curl

curl -v -X POST https://us.authlete.com/api/21653835348762/auth/token \
-H 'Content-Type: application/json' \
-u 'Authorization: Bearer V5a40R6dWvw2gMkCOBFdZcM95q4HC0Z-T0YKD9-nR6F' \
-d '{ "parameters": "grant_type=authorization_code&code=Xv_su944auuBgc5mfUnxXayiiQU9Z4-T_Yae_UfExmo&redirect_uri=https%3A%2F%2Fmy-client.example.com%2Fcb1&code_verifier=dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk", "clientId": "57297408867", "clientSecret": "J_3C7P0nDTP7CwCg_HyPQh7bTQ1696CC8GWot-EjesZmdBiU5Gsidq5Ve3tMaN2x2_VcKV1UE1U3ZdGKRuTs7A" }'

{
  "resultCode": "A050001",
  "resultMessage": "[A050001] The token request (grant_type=authorization_code) was processed successfully.",
  "accessToken": "C4SrUTijIj2IxqE1xBASr3dxQWgso3BpY49g8CyjGjQ",
  "accessTokenDuration": 3600,
  "accessTokenExpiresAt": 1640252942736,
  "action": "OK",
  "clientAttributes": [
    {
      "key": "attribute1-key",
      "value": "attribute1-value"
    },
    {
      "key": "attribute2-key",
      "value": "attribute2-value"
    }
  ],
  "clientId": 26478243745571,
  "clientIdAlias": "my-client",
  "clientIdAliasUsed": false,
  "grantType": "AUTHORIZATION_CODE",
  "refreshToken": "60k0cZ38sJcpTgdxvG9Sqa-3RG5AmGExGpFB-1imSxo",
  "refreshTokenDuration": 3600,
  "refreshTokenExpiresAt": 1640252942736,
  "responseContent": "{\\\"access_token\\\":\\\"C4SrUTijIj2IxqE1xBASr3dxQWgso3BpY49g8CyjGjQ\\\",\\\"refresh_token\\\":\\\"60k0cZ38sJcpTgdxvG9Sqa-3RG5AmGExGpFB-1imSxo\\\",\\\"scope\\\":\\\"history.read timeline.read\\\",\\\"token_type\\\":\\\"Bearer\\\",\\\"expires_in\\\":3600}",
  "scopes": [
    "history.read",
    "timeline.read"
  ],
  "serviceAttributes": [
    {
      "key": "attribute1-key",
      "value": "attribute1-value"
    },
    {
      "key": "attribute2-key",
      "value": "attribute2-value"
    }
  ],
  "subject": "john"
}

Token Endpoint

Process Token Request

This API parses request parameters of an authorization request and returns necessary data for the authorization server implementation to process the authorization request further. ### Description This API is supposed to be called from with the implementation of the token endpoint of the service. The endpoint implementation must extract the request parameters from the token request from the client application and pass them as the value of parameters request parameter to Authlete's `/auth/token` API. The value of parameters is the entire entity body (which is formatted in `application/x-www-form-urlencoded`) of the token request. In addition, if the token endpoint of the authorization server implementation supports basic authentication as a means of [client authentication](https://datatracker.ietf.org/doc/html/rfc6749#section-2.3), the client credentials must be extracted from `Authorization` header and they must be passed as `clientId` request parameter and `clientSecret` request parameter to Authlete's `/auth/token` API. The following code snippet is an example in JAX-RS showing how to extract request parameters from the token request and client credentials from Authorization header. ```java @POST @Consumes(MediaType.APPLICATION\_FORM\_URLENCODED) public Response post( @HeaderParam(HttpHeaders.AUTHORIZATION) String auth, String parameters) { // Convert the value of Authorization header (credentials of // the client application), if any, into BasicCredentials. BasicCredentials credentials = BasicCredentials.parse(auth); // The credentials of the client application extracted from // 'Authorization' header. These may be null. String clientId = credentials == null ? null : credentials.getUserId(); String clientSecret = credentials == null ? null : credentials.getPassword(); // Process the given parameters. return process(parameters, clientId, clientSecret); } ``` The response from `/auth/token` API has some parameters. Among them, it is action parameter that the service implementation should check first because it denotes the next action that the authorization server implementation should take. According to the value of action, the authorization server implementation must take the steps described below. **INTERNAL\_SERVER\_ERROR** When the value of `action` is `INTERNAL\_SERVER\_ERROR`, it means that the request from the authorization server implementation was wrong or that an error occurred in Authlete. In either case, from the viewpoint of the client application, it is an error on the server side. Therefore, the service implementation should generate a response to the client application with HTTP status of "500 Internal Server Error". Authlete recommends `application/json` as the content type although OAuth 2.0 specification does not mention the format of the error response when the redirect URI is not usable. The value of `responseContent` is a JSON string which describes the error, so it can be used as the entity body of the response. The following illustrates the response which the service implementation should generate and return to the client application. ``` HTTP/1.1 500 Internal Server Error Content-Type: application/json Cache-Control: no-store Pragma: no-cache {responseContent} ``` The endpoint implementation may return another different response to the client application since "500 Internal Server Error" is not required by OAuth 2.0. **INVALID\_CLIENT** When the value of `action` is `INVALID\_CLIENT`, it means that authentication of the client failed. In this case, the HTTP status of the response to the client application is either "400 Bad Request" or "401 Unauthorized". This requirement comes from [RFC 6749, 5.2. Error Response](https://datatracker.ietf.org/doc/html/rfc6749#section-5.2). The description about `invalid\_client` shown below is an excerpt from RFC 6749. Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method). The authorization server MAY return an HTTP 401 (Unauthorized) status code to indicate which HTTP authentication schemes are supported. If the client attempted to authenticate via the `Authorization` request header field, the authorization server MUST respond with an HTTP 401 (Unauthorized) status code and include the `WWW-Authenticate` response header field matching the authentication scheme used by the client. In either case, the value of `responseContent` is a JSON string which can be used as the entity body of the response to the client application. The following illustrate responses which the service implementation must generate and return to the client application. ``` HTTP/1.1 400 Bad Request Content-Type: application/json Cache-Control: no-store Pragma: no-cache {responseContent} ``` ``` HTTP/1.1 401 Unauthorized WWW-Authenticate: {challenge} Content-Type: application/json Cache-Control: no-store Pragma: no-cache {responseContent} ``` **BAD\_REQUEST** When the value of `action` is `BAD\_REQUEST`, it means that the request from the client application is invalid. A response with HTTP status of "400 Bad Request" must be returned to the client application and the content type must be `application/json`. The value of `responseContent` is a JSON string which describes the error, so it can be used as the entity body of the response. The following illustrates the response which the service implementation should generate and return to the client application. ``` HTTP/1.1 400 Bad Request Content-Type: application/json Cache-Control: no-store Pragma: no-cache {responseContent} ``` **PASSWORD** When the value of `"action"` is `"PASSWORD"`, it means that the request from the client application is valid and `grant\_type` is `"password"`. That is, the flow is ["Resource Owner Password Credentials"](https://www.rfc-editor.org/rfc/rfc6749.html#section-4.3). In this case, {@link #getUsername()} returns the value of `"username"` request parameter and {@link #getPassword()} returns the value of {@code "password"} request parameter which were contained in the token request from the client application. The service implementation must validate the credentials of the resource owner (= end-user) and take either of the actions below according to the validation result. 1. When the credentials are valid, call Authlete's /auth/token/issue} API to generate an access token for the client application. The API requires `"ticket"` request parameter and `"subject"` request parameter. Use the value returned from {@link #getTicket()} method as the value for `"ticket"` parameter. 2. The response from `/auth/token/issue` API ({@link TokenIssueResponse}) contains data (an access token and others) which should be returned to the client application. Use the data to generate a response to the client application. 3. When the credentials are invalid, call Authlete's {@code /auth/token/fail} API with `reason=`{@link TokenFailRequest.Reason#INVALID\_RESOURCE\_OWNER\_CREDENTIALS INVALID\_RESOURCE\_OWNER\_CREDENTIALS} to generate an error response for the client application. The API requires `"ticket"` request parameter. Use the value returned from {@link #getTicket()} method as the value for `"ticket"` parameter. 4. The response from `/auth/token/fail` API ({@link TokenFailResponse}) contains error information which should be returned to the client application. Use it to generate a response to the client application. **OK** When the value of `action` is `OK`, it means that the request from the client application is valid and an access token, and optionally an ID token, is ready to be issued. The HTTP status of the response returned to the client application must be "200 OK" and the content type must be `application/json`. The value of `responseContent` is a JSON string which contains an access token (and optionally an ID token), so it can be used as the entity body of the response. The following illustrates the response which the service implementation must generate and return to the client application. ``` HTTP/1.1 200 OK Content-Type: application/json Cache-Control: no-store Pragma: no-cache {responseContent} ``` **TOKEN\_EXCHANGE (Authlete 2.3 onwards)** When the value of `"action"` is `"TOKEN\_EXCHANGE"`, it means that the request from the client application is a valid token exchange request (cf. [RFC 8693 OAuth 2.0 Token Exchange](https://www.rfc-editor.org/rfc/rfc8693.html)) and that the request has already passed the following validation steps. 1. Confirm that the value of the `requested\_token\_type` request parameter is one of the registered token type identifiers if the request parameter is given and its value is not empty. 2. Confirm that the `subject\_token` request parameter is given and its value is not empty. 3. Confirm that the `subject\_token\_type` request parameter is given and its value is one of the registered token type identifiers. 4. Confirm that the `actor\_token\_type` request parameter is given and its value is one of the registered token type identifiers if the `actor\_token` request parameter is given and its value is not empty. 5. Confirm that the `actor\_token\_type` request parameter is not given or its value is empty when the `actor\_token` request parameter is not given or its value is empty. Furthermore, Authlete performs additional validation on the tokens specified by the `subject\_token` request parameter and the `actor\_token` request parameter according to their respective token types as shown below. **Token Validation Steps** \*Token Type: `urn:ietf:params:oauth:token-type:jwt`\* 1. Confirm that the format conforms to the JWT specification [RFC 7519][https://www.rfc-editor.org/rfc/rfc7519.html]. 2. Check if the JWT is encrypted and if it is encrypted, then (a) reject the token exchange request when the {@link Service#isTokenExchangeEncryptedJwtRejected() tokenExchangeEncryptedJwtRejected} flag of the service is `true` or (b) skip remaining validation steps when the flag is `false`. Note that Authlete does not verify an encrypted JWT because there is no standard way to obtain the key to decrypt the JWT with. This means that you must verify an encrypted JWT by yourself when one is used as an input token with the token type { @code "urn:ietf:params:oauth:token-type:jwt" }. 3. Confirm that the current time has not reached the time indicated by the `exp` claim if the JWT contains the claim. 4. Confirm that the current time is equal to or after the time indicated by the `iat` claim if the JWT contains the claim. 5.Confirm that the current time is equal to or after the time indicated by the `nbf` claim if the JWT contains the claim. 6. Check if the JWT is signed and if it is not signed, then (a) reject the token exchange request when the {@link Service#isTokenExchangeUnsignedJwtRejected() tokenExchangeUnsignedJwtRejected} flag of the service is `true` or (b) finish validation on the input token. Note that Authlete does not verify the signature of the JWT because there is no standard way to obtain the key to verify the signature of a JWT with. This means that you must verify the signature by yourself when a signed JWT is used as an input token with the token type `"urn:ietf:params:oauth:token-type:jwt"`. \*Token Type: `urn:ietf:params:oauth:token-type:access\_token`\* 1. Confirm that the token is an access token that has been issued by the Authlete server of your service. This implies that access tokens issued by other systems cannot be used as a subject token or an actor token with the token type `urn:ietf:params:oauth:token-type:access_token`. 2. Confirm that the access token has not expired. 3. Confirm that the access token belongs to the service. \*Token Type: `urn:ietf:params:oauth:token-type:refresh\_token`\* 1. Confirm that the token is a refresh token that has been issued by the Authlete server of your service. This implies that refresh tokens issued by other systems cannot be used as a subject token or an actor token with the token type `urn:ietf:params:oauth:token-type:refresh_token`. 2. Confirm that the refresh token has not expired. 3. Confirm that the refresh token belongs to the service. \*Token Type: `urn:ietf:params:oauth:token-type:id\_token`\* 1. Confirm that the format conforms to the JWT specification ([RFC 7519](https://www.rfc-editor.org/rfc/rfc7519.html)). 2. Check if the ID Token is encrypted and if it is encrypted, then (a) reject the token exchange request when the {@link Service#isTokenExchangeEncryptedJwtRejected() tokenExchangeEncryptedJwtRejected} flag of the service is `true` or (b) skip remaining validation steps when the flag is `false`. Note that Authlete does not verify an encrypted ID Token because there is no standard way to obtain the key to decrypt the ID Token with in the context of token exchange where the client ID for the encrypted ID Token cannot be determined. This means that you must verify an encrypted ID Token by yourself when one is used as an input token with the token type `"urn:ietf:params:oauth:token-type:id\_token"`. 3. Confirm that the ID Token contains the `exp` claim and the current time has not reached the time indicated by the claim. 4. Confirm that the ID Token contains the `iat` claim and the current time is equal to or after the time indicated by the claim. 5. Confirm that the current time is equal to or after the time indicated by the `nbf` claim if the ID Token contains the claim. 6. Confirm that the ID Token contains the `iss` claim and the value is a valid URI. In addition, confirm that the URI has the `https` scheme, no query component and no fragment component. 7. Confirm that the ID Token contains the `aud` claim and its value is a JSON string or an array of JSON strings. 8. Confirm that the value of the `nonce` claim is a JSON string if the ID Token contains the claim. 9. Check if the ID Token is signed and if it is not signed, then (a) reject the token exchange request when the {@link Service#isTokenExchangeUnsignedJwtRejected() tokenExchangeUnsignedJwtRejected} flag of the service is `true` or (b) finish validation on the input token. 10. Confirm that the signature algorithm is asymmetric. This implies that ID Tokens whose signature algorithm is symmetric (`HS256`, `HS384` or `HS512`) cannot be used as a subject token or an actor token with the token type `urn:ietf:params:oauth:token-type:id\_token`. 11. Verify the signature of the ID Token. Signature verification is performed even in the case where the issuer of the ID Token is not your service. But in that case, the issuer must support the discovery endpoint defined in [OpenID Connect Discovery 1.0](https://openid.net/specs/openid-connect-discovery-1_0.html). Otherwise, signature verification fails. \*Token Type: `urn:ietf:params:oauth:token-type:saml1`\* (Authlete does not perform any validation for this token type.) \*Token Type: `urn:ietf:params:oauth:token-type:saml2`\* (Authlete does not perform any validation for this token type.) The specification of Token Exchange ([RFC 8693](https://www.rfc-editor.org/rfc/rfc8693.html)) is very flexible. In other words, the specification has abandoned the task of determining details. Therefore, for secure token exchange, you have to complement the specification with your own rules. For that purpose, Authlete provides some configuration options as listed below. Authorization server implementers may utilize them and/or implement their own rules. In the case of {@link Action#TOKEN\_EXCHANGE TOKEN\_EXCHANGE}, the {@link #getResponseContent()} method returns `null`. You have to construct the token response by yourself. For example, you may generate an access token by calling Authlete's `/api/auth/token/create` API and construct a token response like below. ``` HTTP/1.1 401 Unauthorized WWW-Authenticate: {challenge} Content-Type: application/json Cache-Control: no-store Pragma: no-cache {responseContent} ``` ``` HTTP/1.1 200 OK Content-Type: application/json Cache-Control: no-cache, no-store { "access\_token": "{@link TokenCreateResponse#getAccessToken()}", "issued\_token\_type": "urn:ietf:params:oauth:token-type:access\_token", "token\_type": "Bearer", "expires\_in": { @link TokenCreateResponse#getExpiresIn() }, "scope": "String.join(" ", {@link TokenCreateResponse#getScopes()})" } ``` **JWT\_BEARER JWT\_BEARER (Authlete 2.3 onwards)** When the value of `"action"` is `"JWT\_BEARER"`, it means that the request from the client application is a valid token request with the grant type `"urn:ietf:params:oauth:grant-type:jwt-bearer"` ([RFC 7523 JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants](https://www.rfc-editor.org/rfc/rfc7523.html)) and that the request has already passed the following validation steps. 1. Confirm that the `assertion` request parameter is given and its value is not empty. 2. Confirm that the format of the assertion conforms to the JWT specification ([RFC 7519](https://www.rfc-editor.org/rfc/rfc7519.html)). 3. Check if the JWT is encrypted and if it is encrypted, then (a) reject the token request when the {@link Service#isJwtGrantEncryptedJwtRejected() jwtGrantEncryptedJwtRejected} flag of the service is `true` or (b) skip remaining validation steps when the flag is `false`. Note that Authlete does not verify an encrypted JWT because there is no standard way to obtain the key to decrypt the JWT with. This means that you must verify an encrypted JWT by yourself. 4. Confirm that the JWT contains the `iss` claim and its value is a JSON string. 5. Confirm that the JWT contains the `sub` claim and its value is a JSON string. 6. Confirm that the JWT contains the `aud` claim and its value is either a JSON string or an array of JSON strings. 7. Confirm that the issuer identifier of the service (cf. {@link Service#getIssuer()}) or the URL of the token endpoint (cf. {@link Service#getTokenEndpoint()}) is listed as audience in the `aud` claim. 8. Confirm that the JWT contains the `exp` claim and the current time has not reached the time indicated by the claim. 9. Confirm that the current time is equal to or after the time indicated by by the `iat` claim if the JWT contains the claim. 10. Confirm that the current time is equal to or after the time indicated by by the `nbf` claim if the JWT contains the claim. 11. Check if the JWT is signed and if it is not signed, then (a) reject the token request when the {@link Service#isJwtGrantUnsignedJwtRejected() jwtGrantUnsignedJwtRejected} flag of the service is `true` or (b) finish validation on the JWT. Note that Authlete does not verify the signature of the JWT because there is no standard way to obtain the key to verify the signature of a JWT with. This means that you must verify the signature by yourself. Authlete provides some configuration options for the grant type as listed below. Authorization server implementers may utilize them and/or implement their own rules. ``` HTTP/1.1 200 OK Content-Type: application/json Cache-Control: no-cache, no-store { "access\_token": "{@link TokenCreateResponse#getAccessToken()}", "token\_type": "Bearer", "expires\_in": {@link TokenCreateResponse#getExpiresIn()}, "scope": "String.join(" ", {@link TokenCreateResponse#getScopes()})" } ``` Finally, note again that Authlete does not verify the signature of the JWT specified by the `assertion` request parameter. You must verify the signature by yourself.

POST

api

{serviceId}

auth

token

curl

curl -v -X POST https://us.authlete.com/api/21653835348762/auth/token \
-H 'Content-Type: application/json' \
-u 'Authorization: Bearer V5a40R6dWvw2gMkCOBFdZcM95q4HC0Z-T0YKD9-nR6F' \
-d '{ "parameters": "grant_type=authorization_code&code=Xv_su944auuBgc5mfUnxXayiiQU9Z4-T_Yae_UfExmo&redirect_uri=https%3A%2F%2Fmy-client.example.com%2Fcb1&code_verifier=dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk", "clientId": "57297408867", "clientSecret": "J_3C7P0nDTP7CwCg_HyPQh7bTQ1696CC8GWot-EjesZmdBiU5Gsidq5Ve3tMaN2x2_VcKV1UE1U3ZdGKRuTs7A" }'

{
  "resultCode": "A050001",
  "resultMessage": "[A050001] The token request (grant_type=authorization_code) was processed successfully.",
  "accessToken": "C4SrUTijIj2IxqE1xBASr3dxQWgso3BpY49g8CyjGjQ",
  "accessTokenDuration": 3600,
  "accessTokenExpiresAt": 1640252942736,
  "action": "OK",
  "clientAttributes": [
    {
      "key": "attribute1-key",
      "value": "attribute1-value"
    },
    {
      "key": "attribute2-key",
      "value": "attribute2-value"
    }
  ],
  "clientId": 26478243745571,
  "clientIdAlias": "my-client",
  "clientIdAliasUsed": false,
  "grantType": "AUTHORIZATION_CODE",
  "refreshToken": "60k0cZ38sJcpTgdxvG9Sqa-3RG5AmGExGpFB-1imSxo",
  "refreshTokenDuration": 3600,
  "refreshTokenExpiresAt": 1640252942736,
  "responseContent": "{\\\"access_token\\\":\\\"C4SrUTijIj2IxqE1xBASr3dxQWgso3BpY49g8CyjGjQ\\\",\\\"refresh_token\\\":\\\"60k0cZ38sJcpTgdxvG9Sqa-3RG5AmGExGpFB-1imSxo\\\",\\\"scope\\\":\\\"history.read timeline.read\\\",\\\"token_type\\\":\\\"Bearer\\\",\\\"expires_in\\\":3600}",
  "scopes": [
    "history.read",
    "timeline.read"
  ],
  "serviceAttributes": [
    {
      "key": "attribute1-key",
      "value": "attribute1-value"
    },
    {
      "key": "attribute2-key",
      "value": "attribute2-value"
    }
  ],
  "subject": "john"
}

Authorizations

Authorization

string

header

required

Click the Get Token button below to log in with your Authlete account and retrieve an access token for API access.

Path Parameters

serviceId

string

required

A service ID.

Body

parameters

string

required

OAuth 2.0 token request parameters which are the request parameters that the OAuth 2.0 token endpoint of the authorization server implementation received from the client application.

The value of parameters is the entire entity body (which is formatted in application/x-www-form-urlencoded) of the request from the client application.

clientId

string

The client ID extracted from Authorization header of the token request from the client application.

If the token endpoint of the authorization server implementation supports basic authentication as a means of client authentication, and the request from the client application contained its client ID in Authorization header, the value should be extracted and set to this parameter.

clientSecret

string

The client secret extracted from Authorization header of the token request from the client application.

If the token endpoint of the authorization server implementation supports basic authentication as a means of client authentication, and the request from the client application contained its client secret in Authorization header, the value should be extracted and set to this parameter.

clientCertificate

string

The client certificate from the MTLS of the token request from the client application.

clientCertificatePath

string

The certificate path presented by the client during client authentication. These certificates are strings in PEM format.

properties

string

Extra properties to associate with an access token. See Extra Properties for details.

dpop

string

DPoP header presented by the client during the request to the token endpoint.

The header contains a signed JWT which includes the public key that is paired with the private key used to sign the JWT. See OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer (DPoP) for details.

htm

string

HTTP method of the token request. This field is used to validate the DPoP header.

In normal cases, the value is POST. When this parameter is omitted, POST is used as the default value. See OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer (DPoP) for details.

htu

string

URL of the token endpoint. This field is used to validate the DPoP header.

If this parameter is omitted, the tokenEndpoint property of the Service is used as the default value. See OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer (DPoP) for details.

accessToken

string

The representation of an access token that may be issued as a result of the Authlete API call.

jwtAtClaims

string

Additional claims that are added to the payload part of the JWT access token.

oauthClientAttestation

string

The value of the OAuth-Client-Attestation HTTP header, which is defined in the specification of OAuth 2.0 Attestation-Based Client Authentication.

oauthClientAttestationPop

string

The value of the OAuth-Client-Attestation-PoP HTTP header, which is defined in the specification of OAuth 2.0 Attestation-Based Client Authentication.

accessTokenDuration

integer<int64>

The duration (in seconds) of the access token that may be issued as a result of the Authlete API call.

When this request parameter holds a positive integer, it is used as the duration of the access token in. In other cases, this request parameter is ignored.

refreshTokenDuration

integer<int64>

The duration (in seconds) of the refresh token that may be issued as a result of the Authlete API call.

When this request parameter holds a positive integer, it is used as the duration of the refresh token in. In other cases, this request parameter is ignored.

dpopNonceRequired

boolean

The flag indicating whether to require the DPoP proof JWT to include the nonce claim. Even if the service's dpopNonceRequired property is false, calling the /auth/token API with this dpopNonceRequired parameter true will force the Authlete API to check whether the DPoP proof JWT includes the expected nonce value.

Response

resultCode

string

The code which represents the result of the API call.

resultMessage

string

A short message which explains the result of the API call.

action

enum<string>

The next action that the authorization server implementation should take.

Available options:

INTERNAL_SERVER_ERROR,

INVALID_CLIENT,

BAD_REQUEST,

PASSWORD,

OK,

TOKEN_EXCHANGE,

JWT_BEARER

responseContent

string

The content that the authorization server implementation is to return to the client application. Its format varies depending on the value of action parameter.

username

string

The value of username request parameter in the token request. The client application must specify username when it uses Resource Owner Password Grant. In other words, when the value of grant_type request parameter is password, username request parameter must come along.

This parameter has a value only if the value of grant_type request parameter is password and the token request is valid.

password

string

The value of password request parameter in the token request. The client application must specify password when it uses Resource Owner Password Grant. In other words, when the value of grant_type request parameter is password, password request parameter must come along.

This parameter has a value only if the value of grant_type request parameter is password and the token request is valid.

ticket

string

The ticket which is necessary to call Authlete's /auth/token/fail API or /auth/token/issue API.

This parameter has a value only if the value of grant_type request parameter is password and the token request is valid.

accessToken

string

The newly issued access token.

accessTokenExpiresAt

integer<int64>

The datetime at which the newly issued access token will expire. The value is represented in milliseconds since the Unix epoch (1970-01-01).

accessTokenDuration

integer<int64>

The duration of the newly issued access token in seconds.

refreshToken

string

The newly issued refresh token.

refreshTokenExpiresAt

integer<int64>

The datetime at which the newly issued refresh token will expire. The value is represented in milliseconds since the Unix epoch (1970-01-01).

refreshTokenDuration

integer<int64>

The duration of the newly issued refresh token in seconds.

idToken

string

The newly issued ID token. Note that an ID token is issued from a token endpoint only when the response_type request parameter of the authorization request to an authorization endpoint has contained code and the scope request parameter has contained openid.

grantType

string

The grant type of the token request.

clientId

integer<int64>

The client ID.

clientIdAlias

string

The client ID alias when the token request was made. If the client did not have an alias, this parameter is null. Also, if the token request was invalid and it failed to identify a client, this parameter is null.

clientIdAliasUsed

boolean

The flag which indicates whether the client ID alias was used when the token request was made. true if the client ID alias was used when the token request was made.

subject

string

The subject (= resource owner's ID) of the access token. Even if an access token has been issued by the call of /api/auth/token API, this parameter is null if the flow of the token request was Client Credentials Flow (grant_type=client_credentials) because it means the access token is not associated with any specific end-user.

scopes

string[]

The scopes covered by the access token.

properties

object[]

The extra properties associated with the access token. This parameter is null when no extra property is associated with the issued access token.

Show child attributes

jwtAccessToken

string

The newly issued access token in JWT format. If the authorization server is configured to issue JWT-based access tokens (= if the service's accessTokenSignAlg value is a non-null value), a JWT-based access token is issued along with the original random-string one.

resources

string[]

The resources specified by the resource request parameters in the token request. See "Resource Indicators for OAuth 2.0" for details.

accessTokenResources

string[]

The target resources of the access token being issued. See "Resource Indicators for OAuth 2.0" for details.

authorizationDetails

object

The authorization details. This represents the value of the authorization_details request parameter in the preceding device authorization request which is defined in "OAuth 2.0 Rich Authorization Requests".

Show child attributes

serviceAttributes

object[]

The attributes of this service that the client application belongs to.

Show child attributes

clientAttributes

object[]

The attributes of the client.

Show child attributes

clientAuthMethod

string

The client authentication method that was performed at the token endpoint.

grantId

string

the value of the grant_id request parameter of the device authorization request.

The grant_id request parameter is defined in Grant Management for OAuth 2.0 , which is supported by Authlete 2.3 and newer versions.

audiences

string[]

The audiences on the token exchange request

requestedTokenType

enum<string>

The grant type of the access token when the access token was created.

Available options:

urn:ietf:params:oauth:token-type:jwt,

urn:ietf:params:oauth:token-type:access_token,

urn:ietf:params:oauth:token-type:refresh_token,

urn:ietf:params:oauth:token-type:id_token,

urn:ietf:params:oauth:token-type:saml1,

urn:ietf:params:oauth:token-type:saml2,

DEVICE_CODE,

TOKEN_EXCHANGE,

JWT_BEARER

subjectToken

string

subjectTokenType

enum<string>

The grant type of the access token when the access token was created.

Available options:

urn:ietf:params:oauth:token-type:jwt,

urn:ietf:params:oauth:token-type:access_token,

urn:ietf:params:oauth:token-type:refresh_token,

urn:ietf:params:oauth:token-type:id_token,

urn:ietf:params:oauth:token-type:saml1,

urn:ietf:params:oauth:token-type:saml2,

DEVICE_CODE,

TOKEN_EXCHANGE,

JWT_BEARER

subjectTokenInfo

object

Show child attributes

actorToken

string

actorTokenType

enum<string>

The grant type of the access token when the access token was created.

Available options:

urn:ietf:params:oauth:token-type:jwt,

urn:ietf:params:oauth:token-type:access_token,

urn:ietf:params:oauth:token-type:refresh_token,

urn:ietf:params:oauth:token-type:id_token,

urn:ietf:params:oauth:token-type:saml1,

urn:ietf:params:oauth:token-type:saml2,

DEVICE_CODE,

TOKEN_EXCHANGE,

JWT_BEARER

actorTokenInfo

object

Show child attributes

assertion

string

For RFC 7523 JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants

previousRefreshTokenUsed

boolean

Indicate whether the previous refresh token that had been kept in the database for a short time was used

clientEntityId

string

The entity ID of the client.

clientEntityIdUsed

boolean

Flag which indicates whether the entity ID of the client was used when the request for the access token was made.

cnonceDuration

integer<int64>

Duration of the c_nonce in seconds.

dpopNonce

string

Get the expected nonce value for DPoP proof JWT, which should be used as the value of the DPoP-Nonce HTTP header.

cnonce

string

Get the c_nonce.

cnonceExpiresAt

integer<int64>

Get the time at which the c_nonce expires in milliseconds since the Unix epoch (1970-01-01).

requestedIdTokenClaims

string[]

Get the names of the claims that the authorization request (which resulted in generation of the access token) requested to be embedded in ID tokens.

refreshTokenScopes

string[]

Scopes associated with the refresh token.

sessionId

string

The session ID, which is the ID of the user's authentication session, associated with a newly created access token.

deviceSecret

string

If the response from the /auth/token API contains the deviceSecret parameter, its value should be used as the value of this deviceSecret request parameter to the /nativesso API. The authorization server may choose to issue a new device secret; in that case, it is free to generate a new device secret and specify the new value.

If the response from the /auth/token API does not contain the deviceSecret parameter, or if its value is invalid, the authorization server must generate a new device secret and specify it in the deviceSecret parameter to the /nativesso API.

The specified value is used as the value of the device_secret property in the token response.

deviceSecretHash

string

The authorization server should compute the hash value of the device secret based on its own logic and specify the computed hash as the value of this deviceSecretHash request parameter to the /nativesso API.

When the deviceSecretHash parameter is omitted, the implementation of the /nativesso API generates the device secret hash by computing the SHA-256 hash of the device secret and encoding it with base64url. Note that this hash computation logic is not a rule defined in the Native SSO specification; rather, it is Authlete-specific fallback logic used when the deviceSecretHash parameter is omitted.

Process Pushed Authorization Request Fail Token Request

⌘I

Guides

Authelte APIs

Process Token Request

Authorizations

Path Parameters

Body

Response