Obtain PKCE Access Token
After the user has logged in successfully, exchange the authorization code for an access token. The difference from plain OAuth2 in this step is that the client-generated code verifier, code_verifier, must be sent along with the code; the Token Endpoint checks it against the code_challenge supplied during authorization and then returns the corresponding token. In addition to the fields specified by OAuth2, an id_token field is also appended to the response.
# Request Description
POST https://{your_domain}/api/v1/oauth2/token
# Request Headers
| Parameter | Name | Required | Example Value | Description |
|---|---|---|---|---|
| Content-Type | Data Type | Required | application/x-www-form-urlencoded | Submit parameters using form encoding. |
Note: no Authorization: Bearer header needs to be sent with this request.
# Request Example
```
POST https://{your_domain}/api/v1/oauth2/token
Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code&client_id=RqB2HJt9N676qA&code=stRWlW&code_verifier=lw22ZEI0JwNflL4sjEISwk8&redirect_uri=http://oidcdemo.bccastle.com/demo/index.jsp
```
# Request Parameters
| Parameter | Name | Required | Example Value | Description |
|---|---|---|---|---|
| grant_type | Grant Type | Required | authorization_code | This value is fixed as authorization_code. |
| code | Authorization Code | Required | stRWlW | The authorization code returned in the previous step. If the user successfully logs in, they will be redirected to the specified callback address with the Authorization Code appended to the URL. Note that this code expires in 5 minutes. |
| redirect_uri | Callback Address | Optional | http://oidcdemo.bccastle.com/demo/index.jsp | Must be consistent with the redirect_uri passed in the previous step. |
| code_verifier | PKCE Code Verifier | Required | lw22ZEINflL4sjEISwk8 | The application randomly generates a string of 43-128 characters, performs URL-Safe Base64 encoding on it, and uses the result as the code_verifier. This string is then hashed using SHA256, and the result is URL-Safe Base64 encoded to be used as the code_challenge. |
| client_id | Application Client ID | Required | RqB2HJt9N676qA | The client_id passed by the application when requesting authorization. |
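The verifier/challenge derivation described in the code_verifier row, together with the form body for this request and the check the token endpoint performs on the server side, as an added example (not code from the original page or from the service it documents; the endpoint URL, client_id, code and redirect_uri are the placeholder values shown above):

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode

# Assumed endpoint; {your_domain} and the client values are placeholders from the page.
TOKEN_ENDPOINT = "https://{your_domain}/api/v1/oauth2/token"


def _b64url(data: bytes) -> str:
    """URL-safe Base64 without '=' padding, as PKCE requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(n_bytes: int = 32) -> str:
    """Random verifier: 32 random bytes encode to 43 URL-safe chars (allowed: 43-128)."""
    return _b64url(secrets.token_bytes(n_bytes))


def make_code_challenge(code_verifier: str) -> str:
    """S256 challenge: base64url(SHA-256(ASCII(code_verifier))), sent with the authorize request."""
    return _b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())


def verifier_matches(code_verifier: str, code_challenge: str) -> bool:
    """Server-side check before a token is issued: length bounds, then a
    constant-time comparison of the recomputed challenge with the stored one."""
    if not 43 <= len(code_verifier) <= 128:
        return False
    return secrets.compare_digest(make_code_challenge(code_verifier), code_challenge)


def build_token_request(client_id: str, code: str, code_verifier: str, redirect_uri: str) -> str:
    """Form-encoded body for POST /api/v1/oauth2/token (no Authorization header needed)."""
    return urlencode({
        "grant_type": "authorization_code",
        "client_id": client_id,
        "code": code,
        "code_verifier": code_verifier,
        "redirect_uri": redirect_uri,
    })


if __name__ == "__main__":
    verifier = make_code_verifier()
    challenge = make_code_challenge(verifier)  # goes in the earlier authorize request
    print(build_token_request("RqB2HJt9N676qA", "stRWlW", verifier,
                              "http://oidcdemo.bccastle.com/demo/index.jsp"))
    print(verifier_matches(verifier, challenge))
```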
# Response Example
Successful Response Example

HTTP Status: 200 OK

```json
{
  "access_token": "Z43T3KWH9lecmy3H1IaCI...XRmsXaA",
  "token_type": "Bearer",
  "refresh_token": "WEAFOmOJ-A4LOhF_I39DvJuqxP0...XkFlFA",
  "expires_in": 7199,
  "scope": "openid"
}
```

Client ID Not Found

HTTP Status: 400 BAD REQUEST

```json
{
  "error": "invalid_grant",
  "error_description": "Client ID mismatch"
}
```
# Response Parameters
If the request is successful, the Access Token can be obtained from the response information.
| Parameter Name | Name | Required | Example Value | Description |
|---|---|---|---|---|
| access_token | Authorization Token | Required | cn8AWnZyIMkOvBgHIo8 | The authorization token returned by the authorization server to the third-party application. |
| expires_in | Validity Period of Authorization Token | Required | 7199 | The validity period of the access token returned by the authorization server to the application. Note: The validity period is in seconds. |
| refresh_token | Refresh Token | | wuGzSMMTjb4YhRUOjXH | |
| token_type | Token Type | Required | Bearer | |
| scope | Authorization Scope | Required | get_user_info | |