See openid-connect Menu

Create Session via Authorization Code


Use this API to start a new session using an authorization code that gets returned as part of the OpenId Connect Authentication Flow.

Note that the access token returned is different to the access token generated via the OAuth 2.0 Tokens API. Therefore it can not be used to authorize API calls against other endpoints such as Users or Events.

Resource URL

https://<subdomain>.onelogin.com/oidc/token

Header Parameter

Authorization

required

string

Set to Basic <base64 encoded "clientId:clientSecret">.

The client_id and client_secret are generated when you configure your OpenId Connect app in OneLogin.

e.g. Using Node.js this would be

new Buffer(`${this.client_id}:${this.client_secret}`).toString('base64');

Content-Type

required

string

application/x-www-form-urlencoded

Resource Parameter

subdomain

required

integer

Set to the subdomain of your OneLogin instance.

e.g. oidc-sample where the instance is https://oidc-sample.onelogin.com

Request Parameter

grant_type

required

string

Set to “authorization_code”

code

required

string

The authorization code returned after a successful authentication via the Authentication Flow.

redirect_uri

required

string

The redirect uri that is registered with OneLogin for this OpenId Connect app.

Sample Request Body

grant_type=authorization_code&code=xxxxxx&redirect_uri=https://myapp.com/callback

Sample Response

{
    "access_token": "NWE4Nzg2ZDEtNzQyMS00ZDViLThjMjctMGQwNjlmZjU5MWNkBGjFElT7CWzl0d....",
    "expires_in": 3600,
    "id_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IkpSY080bnhzNWpnYzhZZE43STJoTE80V...",
    "token_type": "Bearer",
    "refresh_token": "897987AGBEtNzQyMS00ZDViLThjMjctMGQwNjlmZjU5MWNkBGjFElT7CWzl0d...."
}

Probably an invalid client_id

{
    "error": "invalid_request",
    "error_description": "Resource not found"
}

The grant has been used or has expired

{
    "error": "invalid_grant",
    "error_description": "grant request is invalid"
}

Missing the redirect_uri

{
    "error": "invalid_request",
    "error_description": "missing required parameter(s). (redirect_uri)"
}

The authorization header is invalid

{
    "error": "invalid_request",
    "error_description": "invalid authorization header value format"
}
{
    "error": "invalid_request",
    "error_description": "Authentication Failed"
}
{
    "error": "invalid_request",
    "error_description": "Access is unauthorized"
}

Response Elements

access_token The token that represents the session that has just been created for the user.
expires_in The number of seconds until the session expires
id_token A JWT containing user and scope information for this session
token_type The type of access token. Always set to “Bearer”
refresh_token Only returned if a Refresh Token Timeout period has specified in your OpenId Connect app settings via the OneLogin portal.

Sample Code

cURL

Replace sample values indicated by < > with your actual values.

curl -XPOST "https://<subdomain>.onelogin.com/oidc/token" \
-H "Authorization: Basic <base64 encoded client_id:client_secret>" \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "grant_type=authorization_code&code=<authorization code>&redirect_uri=<registered redirect uri>"


Have a Question?

Have a how-to question? Seeing a weird error? Ask us about it on StackOverflow.

Found a bug? Submit a support ticket.

Have a product idea or request? Share it with us in our Ideas Portal.