Request Tokens

Last Modified on 05/17/2021 9:34 am PDT

Endpoint URL: /{customerId}/login/token



Description

Issues access tokens and refresh tokens based on the requested grant type:

  • If the grant_type is set to authorization_code, an authorization code is exchanged for an access token, a refresh token, and an identity token.
  • If the grant_type is set to refresh_token, a refresh token is exchanged for a new access token.
  • If the grant_type is set to client_credentials, an access token is issued for the client based on its associated token policy.


Authentication

The authentication method used when calling this endpoint varies depending on the type of grant you are requesting:

  • authorization_code using a public client (PKCE). Authentication is not required when using a public client. However, you must include the code_verifier parameter when making a call from a public client.
  • authorization_code using a confidential client. Use Basic authentication, specifying the client ID of a confidential client as your username and the client secret of that same OIDC client as your password.
  • refresh_token. Authentication is not required.
  • client_credentials. Use Basic authentication, specifying the client ID of a configuration client as your username and the client secret of that same OIDC client as your password.


Path Parameters

The path parameters that must be included in the request are listed in the following table:

NameTypeRequiredDescription

{customerId}

string

Yes

Unique identifier of the customer requesting a token.


Body Parameters

The xxx-www-urlencoded body parameters for the /{customerId}/login/tokens endpoint include the following:

NameTypeDescription

grant_type

string

Specifies the type of authorization grant being requested. Allowed values are:

  • authorization_code. Indicates that you want to exchange an authorization code for an access token, a refresh token, and an identity token.
  • refresh_token. Indicates that you want to exchange a refresh token for a new access token.
  • client_credentials. Requests an access token to be issued based on the client’s token policy.

code

string

The authorization code being exchanged. This parameter is required when using the following grant types:

  • authorization_code

refresh_token


The refresh token being exchanged. This parameter is required when using the following grant types:

  • refresh_token

code_verifier


Required if you are using PKCE (Proof Key for Code Exchange) and your original authorization request includes the code_challenge parameter. The code_verifier value must be the same value used to generate the initial code challenge. This parameter is required when using the following grant types:

  • authorization_code (PKCE requests-only)

redirect_uri


URL of the page the user will be redirected to following the token exchange. This parameter is required when using the following grant types:

  • authorization_code

scope


The value specified must match the scopes requested in the token policy associated with the OIDC configuration client. This parameter is required when using the following grant types:

  • client_credentials

client_id


ID of the OIDC client that made the initial authorization request. This parameter is required when using the following grant types:

  • authorization_code
  • refresh_token


Sample Request (Curl): authorization_code Grant (non-PKCE)

The following command exchanges the authorization code K2MzvxY8nIRhNQYe for a set of tokens:

curl -X POST \
 https://v1.api.us.janrain.com/00000000-0000-0000-0000-000000000000/login/token \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -d 'grant_type=authorization_code' \
  -d 'redirect_uri=https://documentation.akamai.com' \
  -d 'code=K2MzvxY8nIRhNQYe' \
  -d 'client_id=9e7f2429-496d-4437-b516-048472613cf9' \
  -d 'client_secret=hr645hewi348kewr'


Sample Request (Curl): authorization_code Grant (PKCE)

The following command uses the PKCE flow to exchange the authorization code K2MzvxY8nIRhNQYe for a set of tokens:

curl -X POST \
 https://v1.api.us.janrain.com/00000000-0000-0000-0000-000000000000/login/token \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -d 'grant_type=authorization_code' \
  -d 'client_id=9e7f2429-496d-4437-b516-048472613cf9' \
  -d 'redirect_uri=https://documentation.akamai.com' \
  -d 'code=K2MzvxY8nIRhNQYe' \
  -d 'code_verifier=AdleUo9ZVcn0J7HkXOdzeqN6pWrW36K3JgVRwMW8BBQazEPV3kFnHyWIZi2jt9gA'


Sample Request (Curl): refresh_token Grant

The following command exchanges the refresh token iTsA4i2Px4TEzBrfLIvddjnDVBJxjPDuCARHH_Xk7EzdpGq5GPQcsxCWM2SxdlwU for an access token:

curl -X POST \
 https://v1.api.us.janrain.com/00000000-0000-0000-0000-000000000000/login/token \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -d 'grant_type=refresh_token' \
  -d 'refresh_token=iTsA4i2Px4TEzBrfLIvddjnDVBJxjPDuCARHH_Xk7EzdpGq5GPQcsxCWM2SxdlwU' \
  -d 'client_id=9e7f2429-496d-4437-b516-048472613cf9'


Sample Request (Curl): client_credentials Grant

The following command requests an access token for use with the Configuration APIs:

curl -X POST \
 https://v1.api.us.janrain.com/00000000-0000-0000-0000-000000000000/login/token \
  -H 'Authorization: Basic YTIyYzk2MDQtN2IyNy00NjRmLWJmZjUDNiYTIyOTMyM2FmOmVJbTVnYkQ0QjF3NEswNGVYYUJ6dDVSRnhTaGMzcG1D' \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -d 'grant_type=client_credentials' \
  -d 'scope=*:**'


Responses

200 OK

If your call to this endpoint succeeds, and depending on the type of grant you’ve requested, you'll get back a response that includes an access token, a refresh token, and an identity token:

{
   "access_token": "5na7KhMcUqnpoVDCRBX5na7Lwgh7L6qOaAlb1r2r_VKcemGgbh634rv261zbghfg6t",
   "refresh_token": "iTsA4i2Px4TEzBrfLIvddjnDVBJxjPDuCARHH_Xk7EzdpGq5GPQcsxCWM2SxdlwU",
   "expires_in": 3600,
   "token_type": "Bearer",
   "scope": "email openid profile",
   "id_token": "kyJhbGciOiJSUzI1NiIsImtpZCI6ImE5NjRhNjE3YTc0YjZjZWNlMDM4NTdkYWExZThlMTQ0ZDExMTMyY
TkiLCJ0eXAiOiJKV1QifQ.eyJhdF9oYXNoIjoiV1Y0STlVbjFWSi96Q25iRHVoWndIUSIsImF1ZCYwNC03YjI3LTQ2NGYtYmZ
mNS04M2JhMjI5MzIzYWYiXSwiYXV0aF90aW1lIjoxNTUzMDI3MjEzLCJleHAiOjE1NTMwMzA4MzksImdsb2JhbF9zdWIiOiJj
YXB0dXJlLXYxOi8vYjI3LTQ2NGYtYmZmNS04M2JhMjI5MzIzYWYiXSwiYXV0aF90aW1lIjoxNTUzMDI3bm5qZXl6eXJydDJub
TVkcmY1bmtuOC91c2VyLzc5OGQ2NTQwLWExYTYtNDFiNS1iZjcxLTg1YjY5NDFkY2E4MCIsImlhdCI6MTU1MzAyNzIzOSwiaX
NzIjoiaHR0cHM6Ly9hcGkubXVsdGkuZGV2Lm9yLmphbnJhaW4uY29tLzAwMDAwMDAwLTAwMDAtMzAwYjI3LTQ2NGYtYmZmNS0
4M2JhMjI5MzIzYWYiXSwiYXV0aF90aW1lIjoxNTUzMDI3NDFiNS1iZjcxLTg1YjY5NDFkY2E4MCJ9.TRaDPi2_a0Z2s6MYh3L
QEyTU5UkR1el6w_waPFeV2hZgv10pDHu6xVrAZUZwErU0_mSDbe9bJo5I_yuecgXZ_4Q1WNV0Z4zhTJT9ycpNeSwgPQcDGddh
8J1ybI0Rg6yM54OOcf6o_shqrQMGiiFirm9GrtPYjI3LTQ2NGYtYmZmNS04M2JhMjI5MzIzYWYiXSwiYXV0aF90aW1lIjoxNT
UzMDI319S83qGyLStH5db06iVjFahdNex0w39uQSHlTf7Ay0Acb0JOtMOk7JUC406wT5WT5Jz1qGV2q_ChvxdUCCnd2Vp8lNb
a3AyznkehABHeISkNYtJ6BKigQ"
}


Response Codes

The following table includes information about some of the response codes that you might encounter when calling this endpoint.

Response CodeDescription

400

Invalid_grant. Typically occurs if you pass an invalid authorization code or if the authorization code has expired. Authorization codes are valid only for a few minutes.

Rate this Article

How would you rate this article?
Thank you for your feedback!
Copyright © 2015 – 2016 Your Company, LLC. All rights reserved.