At this stage, the client displays a login form to the user, collects the credentials (i.e. username/password) and, if required, the requested scope from the resource owner (user), and makes an HTTP POST to the token endpoint.
For the example below, the client received the following credentials and uses them to request an access token:
POST https://localhost:9031/as/token.oauth2 HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Authorization: Basic cm9fY2xpZW50OjJGZWRlcmF0ZQ==
grant_type=password&username=joe&password=2Federate&scope=edit
If successful, the client will receive a 200 OK response to this request and the access token (and optional refresh token) will be returned in a JSON structure:
HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
{
"access_token":"zzz...yyy",
"token_type":"Bearer",
"expires_in":14400,
"refresh_token":"123...789"
}
The application can now parse the access token and, if present, the refresh token, and use the access token for authorization to resources. If a refresh token was returned, it can be used to obtain a new access token once the current one expires.
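As an added example (not code from the original page or from the authorization server it describes), the following Python client builds the password-grant request shown above, parses the token response, and prepares the refresh request for when the access token expires. The client id `ro_client` and secret `2Federate` are what the page's Basic header decodes to; the sample response body is constructed to mirror the page's.

```python
import base64
import json
import time
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlencode

TOKEN_ENDPOINT = "https://localhost:9031/as/token.oauth2"  # endpoint shown on the page


def _headers(client_id, client_secret):
    # HTTP Basic client authentication: base64("client_id:client_secret")
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return {"Content-Type": "application/x-www-form-urlencoded", "Authorization": f"Basic {basic}"}


def build_password_grant(client_id, client_secret, username, password, scope=None):
    """(headers, body) for the Resource Owner Password Credentials token request."""
    fields = {"grant_type": "password", "username": username, "password": password}
    if scope:
        fields["scope"] = scope
    return _headers(client_id, client_secret), urlencode(fields)


def build_refresh_grant(client_id, client_secret, refresh_token):
    """(headers, body) for exchanging the refresh token once the access token expires."""
    fields = {"grant_type": "refresh_token", "refresh_token": refresh_token}
    return _headers(client_id, client_secret), urlencode(fields)


@dataclass
class TokenSet:
    access_token: str
    expires_at: float  # absolute time computed from expires_in
    refresh_token: Optional[str]

    def is_expired(self, now=None):
        return (time.time() if now is None else now) >= self.expires_at


def parse_token_response(status, body, now=None):
    """Parse the token endpoint reply; reject anything but a 200 carrying a Bearer token."""
    if status != 200:
        raise RuntimeError(f"token endpoint returned HTTP {status}")
    data = json.loads(body)
    if data.get("token_type", "").lower() != "bearer" or "access_token" not in data:
        raise ValueError("response is not a Bearer token grant")
    now = time.time() if now is None else now
    return TokenSet(data["access_token"], now + int(data["expires_in"]), data.get("refresh_token"))


# Constructed sample mirroring the page's response body
SAMPLE_RESPONSE = '{"access_token":"zzz...yyy","token_type":"Bearer","expires_in":14400,"refresh_token":"123...789"}'
```

The request builders return headers and a form body only; sending them to `TOKEN_ENDPOINT` over HTTPS with any HTTP library is left to the caller, and the username/password should never be logged or kept after the POST.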