Generate Access Token and Other OAuth Runtime Tokens to Access the Resource

post

/oauth2/v1/token

Request

Supported Media Types
Header Parameters
  • Basic Authorization. Base64 encoding of client credentials (for client assertions, the Authorization header is optional). Signature-based Authorization. For example, Authorization: Signature version="1",keyId="[tenancyOcid]/[userOcid]/[keyFingerprint]",algorithm="rsa-sha256",headers="(request-target) date x-content-sha256 content-type content-length",signature="Base64(RSA-SHA256())"
Body ()
Root Schema : schema
Type: object
  • Assertion of user (only in the assertion grant flow)
    Example: eyJraWQiOiJUcnVzdGVkUGFydHlfMSIsInR5cCI6IkpXVCIsImFsZyI6IlJTNTEyIn0.eyJzdWIiOiJ0ZXN0QG9yYWNsZS5jb20iLCJhdWQiOiJodHRwczpcL1wvd3d3LmlkZW50aXR5Lm9yYWNsZWNsb3VkLmNvbVwvIiwibmJmIjoxNDQwNzU5NDQ0LCJpc3MiOiJUcnVzdGVkUGFydHlfMSIsImV4cCI6MTQ0MDc2MDA0NCwiaWF0IjoxNDQwNzU5NDQ0LCJqdGkiOiIyYmViNmQ1ZS1lN2JmLTQ1NTgtOTc1Yy1iNjNhZWJlMzEwOTMifQ.pWDTO81e31h8waDz_eCI3IJuxNBRh4k2hDVhmsQSH8DgztzgL10dVKZnRTBo-Tfj3-NBa9GihzZw1QsLBnd8oeG0ZD-EKz0ZiL6sT13QeYLV7G3gIDLrTO2FbVNd615Dg1wcVPz5f631NQBW5TRl4mcQUGNHEfRrE1F5NrC_Ok
  • Assertion of the client (only in client assertion cases)
    Example: eyJraWQiOiJTSUdOSU5HX0tFWSIsInR5cCI6IkpXVCIsImFsZyI6IlJTNTEyIn0.eyJzdWIiOiI1YzA4NDcyMi03Njk3LTQ2NzgtOWVmNC01ZDMxYjg5MjgzYTMiLCJhdWQiOiJodHRwczpcL1wvd3d3LmlkZW50aXR5Lm9yYWNsZWNsb3VkLmNvbVwvIiwibmJmIjoxNDQwNzU5NDA4LCJpc3MiOiJTSUdOSU5HX0tFWSIsImV4cCI6MTQ0MDc2MDAwOCwiaWF0IjoxNDQwNzU5NDA4LCJqdGkiOiJhMmIwYmQzMS1mODFkLTRmNmMtODY1Ni1lOWRjYTczNTU4OTIifQ.jefxnKDUedfJgp40nUbLJrPdoTPGrkWHrp_uiuqJzD_7Pp9N2GkrAN-Nfri26ryGF0aMxjUs_My8qyfyzuDSK9iPHVLMDulbrdnShEAi-rYS8MMs4Uj6KYYhg_S8nquN5SAk00ZjKCjAImAbAghGXjJ51ZfPsBLMTP0fa7zAr9g
  • Client assertion type (only in client assertion cases)
    Example: urn:ietf:params:oauth:client-assertion-type:jwt-bearer
  • Unique identifier for the client (only in client assertion cases)
    Example: a5bf5db7f6c43b47b1eae399c68319c4
  • Authorization Code that is generated during the call to the Authorize endpoint (only in the Authorization (3-legged) grant flow)
    Example: AQIDBAXxVUQH5kHqoD1vmxmo-Yh1SCrbeyQQoJv4qaPWk0iu8aXwMvVREFk4YcPNNJ6oxpIanTS253PPqsvyp2KJ8QJfMTEgRU5DUllQVElPTl9LRVkxNCB7djF9NCA%3D
  • Grant type by which a client requests an Access Token
    Example: client_credentials
  • Password of the user (only when using the Password grant flow)
    Example: Test123456
  • Redirect URI where the response is sent (used in the Authorization or Implicit (3-legged) grant flow)
    Example: http://abccorp.com/quote
  • Refresh Token that is generated using the offline_access scope (only in the Refresh Token grant flow)
    Example: eyJ4NXQiOiI4Wk5NMEFfNWFuSTc0dGp3Y3FWcWtMN3Z0Q2ciLCJraWQiOiJwcml2YWVrZXkxIiwiYWxnIjoiUlMyNTYifQ.eyJzdWIiOiJ0ZXN0QG9yYWNsZS5jb20iLCJhdWQiOiI1YzA4NDcyMi03Njk3LTQ2NzgtOWVmNC01ZDMxYjg5MjgzYTMiLCJuYmYiOjE0NDA3NTk0NDYsInNjb3BlIjoiQUNNRUNhbmRpZGF0ZVByb2ZpbGVTZXJ2aWNlLnJlc3VtZXNfbW9udGhzIG9mZmxpbmVfYWNjZXNzIiwiaXNzIjoiaWRjcy5vcmFjbGUuY29tIiwiZXhwIjoxNDQwOTc1NDQ2LCJpYXQiOjE0NDA3NTk0NDYsInRlbmFudCI6IlRFTkFOVDEiLCJqdGkiOiJhZWZhYTUwOC0zZGNlLTQ5OWMtYmExNC04ZDNhYTQ1NzEyMjEifQ.aLfyVU7OZgvJKLG5nkj-2P515QZ1KTcjsPot9r6HGNs7cARCE_OIR4x7bK8CfPU6oY3vs1HC6m9HPg-ieE3ckA
  • Requested token type (only in token exchange cases)
    Example: urn:ietf:params:oauth:token-type:access_token
  • Scope for which the Access Token is requested. For the refresh_token grant type, scope is optional.
    Example: http://abccorp.com/quote
  • Subject token representing the subject (only in token exchange cases)
    Example: AQIDBAXxVUQH5kHqoD1vmxmo-Yh1SCrbeyQQoJv4qaPWk0iu8aXwMvVREFk4YcPNNJ6oxpIanTS253PPqsvyp2KJ8QJfMTEgRU5DUllQVElPTl9LRVkxNCB7djF9NCA%3D
  • Name of the user who wants to access the scope (only when using the Password grant flow)
    Example: test@oracle.com

Response

Supported Media Types

200 Response

Access Token generated
Body ()
Root Schema : token
Type: object
Generate the Access Token in JSON Web Token format (JWT).

400 Response

Invalid request
Body ()
Root Schema : error
Type: object
Error message that appears during Revoke Refresh Token

401 Response

Unauthorized client
Body ()
Root Schema : error
Type: object
Error message that appears during Revoke Refresh Token

Examples

The following examples show how to generate an access token and other OAuth Runtime tokens to access the resource using one of the grant type flows by submitting a POST request on the REST resource using cURL. For more information about cURL, see Using cURL. See the Managing Authorization section for more information on grant types.

Note:

See Scopes for more information on using various scopes to more specifically define a set of resources and operations that an access token allows. The size of the access token is limited to 16000 characters by default.

The following examples show an example request to obtain an access token by grant type, and then an example response:

Custom Claims (2-Legged Flow) Request and Response Examples

Sample Request: Custom Claims 2-Legged

Use token requests with Custom Claims in the Request mode when you want that custom claim to be attached to the token. The custom claim is attached to the token only if it is requested or overridden. The custom_claims parameter must be in the token request.

# --insecure disables TLS certificate verification for this request.
curl --insecure -i \
-H 'Authorization: Basic ODExOTA1OWU3MTE5NGY4N2JkMjc5ZjMzNGJmNDkzOTY6YWYzZjE4ZjEtZTQxNS00NjdmLWEyMjYtMmRjODc5ZjQ0NTAz' \
-H 'Content-Type: application/x-www-form-urlencoded; charset=utf-8' \
--request POST 'https://tenant1.idcs.internal.oracle.com:8943/oauth2/v1/token' -d 'grant_type=password&scope=http://www.docservice.com/test1+http://www.docservice.com/test2&custom_claims=requestTest1ATClaim alwaysTest1ATClaim requestTest2BothClaim=myValue&username=admin@oracle.com&password=Welc0me@1'

Sample Response: Custom Claims 2-Legged

{"access_token":"<access_token>","token_type":"Bearer","expires_in":3600}

Sample Request: Custom Claims Overrides

You can override the value that is configured in the claim. The custom_claims parameter can be in the format custom_claims=claim1 claim2 or custom_claims=claim1=myValue claim2 claim3=myOtherValue.

curl -i \
-H 'Authorization: Basic <base64Encoded clientid:secret>' \
-H 'Content-Type: application/x-www-form-urlencoded;charset=UTF-8' \
--request POST 'https://<IDCS-Service-Instance>.identity.oraclecloud.com/oauth2/v1/token' -d 'grant_type=password&username=<user-name>&password=<password>&scope=<value>&custom_claims=<optional space separated request custom claim names and/or space separated request custom claim names with overridden values>'

Sample Response: Custom Claims Overrides

In a successful response, the requested custom claim is embedded in the token. If the requested custom claim doesn't exist, or if you're trying to override a custom claim that doesn't exist, the request returns an error.

Refresh Token: Custom Claims

For a refresh token flow, the custom_claims parameter can be included in the token request with the grant_type = refresh_token.

Sample Request: Custom Claims Refresh Token

curl -i \
-H 'Authorization: Basic <base64Encoded clientid:secret>' \
-H 'Content-Type: application/x-www-form-urlencoded;charset=UTF-8' \
--request POST https://tenant-base-url/oauth2/v1/token -d 'grant_type=refresh_token&refresh_token=<refresh-token>&custom_claims=<optional space separated request custom claim names and/or separated request custom claim names with overridden values>'

Sample Response: Custom Claims Refresh Token

The generated token has the requested custom claim embedded. If the requested custom claim doesn't exist, or if you are trying to override a custom claim, which is not allowed, the request returns an error.

{
    "access_token": "eyJraWQiO....WDjY",
    "token_type": "Bearer",
    "expires_in": 3600,
    "refresh_token": "<refresh token>"
}

Authorization Code Grant Type (3-Legged Flow) Request and Response Examples

The Authorization Code grant type flow is used only in the 3-legged OAuth flow. The following examples are the next step that you take to obtain the access token, after Generating an Authorization Code and an Identity Token.

Note:

The command in this example uses the URL structure https://tenant-base-url/resource-path, where tenant-base-url represents the Identity Service URL, and the resource path represents the Identity Service API. See Send Requests for the appropriate URL structure to use.

Request Example: Confidential/Trusted Client

The following shows an example cURL request when a confidential/trusted client uses the Authorization Code grant type to obtain an access token and other OAuth Runtime tokens.

curl -i \
-H 'Authorization: Basic <base64-clientid-secret>' \
-H 'Content-Type: application/x-www-form-urlencoded;charset=UTF-8' \
--request POST https://tenant-base-url/oauth2/v1/token -d 'grant_type=authorization_code&code=<authz-code>&redirect_uri=<client-redirect-uri>'

Request Example: Public Client

The following shows an example cURL request when a public client uses the Authorization Code grant type to obtain an access token and other OAuth Runtime tokens.

curl -i \
-H 'Content-Type: application/x-www-form-urlencoded;charset=UTF-8' \
--request POST https://tenant-base-url/oauth2/v1/token -d 'grant_type=authorization_code&code=<authz-code>&redirect_uri=<client-redirect-uri>&client_id=<client-id>'

Response Example

The following example shows the contents of the response body in JSON format when you use the Authorization Code grant type to obtain an access token and other OAuth Runtime tokens.

{
    "access_token": "eyJraWQiO.......Ao8A",
    "token_type": "Bearer",
    "id_token": "eyJraWQiO..........vMZQ",
    "expires_in": 3600
  }

Request Example: Custom Claims

If you are using a 3-legged flow, you must include the custom_claims=<optional space separated request custom claim names and/or space separated request custom claim names with overridden values> parameter in the URL of the Authorization Code request, because the custom claim is validated when the Authorization Code is requested. If you don't add the custom_claims parameter, you will get an error. You first request the Authorization Code and then use that Authorization Code to request an access token. When you use the Authorization Code to get the access token, you do not need to include the custom claim.

The following shows an example of a request when a custom claim uses the Authorization Code grant type to obtain an access token. The custom_claims parameter can be in the format 'custom_claims=claim1%20claim2' or 'custom_claims=claim1=myValue%20claim2%20claim3=myOtherValue' where %20 is the URL encoded space character.

GET
https://<IDCS-Service-Instance>.identity.oraclecloud.com/oauth2/v1/authorize?client_id=<client_id>&response_type=code&redirect_uri=<client-redirect-uri>&scope=openid&nonce=<nonce-value>&state=1234&custom_claims=<space separated request custom claim names and/or space separated request custom claim names with overridden values>

Response Example: Custom Claims

In a successful response, the requested custom claim is embedded in the token. If the requested custom claim doesn't exist, or if you're trying to override a custom claim, which is not allowed when requesting an Authorization Code, the request returns an error.

{"access_token":"<access_token>","token_type":"Bearer","expires_in":3600}
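
Added example (not Oracle's code): a Python sketch that parses the custom_claims value used in the 2-legged and 3-legged sections above, form-encodes it for /oauth2/v1/token, percent-encodes it for /oauth2/v1/authorize, and checks a returned token for the requested claims. It assumes custom claims appear as top-level members of the JWT payload; the helper names and the sample token are constructed for illustration, and the payload is decoded without signature verification, so it is an inspection aid only.

```python
import base64
import json
from urllib.parse import quote, urlencode


def parse_custom_claims(spec):
    """'claim1=myValue claim2' -> {'claim1': 'myValue', 'claim2': None}."""
    claims = {}
    for item in spec.split():
        name, sep, value = item.partition("=")
        if not name:
            raise ValueError(f"claim name missing in {item!r}")
        claims[name] = value if sep else None  # None: requested, not overridden
    return claims


def token_request_body(grant_params, custom_claims):
    """Form-encode a token request body: spaces become '+', '=' and '&' are escaped."""
    return urlencode({**grant_params, "custom_claims": custom_claims})


def authorize_url(base_url, params, custom_claims):
    """Build the authorize URL with %20 for spaces, the form the page describes."""
    query = urlencode({**params, "custom_claims": custom_claims}, quote_via=quote)
    return f"{base_url}/oauth2/v1/authorize?{query}"


def jwt_payload(token):
    """Decode the JWT payload segment. No signature check: inspection only."""
    segment = token.split(".")[1]
    segment += "=" * (-len(segment) % 4)  # restore stripped base64 padding
    return json.loads(base64.urlsafe_b64decode(segment))


def claim_problems(token, custom_claims):
    """List requested claims that are absent from the token or carry another value."""
    payload = jwt_payload(token)
    problems = []
    for name, override in parse_custom_claims(custom_claims).items():
        if name not in payload:
            problems.append(f"{name}: missing")
        elif override is not None and str(payload[name]) != override:
            problems.append(f"{name}: expected {override!r}, got {payload[name]!r}")
    return problems


def _segment(obj):
    """Encode a dict as an unpadded base64url JWT segment."""
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


# custom_claims value taken from the page's 2-legged sample request.
SAMPLE_CLAIMS = "requestTest1ATClaim alwaysTest1ATClaim requestTest2BothClaim=myValue"
# Constructed token (fake signature) that lacks one of the requested claims.
SAMPLE_TOKEN = ".".join([
    _segment({"alg": "RS256", "typ": "JWT"}),
    _segment({"sub": "user@example.com", "requestTest1ATClaim": "a",
              "requestTest2BothClaim": "myValue"}),
    "constructed-signature",
])

if __name__ == "__main__":
    print(token_request_body({"grant_type": "password", "scope": "<scope>"}, SAMPLE_CLAIMS))
    print(authorize_url("https://tenant-base-url", {"response_type": "code"}, SAMPLE_CLAIMS))
    print(claim_problems(SAMPLE_TOKEN, SAMPLE_CLAIMS))
```

Encoding the value rather than concatenating it into the body keeps an override value that contains `&` or `=` inside the custom_claims parameter instead of letting it start a new form field.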

Client Credentials Grant Type Request and Response Examples

Request Example Using the Authorization Header

The following shows an example cURL request using the Client Credentials grant type and the Authorization header to obtain an access token.

curl -i \
-H 'Authorization: Basic <base64Encoded clientid:secret>' \
-H 'Content-Type: application/x-www-form-urlencoded;charset=UTF-8' \
--request POST https://tenant-base-url/oauth2/v1/token -d 'grant_type=client_credentials&scope=<scope value>'

Response Example Using the Authorization Header

The following example shows the contents of the response body in JSON format when you use the Client Credentials grant type and the Authorization header to obtain an access token.

{
    "access_token": "eyJraWQiO.....WDjY",
    "token_type": "Bearer",
    "expires_in": 3600
  }

Request Example Using a Client Assertion

The following shows an example cURL request using the Client Credentials grant type and a client assertion to obtain an access token.

curl -i \
-H 'Content-Type: application/x-www-form-urlencoded;charset=UTF-8' \
--request POST https://tenant-base-url/oauth2/v1/token -d 'grant_type=client_credentials&client_id=<client-id>&client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer&client_assertion=<client-assertion>&scope=<scope value>'

Response Example Using a Client Assertion

The following example shows the contents of the response body in JSON format when you use the Client Credentials grant type and a client assertion to obtain an access token.

{
    "access_token": "eyJ4NXQiO......HFpw",
    "token_type": "Bearer",
    "expires_in": 3600
  }

Resource Owner Password Credentials Grant Type Request and Response Examples

Request Example Using the Authorization Header

The following shows an example cURL request using the Resource Owner Password Credentials grant type and the Authorization header to obtain an access token.

curl --insecure -i \
-H 'Authorization: Basic <your base64 encoded clientid:clientsecret>' \
-H 'Content-Type: application/x-www-form-urlencoded;charset=utf-8' \
--request POST 'https://tenant-base-url/oauth2/v1/token' -d 'grant_type=password&scope=<your scope>+offline_access&username=<name>&password=<password>&custom_claims=<optional space separated request custom claim names and/or separated request custom claim names with overridden values>'

Response Example Using the Authorization Header

The following example shows the contents of the response body in JSON format when you use the Resource Owner Password Credentials grant type and the Authorization header to obtain an access token.

{"access_token":"<access_token>","token_type":"Bearer","expires_in":3600}

Request Example Using a Client Assertion

The following shows an example cURL request using the Resource Owner Password Credentials grant type and a client assertion to obtain an access token.

curl -i \
-H 'Content-Type: application/x-www-form-urlencoded;charset=UTF-8' \
--request POST https://tenant-base-url/oauth2/v1/token -d 'grant_type=password&username=<user-name>&password=<password>&client_id=<client-id>&client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer&client_assertion=<client-assertion>&scope=<scope value>'

Response Example Using a Client Assertion

The following example shows the contents of the response body in JSON format when you use the Resource Owner Password Credentials grant type and a client assertion to obtain an access token.

{
    "access_token": "eyJraWQiO......sPds",
    "token_type": "Bearer",
    "expires_in": 3600
  }

SAML2 Assertion Grant Type Request and Response Examples

Request Example Using the Authorization Header

The following shows an example cURL request using the Assertion grant type (in SAML2 format) and the Authorization header to obtain an access token. The SAML2 assertion must be Base64 encoded.

curl -i \
-H 'Authorization: Basic <base64Encoded clientid:secret>' \
-H 'Content-Type: application/x-www-form-urlencoded;charset=UTF-8' \
--request POST https://tenant-base-url/oauth2/v1/token -d 'grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Asaml2-bearer&assertion=<Base64 Encoded user-saml2-assertion-value>&scope=<scope value>'

Response Example Using the Authorization Header

The following example shows the contents of the response body in JSON format when you use the Assertion grant type (in SAML2 format) and the Authorization header to obtain an access token.

{
  "access_token": "eyJraWQiO.....WDjY",
  "token_type": "Bearer",
  "expires_in": 3600
}

Request Example Using a Client Assertion

The following shows an example cURL request using the Assertion grant type (in SAML2 format) and a client assertion to obtain an access token. The SAML2 assertion must be Base64 encoded.

curl -i \
-H 'Content-Type: application/x-www-form-urlencoded;charset=UTF-8' \
--request POST https://tenant-base-url/oauth2/v1/token -d 'grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Asaml2-bearer&assertion=<Base64 Encoded user-saml2-assertion-value>&client_id=<client-id>&client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Asaml2-bearer&client_assertion=<client-saml2-assertion>&scope=<scope value>'

Response Example Using a Client Assertion

The following example shows the contents of the response body in JSON format when you use the Assertion grant type (in SAML2 format) and a client assertion to obtain an access token.

{
  "access_token": "eyJraWQi......WDjY",
  "token_type": "Bearer",
  "expires_in": 3600
}

JWT Assertion Grant Type Request and Response Examples

Request Example Using the Authorization Header

The following shows an example cURL request using the Assertion grant type (in JWT format) and the Authorization header to obtain an access token.

curl -i \
-H 'Authorization: Basic <base64Encoded clientid:secret>' \
-H 'Content-Type: application/x-www-form-urlencoded;charset=UTF-8' \
--request POST https://tenant-base-url/oauth2/v1/token -d 'grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer&assertion=<user-assertion-value>&scope=<scope value>'

Response Example Using the Authorization Header

The following example shows the contents of the response body in JSON format when you use the Assertion grant type (in JWT format) and the Authorization header to obtain an access token.

{
    "access_token": "eyJraWQiO.....WDjY",
    "token_type": "Bearer",
    "expires_in": 3600
  }

Request Example Using a Client Assertion

The following shows an example cURL request using the Assertion grant type (in JWT format) and a client assertion to obtain an access token.

curl -i \
-H 'Content-Type: application/x-www-form-urlencoded;charset=UTF-8' \
--request POST https://tenant-base-url/oauth2/v1/token -d 'grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer&assertion=<user-assertion-value>&client_id=<client-id>&client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer&client_assertion=<client-assertion>&scope=<scope value>'

Response Example Using a Client Assertion

The following example shows the contents of the response body in JSON format when you use the Assertion grant type (in JWT format) and a client assertion to obtain an access token.

{
    "access_token": "eyJraWQiO.....WDjY",
    "token_type": "Bearer",
    "expires_in": 3600
  }

Device Code Grant Type Request and Response Examples

The following examples show an example request to obtain an access token using the Device Code grant type, and then an example response that is returned. There are several steps involved when using the Device Code grant type flow. First, the /device endpoint is used to obtain a device code and a user code, and then that device code is used in a request to the /token endpoint to obtain an access token so that a user can access a resource. See Generate Device Code and User Code (OAuth Device Flow) for example requests to obtain the device code and user code.

Request Example: Confidential Client

The following shows an example cURL request when a confidential/trusted client uses the Device Code grant type to obtain an access token.

# -k (--insecure) disables TLS certificate verification for this request.
curl -i -k \
-H 'Content-Type: application/x-www-form-urlencoded; charset=utf-8' \
-H 'Authorization: Basic <base64 clientid:secret>' \
--request POST 'https://tenant-base-url/oauth2/v1/token' \
-d 'grant_type=urn:ietf:params:oauth:grant-type:device_code&device_code=4d03f7bc-f7a5-4795-819a-5748c4801d35'

Request Example: Public Client

The following shows an example cURL request when a public client uses the Device Code grant type to obtain an access token.

curl -i -k \
-H 'Content-Type: application/x-www-form-urlencoded; charset=utf-8' \
--request POST 'https://tenant-base-url/oauth2/v1/token' -d 'grant_type=urn:ietf:params:oauth:grant-type:device_code&client_id=3e51760ceb1245b7b77d0b1ff280bb72&device_code=4d03f7bc-f7a5-4795-819a-5748c4801d35'

Request Example Using a Client Assertion

The following shows an example cURL request using the Device Code grant type and a client assertion to obtain an access token.

curl -i -k \
-H 'Content-Type: application/x-www-form-urlencoded; charset=utf-8' \
--request POST 'https://tenant-base-url/oauth2/v1/token' \
-d 'grant_type=urn:ietf:params:oauth:grant-type:device_code&client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer&client_assertion=<clientAssertion>&device_code=4d03f7bc-f7a5-4795-819a-5748c4801d35'

Request Example Using a SAML Assertion

The following shows an example cURL request using the Device Code grant type and an assertion (in SAML2 format) to obtain an access token.

curl -i -k \
-H 'Content-Type: application/x-www-form-urlencoded; charset=utf-8' \
--request POST 'https://tenant-base-url/oauth2/v1/token' \
-d 'grant_type=urn:ietf:params:oauth:grant-type:device_code&client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Asaml2-bearer&client_assertion=<samlAssertion>&device_code=4d03f7bc-f7a5-4795-819a-5748c4801d35'

Response Example

The following example shows the contents of the response body in JSON format when you use the Device Code grant type to obtain an access token.

{
"access_token":"eyJ4NXQjU....fw1Q",
"token_type":"Bearer",
"expires_in":3600
}

Refresh Token Grant Type Request and Response Examples

Request Example Using the Authorization Header

The following shows an example cURL request using the refresh token grant type and the Authorization header to obtain an access token.

curl -i \
-H 'Authorization: Basic <base64Encoded clientid:secret>' \
-H 'Content-Type: application/x-www-form-urlencoded;charset=UTF-8' \
--request POST 'https://<IDCS-Service-Instance>.identity.oraclecloud.com/oauth2/v1/token' -d 'grant_type=refresh_token&refresh_token=<refresh-token>&scope=<optional value>&custom_claims=<optional space separated request custom claim names and/or separated request custom claim names with overridden values>'

Response Example Using the Authorization Header

The following example shows the contents of the response body in JSON format when you use the refresh token grant type and the Authorization header to obtain an access token.

{
    "access_token": "eyJraWQiO....WDjY",
    "token_type": "Bearer",
    "expires_in": 3600,
    "refresh_token": "<token>"
}

Request Example Using a Client Assertion

The following shows an example cURL request using the refresh token grant type and a client assertion to obtain an access token.

curl -i \
-H 'Content-Type: application/x-www-form-urlencoded;charset=UTF-8' \
--request POST https://tenant-base-url/oauth2/v1/token -d 'grant_type=refresh_token&refresh_token=<refresh-token>&client_id=<client-id>&client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer&client_assertion=<client-assertion>&scope=<optional scope value>'

Response Example Using a Client Assertion

The following example shows the contents of the response body in JSON format when you use the refresh token grant type and a client assertion to obtain an access token.

{
    "access_token": "eyJraWQiO....2nqA",
    "token_type": "Bearer",
    "expires_in": 3600,
    "refresh_token": "AQIDBAUn_jFYHxaLKIxQiAX7BpnfHQs-lvv9VZq_NTRq75NoqIbfpgXnCw1h2El7EuNIE9SGhK_GXo6JjDSDvtt6oUsyMTEgRU5DUllQVElPTl9LRVkxNCB7djF9NCA="
  }