OIDC/OAuth 2 Compliant
This endpoint is compliant with the OIDC Token Endpoint (Authorization Code Flow) specification and supports the authorization_code and refresh_token grant types. In addition, this endpoint also supports authenticating machines using the OAuth 2 client_credentials grant type.
Client Authentication
Confidential clients (i.e., BACKEND_SERVER and MACHINE_TO_MACHINE client types) must supply their client ID and secret in the Authorization header using the Basic Authentication scheme. For example, Authorization: Basic base64Encode(<client_id>:<client_secret>). Public clients that don't have a client secret can omit the Authorization header but must provide their client ID in the request body.
Creates tokens for the specified grant type. The fields that are required to be sent in the request differ depending on the provided grant type.
Supported Grant Types:
authorization_code: The client uses the authorization code sent in the callback request to retrieve tokens on behalf of a user.
client_credentials: The client can request an access token for itself using only its client credentials.
refresh_token: If the offline_access scope was specified in the authorization request, refresh tokens are issued to the client in the token response and can be used to obtain a new access token when the current access token becomes invalid or expires.