Page tree
Skip to end of metadata
Go to start of metadata
RequestPOST with parameters as application/x-www-form-urlencoded data
Request parametersSee below
Response elementsSee below
ExampleSee below

Token is a standard endpoint used for exchanging an Authorization Code with an Access Token or to Refresh a previously received Access Token.

The Authorization Code is contained in the foregoing response from the Authorize endpoint. The practise to exchange an Authorization Code for an Access Token applies for Autorization Code flow and Hybrid flow. The Access Token is used for subsequent access to Protected Resources, among them resources behind the Userinfo endpoint.

Refresh Tokens are currently not supported.

Request parameters

Request parameters are different for Access Token requests and Refresh Token requests.

Access Token request

(tick) = According to standard. (error) = Feature restriction. 

grant_type(tick)Grant type is always authorization_code
code(tick)Value from response of the foregoing Authorize  request
redirect_uri(tick)Redirect URI used in the foregoing Authorize request
client_id(error)Not supported since the OIDC clients must always authenticate

Refresh Token request

Refresh Tokens are currently not supported.

Response elements

Reponses are different for Access Token requests and Refresh Token requests.

Access Token response

The response is a JSON structure according to standard that contains an Access Token along with associated attributes. An ID Token associated with the authenticated end-user is also contained in the response. The token_type attribute is given by the type of token "negotiated" with the OIDC Provider in the foregoing Authorize request. The OIDC Provider uses the authorization code contained in the Access Token request to lookup the type  of token "negotiated" for corresponding session in progress.

The inclusion of Refresh Tokens in the Acces Token response is currently not supported. 

Refresh Token response

Refresh Tokens are currently not supported.


The following example shows a request / response pair for the Token endpoint at the BankID pilot in pre-production. The example is generated from Postman (which is configured as a client at the OIDC Provider). The value for the authorization code in the request (code=b860604adbf40f6c53a797290916771) is taken from the corresponding example for the Authorize endpoint. 

Request / Response
POST /oidc/oauth/token HTTP/1.1
cache-control: no-cache
Postman-Token: 8eb00e4b-3e18-46c2-96f9-d27461d04a09
Content-Type: application/x-www-form-urlencoded
Authorization: Basic UG9zdG1hbjoxMjM0
User-Agent: PostmanRuntime/3.0.11-hotfix.2
Accept: */*
Content-Length: 132
Connection: close

HTTP/1.1 200 OK
Cache-Control: no-store
Pragma: no-cache
Content-Type: application/json;charset=utf-8
Server: Microsoft-IIS/8.5
X-Powered-By: ARR/3.0
X-Powered-By: ASP.NET
Date: Thu, 25 May 2017 11:12:16 GMT
Connection: close
Content-Length: 1027

    "access_token": "4497db915b5b479191c81a7854a2fa8",
    "expires_in": 3600,
    "id_token": "eyJraWQiOiJiYW5raWQtb2F1dGgiLCJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJwcmVmZXJyZWRfdXNlcm5hbWUiOiJGcm9kZSBCZWNrbWFubiBOaWxzZW4iLCJuYW1lIjoiRnJvZGUgQmVja21hbm4gTmlsc2VuIiwiZ2l2ZW5fbmFtZSI6IkZyb2RlIEJlY2ttYW5uIiwiZmFtaWx5X25hbWUiOiJOaWxzZW4iLCJzdWIiOiI5NTc4LTYwMDAtNC0zMDc5OSIsImlhdCI6MTQ5NTcxMDU3NiwiaXNzIjoiaHR0cHM6Ly9wcmVwcm9kLmJhbmtpZGFwaXMubm8iLCJhdXRoX3RpbWUiOjE0OTU3MTA1NjMsImV4cCI6MTQ5NTcxNDE2MywiYmlydGhkYXRlIjoiMTk2Ni0xMi0xOCIsIm5vbmNlIjpudWxsLCJhbXIiOlsiQmFua0lEIl0sImF6cCI6IlBvc3RtYW4iLCJhdWQiOiJQb3N0bWFuIiwiYXRfaGFzaCI6IlBrOUFEYTlZTU1IVE1kcTdwTGpWSEEifQ.kO95jBTHtjXnxJT_iloPNsWMqHylBq5hV7rw5jaS-1Adg4A9kwK8J_9ZKeQrd6OMG_SZeS4nwkypkkx8pdnqJ85cVJ5t2KXDGklutouYRBFUWJ0ZJiAabaQUT1UvKCjmQcK006k_hpCXrRsc76NbQP0sb8Wm14kGAD-eN49JuyxixxhuO4usYulIwV1xZDmOEnmeJjUe5OhS-YgnJgZptLZi_RP8Uhj_ko63x-vOXGZinITo3I9vkOpQPmzrM9VUue8hTiXiSOEJrJZyIAiGXPZGwrXbpdZM9DGDCQVhknQ21VcMtOoYhx5yXVLFmPQ56rp3T3AwyWY-uTSVyxvIJw",
    "scope": "openid",
    "token_type": "Bearer"

The following is a base64 decoding of the signed part of the ID Token (id_token) returned in the above response. 

    "amr": [
    "at_hash": "Pk9ADa9YMMHTMdq7pLjVHA",
    "aud": "Postman",
    "auth_time": 1495710563,
    "azp": "Postman",
    "birthdate": "1966-12-18",
    "exp": 1495714163,
    "family_name": "Nilsen",
    "given_name": "Frode Beckmann",
    "iat": 1495710576,
    "iss": "",
    "name": "Frode Beckmann Nilsen",
    "nonce": null,
    "preferred_username": "Frode Beckmann Nilsen",
    "sub": "9578-6000-4-30799"







  • No labels