
Invoking the Token Endpoint for OpenID Connect

In the OpenID Connect Authorization Code Flow, the token endpoint is used by a client to obtain an ID token, access token, and refresh token.

When the token endpoint is invoked from an in-browser client application, or from a client application written in a scripting language such as JavaScript, no configuration of a Liberty profile server as an OpenID Connect Client is necessary.

The token endpoint accepts a request from the client that includes an authorization code issued to the client by the authorization endpoint. When the authorization code is validated, the appropriate tokens are returned in a response to the client.

The token endpoint is not used in the OpenID Connect Implicit Flow.

A Liberty profile server with OpenID Connect enabled has access to the OpenID Connect token endpoint at the following URL:

In this example, the SSL port of the OP is expected to be 443. All communication with the token endpoint must use TLS.

  1. Prepare an HTTP POST request with the following parameters.

    • grant_type: The value of this parameter must be authorization_code.

    • code: The authorization code received from the authorization endpoint.

    The parameters must be added using the application/x-www-form-urlencoded format.

  2. POST the request to the token endpoint URL.


Results

After completing these steps, a valid HTTP POST request is sent to the token endpoint. The token endpoint returns a response as described in the Example section.

When the OpenID Connect Provider validates the token request that is received from the client, the OpenID Connect Provider returns an HTTP 200 response back to the client with a JSON object in application/json format. The response includes the ID token, access token, and refresh token, along with the following additional parameters:

All responses from the token endpoint containing tokens, secrets, or other sensitive information have their Cache-Control header value set to no-store and their Pragma header value set to no-cache.


Example

The following shows examples of an HTTP POST request and response.

An example request is shown here:

 POST /token HTTP/1.1
 Content-Type: application/x-www-form-urlencoded
 Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW

 grant_type=authorization_code
     &code=SplxlOBeZQQYbYS6WxSbIA
     &redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb

An example response is shown here:

 HTTP/1.1 200 OK
 Content-Type: application/json
 Cache-Control: no-store
 Pragma: no-cache

 {
     "access_token": "SlAV32hkKG",
     "token_type": "Bearer",
     "refresh_token": "8xLOxBtZp8",
     "expires_in": 3600,
     "id_token": "eyJ ... zcifQ.ewo ... NzAKfQ.ggW8h ... Mzqg"
 }
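The request construction and the response checks described above, carried out in working code as an added example (this is not IBM or Liberty code): the client credentials, authorization code and token values are the page's own sample values, and the function names `build_token_request` and `parse_token_response` are chosen for this example.

```python
import base64
import json
from urllib.parse import urlencode

# Constructed sample values, decoded from the page's example Authorization header.
CLIENT_ID = "s6BhdRkqt3"
CLIENT_SECRET = "gX1fBat3bV"


def build_token_request(code, redirect_uri, client_id=CLIENT_ID, client_secret=CLIENT_SECRET):
    """Return (headers, body) for the token endpoint POST.

    The body is application/x-www-form-urlencoded and the client authenticates
    with HTTP Basic (client_id:client_secret), as in the page's example request."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {"Content-Type": "application/x-www-form-urlencoded",
               "Authorization": f"Basic {creds}"}
    body = urlencode({"grant_type": "authorization_code", "code": code,
                      "redirect_uri": redirect_uri})
    return headers, body


REQUIRED = ("access_token", "token_type", "id_token")


def parse_token_response(status, headers, body):
    """Validate a token endpoint response and return the token dict.

    Rejects anything other than HTTP 200 application/json, enforces the
    no-store / no-cache headers the page says the OP sets, and requires the
    fields an Authorization Code Flow response must carry."""
    if status != 200:
        raise ValueError(f"token endpoint returned HTTP {status}")
    hdrs = {k.lower(): v for k, v in headers.items()}
    if not hdrs.get("content-type", "").startswith("application/json"):
        raise ValueError("response is not application/json")
    if "no-store" not in hdrs.get("cache-control", "").lower():
        raise ValueError("Cache-Control must be no-store for a token response")
    if hdrs.get("pragma", "").lower() != "no-cache":
        raise ValueError("Pragma must be no-cache for a token response")
    tokens = json.loads(body)
    missing = [k for k in REQUIRED if k not in tokens]
    if missing:
        raise ValueError(f"response missing {missing}")
    if tokens["token_type"].lower() != "bearer":
        raise ValueError(f"unexpected token_type {tokens['token_type']!r}")
    expires = tokens.get("expires_in", 0)
    if not isinstance(expires, int) or expires < 0:
        raise ValueError("expires_in must be a non-negative integer")
    return tokens


# Constructed response mirroring the page's example (id_token abbreviated as on the page).
SAMPLE_HEADERS = {"Content-Type": "application/json", "Cache-Control": "no-store", "Pragma": "no-cache"}
SAMPLE_BODY = json.dumps({"access_token": "SlAV32hkKG", "token_type": "Bearer", "refresh_token": "8xLOxBtZp8",
                          "expires_in": 3600, "id_token": "eyJ ... zcifQ.ewo ... NzAKfQ.ggW8h ... Mzqg"})
```

Sending the request over anything other than TLS, or accepting a response that lacks the no-store / no-cache headers, is exactly the kind of defect `parse_token_response` is meant to surface before the tokens are used.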

