3. Token Endpoint
Request
When calling the Token endpoint, the customer's client application needs to authenticate by using its unique client_id and client_secret. As mentioned in the Getting Started section, there are 2 methods of providing these credentials. In both cases the HTTP method is POST and the content type must be set to application/x-www-form-urlencoded.
The Token endpoint can be found at the following URL:
https://<servername>/connect/token
This URL can be retrieved from the Discovery Endpoint, using the key token_endpoint.
The Connective Identity Hub supports the following parameters in the POST body:
Parameter | Description | Use |
---|---|---|
grant_type | This must be set to authorization_code. | Required |
code | The Authorization Code received in response to the Authentication Request. | Required |
redirect_uri | The redirection URI supplied in the original Authentication Request. This is the URL to which you want the user to be redirected after the authorization is complete. | Required |
code_verifier | A code verifier is a cryptographically random string that is used to correlate the authorization request to the token request. Send this parameter when a code_challenge was sent in the authentication request (PKCE flow). | Conditional |
Response
Success
If the Token Request has been successfully validated, we will return an HTTP 200 OK response containing the ID token and the access token. Content type will be application/json.
The response body will include:
Parameter | Description | Use |
---|---|---|
access_token | The access token which may be used to access the Userinfo Endpoint. | Required |
expires_in | The number of seconds the access_token will remain valid. | Required |
token_type | Set to Bearer. | Required |
id_token | The id token is a JSON Web Token (JWT) that contains user profile information represented in the form of claims. | Required |
With the following values returned in the id_token:
Parameter | Description | Use |
---|---|---|
iss | Identifier of the issuer of the Id Token. | Required |
sub | An identifier for the user. Use sub in the customer's client application as the unique identifier key for the user. | Required |
aud | Audience of the Id Token. This will contain the client_id. This is the client identifier you received when registering your customer client application in the Connective Identity Hub. | Required |
exp | Expiration time on or after which the Id Token must not be accepted for processing. | Required |
nbf | The time before which the Id Token must not be accepted for processing. | Required |
iat | The time the Id Token was issued, represented in Unix time (integer seconds). | Required |
auth_time | Time when the End-User authentication occurred, represented in Unix time (integer seconds). | Required |
amr | This value will be set to external. | Required |
idp | This value will be set to the name of the Identity Provider that was used to perform the authentication request. | Required |
nonce | String value used to associate a client session with an Id Token, and to mitigate replay attacks. The value is passed through unmodified from the authentication request to the Id Token. If present in the Id Token, clients must verify that the nonce claim value is equal to the value of the nonce parameter sent in the authentication request. | Conditional |
at_hash | Access Token hash value, which binds the access_token to this Id Token. | Required |
s_hash | State hash value. Present if a state parameter was sent in the authentication request. | Conditional |
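As an added example (not code from the Connective Identity Hub or its documentation), the following Python builds the form-encoded token request from the parameters above and checks the id_token claims the way a client should before trusting them. The issuer URL, client_id and sample values are assumptions, as is the RS256 signing algorithm that makes at_hash and s_hash SHA-256 based; JWT signature verification against the issuer's keys must happen first and is not shown.

```python
import base64
import hashlib
import time
from typing import Optional
from urllib.parse import urlencode

def build_token_request(code: str, redirect_uri: str, code_verifier: Optional[str] = None) -> str:
    """POST body for https://<servername>/connect/token. Client credentials are sent
    separately, by whichever of the two methods from Getting Started the client uses."""
    params = {"grant_type": "authorization_code", "code": code, "redirect_uri": redirect_uri}
    if code_verifier is not None:  # only when a code_challenge was sent (PKCE flow)
        params["code_verifier"] = code_verifier
    return urlencode(params)

def left_half_hash(value: str) -> str:
    """at_hash / s_hash: base64url (no padding) of the left half of the hash of the ASCII value.
    Assumes the Id Token is signed with RS256, so the hash is SHA-256 (assumption)."""
    digest = hashlib.sha256(value.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest[: len(digest) // 2]).rstrip(b"=").decode("ascii")

def validate_id_token_claims(claims: dict, *, issuer: str, client_id: str, access_token: str,
                             nonce: Optional[str] = None, state: Optional[str] = None,
                             now: Optional[int] = None, leeway: int = 30) -> list:
    """Check the id_token claims from the table against what this client sent and expects.
    Returns a list of problems; an empty list means the claims are acceptable."""
    now = int(time.time()) if now is None else now
    problems = []
    if claims.get("iss") != issuer:
        problems.append("iss does not match the expected issuer")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        problems.append("aud does not contain our client_id")
    exp, nbf = claims.get("exp"), claims.get("nbf")
    if not isinstance(exp, int) or now >= exp + leeway:  # not accepted on or after exp
        problems.append("Id Token has expired (exp)")
    if isinstance(nbf, int) and now < nbf - leeway:  # not accepted before nbf
        problems.append("Id Token not yet valid (nbf)")
    if (nonce is not None or "nonce" in claims) and claims.get("nonce") != nonce:
        problems.append("nonce does not match the value sent in the authentication request")
    if claims.get("at_hash") != left_half_hash(access_token):  # binds access_token to this Id Token
        problems.append("at_hash does not match the access_token")
    if (state is not None or "s_hash" in claims) and claims.get("s_hash") != left_half_hash(state or ""):
        problems.append("s_hash does not match the state sent in the authentication request")
    return problems
```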
Error
If the Token Request is invalid or unauthorized, an HTTP 400 response will be returned. Content type will be application/json.
The error response body contains:
Parameter | Description | Use |
---|---|---|
error | The error type. | Required |
error_description | A description of the error, indicating the problem in more detail. | Optional |