Token Request API

Copyright © Cloud Software Group, Inc. All Rights Reserved

Chapter 13 OAuth Server : Token Request API

Token Request API

To request an access token from the OAuth server, use the following API:

Name

/access_token

Description

Processes an access token request.

Access Token Request

The client makes a request to the token endpoint by sending the following parameters using the application/x-www-form-urlencoded format with a character encoding of UTF-8 in the HTTP POST request:

Table 134 Access Token Request Parameters

grant_type

Required. The value must be set to authorization_code.

code

Required. The authorization code received from the authorization server.

redirect_uri

Required, if the redirect_uri parameter was included in the authorization request. The value must match the redirect_uri value sent in the authorization request.

client_id

Required, if the client is not authenticating with the authorization server.

scope

Optional. Specifies the scope of the access request.

Access Token Request Example

To request an access token for the authorization code flow, the client makes the following HTTP POST request using TLS:

POST /asg/oauth2/access_token HTTP/1.1

Host: server.example.com

Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW

Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA

&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb

Access Token Response

If the access token request is valid and authorized, the authorization server issues an access token and an optional refresh token. The refresh token may be returned only for authorization code flow.

Access Token Response Example

The following is a successful response:

HTTP/1.1 200 OK

Content-Type: application/json;charset=UTF-8

Cache-Control: no-store

Pragma: no-cache

{

"access_token":"2YotnFZFEjr1zCsicMWpAA",

"token_type":"example",

"expires_in":3600,

"refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA",

"example_parameter":"example_value"

}

Access Token Request Error

If the request client authentication failed or is invalid, the authorization server returns an error response. The authorization server responds with an HTTP 400 status code (unless specified otherwise) and includes the following parameters with the response:

Table 135 Access Token Error Parameter

Parameter

Description

error

Specifies a single error code returned from the authorization server.

Required.

Refer to table Access Token Request Error Codes for the error codes.

The following table lists the error codes for the error returned for an invalid token request::

Table 136 Access Token Request Error Codes

Error Code

Description

invalid_request

The request is missing a required parameter, includes an unsupported parameter value (other than grant type), repeats a parameter, includes multiple credentials, utilizes more than one mechanism for authenticating the client, or is otherwise malformed.

invalid_client

Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method). The authorization server MAY return an HTTP 401 (Unauthorized) status code to indicate which HTTP authentication schemes are supported. If the client attempted to authenticate via the “Authorization” request header field, the authorization server MUST respond with an HTTP 401 (Unauthorized) status code and include the "WWW-Authenticate" response header field matching the authentication scheme used by the client.

invalid_grant

The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client.

unauthorized_client

The authenticated client is not authorized to use this authorization grant type.

unsupported_grant_type

The authorization grant type is not supported by the authorization server.

invalid_scope

The requested scope is invalid, unknown, malformed, or exceeds the scope granted by the resource owner.

error_description

Optional. Human-readable ASCII [USASCII] text providing additional information, used to assist the client developer in understanding the error that occurred.

error_uri

Optional. A URI identifying a human-readable web page with information about the error, used to provide the client developer with additional information about the error.

Access Token Error Example

The following is an example of the error response for an access token request:

HTTP/1.1 400 Bad Request

Content-Type: application/json;charset=UTF-8

Cache-Control: no-store

Pragma: no-cache

{

"error":"invalid_request"

}

grant_type	Required. The value must be set to authorization_code.
code	Required. The authorization code received from the authorization server.
redirect_uri	Required, if the redirect_uri parameter was included in the authorization request. The value must match the redirect_uri value sent in the authorization request.
client_id	Required, if the client is not authenticating with the authorization server.
scope	Optional. Specifies the scope of the access request.

Parameter	Description
error	Specifies a single error code returned from the authorization server. Required. Refer to table Access Token Request Error Codes for the error codes.

Error Code	Description
invalid_request
	The request is missing a required parameter, includes an unsupported parameter value (other than grant type), repeats a parameter, includes multiple credentials, utilizes more than one mechanism for authenticating the client, or is otherwise malformed.
invalid_client
	Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method). The authorization server MAY return an HTTP 401 (Unauthorized) status code to indicate which HTTP authentication schemes are supported. If the client attempted to authenticate via the “Authorization” request header field, the authorization server MUST respond with an HTTP 401 (Unauthorized) status code and include the "WWW-Authenticate" response header field matching the authentication scheme used by the client.
invalid_grant
	The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client.
unauthorized_client
	The authenticated client is not authorized to use this authorization grant type.
unsupported_grant_type
	The authorization grant type is not supported by the authorization server.
invalid_scope
	The requested scope is invalid, unknown, malformed, or exceeds the scope granted by the resource owner.
error_description
	Optional. Human-readable ASCII [USASCII] text providing additional information, used to assist the client developer in understanding the error that occurred.
error_uri
	Optional. A URI identifying a human-readable web page with information about the error, used to provide the client developer with additional information about the error.