Configure the Client to Call Identity Authentication Token Endpoint for Resource Owner Password Credentials Flow

The token endpoint is used to get the user's access token, id token and refresh token.

This document explains how to call the token endpoint and which request parameters Identity Authentication supports for this flow.

Request

URI: https://<Cloud Identity Services domain>/oauth2/token

Note:

The domain part has the following pattern:

<tenant ID>.accounts.ondemand.com or <tenant ID>.accounts.cloud.sap. If you have configured a custom domain, the domain has the following pattern: <your custom domain>.

Tenant ID is an automatically generated ID by the system. The first administrator created for the tenant receives an activation email with a URL in it. This URL contains the tenant ID. For more information about your tenants, see View Assigned Tenants and Admins.

**HTTP Method:** POST

Request Headers

| Header | Required | Values |
| --- | --- | --- |
| Content-Type | Yes | application/x-www-form-urlencoded |
| Authentication | No | Basic Authentication (client ID and secret), X.509 Certificate, or JWT (client_assertion) |

Basic Authentication uses a client ID and a secret to authenticate the client (relying party). For more information, see Configure Secrets for API Authentication.

Note:

The client ID and secret must be encoded using the "application/x-www-form-urlencoded" encoding algorithm.

Request Parameters

| Parameter | Required | Data Type | Additional Information | Parameter Type |
| --- | --- | --- | --- | --- |
| grant_type | Yes | string | The supported value is password. | Request body |
| username | Yes | string | The user identifier. | Request body |
| password | Yes | string | The user password, and the one-time password (OTP) generated by the user's registered device if the application is configured to require two-factor authentication. Note: If the application requires two-factor authentication, the OTP code must be appended to the password, for example password=mypassword123456. | Request body |
| client_id | No |  | Used to identify the corresponding Identity Authentication application. Remember: client_id is optional if it is passed in the Authorization header or if JSON Web Token (JWT) client authentication is configured; client_id is required for public clients. | Request body |
| refresh_expiry | No | string | Reduces the expiration of a refresh token. It's useful if your application is called from mobile and web applications, and both have different session requirements. If you set the token lifetime to 0, you won't receive a refresh_token in the response. | Request body |
| max_exchange_period | No | string | You can set a limit on how long the application can exchange user tokens without reauthenticating after having acquired the initial token. The max_exchange_period parameter has a numeric value which can be set to between 1 hour and 4320 hours (six months). Remember: If the max_exchange_period value is smaller than the value defined in the token policy configuration, this value overrides the token policy configuration and propagates once the token is exchanged or refreshed. If the value is bigger, it is ignored and the token policy configuration is taken into consideration. For more information, see Token Policy Configuration for Applications. | Request body |
| token_format | No | string | The token_format can be set to opaque to retrieve an opaque access token or to jwt to retrieve a JWT-based access token. If not set, the current defaults per grant type are used. | Request body |
| app_tid | No | string | Reserved. | Request body |
| scope | No | string | The value must be a space-delimited list, for example scope=openid email. The supported values are openid, email, profile, and groups. | Request body |

Request Example

```
grant_type=password&username=<user identifier>&password=<user password>[<otpcode>]
```

Response

Response Status and Error Codes

| Code | Result or X-Message Code | Description |
| --- | --- | --- |
| 200 OK | Successful operation. | Returns access_token, refresh_token, and id_token. |
| 400 Bad Request | Missing or wrong parameter. | Returns information about the error. |
| 401 Unauthorized | Wrong user ID or password parameters passed for the basic authentication. For more information, see Configure Secrets for API Authentication. | The authentication of the client (relying party) failed. |
|  | PASSWORD_CHANGE_REQUIRED | When the user must change his or her password before logon. |
|  | INITIAL_PASSWORD_EXPIRED | When the initial password of the user has expired. After the validity of the initial password expires, the user can't log on to the application and must contact the administrator. |

Note:

The refresh_token returned with a 200 OK response is used to obtain a new id_token and access_token when the current token becomes invalid or expires. For more information, see Call Identity Authentication Refresh Token.

The id_token is in the form of a JWT (JSON Web Token) and contains information about the user. The id_token is valid for 60 minutes.

Response Payload Example

```json
{
 "access_token": "387qb8bc-7t78-4eb8-8a8c-cfbe31860811",
 "refresh_token": "d12a12abcd198765dd54r456e98321",
 "id_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJhdWQiOiIxMmEzNGI1Yy02ZDc4LTllMWYtZzM0NS02N2g4OWlqa2wxMjMiLCJzdWIiOiJQMTIzNDU2IiwibWFpbCI6ImRvbmEubW9vcmVAZXhhbXBsZS5jb20iLCJpc3MiOiJodHRwczovL215LXRlbmFudC5hY2NvdW50cy5vbmRlbWFuZC5jb20iLCJsYXN0X25hbWUiOiJNb29yZSIsInNhcF91aWQiOiIxMjM0NTZhYmM3ZGU4LWZnaGktOTEyMy1qNDU2LTc4OTEya2wzNG01NiIsImV4cCI6MTU4ODAxODkyNSwiaWF0IjoxNTg4MDEzNzYwLCJmaXJzdF9uYW1lIjoiRG9uYSIsImp0aSI6IjM4ZTQyMzMwLWRlN2EtNDEzMC1hM2ExLWI1ODJiNTI4ZGE5OCJ9.-LSwBN2WSqnnqSkzSbg9iRmtAMR4moU5TpE40mX0Umwg",
 "token_type": "Bearer",
 "expires_in": 300
}
```

Note:

The format of the issuer depends on the configuration in the administration console for SAP Cloud Identity Services. For more information, see Tenant OpenID Connect Configurations.
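As an added example (not SAP's own code and not part of this page), the following Python builds the request described by the header and parameter tables above and interprets the responses listed in the status table, including the 401 X-Message codes and the case where refresh_expiry=0 means no refresh_token is returned. The function names, the client ID and secret, the tenant domain, the constructed id_token and the constructed response bodies are assumptions of this example; the page does not say how the X-Message code is transported to the client, so the interpreter takes it as an explicit parameter. The claim decoder reads the id_token payload without verifying the signature, which is enough to show the claim layout and the expiry check but not to trust the token.

```python
# Added example, not SAP's own code: names, sample values and responses below are constructed.
import base64
import json
import time
from urllib.parse import quote, urlencode

SUPPORTED_SCOPES = {"openid", "email", "profile", "groups"}


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """Confidential-client Authorization value. As the header table notes, ID and
    secret are form-urlencoded before base64, so '&' or ':' in a secret stays intact."""
    creds = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
    return "Basic " + base64.b64encode(creds.encode()).decode()


def build_token_request(domain, username, password, otp=None, *, client_id=None,
                        client_secret=None, scope=(), refresh_expiry=None,
                        max_exchange_period=None, token_format=None):
    """Return (url, headers, form-encoded body) for the grant_type=password call."""
    unknown = set(scope) - SUPPORTED_SCOPES
    if unknown:
        raise ValueError(f"unsupported scope(s): {sorted(unknown)}")
    if max_exchange_period is not None and not 1 <= max_exchange_period <= 4320:
        raise ValueError("max_exchange_period must be between 1 and 4320 hours")
    params = {"grant_type": "password", "username": username,
              # With two-factor authentication the OTP is appended to the password.
              "password": password + (otp or "")}
    if scope:
        params["scope"] = " ".join(scope)  # space-delimited list
    if refresh_expiry is not None:
        params["refresh_expiry"] = str(refresh_expiry)  # 0 => no refresh_token is issued
    if max_exchange_period is not None:
        params["max_exchange_period"] = str(max_exchange_period)
    if token_format is not None:
        params["token_format"] = token_format  # "opaque" or "jwt"
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if client_secret is not None:
        headers["Authorization"] = basic_auth_header(client_id, client_secret)
    elif client_id:
        params["client_id"] = client_id  # public client: client_id is required in the body
    else:
        raise ValueError("public clients must send client_id")
    return f"https://{domain}/oauth2/token", headers, urlencode(params)


def decode_unverified_claims(id_token: str) -> dict:
    """Decode the id_token payload WITHOUT checking its signature: fine for inspection,
    but a relying party must verify the signature against the tenant's signing keys
    (not covered on this page) before trusting any claim."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("id_token is not a three-part JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def interpret_token_response(status, body, message_code=None, now=None):
    """Map status, body and X-Message code (the page does not say how the code is
    transported, so it is passed in explicitly) onto the outcomes in the table above."""
    now = time.time() if now is None else now
    if status == 200:
        tokens = json.loads(body)
        claims = decode_unverified_claims(tokens["id_token"])
        if claims["exp"] <= now:
            return {"ok": False, "reason": "id_token already expired"}
        return {"ok": True, "subject": claims["sub"], "access_token": tokens["access_token"],
                "refresh_token": tokens.get("refresh_token"),  # absent when refresh_expiry=0
                "expires_in": tokens["expires_in"]}
    if status == 401:
        reasons = {"PASSWORD_CHANGE_REQUIRED": "user must change the password before logon",
                   "INITIAL_PASSWORD_EXPIRED": "initial password expired; contact the administrator"}
        return {"ok": False, "code": message_code,
                "reason": reasons.get(message_code, "client authentication failed")}
    if status == 400:
        return {"ok": False, "reason": "missing or wrong parameter", "detail": body}
    return {"ok": False, "reason": f"unexpected status {status}"}


def constructed_id_token(claims: dict) -> str:
    """Unsigned stand-in for a real id_token so the example runs offline."""
    def seg(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{seg({'typ': 'JWT', 'alg': 'HS256'})}.{seg(claims)}.not-a-real-signature"


def sample_success_body(include_refresh_token=True) -> str:
    """Constructed 200 response shaped like the payload example above."""
    claims = {"aud": "constructed-app-id", "sub": "P123456", "iat": 1588013760,
              "iss": "https://my-tenant.accounts.ondemand.com", "exp": 1588013760 + 3600}
    body = {"access_token": "constructed-opaque-access-token", "token_type": "Bearer",
            "id_token": constructed_id_token(claims), "expires_in": 300}
    if include_refresh_token:
        body["refresh_token"] = "constructed-refresh-token"
    return json.dumps(body)
```

Calling build_token_request with a client_secret puts the credentials in the Authorization header and leaves client_id out of the body; calling it with only client_id models a public client and sends client_id in the body, matching the Remember note in the parameter table. Because this is the Resource Owner Password Credentials flow, the client handles the user's password and OTP directly, so the body returned here should only ever travel over TLS to the tenant's token endpoint and never be logged.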