Token
Clients use the token endpoint to exchange the authorization code for an access_token. This token is needed to access the user info endpoint. To request a token, send an HTTP POST request to the /api/openid_connect/token endpoint with a form-encoded body. Example requests for private_key_jwt and PKCE are shown below.
Request Parameters
client_assertion (required for private_key_jwt): A JWT signed with the client's private key (minimum length of 2048 bits) using the RS256 algorithm and containing the following claims:
- iss (string): The issuer, which must be the client_id.
- sub (string): The subject, which must also be the client_id.
- aud (string): The audience, which should be (or, in the case of multiple audience values, include) the URL of the token endpoint, for example https://idp.int.identitysandbox.gov/api/openid_connect/token
- jti (string): The JWT ID, a unique identifier for the token which can be used to prevent reuse of the token. It should be an unguessable, random string generated by the client, fresh for every request.
- exp (number): The expiration time for this token. It should be an integer timestamp (number of seconds since the Unix Epoch) a short period of time in the future (such as 5 minutes from now).
client_assertion_type (required for private_key_jwt): urn:ietf:params:oauth:client-assertion-type:jwt-bearer
code (required): The authorization code returned to the client in the authorization response.
code_verifier (required for PKCE): The random value the client generated for the authorization request, from which the code_challenge sent in that request was derived.
grant_type (required): authorization_code
Example request with PKCE:

```http
POST https://idp.int.identitysandbox.gov/api/openid_connect/token
code=${CODE}&
code_verifier=${CODE_VERIFIER}&
grant_type=authorization_code
```

Example request with private_key_jwt:

```http
POST https://idp.int.identitysandbox.gov/api/openid_connect/token
client_assertion=${CLIENT_ASSERTION}&
client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer&
code=${CODE}&
grant_type=authorization_code
```
Token response
The token response will be a JSON object containing the following:
access_token (string): An opaque bearer token used to authenticate to the user info endpoint.
token_type (string): Describes the kind of access token. Always Bearer.
expires_in (number): The number of seconds until the access token expires.
id_token (string): A JWT containing claims about the authenticated user, signed with the RS256 algorithm. The public key used to verify this JWT is available from the certificates endpoint. Verify the signature, and then the claims below, before trusting any value in the token.
The id_token contains the following claims:
iss (string): The issuer, which is https://idp.int.identitysandbox.gov.
sub (string): The subject, a unique identifier for the user.
aud (string): The audience, which is the client_id.
acr (string): The Authentication Context Class Reference, identifying the assurance level at which the user was authenticated.
at_hash (string): A hash of the access_token value (for RS256, the base64url encoding of the left-most 128 bits of its SHA-256 hash). Provided so the client can verify the access_token value.
c_hash (string): A hash of the code value, formed the same way. Provided so the client can verify the code value.
exp (number): The expiration time of the id_token, in seconds since the Unix Epoch.
iat (number): The time the id_token was issued, in seconds since the Unix Epoch.
jti (string): A unique identifier for the id_token.
nbf (number): The time before which the id_token must not be accepted, in seconds since the Unix Epoch.
nonce (string): The nonce the client sent in the authorization request, echoed back so the client can verify the id_token and mitigate replay attacks. This value should include per-session state and be unguessable by attackers. Read more about nonce implementation in the OpenID Connect specification.
Example token response (the id_token value is abbreviated):

```json
{
  "access_token": "hhJES3wcgjI55jzjBvZpNQ",
  "token_type": "Bearer",
  "expires_in": 3600,
  "id_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJiMmQyZDExNS0xZDdlLTQ1NzktYjlkNi1mOGU4NGY0ZjU2Y2EiLCJpc3MiOiJodHRwczovL2lkcC5pbnQubG9naW4uZ292IiwiYWNyIjoiaHR0cDovL2lkbWFuYWdlbWVudC5nb3YvbnMvYXNzdXJhbmNlL2xvYS8xIiwibm9uY2UiOiJhYWQwYWE"
}
```

Example decoded id_token claims:

```json
{
  "sub": "b2d2d115-1d7e-4579-b9d6-f8e84f4f56ca",
  "iss": "https://idp.int.identitysandbox.gov",
  "acr": "http://idmanagement.gov/ns/assurance/ial/1",
  "nonce": "aad0aa969c156b2dfa685f885fac7083",
  "aud": "urn:gov:gsa:openidconnect:development",
  "jti": "jC7NnU8dNNV5lisQBm1jtA",
  "at_hash": "tlNbiqr1Lr2YcNRGjzwlIg",
  "c_hash": "hXjq7kOrtQK_za_6tONxcw",
  "exp": 1489694196,
  "iat": 1489694198,
  "nbf": 1489694198
}
```
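The two client-side halves of this exchange, building the private_key_jwt client_assertion described under Request Parameters and validating the id_token described above, as an added Go example. This is not code from the Login.gov documentation or project; it uses only the standard library. The client_id and endpoint URLs are the sandbox values from the examples on this page. One freshly generated 2048-bit RSA key stands in for both the client's registered key and, for demonstration only, the IdP's signing key, so that a token signed locally can be checked; in practice the IdP key is fetched from the certificates endpoint and the client key is the one registered with Login.gov. The at_hash and c_hash construction (base64url of the left 128 bits of SHA-256) follows OpenID Connect Core for RS256.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"time"
)

// Constructed stand-ins for a registered client (a real client uses its own client_id and key).
const (
	clientID      = "urn:gov:gsa:openidconnect:development"
	tokenEndpoint = "https://idp.int.identitysandbox.gov/api/openid_connect/token"
	issuer        = "https://idp.int.identitysandbox.gov"
)

var b64 = base64.RawURLEncoding

// signRS256 serialises claims as a compact JWS signed with RSASSA-PKCS1-v1_5 over SHA-256.
func signRS256(claims map[string]any, key *rsa.PrivateKey) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	body, _ := json.Marshal(claims) // claims hold only strings and integers
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64.EncodeToString(sig), nil
}

// verifyRS256 checks the signature and returns the claims. alg is pinned to RS256, so a
// token whose header names another algorithm (none, HS256) is rejected, not interpreted.
func verifyRS256(token string, pub *rsa.PublicKey) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed JWT")
	}
	hdrJSON, err1 := b64.DecodeString(parts[0])
	body, err2 := b64.DecodeString(parts[1])
	sig, err3 := b64.DecodeString(parts[2])
	if err1 != nil || err2 != nil || err3 != nil {
		return nil, errors.New("bad base64url segment")
	}
	var hdr struct{ Alg string `json:"alg"` }
	if json.Unmarshal(hdrJSON, &hdr) != nil || hdr.Alg != "RS256" {
		return nil, errors.New("unexpected alg")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, errors.New("bad signature")
	}
	var claims map[string]any
	return claims, json.Unmarshal(body, &claims)
}

// clientAssertion builds the private_key_jwt assertion: iss and sub are the client_id,
// aud is the token endpoint, jti is fresh random data, exp is five minutes out.
func clientAssertion(key *rsa.PrivateKey, now time.Time) (string, error) {
	jti := make([]byte, 16)
	if _, err := rand.Read(jti); err != nil {
		return "", err
	}
	return signRS256(map[string]any{
		"iss": clientID, "sub": clientID, "aud": tokenEndpoint,
		"jti": b64.EncodeToString(jti), "exp": now.Add(5 * time.Minute).Unix(),
	}, key)
}

// leftHalfHash forms at_hash and c_hash for RS256: base64url of the left 128 bits of SHA-256.
func leftHalfHash(s string) string {
	h := sha256.Sum256([]byte(s))
	return b64.EncodeToString(h[:16])
}

// validateIDToken verifies the signature with the IdP public key (from the certificates
// endpoint), then every claim listed above. nonce is the value this client sent to /authorize.
func validateIDToken(idToken, accessToken, code, nonce string, pub *rsa.PublicKey, now time.Time) (map[string]any, error) {
	c, err := verifyRS256(idToken, pub)
	if err != nil {
		return nil, err
	}
	num := func(k string) int64 { f, _ := c[k].(float64); return int64(f) } // missing -> 0 -> rejected
	switch {
	case c["iss"] != issuer:
		return nil, errors.New("iss mismatch")
	case c["aud"] != clientID: // aud is a single string on this IdP
		return nil, errors.New("aud mismatch")
	case c["nonce"] != nonce:
		return nil, errors.New("nonce mismatch (possible replay)")
	case now.Unix() >= num("exp") || now.Unix() < num("nbf"):
		return nil, errors.New("id_token outside its nbf..exp window")
	case c["at_hash"] != leftHalfHash(accessToken):
		return nil, errors.New("at_hash does not match access_token")
	case c["c_hash"] != leftHalfHash(code):
		return nil, errors.New("c_hash does not match code")
	}
	return c, nil
}
```

Two points worth keeping when adapting this: the verifier pins alg to RS256 before looking at the signature, which closes the alg-confusion class of bugs where a library accepts whatever the token's header declares, and the nonce comparison is against state the client stored in its own session at authorization time, not against anything carried in the response.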