API Document





POST /oxauth/token

To obtain an Access Token, an ID Token, and optionally a Refresh Token, the RP (Client) sends a Token Request to the Token Endpoint to obtain a Token Response.

  • form

    Parameter Required Description Data Type
    grant_type true Grant type value, one of these: authorization_code, implicit, password, client_credentials, refresh_token as described in OAuth 2.0 [RFC6749]. string
    code false Code which is returned by authorization endpoint (For grant_type=authorization_code). string
    redirect_uri false Redirection uri to which the response will be sent. This uri MUST exactly match one of the redirection uri values for the client pre-registered at the OpenID Provider. string
    username false End-User username. string
    password false End-User password. string
    scope false OpenID Connect requests MUST contain the openid scope value. If the openid scope value is not present, the behavior is entirely unspecified. Other scope values MAY be present. Scope values used that are not understood by an implementation SHOULD be ignored. string
    assertion false Assertion. string
    refresh_token false Refresh token. string
    oxauth_exchange_token false oxauth_exchange_token. string
    client_id false OAuth 2.0 Client Identifier valid at the Authorization Server. string
    client_secret false The client secret. The client MAY omit the parameter if the client secret is an empty string. string




Status Code Reason
400 invalid_request The request is missing a required parameter, includes an unsupported parameter value (other than grant type), repeats a parameter, includes multiple credentials, utilizes more than one mechanism for authenticating the client, or is otherwise malformed.
400 invalid_client Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method). The authorization server MAY return an HTTP 401 (Unauthorized) status code to indicate which HTTP authentication schemes are supported. If the client attempted to authenticate via the "Authorization" request header field, the authorization server MUST respond with an HTTP 401 (Unauthorized) status code and include the "WWW-Authenticate" response header field matching the authentication scheme used by the client.
400 invalid_grant The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection uri used in the authorization request, or was issued to another client.
400 unauthorized_client The authenticated client is not authorized to use this authorization grant type.
400 unsupported_grant_type The authorization grant type is not supported by the authorization server.
400 invalid_scope The requested scope is invalid, unknown, malformed, or exceeds the scope granted by the resource owner.

Data Types