Identity Cloud

/oauth2/access_token

The /oauth2/access_token endpoint is the OAuth 2.0 token endpoint (RFC 6749).

Use this endpoint to acquire an access or refresh token with the following flows:

Specify the realm in the request URL; for example:

https://<tenant-env-fqdn>/am/oauth2/realms/root/realms/alpha/access_token

The access_token endpoint supports the following parameters:

| Parameter | Description | Required |
| --- | --- | --- |
| actor_token | The token representing a delegate acting on behalf of another identity. | Yes, for Token exchange |
| actor_token_type | The type of actor token. | Yes, for Token exchange |
| auth_chain | A string naming the journey to authenticate the resource owner. | No, only for Resource owner password credentials grant |
| assertion | A string holding a base64-encoded then URL-encoded SAML 2.0 assertion. | Yes, when grant_type=urn:ietf:params:oauth:grant-type:saml2-bearer |
| client_assertion | A signed JSON Web Token (JWT) to use as client credentials. | Yes, for JWT profile authentication |
| client_assertion_type | The type of assertion, client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer. | Yes, for JWT profile authentication |
| client_id | Uniquely identifies the application making the request. | Yes |
| client_secret | The password for a confidential client; do not use with cnf_key. | Yes, when authenticating with Form parameters (HTTP POST) |
| cnf_key | A base64-encoded JSON Web Key (JWK); do not use with client_secret. | Yes, for JWK-based proof-of-possession |
| code | A string holding the authorization code for an authorization code grant. | Yes, when grant_type=authorization_code |
| code_verifier | A random string correlating a PKCE authorization request with the token request. | Yes, for flows with PKCE |
| device_code | A string holding the device code requested from the user for a device flow. | Yes, when grant_type=urn:ietf:params:oauth:grant-type:device_code |
| grant_type | A string specifying the type of grant to acquire an access token. | Yes |
| password | A string holding the resource owner password for the Resource owner password credentials grant. | Yes, when grant_type=password |
| redirect_uri | The URI to return the resource owner to after authorization is complete. | Yes, when grant_type=authorization_code and it was included earlier in the flow |
| refresh_token | The refresh token used to get a new access token. | Yes, for Refresh tokens |
| requested_token_type | The type of token requested in exchange. | No, but recommended for Token exchange |
| scope | The scopes linked to the permissions requested by the client from the resource owner. | No |
| subject_token | The original token to exchange. | Yes, for Token exchange |
| subject_token_type | The type of subject token. | Yes, for Token exchange |
| username | A string holding the resource owner username for the Resource owner password credentials grant. | Yes, when grant_type=password |
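The following Python example is added here to show how a client can apply the rules in the parameter table before sending a request to the access_token endpoint: it generates a PKCE code_verifier and its S256 code_challenge, checks that the parameters required for the chosen grant_type are present, that client_assertion and client_assertion_type (and actor_token and actor_token_type) travel together, and that client_secret is never combined with cnf_key, then serialises the form body. It is not ForgeRock's own code. The tenant hostname tenant.example.com stands in for <tenant-env-fqdn>, all client IDs, codes and tokens are constructed values, and the token-exchange grant_type URN is taken from RFC 8693 rather than from this page.

```python
"""Build and sanity-check a POST to /oauth2/access_token (added example)."""
import base64
import hashlib
import secrets
from urllib.parse import urlencode

# Placeholder host standing in for <tenant-env-fqdn>; realm path as in the page.
TOKEN_ENDPOINT = (
    "https://tenant.example.com/am/oauth2/realms/root/realms/alpha/access_token"
)

# Parameters each grant_type needs, taken from the parameter table.
# The token-exchange URN comes from RFC 8693 (assumption, not on this page).
REQUIRED_BY_GRANT = {
    "authorization_code": {"code"},
    "refresh_token": {"refresh_token"},
    "password": {"username", "password"},
    "urn:ietf:params:oauth:grant-type:device_code": {"device_code"},
    "urn:ietf:params:oauth:grant-type:saml2-bearer": {"assertion"},
    "urn:ietf:params:oauth:grant-type:token-exchange": {"subject_token",
                                                        "subject_token_type"},
}
# Parameters that must be sent together, and pairs that must not be combined.
PAIRED = [("client_assertion", "client_assertion_type"),
          ("actor_token", "actor_token_type")]
EXCLUSIVE = [("client_secret", "cnf_key")]
JWT_BEARER = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding PKCE (RFC 7636) requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def new_code_verifier() -> str:
    """High-entropy PKCE code_verifier (32 random bytes -> 43 characters)."""
    return b64url(secrets.token_bytes(32))


def code_challenge_s256(verifier: str) -> str:
    """S256 code_challenge to send with the earlier authorization request."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def validate_token_request(params: dict) -> list:
    """Return a list of problems; an empty list means the request is complete."""
    problems = []
    for key in ("client_id", "grant_type"):
        if key not in params:
            problems.append(f"missing required parameter: {key}")
    grant = params.get("grant_type")
    if grant is not None:
        if grant not in REQUIRED_BY_GRANT:
            problems.append(f"unknown grant_type: {grant}")
        else:
            for key in sorted(REQUIRED_BY_GRANT[grant] - params.keys()):
                problems.append(f"grant_type={grant} requires {key}")
    for a, b in PAIRED:
        if (a in params) != (b in params):
            problems.append(f"{a} and {b} must be sent together")
    for a, b in EXCLUSIVE:
        if a in params and b in params:
            problems.append(f"do not send {a} together with {b}")
    if params.get("client_assertion_type", JWT_BEARER) != JWT_BEARER:
        problems.append("client_assertion_type must be the jwt-bearer URN")
    return problems


def build_token_request(params: dict) -> tuple:
    """Return (url, headers, form body) for the POST, or raise on a bad request."""
    problems = validate_token_request(params)
    if problems:
        raise ValueError("; ".join(problems))
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return TOKEN_ENDPOINT, headers, urlencode(params)


if __name__ == "__main__":
    verifier = new_code_verifier()
    print("code_challenge for the authorize step:", code_challenge_s256(verifier))
    url, headers, body = build_token_request({
        "grant_type": "authorization_code",
        "client_id": "my-public-client",                 # constructed value
        "code": "constructed-authorization-code",        # constructed value
        "redirect_uri": "https://app.example.com/callback",
        "code_verifier": verifier,
    })
    print(url, headers, body, sep="\n")
```

The body produced by urlencode percent-encodes URN values the same way the table shows for client_assertion_type (colons become %3A), so a device-flow or SAML bearer request serialises correctly without special handling.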

Copyright © 2010-2024 ForgeRock, all rights reserved.