJTMjU2In0.eyJzdWIiOiIxMzViMDdkN2YxNzAzODNkOThmNGMyMTZlMmM5ODllNyIsInVzZXIudGVuYW50Lm5hbWUiOiJURU5BTlQxIiwic3ViX21hcHBpbmdhdHRyIjoidXNlck5hbWUiLCJpc3MiOiJodHRwczpcL1wvaWRlbnRpdHkub3JhY2xlY2xvdWQuY29tXC8iLCJ0b2tfdHlwZSI6IkFUIiwiY2xpZW50X2lkIjoiMTM1YjA3ZDdmMTcwMzgzZDk4ZjRjMjE2ZTJjOTg5ZTciLCJhdWQiOiJodHRwOlwvXC9hYmNjb3JwLmNvbVwvIiwic2NvcGUiOiJxdW90ZSB1c2VyIiwiY2xpZW50X3RlbmFudG5hbWUiOiJURU5BTlQxIiwiZXhwIjoxNDYyMzAxNjgyLCJpYXQiOjE0NjIyOTgwODIsImNsaWVudF9uYW1lIjoiQmV0YWRlbW8iLCJ0ZW5hbnQiOiJURU5BTlQxIiwianRpIjoiZTVmMmQ5ZjAtODM5Mi00YjBlLTkzMDYtMDgyZTEwNDY1NmNiIn0.XafxdwNakfc01mNeNcrSVPQcprsfPsbMgWAnKHCIGtxG1gBRE4ZfS5DByJWt7wVByauvawql_ebqVMVOi1lrxw9aZxTfGFN6jMXu5nsnuEH26zN1q3hEZLkzSoyrFrpBaVWCAbmxyWz138QsVpqcdfahGw1fA_4qx4S6CU5WDjY",
"token_type": "Bearer",
"expires_in": 3600
}
Device Code Grant Type Request and Response Examples
The following examples show an example request to obtain an access token using the Device Code grant type, and then an example response that is returned. There are several steps involved when using the Device Code grant type flow. First, the /device
endpoint is used to obtain a device code and a user code, and then that device code is used in a request to the /token
endpoint to obtain an access token so that a user can access a resource. See Generate Device Code and User Code (OAuth Device Flow) for example requests to obtain the device code and user code.
Request Example: Confidential Client
The following shows an example cURL request when a confidential/trusted client uses the Device Code grant type to obtain an access token.
curl -i -k
-H 'Content-Type: application/x-www-form-urlencoded; charset=utf-8'
-H 'Authorization: Basic <base64 clientid:secret>
--request POST 'https://tenant-base-url/oauth2/v1/token'
-d 'grant_type=urn:ietf:params:oauth:grant-type:device_code&device_code=4d03f7bc-f7a5-4795-819a-5748c4801d35'
Request Example: Public Client
The following shows an example cURL request when a public client uses the Device Code grant type to obtain an access token.
curl -i -k
-H 'Content-Type: application/x-www-form-urlencoded; charset=utf-8'
--request POST 'https://tenant-base-url/oauth2/v1/token' -d 'grant_type=urn:ietf:params:oauth:grant-type:device_code&client_id=3e51760ceb1245b7b77d0b1ff280bb72&device_code=4d03f7bc-f7a5-4795-819a-5748c4801d35'
Request Example Using a Client Assertion
The following shows an example cURL request using the Device Code grant type and a client assertion to obtain an access token.
curl -i -k
-H 'Content-Type: application/x-www-form-urlencoded; charset=utf-8'
--request POST 'https://tenant-base-url/oauth2/v1/token'
-d 'grant_type=urn:ietf:params:oauth:grant-type:device_code&client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer&client_assertion=<clientAssertion>&device_code=4d03f7bc-f7a5-4795-819a-5748c4801d35'
Request Example Using a SAML Assertion
The following shows an example cURL request using the Device Code grant type and an assertion (in SAML2 format) to obtain an access token.
curl -i -k
-H 'Content-Type: application/x-www-form-urlencoded; charset=utf-8'
--request POST 'https://tenant-base-url/oauth2/v1/token'
-d 'grant_type=urn:ietf:params:oauth:grant-type:device_code&client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Asaml2-bearer&client_assertion=<samlAssertion>&device_code=4d03f7bc-f7a5-4795-819a-5748c4801d35'
Response Example
The following example shows the contents of the response body in JSON format when you use the Device Code grant type to obtain an access token.
{
"access_token":"eyJ4NXQjU....fw1Q",
"token_type":"Bearer",
"expires_in":3600
}
Refresh Token Grant Type Request and Response Examples
Request Example Using the Authorization Header
The following shows an example cURL request using the refresh token grant type and the Authorization header to obtain an access token.
curl -i
-H 'Authorization: Basic <base64Encoded clientid:secret'
-H 'Content-Type: application/x-www-form-urlencoded;charset=UTF-8'
--request POST https://<IDCS-Service-Instance>.identity.oraclecloud.com/oauth2/v1/token -d 'grant_type=refresh_token&refresh_token=<refresh-token>&scope=<optional value>&custom_claims=<optional space separated request custom claim names and/or separated request custom claim names with overridden values>'
Response Example Using the Authorization Header
The following example shows the contents of the response body in JSON format when you use the refresh token grant type the Authorization Header to obtain an access token.
{
"access_token": "eyJraWQiO....WDjY",
"token_type": "Bearer",
"expires_in": 3600,
"refresh_token": "<token>
}
Request Example Using a Client Assertion
The following shows an example cURL request using the refresh token grant type and a client assertion to obtain an access token.
curl -i
-H 'Content-Type: application/x-www-form-urlencoded;charset=UTF-8'
--request POST https://tenant-base-url/oauth2/v1/token -d 'grant_type=refresh_token&refresh_token=<refresh-token>&client_id=<client-id>&client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer&client_assertion=<client-assertion>&scope=<optional scope value>'
Response Example Using a Client Assertion
The following example shows the contents of the response body in JSON format when you use the refresh token grant type and a client assertion to obtain an access token.
{
"access_token": "eyJraWQiO....2nqA",
"token_type": "Bearer",
"expires_in": 3600,
"refresh_token": "AQIDBAUn_jFYHxaLKIxQiAX7BpnfHQs-lvv9VZq_NTRq75NoqIbfpgXnCw1h2El7EuNIE9SGhK_GXo6JjDSDvtt6oUsyMTEgRU5DUllQVElPTl9LRVkxNCB7djF9NCA="
}