Get Access Token PKCE Flow
Use this API instead:
- /oidc/oauth2/token
This endpoint exchanges one of the following grants for an access token: authorization_code, refresh_token, client_credentials.
- Include the parameters using application/x-www-form-urlencoded format in the HTTP request body.
- Include the Basic Base64_Encode(client_id:client_secret) value in the HTTP Authorization header.
Organization ID parameter notes: when the organization ID is missing from the request, the default organization is used.
- For the password grant type, the user's default organization is set if available.
- For the client_credentials grant type, the organization that owns the client is set if available.
Access Policy
| Role | Access |
|---|---|
| Anonymous | ✔️ |
Basic auth client credentials [Basic Base64_Encode(client_id:client_secret)].
Example: authorization: Basic Y2xpZW50X2lkOmNsaWVudF9zZWNyZXQ=
Decoding this string will literally return client_id:client_secret.
Note: when using Public OAuth clients, Authorization is required using the format 'Basic Base64_Encode(client_id:)' with empty client_secret.
The application/x-www-form-urlencoded form data type.
OAuth grant types for different use cases.
Authorization code parameter. Mandatory for grant_type 'authorization_code'.
Service redirect uri. Mandatory for grant_type 'authorization_code'.
Refresh token parameter. Available for grant_type 'refresh_token'.
Currently not supported. Present for CSP compatibility.
Unique identifier (GUID) of the organization. Available for grant_type 'client_credentials'.
Required if the grant_type is 'client_delegate'. A security token that represents the identity of the party on behalf of whom the request is being made. In client_delegate flow, the token provided MUST BE the access token of the user.
Required if the grant_type is 'client_delegate'. The identifier for the subject token provided as per RFC 8693 https://tools.ietf.org/html/rfc8693#section-3. In 'client_delegate' flow, this value MUST BE 'urn:ietf:params:oauth:token-type:access_token'.
A high-entropy cryptographic random key using the characters [A-Z] / [a-z] / [0-9] / '-' / '.' / '_' / '~', with a minimum length of 43 characters and a maximum length of 128 characters, which was used to generate the 'code_challenge' and obtain the authorization code. Required if PKCE was used in the authorization code grant request. For more information, refer to the PKCE RFC at https://tools.ietf.org/html/rfc7636.
Required if the grant_type is 'authorization_code'. If provided in the request body, it must match the client_id sent in the Authorization header.
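The following is an added example (not CSP's own code) showing the client side of the PKCE exchange described above: it generates a code_verifier that satisfies the alphabet and 43..128 length rules stated for this endpoint, derives the S256 code_challenge per RFC 7636, and assembles the form-encoded token request with the Basic header a public client must send (empty client_secret). The parameter names 'code' and 'redirect_uri' follow RFC 6749 and are assumed for this endpoint; 'grant_type', 'code_verifier' and 'client_id' are the names the page gives.

```python
import base64
import hashlib
import re
import secrets
from urllib.parse import urlencode

# Allowed alphabet and length window for code_verifier, as stated in the endpoint
# description (RFC 7636 section 4.1).
VERIFIER_RE = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")


def make_code_verifier(nbytes: int = 64) -> str:
    """Return a high-entropy code_verifier (64 random bytes -> 86 URL-safe characters)."""
    raw = base64.urlsafe_b64encode(secrets.token_bytes(nbytes))
    return raw.rstrip(b"=").decode("ascii")


def is_valid_code_verifier(verifier: str) -> bool:
    """Reject verifiers outside the permitted alphabet or the 43..128 length window."""
    return VERIFIER_RE.fullmatch(verifier) is not None


def code_challenge_s256(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier))), padding stripped."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_token_request(client_id: str, code: str, redirect_uri: str,
                        verifier: str, client_secret: str = "") -> dict:
    """Assemble headers and body for the token endpoint without sending anything.

    client_secret defaults to "" so the Authorization header becomes
    Basic base64(client_id:), the form required for public OAuth clients.
    'code' and 'redirect_uri' are assumed RFC 6749 parameter names.
    """
    if not is_valid_code_verifier(verifier):
        raise ValueError("code_verifier must be 43-128 chars of [A-Za-z0-9-._~]")
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode("ascii")).decode("ascii")
    body = urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "code_verifier": verifier,
        "client_id": client_id,  # must match the client_id in the Authorization header
    })
    return {
        "headers": {"Authorization": f"Basic {basic}",
                    "Content-Type": "application/x-www-form-urlencoded"},
        "body": body,
    }
```

The verifier is generated once per authorization request and must be kept client-side until the token exchange; only the challenge travels in the authorization request.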
Responses (each documented with the "AccessToken Object" schema: Scope, Access Token, Refresh Token, ID Token, Token Type, Access Token Expiration):
- OK
- Invalid request body.
- Client is forbidden for delegation.
- Organization with this identifier is not found.
curl -X POST -H 'Authorization: Basic <Base64_Encode(client_id:client_secret)>' -H 'Content-Type: application/x-www-form-urlencoded' -d 'grant_type=authorization_code&code=<authorization_code>&redirect_uri=<redirect_uri>&code_verifier=<code_verifier>' https://{api_host}/csp/gateway/am/api/auth/token