Invoking the Token Endpoint for OpenID Connect
In the OpenID Connect Authorization Code Flow, the token endpoint is used by a client to obtain an ID token, access token, and refresh token.
Before you begin
About this task
The token endpoint accepts a request from the client that includes an authorization code that is issued to the client by the authorization endpoint. When the authorization code is validated, the appropriate tokens are returned in a response to the client.
The token endpoint is not used in the OpenID Connect Implicit Flow.
A Liberty server with OpenID Connect enabled has access to the OpenID Connect token endpoint at the following URL:
https://server.example.com:443/oidc/endpoint/<provider_name>/token
Procedure
Results
When the OpenID Connect Provider validates the token request that is received from the client, the OpenID Connect Provider returns an HTTP 200 response to the client with a JSON object in application/json format. The response includes the ID token, access token, and refresh token, along with the following additional parameters:
- token_type: OAuth 2.0 Token Type. For OpenID Connect, this value is Bearer.
- expires_in: Expiration time of the access token in seconds since the response was generated.
All responses from the token endpoint that contain tokens, secrets, or other sensitive information have their Cache-Control header value set to no-store and Pragma header value set to no-cache.
Example
An example request is shown here:
POST /token HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
grant_type=authorization_code
&code=SplxlOBeZQQYbYS6WxSbIA
&redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb
An example response is shown here:
HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-store
Pragma: no-cache
{
"access_token": "SlAV32hkKG",
"token_type": "Bearer",
"refresh_token": "8xLOxBtZp8",
"expires_in": 3600,
"id_token": "eyJ ... zcifQ.ewo ... NzAKfQ.ggW8h ... Mzqg"
}
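The following is an added example, not code from the Liberty documentation or product, showing how a client builds the token request above and checks the response before trusting the tokens. The client_id and client_secret are what the page's Basic credential decodes to; the code, redirect_uri, and the sample reply are constructed for the example, and the id_token placeholder stands in for the elided value on the page.

```python
"""Build and validate an OpenID Connect token-endpoint exchange (added example)."""
import base64
import json
import time
from urllib.parse import quote, urlencode

# Decoded from the page's example request: the Basic credential
# czZCaGRSa3F0MzpnWDFmQmF0M2JW is base64("s6BhdRkqt3:gX1fBat3bV").
CLIENT_ID = "s6BhdRkqt3"
CLIENT_SECRET = "gX1fBat3bV"
# Constructed for this example; a real client uses the code from the
# authorization response and the redirect_uri it sent in that request.
AUTH_CODE = "SplxlOBeZQQYbYS6WxSbIA"
REDIRECT_URI = "https://client.example.org/cb"


def basic_auth_header(client_id, client_secret):
    """client_secret_basic credential: form-encode id and secret, join with ':', base64."""
    raw = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}".encode()
    return "Basic " + base64.b64encode(raw).decode()


def build_token_request(code, redirect_uri, client_id, client_secret):
    """Return (headers, body) for the authorization_code grant shown on the page."""
    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        "Authorization": basic_auth_header(client_id, client_secret),
    }
    # redirect_uri must be the exact value used in the authorization request;
    # the provider compares the two before it will redeem the code.
    body = urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
    })
    return headers, body


class TokenResponseError(Exception):
    """Raised when the token response fails a validation check."""


def parse_token_response(status, headers, body, now=None):
    """Validate the provider's reply and return the tokens plus an absolute expiry."""
    if status != 200:
        raise TokenResponseError(f"token endpoint returned HTTP {status}")
    h = {k.lower(): v for k, v in headers.items()}
    if not h.get("content-type", "").startswith("application/json"):
        raise TokenResponseError("expected an application/json body")
    # The page states token responses carry no-store and no-cache; if either is
    # missing, an intermediary could retain the tokens, so treat it as a fault.
    if "no-store" not in h.get("cache-control", "") or "no-cache" not in h.get("pragma", ""):
        raise TokenResponseError("token response lacks no-store/no-cache headers")
    data = json.loads(body)
    for field in ("access_token", "token_type", "expires_in", "id_token"):
        if field not in data:
            raise TokenResponseError(f"response lacks required field {field}")
    if data["token_type"].lower() != "bearer":
        raise TokenResponseError(f"unexpected token_type {data['token_type']}")
    expires_in = int(data["expires_in"])
    if expires_in <= 0:
        raise TokenResponseError("expires_in must be positive")
    now = time.time() if now is None else now
    return {
        "access_token": data["access_token"],
        "refresh_token": data.get("refresh_token"),
        "id_token": data["id_token"],
        # Absolute time so the client knows when to refresh instead of
        # re-reading a relative expires_in later.
        "expires_at": now + expires_in,
    }


# Constructed sample reply mirroring the page's example response.
SAMPLE_STATUS = 200
SAMPLE_HEADERS = {
    "Content-Type": "application/json",
    "Cache-Control": "no-store",
    "Pragma": "no-cache",
}
SAMPLE_BODY = json.dumps({
    "access_token": "SlAV32hkKG",
    "token_type": "Bearer",
    "refresh_token": "8xLOxBtZp8",
    "expires_in": 3600,
    "id_token": "<id_token placeholder; page elides the real value>",
})


def demo(now=0):
    """Build the request and validate the sample reply; returns both for inspection."""
    headers, body = build_token_request(AUTH_CODE, REDIRECT_URI, CLIENT_ID, CLIENT_SECRET)
    tokens = parse_token_response(SAMPLE_STATUS, SAMPLE_HEADERS, SAMPLE_BODY, now=now)
    return headers, body, tokens


if __name__ == "__main__":
    req_headers, req_body, result = demo()
    print(req_headers["Authorization"])
    print(req_body)
    print(result)
```

The response check is deliberately strict: a reply without no-store/no-cache, with a non-Bearer token_type, or with a missing id_token is rejected rather than partially accepted, since each of those means the reply does not match what the Results section says a valid Liberty token response looks like.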