Skip to main content
POST
/
api
/
{serviceId}
/
auth
/
token
Typescript (SDK)
import { Authlete } from "@authlete/typescript-sdk";

const authlete = new Authlete({
  bearer: process.env["AUTHLETE_BEARER"] ?? "",
});

async function run() {
  const result = await authlete.token.process({
    serviceId: "<id>",
    tokenRequest: {
      parameters: "grant_type=authorization_code&code=Xv_su944auuBgc5mfUnxXayiiQU9Z4-T_Yae_UfExmo&redirect_uri=https%3A%2F%2Fmy-client.example.com%2Fcb1&code_verifier=dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk",
      clientId: "26478243745571",
      clientSecret: "gXz97ISgLs4HuXwOZWch8GEmgL4YMvUJwu3er_kDVVGcA0UOhA9avLPbEmoeZdagi9yC_-tEiT2BdRyH9dbrQQ",
    },
  });

  console.log(result);
}

run();
{
  "resultCode": "A050001",
  "resultMessage": "[A050001] The token request (grant_type=authorization_code) was processed successfully.",
  "accessToken": "C4SrUTijIj2IxqE1xBASr3dxQWgso3BpY49g8CyjGjQ",
  "accessTokenDuration": 3600,
  "accessTokenExpiresAt": 1640252942736,
  "action": "OK",
  "clientAttributes": [
    {
      "key": "attribute1-key",
      "value": "attribute1-value"
    },
    {
      "key": "attribute2-key",
      "value": "attribute2-value"
    }
  ],
  "clientId": 26478243745571,
  "clientIdAlias": "my-client",
  "clientIdAliasUsed": false,
  "grantType": "AUTHORIZATION_CODE",
  "refreshToken": "60k0cZ38sJcpTgdxvG9Sqa-3RG5AmGExGpFB-1imSxo",
  "refreshTokenDuration": 3600,
  "refreshTokenExpiresAt": 1640252942736,
  "responseContent": "{\\\"access_token\\\":\\\"C4SrUTijIj2IxqE1xBASr3dxQWgso3BpY49g8CyjGjQ\\\",\\\"refresh_token\\\":\\\"60k0cZ38sJcpTgdxvG9Sqa-3RG5AmGExGpFB-1imSxo\\\",\\\"scope\\\":\\\"history.read timeline.read\\\",\\\"token_type\\\":\\\"Bearer\\\",\\\"expires_in\\\":3600}",
  "scopes": [
    "history.read",
    "timeline.read"
  ],
  "serviceAttributes": [
    {
      "key": "attribute1-key",
      "value": "attribute1-value"
    },
    {
      "key": "attribute2-key",
      "value": "attribute2-value"
    }
  ],
  "subject": "john"
}
This API is supposed to be called from with the implementation of the token endpoint of the service. The endpoint implementation must extract the request parameters from the token request from the client application and pass them as the value of parameters request parameter to Authlete’s /auth/token API. The value of parameters is the entire entity body (which is formatted in application/x-www-form-urlencoded) of the token request. In addition, if the token endpoint of the authorization server implementation supports basic authentication as a means of client authentication, the client credentials must be extracted from Authorization header and they must be passed as clientId request parameter and clientSecret request parameter to Authlete’s /auth/token API. The following code snippet is an example in JAX-RS showing how to extract request parameters from the token request and client credentials from Authorization header.
@POST
@Consumes(MediaType.APPLICATION_FORM_URLENCODED)
public Response post(
@HeaderParam(HttpHeaders.AUTHORIZATION) String auth,
String parameters)
&#123;
// Convert the value of Authorization header (credentials of
// the client application), if any, into BasicCredentials.
BasicCredentials credentials = BasicCredentials.parse(auth);
// The credentials of the client application extracted from
// 'Authorization' header. These may be null.
String clientId = credentials == null ? null
: credentials.getUserId();
String clientSecret = credentials == null ? null
: credentials.getPassword();
// Process the given parameters.
return process(parameters, clientId, clientSecret);
&#125;
The response from /auth/token API has some parameters. Among them, it is action parameter that the service implementation should check first because it denotes the next action that the authorization server implementation should take. According to the value of action, the authorization server implementation must take the steps described below.

INTERNAL_SERVER_ERROR

When the value of action is INTERNAL_SERVER_ERROR, it means that the request from the authorization server implementation was wrong or that an error occurred in Authlete. In either case, from the viewpoint of the client application, it is an error on the server side. Therefore, the service implementation should generate a response to the client application with HTTP status of “500 Internal Server Error”. Authlete recommends application/json as the content type although OAuth 2.0 specification does not mention the format of the error response when the redirect URI is not usable. The value of responseContent is a JSON string which describes the error, so it can be used as the entity body of the response.
The following illustrates the response which the service implementation should generate and return to the client application.
HTTP/1.1 500 Internal Server Error
Content-Type: application/json
Cache-Control: no-store
Pragma: no-cache
&#123;responseContent&#125;
The endpoint implementation may return another different response to the client application since “500 Internal Server Error” is not required by OAuth 2.0.

INVALID_CLIENT

When the value of action is INVALID_CLIENT, it means that authentication of the client failed. In this case, the HTTP status of the response to the client application is either “400 Bad Request” or “401 Unauthorized”. This requirement comes from RFC 6749, 5.2. Error Response. The description about invalid_client shown below is an excerpt from RFC 6749.
Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method). The authorization server MAY return an HTTP 401 (Unauthorized) status code to indicate which HTTP authentication schemes are supported. If the client attempted to authenticate via the Authorization request header field, the authorization server MUST respond with an HTTP 401 (Unauthorized) status code and include the WWW-Authenticate response header field matching the authentication scheme used by the client.
In either case, the value of responseContent is a JSON string which can be used as the entity body of the response to the client application.
The following illustrate responses which the service implementation must generate and return to the client application.
HTTP/1.1 400 Bad Request
Content-Type: application/json
Cache-Control: no-store
Pragma: no-cache
&#123;responseContent&#125;

HTTP/1.1 401 Unauthorized
WWW-Authenticate: &#123;challenge&#125;
Content-Type: application/json
Cache-Control: no-store
Pragma: no-cache
&#123;responseContent&#125;

BAD_REQUEST

When the value of action is BAD_REQUEST, it means that the request from the client application is invalid. A response with HTTP status of “400 Bad Request” must be returned to the client application and the content type must be application/json. The value of responseContent is a JSON string which describes the error, so it can be used as the entity body of the response.The following illustrates the response which the service implementation should generate and return to the client application.
HTTP/1.1 400 Bad Request
Content-Type: application/json
Cache-Control: no-store
Pragma: no-cache
&#123;responseContent&#125;

PASSWORD

When the value of "action" is "PASSWORD", it means that the request from the client application is valid and grant_type is "password". That is, the flow is “Resource Owner Password Credentials”. In this case, {@link #getUsername()} returns the value of "username" request parameter and {@link #getPassword()} returns the value of {@code “password”} request parameter which were contained in the token request from the client application. The service implementation must validate the credentials of the resource owner (= end-user) and take either of the actions below according to the validation result.
  1. When the credentials are valid, call Authlete’s /auth/token/issue} API to generate an access token for the client application. The API requires "ticket" request parameter and "subject" request parameter. Use the value returned from {@link #getTicket()} method as the value for "ticket" parameter.
  2. The response from /auth/token/issue API ({@link TokenIssueResponse}) contains data (an access token and others) which should be returned to the client application. Use the data to generate a response to the client application.
  3. When the credentials are invalid, call Authlete’s {@code /auth/token/fail} API with reason={@link TokenFailRequest.Reason#INVALID_RESOURCE_OWNER_CREDENTIALS INVALID_RESOURCE_OWNER_CREDENTIALS} to generate an error response for the client application. The API requires "ticket" request parameter. Use the value returned from {@link #getTicket()} method as the value for "ticket" parameter.
  4. The response from /auth/token/fail API ({@link TokenFailResponse}) contains error information which should be returned to the client application. Use it to generate a response to the client application.

OK

When the value of action is OK, it means that the request from the client application is valid and an access token, and optionally an ID token, is ready to be issued. The HTTP status of the response returned to the client application must be “200 OK” and the content type must be application/json. The value of responseContent is a JSON string which contains an access token (and optionally an ID token), so it can be used as the entity body of the response.
The following illustrates the response which the service implementation must generate and return to the client application.
HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-store
Pragma: no-cache
&#123;responseContent&#125;

TOKEN_EXCHANGE (Authlete 2.3 onwards)

When the value of "action" is "TOKEN_EXCHANGE", it means that the request from the client application is a valid token exchange request (cf. RFC 8693 OAuth 2.0 Token Exchange) and that the request has already passed the following validation steps.
  1. Confirm that the value of the requested_token_type request parameter is one of the registered token type identifiers if the request parameter is given and its value is not empty.
  2. Confirm that the subject_token request parameter is given and its value is not empty.
  3. Confirm that the subject_token_type request parameter is given and its value is one of the registered token type identifiers.
  4. Confirm that the actor_token_type request parameter is given and its value is one of the registered token type identifiers if the actor_token request parameter is given and its value is not empty.
  5. Confirm that the actor_token_type request parameter is not given or its value is empty when the actor_token request parameter is not given or its value is empty. Furthermore, Authlete performs additional validation on the tokens specified by the subject_token request parameter and the actor_token request parameter according to their respective token types as shown below.

Token Validation Steps

*Token Type: urn:ietf:params:oauth:token-type:jwt*
  1. Confirm that the format conforms to the JWT specification [RFC 7519][https://www.rfc-editor.org/rfc/rfc7519.html].
  2. Check if the JWT is encrypted and if it is encrypted, then (a) reject the token exchange request when the {@link Service#isTokenExchangeEncryptedJwtRejected() tokenExchangeEncryptedJwtRejected} flag of the service is true or (b) skip remaining validation steps when the flag is false. Note that Authlete does not verify an encrypted JWT because there is no standard way to obtain the key to decrypt the JWT with. This means that you must verify an encrypted JWT by yourself when one is used as an input token with the token type { @code “urn:ietf:params:oauth:token-type:jwt” }.
  3. Confirm that the current time has not reached the time indicated by the exp claim if the JWT contains the claim.
  4. Confirm that the current time is equal to or after the time indicated by the iat claim if the JWT contains the claim. 5.Confirm that the current time is equal to or after the time indicated by the nbf claim if the JWT contains the claim.
  5. Check if the JWT is signed and if it is not signed, then (a) reject the token exchange request when the {@link Service#isTokenExchangeUnsignedJwtRejected() tokenExchangeUnsignedJwtRejected} flag of the service is true or (b) finish validation on the input token. Note that Authlete does not verify the signature of the JWT because there is no standard way to obtain the key to verify the signature of a JWT with. This means that you must verify the signature by yourself when a signed JWT is used as an input token with the token type "urn:ietf:params:oauth:token-type:jwt". *Token Type: urn:ietf:params:oauth:token-type:access_token*
  6. Confirm that the token is an access token that has been issued by the Authlete server of your service. This implies that access tokens issued by other systems cannot be used as a subject token or an actor token with the token type urn:ietf:params:oauth:token-type:access_token.
  7. Confirm that the access token has not expired.
  8. Confirm that the access token belongs to the service. *Token Type: urn:ietf:params:oauth:token-type:refresh_token*
  9. Confirm that the token is a refresh token that has been issued by the Authlete server of your service. This implies that refresh tokens issued by other systems cannot be used as a subject token or an actor token with the token type urn:ietf:params:oauth:token-type:refresh_token.
  10. Confirm that the refresh token has not expired.
  11. Confirm that the refresh token belongs to the service. *Token Type: urn:ietf:params:oauth:token-type:id_token*
  12. Confirm that the format conforms to the JWT specification (RFC 7519).
  13. Check if the ID Token is encrypted and if it is encrypted, then (a) reject the token exchange request when the {@link Service#isTokenExchangeEncryptedJwtRejected() tokenExchangeEncryptedJwtRejected} flag of the service is true or (b) skip remaining validation steps when the flag is false. Note that Authlete does not verify an encrypted ID Token because there is no standard way to obtain the key to decrypt the ID Token with in the context of token exchange where the client ID for the encrypted ID Token cannot be determined. This means that you must verify an encrypted ID Token by yourself when one is used as an input token with the token type "urn:ietf:params:oauth:token-type:id_token".
  14. Confirm that the ID Token contains the exp claim and the current time has not reached the time indicated by the claim.
  15. Confirm that the ID Token contains the iat claim and the current time is equal to or after the time indicated by the claim.
  16. Confirm that the current time is equal to or after the time indicated by the nbf claim if the ID Token contains the claim.
  17. Confirm that the ID Token contains the iss claim and the value is a valid URI. In addition, confirm that the URI has the https scheme, no query component and no fragment component.
  18. Confirm that the ID Token contains the aud claim and its value is a JSON string or an array of JSON strings.
  19. Confirm that the value of the nonce claim is a JSON string if the ID Token contains the claim.
  20. Check if the ID Token is signed and if it is not signed, then (a) reject the token exchange request when the {@link Service#isTokenExchangeUnsignedJwtRejected() tokenExchangeUnsignedJwtRejected} flag of the service is true or (b) finish validation on the input token.
  21. Confirm that the signature algorithm is asymmetric. This implies that ID Tokens whose signature algorithm is symmetric (HS256, HS384 or HS512) cannot be used as a subject token or an actor token with the token type urn:ietf:params:oauth:token-type:id_token.
  22. Verify the signature of the ID Token. Signature verification is performed even in the case where the issuer of the ID Token is not your service. But in that case, the issuer must support the discovery endpoint defined in OpenID Connect Discovery 1.0. Otherwise, signature verification fails. *Token Type: urn:ietf:params:oauth:token-type:saml1* (Authlete does not perform any validation for this token type.) *Token Type: urn:ietf:params:oauth:token-type:saml2* (Authlete does not perform any validation for this token type.) The specification of Token Exchange (RFC 8693) is very flexible. In other words, the specification has abandoned the task of determining details. Therefore, for secure token exchange, you have to complement the specification with your own rules. For that purpose, Authlete provides some configuration options as listed below. Authorization server implementers may utilize them and/or implement their own rules. In the case of {@link Action#TOKEN_EXCHANGE TOKEN_EXCHANGE}, the {@link #getResponseContent()} method returns null. You have to construct the token response by yourself. For example, you may generate an access token by calling Authlete’s /api/auth/token/create API and construct a token response like below.
HTTP/1.1 401 Unauthorized
WWW-Authenticate: &#123;challenge&#125;
Content-Type: application/json
Cache-Control: no-store
Pragma: no-cache
&#123;responseContent&#125;

HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-cache, no-store
&#123;
"access_token": "&#123;@link TokenCreateResponse#getAccessToken()&#125;",
"issued_token_type": "urn:ietf:params:oauth:token-type:access_token",
"token_type": "Bearer",
"expires_in": &#123; @link TokenCreateResponse#getExpiresIn() &#125;,
"scope": "String.join(" ", &#123;@link TokenCreateResponse#getScopes()&#125;)"
&#125;

JWT_BEARER JWT_BEARER (Authlete 2.3 onwards)

When the value of "action" is "JWT_BEARER", it means that the request from the client application is a valid token request with the grant type "urn:ietf:params:oauth:grant-type:jwt-bearer" (RFC 7523 JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants) and that the request has already passed the following validation steps.
  1. Confirm that the assertion request parameter is given and its value is not empty.
  2. Confirm that the format of the assertion conforms to the JWT specification (RFC 7519).
  3. Check if the JWT is encrypted and if it is encrypted, then (a) reject the token request when the {@link Service#isJwtGrantEncryptedJwtRejected() jwtGrantEncryptedJwtRejected} flag of the service is true or (b) skip remaining validation steps when the flag is false. Note that Authlete does not verify an encrypted JWT because there is no standard way to obtain the key to decrypt the JWT with. This means that you must verify an encrypted JWT by yourself.
  4. Confirm that the JWT contains the iss claim and its value is a JSON string.
  5. Confirm that the JWT contains the sub claim and its value is a JSON string.
  6. Confirm that the JWT contains the aud claim and its value is either a JSON string or an array of JSON strings.
  7. Confirm that the issuer identifier of the service (cf. {@link Service#getIssuer()}) or the URL of the token endpoint (cf. {@link Service#getTokenEndpoint()}) is listed as audience in the aud claim.
  8. Confirm that the JWT contains the exp claim and the current time has not reached the time indicated by the claim.
  9. Confirm that the current time is equal to or after the time indicated by by the iat claim if the JWT contains the claim.
  10. Confirm that the current time is equal to or after the time indicated by by the nbf claim if the JWT contains the claim.
  11. Check if the JWT is signed and if it is not signed, then (a) reject the token request when the {@link Service#isJwtGrantUnsignedJwtRejected() jwtGrantUnsignedJwtRejected} flag of the service is true or (b) finish validation on the JWT. Note that Authlete does not verify the signature of the JWT because there is no standard way to obtain the key to verify the signature of a JWT with. This means that you must verify the signature by yourself. Authlete provides some configuration options for the grant type as listed below. Authorization server implementers may utilize them and/or implement their own rules.
HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-cache, no-store
&#123;
"access_token": "&#123;@link TokenCreateResponse#getAccessToken()&#125;",
"token_type": "Bearer",
"expires_in": &#123;@link TokenCreateResponse#getExpiresIn()&#125;,
"scope": "String.join(" ", &#123;@link TokenCreateResponse#getScopes()&#125;)"
&#125;
Finally, note again that Authlete does not verify the signature of the JWT specified by the assertion request parameter. You must verify the signature by yourself.

Authorizations

Authorization
string
header
required

Authenticate every request with a Service Access Token or Organization Token. Set the token value in the Authorization: Bearer <token> header.

Service Access Token: Scoped to a single service. Use when automating service-level configuration or runtime flows.

Organization Token: Scoped to the organization; inherits permissions across services. Use for org-wide automation or when managing multiple services programmatically.

Both token types are issued by the Authlete console or provisioning APIs.

Path Parameters

serviceId
string
required

A service ID.

Body

parameters
string
required

OAuth 2.0 token request parameters which are the request parameters that the OAuth 2.0 token endpoint of the authorization server implementation received from the client application.

The value of parameters is the entire entity body (which is formatted in application/x-www-form-urlencoded) of the request from the client application.

clientId
string

The client ID extracted from Authorization header of the token request from the client application.

If the token endpoint of the authorization server implementation supports basic authentication as a means of client authentication, and the request from the client application contained its client ID in Authorization header, the value should be extracted and set to this parameter.

clientSecret
string

The client secret extracted from Authorization header of the token request from the client application.

If the token endpoint of the authorization server implementation supports basic authentication as a means of client authentication, and the request from the client application contained its client secret in Authorization header, the value should be extracted and set to this parameter.

clientCertificate
string

The client certificate from the MTLS of the token request from the client application.

clientCertificatePath
string[]

The certificate path presented by the client during client authentication. These certificates are strings in PEM format.

properties
object[]

Extra properties to associate with an access token. See Extra Properties for details.

dpop
string

DPoP header presented by the client during the request to the token endpoint.

The header contains a signed JWT which includes the public key that is paired with the private key used to sign the JWT. See OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer (DPoP) for details.

htm
string

HTTP method of the token request. This field is used to validate the DPoP header.

In normal cases, the value is POST. When this parameter is omitted, POST is used as the default value. See OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer (DPoP) for details.

htu
string

URL of the token endpoint. This field is used to validate the DPoP header.

If this parameter is omitted, the tokenEndpoint property of the Service is used as the default value. See OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer (DPoP) for details.

accessToken
string

The representation of an access token that may be issued as a result of the Authlete API call.

jwtAtClaims
string

Additional claims that are added to the payload part of the JWT access token.

oauthClientAttestation
string

The value of the OAuth-Client-Attestation HTTP header, which is defined in the specification of OAuth 2.0 Attestation-Based Client Authentication.

oauthClientAttestationPop
string

The value of the OAuth-Client-Attestation-PoP HTTP header, which is defined in the specification of OAuth 2.0 Attestation-Based Client Authentication.

accessTokenDuration
integer<int64>

The duration (in seconds) of the access token that may be issued as a result of the Authlete API call.

When this request parameter holds a positive integer, it is used as the duration of the access token in. In other cases, this request parameter is ignored.

refreshTokenDuration
integer<int64>

The duration (in seconds) of the refresh token that may be issued as a result of the Authlete API call.

When this request parameter holds a positive integer, it is used as the duration of the refresh token in. In other cases, this request parameter is ignored.

dpopNonceRequired
boolean

The flag indicating whether to require the DPoP proof JWT to include the nonce claim. Even if the service's dpopNonceRequired property is false, calling the /auth/token API with this dpopNonceRequired parameter true will force the Authlete API to check whether the DPoP proof JWT includes the expected nonce value.

cimdOptions
object

Options for OAuth Client ID Metadata Document (CIMD).

These options allow per-request control over CIMD behavior, taking precedence over service-level configuration when provided.

Response

Token operation completed successfully

resultCode
string

The code which represents the result of the API call.

resultMessage
string

A short message which explains the result of the API call.

action
enum<string>

The next action that the authorization server implementation should take.

Available options:
INTERNAL_SERVER_ERROR,
INVALID_CLIENT,
BAD_REQUEST,
PASSWORD,
OK,
TOKEN_EXCHANGE,
JWT_BEARER,
NATIVE_SSO,
ID_TOKEN_REISSUABLE
responseContent
string

The content that the authorization server implementation is to return to the client application. Its format varies depending on the value of action parameter.

username
string

The value of username request parameter in the token request. The client application must specify username when it uses Resource Owner Password Grant. In other words, when the value of grant_type request parameter is password, username request parameter must come along.

This parameter has a value only if the value of grant_type request parameter is password and the token request is valid.

password
string

The value of password request parameter in the token request. The client application must specify password when it uses Resource Owner Password Grant. In other words, when the value of grant_type request parameter is password, password request parameter must come along.

This parameter has a value only if the value of grant_type request parameter is password and the token request is valid.

ticket
string

The ticket which is necessary to call Authlete's /auth/token/fail API or /auth/token/issue API.

This parameter has a value only if the value of grant_type request parameter is password and the token request is valid.

accessToken
string

The newly issued access token.

accessTokenExpiresAt
integer<int64>

The datetime at which the newly issued access token will expire. The value is represented in milliseconds since the Unix epoch (1970-01-01).

accessTokenDuration
integer<int64>

The duration of the newly issued access token in seconds.

refreshToken
string

The newly issued refresh token.

refreshTokenExpiresAt
integer<int64>

The datetime at which the newly issued refresh token will expire. The value is represented in milliseconds since the Unix epoch (1970-01-01).

refreshTokenDuration
integer<int64>

The duration of the newly issued refresh token in seconds.

idToken
string

The newly issued ID token. Note that an ID token is issued from a token endpoint only when the response_type request parameter of the authorization request to an authorization endpoint has contained code and the scope request parameter has contained openid.

grantType
string

The grant type of the token request.

clientId
integer<int64>

The client ID.

clientIdAlias
string

The client ID alias when the token request was made. If the client did not have an alias, this parameter is null. Also, if the token request was invalid and it failed to identify a client, this parameter is null.

clientIdAliasUsed
boolean

The flag which indicates whether the client ID alias was used when the token request was made. true if the client ID alias was used when the token request was made.

subject
string

The subject (= resource owner's ID) of the access token. Even if an access token has been issued by the call of /api/auth/token API, this parameter is null if the flow of the token request was Client Credentials Flow (grant_type=client_credentials) because it means the access token is not associated with any specific end-user.

scopes
string[]

The scopes covered by the access token.

properties
object[]

The extra properties associated with the access token. This parameter is null when no extra property is associated with the issued access token.

jwtAccessToken
string

The newly issued access token in JWT format. If the authorization server is configured to issue JWT-based access tokens (= if the service's accessTokenSignAlg value is a non-null value), a JWT-based access token is issued along with the original random-string one.

resources
string[]

The resources specified by the resource request parameters in the token request. See "Resource Indicators for OAuth 2.0" for details.

accessTokenResources
string[]

The target resources of the access token being issued. See "Resource Indicators for OAuth 2.0" for details.

authorizationDetails
object

The authorization details. This represents the value of the authorization_details request parameter in the preceding device authorization request which is defined in "OAuth 2.0 Rich Authorization Requests".

additionalClaims
string

Additional claims to be embedded in an ID token.

serviceAttributes
object[]

The attributes of this service that the client application belongs to.

clientAttributes
object[]

The attributes of the client.

clientAuthMethod
string

The client authentication method that was performed at the token endpoint.

grantId
string

the value of the grant_id request parameter of the device authorization request.

The grant_id request parameter is defined in Grant Management for OAuth 2.0 , which is supported by Authlete 2.3 and newer versions.

audiences
string[]

The audiences on the token exchange request

requestedTokenType
enum<string>

The token type identifier used in OAuth 2.0 Token Exchange (RFC 8693). The API returns short codes (enum constant names) in response fields.

Available options:
JWT,
ACCESS_TOKEN,
REFRESH_TOKEN,
ID_TOKEN,
SAML1,
SAML2,
DEVICE_SECRET,
DEVICE_CODE,
TOKEN_EXCHANGE,
JWT_BEARER
subjectToken
string
subjectTokenType
enum<string>

The token type identifier used in OAuth 2.0 Token Exchange (RFC 8693). The API returns short codes (enum constant names) in response fields.

Available options:
JWT,
ACCESS_TOKEN,
REFRESH_TOKEN,
ID_TOKEN,
SAML1,
SAML2,
DEVICE_SECRET,
DEVICE_CODE,
TOKEN_EXCHANGE,
JWT_BEARER
subjectTokenInfo
object
actorToken
string
actorTokenType
enum<string>

The token type identifier used in OAuth 2.0 Token Exchange (RFC 8693). The API returns short codes (enum constant names) in response fields.

Available options:
JWT,
ACCESS_TOKEN,
REFRESH_TOKEN,
ID_TOKEN,
SAML1,
SAML2,
DEVICE_SECRET,
DEVICE_CODE,
TOKEN_EXCHANGE,
JWT_BEARER
actorTokenInfo
object
assertion
string

For RFC 7523 JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants

previousRefreshTokenUsed
boolean

Indicate whether the previous refresh token that had been kept in the database for a short time was used

clientEntityId
string

The entity ID of the client.

clientEntityIdUsed
boolean

Flag which indicates whether the entity ID of the client was used when the request for the access token was made.

cnonceDuration
integer<int64>

Duration of the c_nonce in seconds.

dpopNonce
string

Get the expected nonce value for DPoP proof JWT, which should be used as the value of the DPoP-Nonce HTTP header.

cnonce
string

Get the c_nonce.

cnonceExpiresAt
integer<int64>

Get the time at which the c_nonce expires in milliseconds since the Unix epoch (1970-01-01).

requestedIdTokenClaims
string[]

Get the names of the claims that the authorization request (which resulted in generation of the access token) requested to be embedded in ID tokens.

refreshTokenScopes
string[]

Scopes associated with the refresh token.

sessionId
string

The session ID, which is the ID of the user's authentication session, associated with a newly created access token.

deviceSecret
string

If the response from the /auth/token API contains the deviceSecret parameter, its value should be used as the value of this deviceSecret request parameter to the /nativesso API. The authorization server may choose to issue a new device secret; in that case, it is free to generate a new device secret and specify the new value.

deviceSecretHash
string

The authorization server should compute the hash value of the device secret based on its own logic and specify the computed hash as the value of this deviceSecretHash request parameter to the /nativesso API.

metadataDocumentLocation
string<uri>

The location of the client's metadata document that was used to resolve client metadata.

This property is set when client metadata was retrieved via the OAuth Client ID Metadata Document (CIMD) mechanism.

metadataDocumentUsed
boolean

Flag indicating whether a metadata document was used to resolve client metadata for this request.

When true, the client metadata was retrieved via the CIMD mechanism rather than from the Authlete database.