Generate Access Token (Authorization Code)
Endpoint:
POST /relid/authserver/oauth/token
Description:
Exchanges an authorization code (obtained from the authorization endpoint) for an access token and ID token. This is part of the standard OAuth 2.0 Authorization Code flow with optional OpenID Connect support.
🔐 Authentication
Type: Basic Auth
Header Format:
Authorization: Basic <base64(client_id:client_secret)>
📥 Request Headers
Header | Value |
---|---|
Authorization | Basic authentication credentials |
Content-Type | application/x-www-form-urlencoded |
Accept | application/json |
📤 Request Body (Form URL Encoded)
Field | Type | Required | Description |
---|---|---|---|
grant_type | string | Yes | Must be authorization_code |
code | string | Yes | Authorization code received from /authorize |
redirect_uri | string | Yes | Must match the one used in the original /authorize request |
📥 Query Parameters
No query parameters.
📬 Response Fields
Field | Type | Description |
---|---|---|
access_token | string | OAuth2 access token |
token_type | string | Type of token (typically Bearer) |
expires_in | number | Token validity duration in seconds |
scope | string | Scopes assigned |
refresh_token | string | Token to refresh the access token |
id_token | string | JWT for OpenID Connect identity |
📘 Example Request (cURL)
curl 'https://auth.relid.com:8006/relid/authserver/oauth/token' \
-u '<client_id>:<client_secret>' \
-X POST \
-H 'Content-Type: application/x-www-form-urlencoded' \
-H 'Accept: application/json' \
-d 'grant_type=authorization_code&code=<auth_code>&redirect_uri=https://localhost:8080'
📘 Example Response
{
"access_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVC...",
"token_type": "Bearer",
"refresh_token": "ctFLT_4ZI5bcoHxPw8C2lKxMUTdYvsVTktv...",
"expires_in": 299,
"scope": "all openid",
"id_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVC..."
}
📝 Notes
- This flow is used when the user logs in through a browser and grants permission.
- The redirect_uri must exactly match the URI registered with the client.
- The id_token can be decoded to extract user identity claims when using OpenID Connect.
- NOTE: Request parameters are expected in the request body only. Any parameters in the URL will be ignored.
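The request and response described above, as a client-side Python sketch (an added example, not RELID's own code). It builds the token request with every parameter in the form body, checks the documented response fields, and decodes the id_token payload without verifying its signature. The function names and demo values are assumptions made for illustration.

```python
import base64
import json
import urllib.parse
import urllib.request

# Endpoint taken from the page's cURL example.
TOKEN_URL = "https://auth.relid.com:8006/relid/authserver/oauth/token"


def build_token_request(client_id, client_secret, code, redirect_uri):
    """Build (not send) the token request: Basic auth, all parameters in the body."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    body = urllib.parse.urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,  # must equal the value sent to /authorize
    }).encode()
    return urllib.request.Request(
        TOKEN_URL, data=body, method="POST",
        headers={
            "Authorization": f"Basic {basic}",
            "Content-Type": "application/x-www-form-urlencoded",
            "Accept": "application/json",
        },
    )


def unverified_id_token_claims(id_token):
    """Decode the JWT payload for inspection only; the signature is NOT checked."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("id_token is not a three-part compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def parse_token_response(raw_json):
    """Require the core response fields; return (tokens, unverified claims or None)."""
    tokens = json.loads(raw_json)
    for field in ("access_token", "token_type", "expires_in"):
        if field not in tokens:
            raise ValueError(f"token response missing {field}")
    claims = unverified_id_token_claims(tokens["id_token"]) if "id_token" in tokens else None
    return tokens, claims


if __name__ == "__main__":
    # Constructed demo values; nothing is sent over the network.
    req = build_token_request("demo-client", "demo-secret", "demo-code", "https://localhost:8080")
    print(req.get_method(), req.full_url, req.data.decode())
```

Claims returned by `unverified_id_token_claims` are suitable for display or debugging only; verify the token's signature, issuer and audience with a JWT library before using them for any access decision.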
Updated 3 months ago