
Configure the Client to Call Identity Authentication Token Endpoint for Authorization Code Flow

The token endpoint is used to get the user's access token, id token and refresh token.

This document explains how to call the token endpoint and which parameters Identity Authentication supports.

Request

URI: `https://<Cloud Identity Services domain>/oauth2/token`

Note:

The domain part has one of the following patterns:

`<tenant ID>.accounts.ondemand.com` or `<tenant ID>.accounts.cloud.sap`. If you have configured a custom domain, the domain has the pattern `<your custom domain>`.

The tenant ID is generated automatically by the system. The first administrator created for the tenant receives an activation email with a URL in it; this URL contains the tenant ID. For more information about your tenants, see View Assigned Tenants and Admins.

**HTTP Method:** POST

Request Headers

| Header | Required | Values |
|---|---|---|
| Content-Type | Yes | application/x-www-form-urlencoded |
| Authorization | Yes | One of: Basic, X.509 certificate, JWT (client_assertion). See the details below. |

  • Basic: the username and password are the client ID and a secret that authenticate the client (relying party). For more information, see Configure Secrets for API Authentication.

    Note:

    The client ID and secret must be encoded using the "application/x-www-form-urlencoded" encoding algorithm before they are Base64-encoded into the Basic credentials.

  • X.509 certificate

  • JWT (client_assertion)

Request Parameters

| Parameter | Required | Data Type | Description | Parameter Type |
|---|---|---|---|---|
| grant_type | Yes | string | authorization_code | Request body |
| code | Yes | string | The code generated by Identity Authentication at the authorize endpoint. It is returned in response to the request to the authorize endpoint. Note: the code can be used only once, and only within 2 minutes after it is generated and returned in the URL. | Request body |
| redirect_uri | Yes | string | The same URL that was sent with the authorization request. For more information, see Configure OpenID Connect Application. | Request body |
| client_id | Yes | string | The user ID configured for basic authentication for the application. For more information, see Configure Secrets for API Authentication. | Request body |
| code_verifier | No | string | Validation value for the code_challenge. Required for PKCE. | Request body |
| refresh_expiry | No | string | Reduces the expiry of a refresh token. Useful if your application is called from both mobile and web applications and the two have different session requirements. If you set the token lifetime to 0 or less, no refresh_token is returned in the response. | Request body |
| token_format | No | string | Set to opaque to retrieve an opaque access token, or to jwt to retrieve a JWT-based access token. If not set, the current default per grant type is used. | Request body |
| app_tid | No | string | Reserved. | Path |

Request Example

```
grant_type=authorization_code&client_id=12b52d2c-1q34-5r5t-a576-75e85asdf523&code=768fsd1206we951236729134fa4a247ee&redirect_uri=https://www.example.com
```

Request Example with PKCE

```
grant_type=authorization_code&client_id=23q45d2c-1e98-4c7f-a576-69e85dddb456&code=b1d87f103c9f4c8a936a2f164c8728a0&redirect_uri=https://www.example.com&code_verifier=e4yAeaa_OLJ-8ZC1sj6JWFqgRK8QR-egfqG4lQlsy0~NOrjOcVdIpPxPvUEsG1Il1LP76F0MGr4a0miVD2Z84Gn_Lw67BhZ9GQDTF6wN_fUwQtJJeN3bnvk7J.Ty6jDi
```
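The following is an added example (not SAP's own code) that assembles the request described above: the Basic Authorization header with the form-urlencoded client ID and secret, and the form body with the documented parameters, including the PKCE code_verifier when one is supplied. It assumes the result is posted with any HTTP client of your choice; the domain, client ID and secret are constructed placeholders.

```python
import base64
from urllib.parse import quote, urlencode


def basic_credentials(client_id: str, client_secret: str) -> str:
    """Return the 'id:secret' string that goes into the Basic header.

    As the page's Note requires, client ID and secret are form-urlencoded
    before Base64 encoding (RFC 6749 section 2.3.1), so a secret that
    contains ':' or '@' stays unambiguous.
    """
    return f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """Build the Authorization header value for Basic client authentication."""
    raw = basic_credentials(client_id, client_secret).encode("ascii")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def build_token_request(domain, client_id, client_secret, code, redirect_uri,
                        code_verifier=None, token_format=None, refresh_expiry=None):
    """Assemble (url, headers, body) for the authorization code grant.

    Only the parameters documented on this page are emitted; optional ones
    are included only when given. The body is form-urlencoded, so the
    redirect_uri is percent-encoded rather than pasted in verbatim.
    """
    url = f"https://{domain}/oauth2/token"
    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        "Authorization": basic_auth_header(client_id, client_secret),
    }
    params = {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "code": code,                 # single use, valid for 2 minutes
        "redirect_uri": redirect_uri,  # must match the authorize request exactly
    }
    if code_verifier is not None:      # PKCE: proves possession of the original verifier
        params["code_verifier"] = code_verifier
    if token_format is not None:       # "opaque" or "jwt"
        params["token_format"] = token_format
    if refresh_expiry is not None:     # 0 or less: no refresh_token is returned
        params["refresh_expiry"] = str(refresh_expiry)
    return url, headers, urlencode(params)
```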

Response

Response Status and Error Codes

| Code | Reason | Description |
|---|---|---|
| 200 OK | Successful operation. | Returns access_token, refresh_token, and id_token. |
| 400 Bad Request | Missing or wrong parameter. | Returns information about the error. |

Note:

The refresh_token is used to obtain a new id_token and access_token when the current token becomes invalid or expires. For more information, see Call Identity Authentication Refresh Token.

The id_token is in the form of a JWT (JSON Web Token) and contains information about the user. The id_token is valid for 60 minutes.

Response Payload Example

```json
{
  "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJhdWQiOiIxMmEzNGI1Yy02ZDc4LTllMWYtZzM0NS02N2g4OWlqa2wxMjMiLCJzdWIiOiJQMTIzNDU2IiwibWFpbCI6ImRvbmEubW9vcmVAZXhhbXBsZS5jb20iLCJpc3MiOiJodHRwczovL215LXRlbmFudC5hY2NvdW50cy5vbmRlbWFuZC5jb20iLCJsYXN0X25hbWUiOiJNb29yZSIsInNhcF91aWQiOiIxMjM0NTZhYmM3ZGU4LWZnaGktOTEyMy1qNDU2LTc4OTEya2wzNG01NiIsImV4cCI6MTU4ODAxOTA0NCwiaWF0IjoxNTg4MDEzNzYwLCJub25jZSI6Im0tMEc2X0ZhUzNLZyIsImZpcnN0X25hbWUiOiJEb25hIiwianRpIjoiMzhlNDIzMzAtZGU3YS00MTMwLWEzYTEtYjU4MmI1MjhkYTk4In0.J-aygbQ8IQlw4KD2t1hTPB2gyu3NdTbINDJ9eRs997g",
  "refresh_token": "d12a12abcd198765dd54r456e98321",
  "id_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJhdWQiOiIxMmEzNGI1Yy02ZDc4LTllMWYtZzM0NS02N2g4OWlqa2wxMjMiLCJzdWIiOiJQMTIzNDU2IiwibWFpbCI6ImRvbmEubW9vcmVAZXhhbXBsZS5jb20iLCJpc3MiOiJodHRwczovL215LXRlbmFudC5hY2NvdW50cy5vbmRlbWFuZC5jb20iLCJsYXN0X25hbWUiOiJNb29yZSIsInNhcF91aWQiOiIxMjM0NTZhYmM3ZGU4LWZnaGktOTEyMy1qNDU2LTc4OTEya2wzNG01NiIsImV4cCI6MTU4ODAxOTA0NCwiaWF0IjoxNTg4MDEzNzYwLCJub25jZSI6Im0tMEc2X0ZhUzNLZyIsImZpcnN0X25hbWUiOiJEb25hIiwianRpIjoiMzhlNDIzMzAtZGU3YS00MTMwLWEzYTEtYjU4MmI1MjhkYTk4In0.J-aygbQ8IQlw4KD2t1hTPB2gyu3NdTbINDJ9eRs997g",
  "token_type": "Bearer",
  "expires_in": 3600
}
```

Note:

The format of the issuer depends on the configuration in the administration console for SAP Cloud Identity Services. For more information, see Tenant OpenID Connect Configurations.
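As an added example (not SAP's own code), the block below decodes the id_token from the response payload above and checks the claims an OpenID Connect client must verify before trusting it: issuer, audience (your client ID), the nonce you sent with the authorize request, and the validity window. These claim checks are performed in addition to verifying the token's signature against the tenant's signing keys, which is outside this page; the expected values in the comments are taken from the sample token, and `now` is passed in explicitly because the sample expired in 2020.

```python
import base64
import json

# The id_token from this page's response example, rejoined into one line
# (a documentation sample signed with HS256, not a production token).
SAMPLE_ID_TOKEN = (
    "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJhdWQiOiIxMmEzNGI1Yy02ZDc4LTl"
    "lMWYtZzM0NS02N2g4OWlqa2wxMjMiLCJzdWIiOiJQMTIzNDU2IiwibWFpbCI6ImRvbmEu"
    "bW9vcmVAZXhhbXBsZS5jb20iLCJpc3MiOiJodHRwczovL215LXRlbmFudC5hY2NvdW50c"
    "y5vbmRlbWFuZC5jb20iLCJsYXN0X25hbWUiOiJNb29yZSIsInNhcF91aWQiOiIxMjM0NT"
    "ZhYmM3ZGU4LWZnaGktOTEyMy1qNDU2LTc4OTEya2wzNG01NiIsImV4cCI6MTU4ODAxOTA"
    "0NCwiaWF0IjoxNTg4MDEzNzYwLCJub25jZSI6Im0tMEc2X0ZhUzNLZyIsImZpcnN0X25h"
    "bWUiOiJEb25hIiwianRpIjoiMzhlNDIzMzAtZGU3YS00MTMwLWEzYTEtYjU4MmI1MjhkY"
    "Tk4In0.J-aygbQ8IQlw4KD2t1hTPB2gyu3NdTbINDJ9eRs997g"
)


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit the '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt(token: str):
    """Split a compact JWT into its (header, claims) dicts without verifying it."""
    header_b64, payload_b64, _signature_b64 = token.split(".")
    return (json.loads(_b64url_decode(header_b64)),
            json.loads(_b64url_decode(payload_b64)))


def check_id_token_claims(token, expected_iss, expected_aud, expected_nonce, now):
    """Return a list of claim problems; an empty list means the claims are acceptable.

    Complements signature verification against the tenant's signing keys and
    never replaces it. `now` is a Unix timestamp in seconds.
    """
    header, claims = decode_jwt(token)
    problems = []
    if header.get("alg", "none").lower() == "none":
        problems.append("unsigned token")
    if claims.get("iss") != expected_iss:       # sample: https://my-tenant.accounts.ondemand.com
        problems.append("issuer mismatch")
    aud = claims.get("aud")                     # may be a string or a list of client IDs
    if expected_aud not in (aud if isinstance(aud, list) else [aud]):
        problems.append("audience mismatch")
    if claims.get("nonce") != expected_nonce:   # binds the token to our authorize request
        problems.append("nonce mismatch")
    if claims.get("exp", 0) <= now:
        problems.append("token expired")
    if claims.get("iat", 0) > now + 60:         # small allowance for clock skew
        problems.append("issued in the future")
    return problems
```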

Related Information

Configuring OpenID Connect

Configure the Client to Call Identity Authentication Authorize Endpoint for Authorization Code Flow with PKCE