OAuth - Token Endpoint

About

The token endpoint is an authorization endpoint used by the client to obtain an access token by presenting its:

• authorization grant
• or refresh token.

The token endpoint is used with every authorization grant except for the implicit grant type (since an access token is issued directly).

A single token endpoint may issue access tokens accepted by multiple resource servers.

Articles Related

Example

• Access Token Request

POST /token HTTP/1.1
Host: server.example.com
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb

• Successful Access Token Response

HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Cache-Control: no-store
Pragma: no-cache

{
	"access_token":"2YotnFZFEjr1zCsicMWpAA",
	"token_type":"example",
	"expires_in":3600,
	"refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA",
	"example_parameter":"example_value"
}

Request

• URI:
  • the end point location is typically provided in the service documentation.
  • The endpoint URI MAY include anapplication/x-www-form-urlencoded formatted query component, which MUST be retained when adding additional query parameters.
  • The endpoint URI MUST NOT include a fragment component.
• HTTPS: Since requests to the token endpoint result in the transmission of clear-text credentials (in the HTTP request and response), the authorization server MUST require the use of TLS when sending requests to the token endpoint.
• HTTP Method: The client MUST use the HTTP “POST” method when making access token requests.
• Parameters sent without a value MUST be treated as if they were omitted from the request.
• The authorization server MUST ignore unrecognized request parameters.
• Request and response parameters MUST NOT be included more than once.

Client Id

• An authenticated client MAY use the client_id request parameter to identify itself when sending requests to the token endpoint.
• An unauthenticated client MUST send its “client_id” in the authorization_code grant_type request (to prevent itself from inadvertently accepting a code intended for a client with a different “client_id”. This protects the client from substitution of the authentication code. (It provides no additional security for the protected resource.)

Scope request

See scope request

Response

Scope response

See scope response

Flow

where:

• (A) The client requests an access token (and refresh token) by authenticating with the token endpoint (authorization server component) and presenting an authorization grant or a refresh token.
• (B) The token endpoint (authorization server component) authenticates the client and validates the authorization grant, and if valid, issues an access token and a refresh token.

Documentation / Reference

• Token Endpoint
• Access Token Request
• Cognito Token Endpoint