Token is a standard endpoint used for exchanging an Authorization Code with an Access Token. The Authorization Code is contained in the foregoing response from the Authorize endpoint. The practise to exchange an Authorization Code for an Access Token applies for Autorization Code flow and Hybrid flow. The Access Token is used for subsequent access to Protected Resources, among them resources behind the Userinfo endpoint.

Request parameters

Response elements

Return is a JSON structure with name/value pairs. 

1. An access_token is required to enable the OIDC Client to get Additional Information by requesting the UserInfo endpoint. This currently only concerns the Norwegian National Identity Number (nnin) in case of BankID. To get access to nnin  the authorization request scope must contain "nnin" and return type should be "code id_token". The response body, from point 2, will additionally contain an autorization_code. This authorization_code is used to call the Token endpoint (client_id and client_secret is used for basic authentication of the request) to obtain an access_token.
2. Use the access_token in the authorization header as a "Bearer" token to request the UserInfo endpoint. The response will contain a JSON structure which is much like the id_token, but with addition of "nnin" (client must be approved to use scope "nnin").