See openid-connect Menu

Auth Code Flow pt. 2

Deprecation Notice

There is a more recent version of this OpenId Connect API available. Learn more.

This endpoint will be deprecated on November 2nd 2020.

This is the second of two requests that need to be made to complete the Authorization Code Flow.

In this step the Authorization Code that was returned in step 1 will be exchanged for a token set containing Access, Refresh and ID Tokens.

Note that the access token returned is different to the access token generated via the OAuth 2.0 Tokens API. Therefore it can not be used to authorize API calls against other endpoints such as Users or Events.

Resource URL


Header Parameter



Required if Token Endpoint Authentication Method is set to Basic

Set to Basic <base64 encoded "clientId:clientSecret">.

The client_id and client_secret are generated when you configure your OpenId Connect app in OneLogin.

e.g. Using Node.js this would be

new Buffer(`${this.client_id}:${this.client_secret}`).toString('base64');





Resource Parameter




Set to the region of your OneLogin instance.

  • openid-connect
  • openid-connect-eu
e.g. If your OneLogin instance is located in Europe then use

Request Parameter




Set to “authorization_code”




The authorization code returned after a successful authentication via the Authorization Flow.




The redirect uri that is registered with OneLogin for this OpenId Connect app.



The OneLogin generated Client ID for your OpenID Connect app.

Required if Token Endpoint Authentication method is set to POST or none (PKCE).



The OneLogin generated Client Secret for your OpenID Connect app.

Required if Token Endpoint Authentication method is set to POST.



The plain text string that was sent as the code_challenge in step 1 of the Auth Flow.

Required when Token Endpoint Authentication Method is set to none (PKCE).

Sample Request Body


Sample Response

    "access_token": "NWE4Nzg2ZDEtNzQyMS00ZDViLThjMjctMGQwNjlmZjU5MWNkBGjFElT7CWzl0d....",
    "expires_in": 3600,
    "id_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IkpSY080bnhzNWpnYzhZZE43STJoTE80V...",
    "token_type": "Bearer",
    "refresh_token": "897987AGBEtNzQyMS00ZDViLThjMjctMGQwNjlmZjU5MWNkBGjFElT7CWzl0d...."

Probably an invalid client_id

    "error": "invalid_request",
    "error_description": "Resource not found"

The grant has been used or has expired

    "error": "invalid_grant",
    "error_description": "grant request is invalid"

Missing the redirect_uri

    "error": "invalid_request",
    "error_description": "missing required parameter(s). (redirect_uri)"

The authorization header is invalid

    "error": "invalid_request",
    "error_description": "invalid authorization header value format"
    "error": "invalid_request",
    "error_description": "Authentication Failed"
    "error": "invalid_request",
    "error_description": "Access is unauthorized"

Response Elements

access_token The token that represents the session that has just been created for the user. Default expiration time is 3600 seconds / 1 hour.
expires_in The number of seconds until the session expires. Defaults to 3600.
id_token A JWT containing user and scope information for this session
token_type The type of access token. Always set to “Bearer”
refresh_token Only returned if a Refresh Token Timeout period has specified in your OpenId Connect app settings via the OneLogin portal.

Sample Code


Replace sample values indicated by < > with your actual values.

curl -XPOST "https://<region>" \
-H "Authorization: Basic <base64 encoded client_id:client_secret>" \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "grant_type=authorization_code&code=<authorization code>&redirect_uri=<registered redirect uri>"

Postman Collection

Replace sample variables indicated by {{ }} with your actual values.

Download for the OpenId Connect API

Have a Question?

Have a how-to question? Seeing a weird error? Ask us about it on StackOverflow.

Found a bug? Submit a support ticket.

Have a product idea or request? Share it with us in our Ideas Portal.

StackOverflow discussions about "[onelogin] openid connect"

  • 6

    A: SAML for Native Mobile Apps(Android and IOS)

    Answered Apr 02 2018

    session you've established with an SSO provider) between native apps that also support SAML the same way. Basically, if you do this, you'll also be supporting SSO on mobile via SAML (or OpenID Connect, if you go that route) …

  • 5

    Q: How to use onelogin SSO with AngularJS?

    Asked Jun 20 2016

    questions: 1> Onelogin is using SAML instead of OpenID Connect. I am not asking what's the difference between these two, but what is recommended since everyone is moving towards OpenID Connect? 2> Does Onelogin supports AngularJS? I don't see any documentation for onelogin API with AngularJS & Node See Here … I was looking into Onelogin for SSO. We have applications written in .NET, AngularJS + Node. None of these applications are mobile applications. After going through their documentation I have few …

  • 3

    A: Does OneLogin support client session management via OIDC?

    Answered Nov 16 2018 2.1. OpenID Provider Discovery Metadata These OpenID Provider Metadata parameters MUST be included in the Server's discovery … responses when Session Management and Discovery are supported: check_session_iframe ... end_session_endpoint ... I don't see these metadata parameters in the OneLogin discovery metadata, so it looks like Session Management is not supported. …

  • 2

    A: How to Validate an Access Token for OAuth2 + PCKE flow

    Answered Apr 25 2019

    returned from the auth code flow worked, and the access_token only returned {"active":false} after it expired. Make sure you are not setting the Authorization header, and only set your client_id in the payload. … I'm using OIDC with PKCE, and I managed to call the endpoint with a token retrieved via the authorization code flow: $ curl -i -d "token …

  • 2

    Q: Python/Django library for registering multiple SSO Identity Providers(OpenID Connect)

    Asked Nov 08 2019

    I'm working on a project written in Python(Django) and i recently added an SSO option for logging in with OneLogin accounts. There's already support for Microsofts Azure SSO from an earlier feature … . I'm looking for a library which can somehow register different identity providers(Microsoft, OneLogin, Facebook, etc...) and then wrap the similar login logic into a single class, which would handle …