Jump to

• Request
• Response
• Examples

Create Access Token Flow

post

/oauth2/rest/token

Request

Supported Media Types

• application/x-www-form-urlencoded

Query Parameters

• identityDomain: string
  Identity Domain under which the token is being requested. This is an optional parameter if 'x-oauth-identity-domain-name' header parameter is provided.

Header Parameters

• authorization(required): string
  Base64 encoded header of clientID:secret. This is an authentication mechanism for the Confidential Clients. Client Authentication can be specified through this header or ClientAssertionTokens. Either one of these mechanisms should be used.
• x-oauth-identity-domain-name(required): string
  Identity Domain under which the token is being requested.

Form Parameters

• assertion: string
  User Assertion token.Mandatory parameter in case GrantType is JWT_BEARER.
• client_assertion: string
  Client Assertion token. This is mandatory if the Client Authentication mechanism is via the ClientAssertionToken. If this is passed, then the authorization header is not required.
• client_assertion_type: string
  Type of client assertion. This is mandatory if the Client Authentication mechanism is via the ClientAssertionToken. If this is passed, then the authorization header is not required.

  Allowed Values: [ "JWT_BEARER", "urn:ietf:params:oauth:client-assertion-type:jwt-bearer" ]
• code: string
  Authorization Code obtained.Mandatory parameter in case GrantType is AUTHORIZATION_CODE.
• grant_type(required): string
  Grant Type for the Access Token Request

  Allowed Values: [ "CLIENT_CREDENTIALS", "AUTHORIZATION_CODE", "PASSWORD", "JWT_BEARER", "REFRESH_TOKEN" ]
• password: string
  Password of resource owner.Mandatory parameter in case GrantType is PASSWORD.
• redirect_uri: string
  Redirect URI.Mandatory parameter in case GrantType is AUTHORIZATION_CODE.
• refresh_token: string
  Refresh Token played to generate the new Access Token.Mandatory parameter in case GrantType is REFRESH_TOKEN.
• scope: string
  Scope requested in the Access Token. In case of REFRESH_TOKEN flows, defaulted to the values in the RefreshToken if not specified. In case JWT_BEARER flow access token requests UserInfo related scopes, supported scopes are UserInfo.me, UserInfo.email, UserInfo.profile, UserInfo.address or UserInfo.phone.

  Default Value: DefaultScope defined for Client
• username: string
  Username of resource owner. Mandatory parameter in case GrantType is PASSWORD.

Back to Top

Response

Supported Media Types

• application/json

200 Response

Access Token was generated successfully

Body ()

Root Schema : AccessToken

Type: object

Show Source

• access_token: string
  Access Token Generated
• expires_in: integer
  Time before the Access Token expires
• refresh_token: string
  Refresh Token Generated if enabled. This is also generated only for GrantType - AUTHORIZATION_CODE and PASSWORD
• token_type: string
  Type of token generated. eg:- Bearer

{
    "type":"object",
    "properties":{
        "access_token":{
            "type":"string",
            "description":"Access Token Generated"
        },
        "token_type":{
            "type":"string",
            "description":"Type of token generated. eg:- Bearer"
        },
        "expires_in":{
            "type":"integer",
            "description":"Time before the Access Token expires"
        },
        "refresh_token":{
            "type":"string",
            "description":"Refresh Token Generated if enabled. This is also generated only for GrantType - AUTHORIZATION_CODE and PASSWORD"
        }
    }
}

400 Response

Bad Request

Body ()

Root Schema : ErrorCode

Type: object

Show Source

• errorCode: string
  Error Code Generated
• errorDesc: string
  Translated Error Description
• secErrorDesc: string
  Secondary Error Message

{
    "type":"object",
    "properties":{
        "errorCode":{
            "type":"string",
            "description":"Error Code Generated"
        },
        "errorDesc":{
            "type":"string",
            "description":"Translated Error Description"
        },
        "secErrorDesc":{
            "type":"string",
            "description":"Secondary Error Message"
        }
    }
}

Back to Top

Examples

The following cURL command shows a sample request against the server for creating access tokens using Resource Owner Credentials in 2 - Legged Flows.

Note:

Headers of interest in requests

• Authorization : Base64 Url encoded ClientID:secret combination. 

• X-OAUTH-IDENTITY-DOMAIN-NAME: Identity Domain that the client belongs to.

cURL Example

curl -i -H 'Authorization: Basic U1NPTGlua0NsaWVudDp3ZWxjb21lMQ==' -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" -H "X-OAUTH-IDENTITY-DOMAIN-NAME: SSOLink" --request POST http://<ManagedServerHost>:<ManagedServerPort>/oauth2/rest/token -d 'grant_type=PASSWORD&username=<username>&password=<password>&scope=SSOLink.link1'

cURL Eamples for Create Token

curl -i -H 'Authorization: Basic U1NPTGlua0NsaWVudDp3ZWxjb21lMQ==' -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" -H "X-OAUTH-IDENTITY-DOMAIN-NAME: SSOLink" --request POST http://<ManagedServerHost>:<ManagedServerPort>/oauth2/rest/token -d 'grant_type=PASSWORD&username=<username>&password=<password>&scope=SSOLink.link1'

curl -i -H 'Authorization: Basic U1NPTGlua0NsaWVudDp3ZWxjb21lMQ==' -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" --request POST 'http://<ManagedServerHost>:<ManagedServerPort>/oauth2/rest/token?identityDomain=SSOLink' -d 'grant_type=PASSWORD&username=<username>&password=<password>&scope=SSOLink.link1'

Back to Top