Token
The token endpoint, in general terms, is used to get access tokens through grants. The grants are identified through a grant type. The supported grant types are listed in Table 1.
| Name | Description |
|---|---|
| Authorization Code | Use a code in exchange of tokens. |
| Refresh Token | Use a refresh token in exchange of tokens. |
| Client Credentials | Use client authentication in exchange of tokens. |
| Name | Description |
|---|---|
| OAuth2.1 | Core specification for OAuth |
| OpenId Connect | Core specification for OpenId Connect |
| JWT | JsonWebToken specification |
| JWS | JsonWebSignature specification |
| JWE | JsonbWebEncryption specification |
| Resource | Resource indicators specification |
| Step up authentication | Step up authentication specification |
The tokens returned can be in different formats. The supported formats are JWT or Reference.
JWT is a well structured token format using JSON, and it supports signatures and encryption.
Reference is a random string, which is only understood by AuthServer. The content of the token, can be retrieved from the Introspection endpoint.
The client can choose between the two in its metadata, through the field "UseReferenceToken".
If bandwidth of the client is of concern, or you require the content of token is only send through backchannels, then the Reference token is a suitable candidate. It however requires an extra roundtrip at the protected resource, to verify the token at AuthServer.
Finally, it is also possible to sender-constraint a token, irrespective of its structure.
It means the token is cryptographically bound to the client that requested the token, and therefore can only be used by that client.
This is achievable through DPoP.
It is recommended that tokens have a short lifespan, in minutes and at most an hour.
This can be adjusted for each client in its metadata. Each type of token, has a specific field for adjusting its expiration.
It is recommended that tokens are only used at protected resources, which the client requests.
This is done through the "resource" parameter, which is a single protected resource absolute base URI. The parameter can be provided as many times as needed, and the URI is visible in the audience claim.
For example if a protected resource URI is reachable at "https://weather.authserver.dk", then that URI will be provded as the resource parameter.
It is recommended that tokens are only used for what they request.
This is done through the "scope" parameter, which is a space seperated string of scopes that the token is authorized for.
For example if a token must be used to fetch data about the weather, and the scope required for requesting weather is named "weather:read". Then the scope parameter will be set to "weather:read".
Structured access tokens contain payload claims listed in the following table.
| Name | Description |
|---|---|
| jti | Unique identifier of the token |
| scope | String of space delimited scope values, which the token is authorized for |
| aud | List of URIs of resources, which are authorized to receive the token |
| grant_id | Unique identifier of the grant, which the token is authorized through |
| sub | Identifier of the subject, which the token acts from |
| sid | Identifier of the session, which the subject owns |
| client_id | Identifier of the client, which requested the token |
| auth_time | Unix time of the subjects authentication |
| acr | String of the authentication context reference from when the subject authenticated |
| access_control | Custom object of permission claims belonging to the subject |
Id tokens contain payload claims listed in the following table.
| Name | Description |
|---|---|
| jti | Unique identifier of the token |
| nonce | Client provided nonce during authorization |
| aud | List of URIs of resources, which are authorized to receive the token |
| grant_id | Unique identifier of the grant, which the token is authorized through |
| sub | Identifier of the subject, which the token acts from |
| sid | Identifier of the session, which the subject owns |
| client_id | Identifier of the client, which requested the token |
| auth_time | Unix time of the subjects authentication |
| acr | String of the authentication context reference from when the subject authenticated |
| amr | List of strings of the authentication method references from when the subject authenticated |
| azp | Identifier of the client, which is the authorized party |
The token endpoint accepts the POST HTTP method, and the content is application/x-www-form-urlencoded.
The endpoint also allows for client authentication, and the parameters are defined in the Client Authentication page.
The content differs by which grant_type is provided, a list of all parameters is seen in the following table.
| Name | Description |
|---|---|
| grant_type | The type of grant to authorize for an exchange of a token |
| code | The authorization_code grant which is used in the authorization_code grant type |
| code_verifier | The value to verify against the code_challenge provided during authorization |
| redirect_uri | The redirect_uri provided during authorization |
| refresh_token | The refresh_token grant which is used in the refresh_token grant type |
| scope | The scope which the token is authorized for |
| resource | The resource URIs which the token is authorized to |
The token endpoint returns HTTP 200 if successful, and 400 if an error occurred.
The content is application/json, and a list of all parameters is seen in the following table.
| Name | Description |
|---|---|
| access_token | The access token in exchange of the grant |
| refresh_token | The refresh token, if the client is authorized for the refresh_token grant_type |
| id_token | The id token, if the grant_type is used with openid |
| expires_in | Unix time of when the access_token expires |
| scope | Space delimitied string of scopes, which the access_token is authorized for |
| grant_id | The identifier of the grant, from where the access_token comes from. |
| error | The code of the error |
| error_description | The description of the error |
HTTP request examples are provided for each grant type, as each request and response differs depending on the grant type used.
However, the error does not differ, and the following request example shows an error scenario.
POST /connect/token HTTP/1.1
Host: idp.authserver.dk
Content-Type: application/x-www-form-urlencoded
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
grant_type=invalid_grant_type
The following HTTP example shows the error response.
HTTP/1.1 400 BadRequest
Content-Type: application/json;charset=UTF-8
Cache-Control: no-cache, no-store
{
"error":"unsupported_grant_type",
"error_description":"grant_type is unsupported"
}