Page created: 30 Sep 2020
|
Page updated: 30 Sep 2020
At this stage, the client has a SAML assertion that it needs to exchange for an OAuth 2.0 access token. The process in which the client received the assertion is out of scope (i.e. bootstrap assertion, STS token exchange), however the client would Base64 URL encode the assertion and include it in a HTTP POST to the token endpoint.
For the example below, the following SAML assertion (abbreviated for readability) was received by the client and is are used to request an access token:
PHNhbWw6QXNzZXJ0aW9uIElEPSJTdXdCSDdiQjM3cWVmT0tycmlaZkc3Y09H
...
Pjwvc2FtbDpBc3NlcnRpb24-
POST https://localhost:9031/as/token.oauth2 HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Authorization: Basic c2FtbF9jbGllbnQ6MkZlZGVyYXRl
grant_type= urn:ietf:params:oauth:grant-type:saml2-bearer&assertion=
PHNhbWw6QXNzZXJ0aW9uIElEPSJTdXdCSDdiQjM3cWVmT0tycmlaZkc3Y09H...Pjwvc2FtbDpBc3NlcnRpb24-&scope=edit
Note:
The client credentials can also be provided using the client_id and client_secret parameters in the contents of the POST.
The client will receive a response to this request. If successful, a 200 OK response will be received and the access token will be returned in a JSON structure. A refresh token will NOT be returned to the client.
HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
{
"access_token":"zzz...yyy",
"token_type":"Bearer",
"expires_in":14400
}