
Endpoint (standard)
URL: https://<baseurl>/oauth/token
Request: POST with parameters as application/x-www-form-urlencoded data
Authentication: Basic

Token is a standard endpoint used for exchanging an Authorization Code for an Access Token, or for refreshing a previously received Access Token.

The Authorization Code is contained in the preceding response from the Authorize endpoint. The practice of exchanging an Authorization Code for an Access Token applies to the Authorization Code flow and the Hybrid flow. The Access Token is used for subsequent access to Protected Resources, among them resources behind the Userinfo endpoint.

Refresh Tokens are currently not supported.

Request parameters

Access Token request

| Name | Support | Description |
|---|---|---|
| grant_type | Supported | Grant type is always authorization_code |
| code | Supported | Value from response of the foregoing Authorize request |
| redirect_uri | Supported | Redirect URI used in the foregoing Authorize request |
| client_id | Not supported | Not supported since the OIDC clients must always authenticate |

Refresh Token request

Refresh Tokens are currently not supported.

Response elements

Access Token response

The response is a JSON structure with name/value pairs.

  1. An access_token is required for the OIDC Client to get Additional Information from the UserInfo endpoint. This currently only concerns the Norwegian National Identity Number (nnin) in case of BankID. To get access to nnin, the authorization request scope must contain "nnin" and the return type should be "code id_token". The response body, from point 2, will additionally contain an authorization_code. This authorization_code is used to call the Token endpoint (client_id and client_secret are used for Basic authentication of the request) to obtain an access_token.
  2. Use the access_token in the Authorization header as a "Bearer" token to request the UserInfo endpoint. The response will contain a JSON structure which is much like the id_token, but with the addition of "nnin" (the client must be approved to use scope "nnin").
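The two requests described above, as an added example that is not part of the original page or the provider's own code. The function names, the UserInfo URL parameter, the `token_type` check (a standard RFC 6749 field the page does not list) and all sample values are assumptions.

```python
import base64
import json
import urllib.parse
import urllib.request


def build_token_request(base_url, client_id, client_secret, code, redirect_uri):
    """Build (without sending) the Access Token request described above."""
    if not base_url.startswith("https://"):
        raise ValueError("code and client secret must only be sent over TLS")
    # Only the supported parameters go in the body. client_id is left out:
    # the client identifies itself through HTTP Basic authentication.
    body = urllib.parse.urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,  # same value as in the Authorize request
    }).encode("ascii")
    # RFC 6749 section 2.3.1: form-encode id and secret, then base64 "id:secret".
    pair = "{}:{}".format(urllib.parse.quote_plus(client_id),
                          urllib.parse.quote_plus(client_secret))
    basic = base64.b64encode(pair.encode("ascii")).decode("ascii")
    return urllib.request.Request(
        base_url.rstrip("/") + "/oauth/token", data=body, method="POST",
        headers={"Authorization": "Basic " + basic,
                 "Content-Type": "application/x-www-form-urlencoded"})


def build_userinfo_request(userinfo_url, token_response_body):
    """Turn the Token endpoint's JSON body into a Bearer request for UserInfo."""
    token = json.loads(token_response_body)
    if not isinstance(token, dict):
        raise ValueError("token response is not a JSON object")
    access_token = token.get("access_token")
    if not isinstance(access_token, str) or not access_token:
        raise ValueError("token response carries no access_token")
    # token_type is an RFC 6749 field (assumed here), compared case-insensitively.
    if str(token.get("token_type", "")).lower() != "bearer":
        raise ValueError("access_token is not a Bearer token")
    return urllib.request.Request(
        userinfo_url, headers={"Authorization": "Bearer " + access_token})


if __name__ == "__main__":
    # Constructed sample values; nothing is sent over the network.
    req = build_token_request("https://oidc.example", "demo-client",
                              "demo-secret", "constructed-code",
                              "https://rp.example/callback")
    print(req.get_method(), req.full_url, req.data.decode())
```

Pass either returned object to `urllib.request.urlopen` to send it; the token request body never contains `client_id` or the secret, which travel only in the Basic header.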

Refresh Token response

Refresh Tokens are currently not supported.

