/oauth2/access_token
The /oauth2/access_token
endpoint is the OAuth 2.0
token endpoint (RFC 6749).
Use this endpoint to acquire an access or refresh token with the following flows:
-
Authorization code grant (OAuth 2.0 and OIDC)
-
Authorization code grant with PKCE (OAuth 2.0 and OIDC)
-
Authorization code grant with PAR (OAuth 2.0)
-
Client credentials grant (OAuth 2.0)
-
Resource owner password credentials grant (OAuth 2.0)
-
Device flow (OAuth 2.0)
-
SAML v2.0 profile for authorization grant (OAuth 2.0)
-
Token exchange (OAuth 2.0 | OpenID Connect)
Specify the realm in the request URL; for example:
https://openam.example.com:8443/openam/oauth2/realms/root/realms/alpha/access_token
The access_token
endpoint supports the following parameters:
Parameter | Description | Required |
---|---|---|
The token representing a delegate acting on behalf of another identity. |
Yes, for Token exchange |
|
The type of actor token. |
Yes, for Token exchange |
|
A string naming the journey to authenticate the resource owner. |
No, only for Resource owner password credentials grant |
|
|
A string holding a base64-encoded then URL-encoded SAML v2.0 assertion |
Yes, when |
A signed JSON Web Token (JWT) to use as client credentials. |
Yes, for JWT profile authentication |
|
The type of assertion, |
Yes, for JWT profile authentication |
|
Uniquely identifies the application making the request. |
Yes |
|
The password for a confidential client; do not use with |
Yes, when authenticating with Form parameters (HTTP POST) |
|
A base64-encoded JSON Web Key (JWK) or hash of the X.509 certificate; do not use with |
Yes, for Proof-of-possession. |
|
|
A string holding the authorization code for an authorization code grant. |
Yes, when |
A random string correlating a PKCE authorization request with the token request. |
Yes, for flows with PKCE |
|
|
A string holding the device code requested from the user for a device flow. |
Yes, when |
A string specifying the type of grant to acquire an access token. |
Yes |
|
|
A string holding the resource owner password for the Resource owner password credentials grant. |
Yes, when |
The URI to return the resource owner to after authorization is complete. |
Yes, when |
|
|
The refresh to get a new access token. |
Yes, for Refresh tokens |
The type of token requested in exchange. |
No, but recommended for Token exchange |
|
The scopes linked to the permissions requested by the client from the resource owner. |
No |
|
The original token to exchange. |
Yes, for Token exchange |
|
The type of subject token. |
Yes, for Token exchange |
|
|
A string holding the resource owner username for the Resource owner password credentials grant. |
Yes, when |