OpenID Connect Token Endpoint
This OpenID Connect endpoint can be used to exchange authorization codes and refresh tokens, and to request an App token.
POST /{tenant}/oauth2/v1/token
The OpenID Connect endpoint supports all operations and request parameters of the OAuth 2.0 Token Endpoint.
For more information on OpenID Connect, see the specifications.
Exchanging an authorization code
Only OpenID Connect specific parameters are listed. For the OAuth 2.0 parameters see the OAuth 2.0 Token Endpoint.
Request
POST /{tenant}/oauth2/v1/token/ HTTP/1.1
Host: theidentityhub.com
Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code
&code=X5678IYHI690UJJJ000
&client_id=[YOUR_CLIENT_ID]
&client_secret=[YOUR_CLIENT_SECRET]
&redirect_uri=[YOUR_APP_REDIRECT_URI]
&code_verifier=[CODE_VERIFIER]
Response
If the request was successfully validated, The Identity Hub will issue an access token and a refresh token. These values are returned as a JSON result.
Only OpenID Connect specific parameters are listed. For the OAuth 2.0 parameters see the OAuth 2.0 Authorization Endpoint.
Name | Values | Description |
---|---|---|
id_token | The OpenID Connect ID Token | Only when openid scope was specified in authorization request. The ID token is in the format |
HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Cache-Control: no-store
Pragma: no-cache

{
"access_token":"7779HHKHKHKK6683TY3",
"token_type":"bearer",
"expires_in":3600,
"scope": "profile.read",
"refresh_token":"703JH3YU89YH389T3878T38",
"id_token": "eyJhbGciOiJSUzI1NiIsImtpZCI6IjFlOWdkazcifQ.ewogImlzc
yI6ICJodHRwOi8vc2VydmVyLmV4YW1wbGUuY29tIiwKICJzdWIiOiAiMjQ4Mjg5
NzYxMDAxIiwKICJhdWQiOiAiczZCaGRSa3F0MyIsCiAibm9uY2UiOiAibi0wUzZ
fV3pBMk1qIiwKICJleHAiOiAxMzExMjgxOTcwLAogImlhdCI6IDEzMTEyODA5Nz
AKfQ.ggW8hZ1EuVLuxNuuIJKX_V8a_OMXzR0EHR9R6jgdqrOOF4daGU96Sr_P6q
Jp6IcmD3HP99Obi1PRs-cwh3LO-p146waJ8IhehcwL7F09JdijmBqkvPeB2T9CJ
NqeGpe-gccMg4vfKjkM8FcGvnzZUN4_KSP0aAp1tOJ1zZwgjxqGByKHiOtX7Tpd
QyHE5lcMiKPXfEIQILVq0pc_E2DzL7emopWoaoZTF_m0_N0YzFC6g6EJbOEoRoS
K5hoDalrcvRYLSrQAZZKflyuVCyixEoV9GfNQC3_osjzw2PAithfubEEBLuVVk4
XUVrWOLrLl0nx7RkKU8NXNHq-rvKMzqg"
}
Handling errors
If the specified parameters of the request are invalid, The Identity Hub will respond with an error.
Only OpenID Connect specific response parameters are listed. For the OAuth 2.0 parameters see the OAuth 2.0 Authorization Endpoint.
Name | Values | Description |
---|---|---|
error | request_not_supported | The Identity Hub does not support use of the request parameter defined. |
error | account_selection_required | This error MAY be returned when the prompt parameter value in the Authentication Request is none, but the Authentication Request cannot be completed without displaying a user interface to prompt for a session to use. |
error | login_required | This error is returned when the prompt parameter value in the Authentication Request is none, but the Authentication Request cannot be completed without displaying a user interface for End-User authentication. |
HTTP/1.1 400 Bad Request
Content-Type: application/json;charset=UTF-8
Cache-Control: no-store
Pragma: no-cache

{
"error":"invalid_request"
}
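Example client-side handling of the authorization code exchange and of the success and error responses described above. This is an added example, not code from The Identity Hub; the function names are hypothetical, the sample responses are constructed, and it assumes the S256 challenge method of RFC 7636 was used for code_verifier in the authorization request.

```python
import base64
import hashlib
import json
import secrets
from urllib.parse import urlencode

class TokenError(Exception):
    """Error response, or a success response that fails a client-side check."""

def new_code_verifier():
    # 32 random bytes give a 43-character base64url verifier (RFC 7636 minimum).
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()

def s256_challenge(verifier):
    # code_challenge = BASE64URL(SHA256(code_verifier)), without padding.
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()

def build_token_body(code, client_id, client_secret, redirect_uri, code_verifier):
    # urlencode percent-encodes every value, so none can inject extra parameters.
    return urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "client_id": client_id,
        "client_secret": client_secret,
        "redirect_uri": redirect_uri,
        "code_verifier": code_verifier,
    })

def parse_token_response(status, body, requested_scopes):
    data = json.loads(body)
    if status != 200 or "error" in data:
        raise TokenError(data.get("error", "http_%d" % status))
    if str(data.get("token_type", "")).lower() != "bearer":
        raise TokenError("unexpected_token_type")
    # An ID token (three dot-separated segments) is expected only for openid.
    if "openid" in requested_scopes and str(data.get("id_token", "")).count(".") != 2:
        raise TokenError("missing_or_malformed_id_token")
    return data

# Constructed sample responses, shaped like the ones shown on this page.
SAMPLE_OK = ('{"access_token":"AT-sample","token_type":"bearer","expires_in":3600,'
             '"scope":"openid","id_token":"aGVhZGVy.cGF5bG9hZA.c2ln"}')
SAMPLE_ERR = '{"error":"invalid_request"}'
```

The id_token check here is structural only; signature and claim validation of the ID token still have to be done before its contents are trusted.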