Endpoint URL: /{customerId}/login/token
Description
Issues access tokens and refresh tokens based on the requested grant type:
- If the grant_type is set to authorization_code, an authorization code is exchanged for an access token, a refresh token, and an identity token.
- If the grant_type is set to refresh_token, a refresh token is exchanged for a new access token.
- If the grant_type is set to client_credentials, an access token is issued for the client based on its associated token policy.
Authentication
The authentication method used when calling this endpoint varies depending on the type of grant you are requesting:
- authorization_code using a public client (PKCE). Authentication is not required when using a public client. However, you must include the code_verifier parameter when making a call from a public client.
- authorization_code using a confidential client. Use Basic authentication, specifying the client ID of a confidential client as your username and the client secret of that same OIDC client as your password.
- refresh_token. Authentication is not required.
- client_credentials. Use Basic authentication, specifying the client ID of a configuration client as your username and the client secret of that same OIDC client as your password.
Path Parameters
The path parameters that must be included in the request are listed in the following table:
Name | Type | Required | Description |
---|---|---|---|
{customerId} | string | Yes | Unique identifier of the customer requesting a token. |
Body Parameters
The application/x-www-form-urlencoded body parameters for the /{customerId}/login/token endpoint include the following:
Name | Type | Description |
---|---|---|
grant_type | string | Specifies the type of authorization grant being requested. Allowed values are: authorization_code, refresh_token, and client_credentials. |
code | string | The authorization code being exchanged. This parameter is required when using the following grant types: authorization_code. |
refresh_token | string | The refresh token being exchanged. This parameter is required when using the following grant types: refresh_token. |
code_verifier | string | Required if you are using PKCE (Proof Key for Code Exchange) and your original authorization request includes the code_challenge parameter. The code_verifier value must be the same value used to generate the initial code challenge. This parameter is required when using the following grant types: authorization_code (public client). |
redirect_uri | string | URL of the page the user will be redirected to following the token exchange. This parameter is required when using the following grant types: authorization_code. |
scope | string | The value specified must match the scopes requested in the token policy associated with the OIDC configuration client. This parameter is required when using the following grant types: client_credentials. |
client_id | string | ID of the OIDC client that made the initial authorization request. This parameter is required when using the following grant types: authorization_code and refresh_token. |
Sample Request (Curl): authorization_code Grant (non-PKCE)
The following command exchanges the authorization code K2MzvxY8nIRhNQYe for a set of tokens:
curl -X POST \
https://v1.api.us.janrain.com/00000000-0000-0000-0000-000000000000/login/token \
-H 'Content-Type: application/x-www-form-urlencoded' \
-d 'grant_type=authorization_code' \
-d 'redirect_uri=https://documentation.akamai.com' \
-d 'code=K2MzvxY8nIRhNQYe' \
-d 'client_id=9e7f2429-496d-4437-b516-048472613cf9' \
-d 'client_secret=hr645hewi348kewr'
Sample Request (Curl): authorization_code Grant (PKCE)
The following command uses the PKCE flow to exchange the authorization code K2MzvxY8nIRhNQYe for a set of tokens:
curl -X POST \
https://v1.api.us.janrain.com/00000000-0000-0000-0000-000000000000/login/token \
-H 'Content-Type: application/x-www-form-urlencoded' \
-d 'grant_type=authorization_code' \
-d 'client_id=9e7f2429-496d-4437-b516-048472613cf9' \
-d 'redirect_uri=https://documentation.akamai.com' \
-d 'code=K2MzvxY8nIRhNQYe' \
-d 'code_verifier=AdleUo9ZVcn0J7HkXOdzeqN6pWrW36K3JgVRwMW8BBQazEPV3kFnHyWIZi2jt9gA'
Sample Request (Curl): refresh_token Grant
The following command exchanges the refresh token iTsA4i2Px4TEzBrfLIvddjnDVBJxjPDuCARHH_Xk7EzdpGq5GPQcsxCWM2SxdlwU for an access token:
curl -X POST \
https://v1.api.us.janrain.com/00000000-0000-0000-0000-000000000000/login/token \
-H 'Content-Type: application/x-www-form-urlencoded' \
-d 'grant_type=refresh_token' \
-d 'refresh_token=iTsA4i2Px4TEzBrfLIvddjnDVBJxjPDuCARHH_Xk7EzdpGq5GPQcsxCWM2SxdlwU' \
-d 'client_id=9e7f2429-496d-4437-b516-048472613cf9'
Sample Request (Curl): client_credentials Grant
The following command requests an access token for use with the Configuration APIs:
curl -X POST \
https://v1.api.us.janrain.com/00000000-0000-0000-0000-000000000000/login/token \
-H 'Authorization: Basic YTIyYzk2MDQtN2IyNy00NjRmLWJmZjUDNiYTIyOTMyM2FmOmVJbTVnYkQ0QjF3NEswNGVYYUJ6dDVSRnhTaGMzcG1D' \
-H 'Content-Type: application/x-www-form-urlencoded' \
-d 'grant_type=client_credentials' \
-d 'scope=*:**'
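The following Python helper, added here as an illustration and not part of the Akamai documentation or SDK, assembles the token request for each of the three grant types described above: it generates a PKCE code_verifier/code_challenge pair (the S256 transform is an assumption, since the page does not state which code_challenge_method the server expects), builds the Basic Authorization header for confidential and configuration clients exactly as the Authentication section prescribes, and refuses to build a request that is missing a parameter the Body Parameters table marks as required for that grant. The customer ID, client ID and secret values are constructed placeholders. It deliberately keeps the client secret in the Authorization header rather than the form body, so it never lands in URL-encoded request logs.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode

# Body parameters each grant type requires, as listed in the Body
# Parameters table. client_id is added separately (see build_token_request).
REQUIRED_PARAMS = {
    "authorization_code": ("code", "redirect_uri"),
    "refresh_token": ("refresh_token",),
    "client_credentials": ("scope",),
}

BASE_URL = "https://v1.api.us.janrain.com"  # region host from the page's samples


def s256_challenge(code_verifier):
    """S256 transform: base64url(SHA-256(verifier)) without padding (assumed method)."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def make_pkce_pair():
    """Return (code_verifier, code_challenge); the verifier stays client-side
    until the token call, the challenge goes in the authorization request."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(48)).rstrip(b"=").decode("ascii")
    return verifier, s256_challenge(verifier)


def pkce_matches(code_verifier, code_challenge):
    """The check the authorization server performs on the token call."""
    return secrets.compare_digest(s256_challenge(code_verifier), code_challenge)


def basic_auth_header(client_id, client_secret):
    """Basic auth with the client ID as username and client secret as password."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def build_token_request(customer_id, grant_type, params, client_id=None, client_secret=None):
    """Return (url, headers, body) for POST /{customerId}/login/token.

    Raises ValueError locally when a required parameter is missing, instead of
    letting the server reject the call.
    """
    if grant_type not in REQUIRED_PARAMS:
        raise ValueError(f"unsupported grant_type {grant_type!r}")
    missing = [p for p in REQUIRED_PARAMS[grant_type] if not params.get(p)]
    # A public client (no secret) must prove possession of the PKCE verifier.
    if grant_type == "authorization_code" and not client_secret and not params.get("code_verifier"):
        missing.append("code_verifier")
    # client_credentials always authenticates with Basic auth (configuration client).
    if grant_type == "client_credentials" and not client_secret:
        missing.append("client_secret (Basic auth)")
    if missing:
        raise ValueError(f"{grant_type} grant requires: {', '.join(missing)}")

    body = {"grant_type": grant_type, **params}
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if client_secret:
        headers["Authorization"] = basic_auth_header(client_id, client_secret)
    elif client_id:
        body["client_id"] = client_id  # public client identifies itself in the body
    return f"{BASE_URL}/{customer_id}/login/token", headers, urlencode(body)


if __name__ == "__main__":
    # Constructed placeholder values; not real credentials.
    verifier, challenge = make_pkce_pair()
    url, headers, body = build_token_request(
        "00000000-0000-0000-0000-000000000000",
        "authorization_code",
        {"code": "EXAMPLE_CODE", "redirect_uri": "https://example.invalid/cb", "code_verifier": verifier},
        client_id="EXAMPLE_CLIENT_ID",
    )
    print(url, headers, body, sep="\n")
```

The refresh_token request goes through the same function with `{"refresh_token": ...}` and a client_id only (no Authorization header), and the client_credentials request with `{"scope": "*:**"}` plus the configuration client's ID and secret, which yields the Basic header shown in the sample above.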
Responses
200 OK
If your call to this endpoint succeeds, and depending on the type of grant you’ve requested, you'll get back a response that includes an access token, a refresh token, and an identity token:
{
"access_token": "5na7KhMcUqnpoVDCRBX5na7Lwgh7L6qOaAlb1r2r_VKcemGgbh634rv261zbghfg6t",
"refresh_token": "iTsA4i2Px4TEzBrfLIvddjnDVBJxjPDuCARHH_Xk7EzdpGq5GPQcsxCWM2SxdlwU",
"expires_in": 3600,
"token_type": "Bearer",
"scope": "email openid profile",
"id_token": "kyJhbGciOiJSUzI1NiIsImtpZCI6ImE5NjRhNjE3YTc0YjZjZWNlMDM4NTdkYWExZThlMTQ0ZDExMTMyYTkiLCJ0eXAiOiJKV1QifQ.eyJhdF9oYXNoIjoiV1Y0STlVbjFWSi96Q25iRHVoWndIUSIsImF1ZCYwNC03YjI3LTQ2NGYtYmZmNS04M2JhMjI5MzIzYWYiXSwiYXV0aF90aW1lIjoxNTUzMDI3MjEzLCJleHAiOjE1NTMwMzA4MzksImdsb2JhbF9zdWIiOiJjYXB0dXJlLXYxOi8vYjI3LTQ2NGYtYmZmNS04M2JhMjI5MzIzYWYiXSwiYXV0aF90aW1lIjoxNTUzMDI3bm5qZXl6eXJydDJuaTVkcmY1bmtuOC91c2VyLzc5OGQ2NTQwLWExYTYtNDFiNS1iZjcxLTg1YjY5NDFkY2E4MCIsImlhdCI6MTU1MzAyNzIzOSwiaXNzIjoiaHR0cHM6Ly9hcGkubXVsdGkuZGV2Lm9yLmphbnJhaW4uY29tLzAwMDAwMDAwLTAwMDAtMzAwYjI3LTQ2NGYtYmZmNS04M2JhMjI5MzIzYWYiXSwiYXV0aF90aW1lIjoxNTUzMDI3NDFiNS1iZjcxLTg1YjY5NDFkY2E4MCJ9.TRaDPi2_a0Z2s6MYh3LQEyTU5UkR1el6w_waPFeV2hZgv10pDHu6xVrAZUZwErU0_mSDbe9bJo5I_yuecgXZ_4Q1WNV0Z4zhTJT9ycpNeSwgPQcDGddh8J1ybI0Rg6yM54OOcf6o_shqrQMGiiFirm9GrtPYjI3LTQ2NGYtYmZmNS04M2JhMjI5MzIzYWYiXSwiYXV0aF90aW1lIjoxNTUzMDI319S83qGyLStH5db06iVjFahdNex0w39uQSHlTf7Ay0Acb0JOtMOk7JUC406wT5WT5Jz1qGV2q_ChvxdUCCnd2Vp8lNba3AyznkehABHeISkNYtJ6BKigQ"
}
Response Codes
The following table includes information about some of the response codes that you might encounter when calling this endpoint.
Response Code | Description |
---|---|
400 | invalid_grant. Typically occurs if you pass an invalid authorization code or if the authorization code has expired. Authorization codes are valid only for a few minutes. |