Auth Code Flow pt. 2
Deprecation Notice
There is a more recent version of this OpenId Connect API available. Learn more.
This endpoint will be removed from service on April 20th 2021.
This is the second of two requests that need to be made to complete the Authorization Code Flow.
In this step the Authorization Code that was returned in step 1 will be exchanged for a token set containing Access, Refresh and ID Tokens.
Note that the access token returned is different to the access token generated via the OAuth 2.0 Tokens API. Therefore it can not be used to authorize API calls against other endpoints such as Users or Events.
Resource URL
https://<region>.onelogin.com/oidc/token
Header Parameter
Authorization string |
Required if Token Endpoint Authentication Method is set to Basic Set to The e.g. Using Node.js this would be
|
Content-Type required string | application/x-www-form-urlencoded |
Resource Parameter
region required string |
Set to the
https://openid-connect-eu.onelogin.com/oidc
|
Request Parameter
grant_type required string |
Set to “authorization_code” |
code required string |
The authorization code returned after a successful authentication via the Authorization Flow. |
redirect_uri required string |
The redirect uri that is registered with OneLogin for this OpenId Connect app. |
client_id string |
The OneLogin generated Client ID for your OpenID Connect app. Required if Token Endpoint Authentication method is set to POST or none (PKCE). |
client_secret string |
The OneLogin generated Client Secret for your OpenID Connect app. Required if Token Endpoint Authentication method is set to POST. |
code_verifier string |
The plain text string that was sent as the code_challenge in step 1 of the Auth Flow. Required when Token Endpoint Authentication Method is set to none (PKCE). |
Sample Request Body
grant_type=authorization_code&code=xxxxxx&redirect_uri=https://myapp.com/callback
Sample Response
- 200 OK
- 400 Bad Request
- 401 Unauthorized
{
"access_token": "NWE4Nzg2ZDEtNzQyMS00ZDViLThjMjctMGQwNjlmZjU5MWNkBGjFElT7CWzl0d....",
"expires_in": 3600,
"id_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IkpSY080bnhzNWpnYzhZZE43STJoTE80V...",
"token_type": "Bearer",
"refresh_token": "897987AGBEtNzQyMS00ZDViLThjMjctMGQwNjlmZjU5MWNkBGjFElT7CWzl0d...."
}
Probably an invalid client_id
{
"error": "invalid_request",
"error_description": "Resource not found"
}
The grant has been used or has expired
{
"error": "invalid_grant",
"error_description": "grant request is invalid"
}
Missing the redirect_uri
{
"error": "invalid_request",
"error_description": "missing required parameter(s). (redirect_uri)"
}
The authorization header is invalid
{
"error": "invalid_request",
"error_description": "invalid authorization header value format"
}
{
"error": "invalid_request",
"error_description": "Authentication Failed"
}
{
"error": "invalid_request",
"error_description": "Access is unauthorized"
}
Response Elements
access_token |
The token that represents the session that has just been created for the user. Default expiration time is 3600 seconds / 1 hour. |
expires_in |
The number of seconds until the session expires. Defaults to 3600. |
id_token |
A JWT containing user and scope information for this session |
token_type |
The type of access token. Always set to “Bearer” |
refresh_token |
Only returned if a Refresh Token Timeout period has specified in your OpenId Connect app settings via the OneLogin portal. |
Sample Code
cURL
Replace sample values indicated by < >
with your actual values.
curl -XPOST "https://<region>.onelogin.com/oidc/token" \
-H "Authorization: Basic <base64 encoded client_id:client_secret>" \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "grant_type=authorization_code&code=<authorization code>&redirect_uri=<registered redirect uri>"
Postman Collection
- Clicking Run in Postman button navigates to the page where you can fork the collection to your workspace. Forking the collection into your workspace will enable you to contribute to the source collection using pull requests. You can also view the collection in a public workspace if you like and even import a copy of the collection using the links present on the screen.
Have a Question?
Found a problem or a bug? Submit a support ticket.
Looking for walkthroughs or how-to guides on OneLogin's user and admin features? Check out the documentation in our Knowledge Base.
Have a product idea or request? Share it with us in our Ideas Portal.