Authlete

Request to Authlete's /api/auth/token API.

Properties

| Type | Property | Description |
| --- | --- | --- |
| string | Parameters [get, set] | Token request parameters which the token endpoint implementation of your authorization server received from a client application. The value of this request parameter is the entire entity body (formatted in application/x-www-form-urlencoded) of the request from the client application. This request parameter is mandatory. |
| string | ClientId [get, set] | The client ID extracted from the Authorization header of the token request from the client application. |
| string | ClientSecret [get, set] | The client secret extracted from the Authorization header of the token request from the client application. |
| string | ClientCertificate [get, set] | The client certificate from the MTLS of the token request from the client application. |
| Property[] | Properties [get, set] | Extra properties to be associated with an access token which may be issued as a result of the token request. |
| string[] | ClientCertificatePath [get, set] | The certificate path presented by the client during client authentication. |
| string | Dpop [get, set] | The DPoP header presented by the client during the request to the token endpoint. The header contains a signed JWT which includes the public key that is paired with the private key used to sign the JWT. |
| string | Htm [get, set] | The HTTP method of the token request. This property is used to validate the DPoP header. |
| string | Htu [get, set] | The URL of the token endpoint. This property is used to validate the DPoP header. |
Request to Authlete's /api/auth/token API.

An entity body of a token request may contain the client ID (client_id) and the client secret (client_secret) along with other request parameters as described in 2.3.1. Client Password of RFC 6749. If client credentials are contained both in the Authorization header and in the entity body, they must be identical. If they do not match, Authlete's /api/auth/token API reports an error. It is not an error of your authorization server implementation but an error of the client application.
string ClientCertificate [get, set]

The client certificate from the MTLS of the token request from the client application.

Since version 1.0.8.
string[] ClientCertificatePath [get, set]

The certificate path presented by the client during client authentication. These certificates are strings in PEM format.

Since version 1.1.0.
string ClientId [get, set]

The client ID extracted from the Authorization header of the token request from the client application.

If the token endpoint of the authorization server supports Basic Authentication as a means of client authentication, and if the request from the client application contained its client ID in the Authorization header, the value should be extracted from there and set as the value of this request parameter.
string ClientSecret [get, set]

The client secret extracted from the Authorization header of the token request from the client application.

If the token endpoint of the authorization server supports Basic Authentication as a means of client authentication, and if the request from the client application contained its client secret in the Authorization header, the value should be extracted from there and set as the value of this request parameter.
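The following is an added example (not code from the Authlete library or from this page) showing how a token endpoint would fill Parameters, ClientId and ClientSecret as the description above and the ClientId/ClientSecret sections require: the raw entity body goes into Parameters untouched, and Basic credentials are decoded from the Authorization header per RFC 6749 section 2.3.1. The TokenRequestFields class is a stand-in with the same property names as this page's table, not the library's own type; the client_id, client_secret and code values in Main are the RFC 6749 examples and constructed data. The conflict check at the end mirrors the rule stated above (header and body credentials must match) so a server can log the client error locally; Authlete still performs the authoritative comparison.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Text;

// Stand-in for the request object documented on this page (assumption:
// same property names as the page's table; not the Authlete library class).
public sealed class TokenRequestFields
{
    public string Parameters { get; set; }
    public string ClientId { get; set; }
    public string ClientSecret { get; set; }
}

public static class TokenEndpointHelper
{
    // Extract client_id / client_secret from "Authorization: Basic ..." as
    // RFC 6749 section 2.3.1 describes: base64 of "id:secret", where both
    // parts were form-urlencoded before being joined.
    public static (string ClientId, string ClientSecret)? ParseBasicCredentials(string authorization)
    {
        if (string.IsNullOrWhiteSpace(authorization)) return null;
        const string scheme = "Basic ";
        if (!authorization.StartsWith(scheme, StringComparison.OrdinalIgnoreCase)) return null;

        string decoded;
        try
        {
            decoded = Encoding.UTF8.GetString(
                Convert.FromBase64String(authorization.Substring(scheme.Length).Trim()));
        }
        catch (FormatException)
        {
            return null; // malformed base64: pass no header credentials and let Authlete reject
        }

        int colon = decoded.IndexOf(':');
        if (colon < 0) return null;
        // A secret may itself contain ':', so split only on the first one.
        return (WebUtility.UrlDecode(decoded.Substring(0, colon)),
                WebUtility.UrlDecode(decoded.Substring(colon + 1)));
    }

    // Parse the form-urlencoded entity body into a dictionary (first value wins).
    public static Dictionary<string, string> ParseForm(string body)
    {
        var result = new Dictionary<string, string>(StringComparer.Ordinal);
        if (string.IsNullOrEmpty(body)) return result;
        foreach (string pair in body.Split('&'))
        {
            if (pair.Length == 0) continue;
            int eq = pair.IndexOf('=');
            string key = WebUtility.UrlDecode(eq < 0 ? pair : pair.Substring(0, eq));
            string value = eq < 0 ? "" : WebUtility.UrlDecode(pair.Substring(eq + 1));
            if (!result.ContainsKey(key)) result[key] = value;
        }
        return result;
    }

    // Build the request fields as the page describes: the raw body goes into
    // Parameters unchanged, header credentials (if any) into ClientId/ClientSecret.
    // Body credentials are NOT copied into ClientId; Authlete compares the two.
    public static TokenRequestFields Build(string body, string authorizationHeader)
    {
        var req = new TokenRequestFields { Parameters = body };
        var creds = ParseBasicCredentials(authorizationHeader);
        if (creds.HasValue)
        {
            req.ClientId = creds.Value.ClientId;
            req.ClientSecret = creds.Value.ClientSecret;
        }
        return req;
    }

    // Local pre-check of the rule on this page: if the body also carries
    // client_id/client_secret they must equal the header values. Returns true
    // when they differ (the client's error, not the server's).
    public static bool HeaderAndBodyCredentialsConflict(TokenRequestFields req)
    {
        var form = ParseForm(req.Parameters);
        bool idConflict = req.ClientId != null
            && form.TryGetValue("client_id", out var bodyId) && bodyId != req.ClientId;
        bool secretConflict = req.ClientSecret != null
            && form.TryGetValue("client_secret", out var bodySecret) && bodySecret != req.ClientSecret;
        return idConflict || secretConflict;
    }

    public static void Main()
    {
        // Constructed sample: the header is the RFC 6749 section 2.3.1 example
        // ("s6BhdRkqt3" / "gX1fBat3bV"); the body repeats a different client_id.
        const string header = "Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW";
        const string body = "grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA&client_id=other-client";
        TokenRequestFields req = Build(body, header);
        Console.WriteLine($"ClientId from header: {req.ClientId}");            // s6BhdRkqt3
        Console.WriteLine($"Conflict with body: {HeaderAndBodyCredentialsConflict(req)}"); // True
    }
}
```

WebUtility.UrlDecode is used for both the header parts and the body because RFC 6749 requires the Basic credentials to be form-urlencoded before base64 encoding, so '+' means a space in both places.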
string Dpop [get, set]

The DPoP header presented by the client during the request to the token endpoint. The header contains a signed JWT which includes the public key that is paired with the private key used to sign the JWT.

See "OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer (DPoP)" for details.

Since version 1.4.0.
string Htm [get, set]

The HTTP method of the token request. This property is used to validate the DPoP header.

In normal cases, the value is POST. When this parameter is omitted, POST is used as the default value.

See "OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer (DPoP)" for details.

Since version 1.4.0.
string Htu [get, set]

The URL of the token endpoint. This property is used to validate the DPoP header.

If this parameter is omitted, the tokenEndpoint property of the Service is used as the default value.

See "OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer (DPoP)" for details.

Since version 1.4.0.
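An added example (not code from the Authlete library or from this page) of how an authorization server would collect the Dpop, Htm and Htu values described in the three sections above from the incoming HTTP request. Authlete validates the proof itself; the server only has to pass the header and describe the request it arrived with, so the example normalizes the method to upper case and strips query and fragment from the URL, which is what the DPoP specification's htu comparison ignores. The DpopFields record, the helper names and the sample JOSE header in Main are constructed for this example; the structural check is a cheap local sanity test (three JWS segments, typ "dpop+jwt", a public "jwk" with no private "d" member) that lets a server log obviously malformed proofs early without replacing Authlete's signature and claim verification.

```csharp
using System;
using System.Text;
using System.Text.Json;

// Result of collecting the three DPoP-related request fields documented above.
// Stand-in record, not a type from the Authlete library (assumption).
public sealed record DpopFields(string Dpop, string Htm, string Htu);

public static class DpopRequestHelper
{
    // Per the DPoP specification the htu value is the target URI without query
    // and fragment, so normalize the endpoint URL that way before passing it on.
    public static string NormalizeHtu(Uri requestUri)
    {
        return requestUri.GetLeftPart(UriPartial.Path);
    }

    // Returns null when no DPoP header was presented (the request is then not DPoP-bound).
    public static DpopFields Collect(string dpopHeader, string httpMethod, Uri requestUri)
    {
        if (string.IsNullOrWhiteSpace(dpopHeader)) return null;
        return new DpopFields(dpopHeader.Trim(), httpMethod.ToUpperInvariant(), NormalizeHtu(requestUri));
    }

    // Structural sanity check only: compact JWS with three segments, JOSE header
    // typ "dpop+jwt", and a public key in "jwk" that does not leak a private part.
    // Signature, nonce/iat and htm/htu claims are still verified by Authlete.
    public static bool LooksLikeDpopProof(string dpopHeader)
    {
        string[] parts = dpopHeader.Split('.');
        if (parts.Length != 3) return false;
        try
        {
            using JsonDocument doc = JsonDocument.Parse(Base64UrlDecode(parts[0]));
            JsonElement h = doc.RootElement;
            return h.TryGetProperty("typ", out var typ) && typ.GetString() == "dpop+jwt"
                && h.TryGetProperty("jwk", out var jwk) && jwk.ValueKind == JsonValueKind.Object
                && !jwk.TryGetProperty("d", out _); // a private key in the proof is a client bug
        }
        catch (Exception e) when (e is FormatException || e is JsonException)
        {
            return false;
        }
    }

    private static byte[] Base64UrlDecode(string s)
    {
        string b64 = s.Replace('-', '+').Replace('_', '/');
        switch (b64.Length % 4)
        {
            case 2: b64 += "=="; break;
            case 3: b64 += "="; break;
        }
        return Convert.FromBase64String(b64);
    }

    private static string Base64UrlEncode(byte[] bytes) =>
        Convert.ToBase64String(bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_');

    public static void Main()
    {
        // Constructed sample: only the JOSE header is real JSON; payload and
        // signature segments are placeholders because this code never verifies them.
        string joseHeader = "{\"typ\":\"dpop+jwt\",\"alg\":\"ES256\",\"jwk\":{\"kty\":\"EC\",\"crv\":\"P-256\",\"x\":\"placeholder\",\"y\":\"placeholder\"}}";
        string dpop = Base64UrlEncode(Encoding.UTF8.GetBytes(joseHeader)) + ".payload.signature";

        DpopFields fields = Collect(dpop, "post", new Uri("https://as.example.com/token?foo=bar#frag"));
        Console.WriteLine(fields.Htm);                     // POST
        Console.WriteLine(fields.Htu);                     // https://as.example.com/token
        Console.WriteLine(LooksLikeDpopProof(fields.Dpop)); // True
    }
}
```

When Htu is omitted the page says Authlete falls back to the Service's tokenEndpoint value; passing the normalized URL explicitly is the safer choice when the server is reachable under more than one host name, because the proof's htu claim must match the URL the client actually used.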
string Parameters [get, set]

Token request parameters which the token endpoint implementation of your authorization server received from a client application. The value of this request parameter is the entire entity body (formatted in application/x-www-form-urlencoded) of the request from the client application. This request parameter is mandatory.
Property[] Properties [get, set]

Extra properties to be associated with an access token which may be issued as a result of the token request.

If the value of the "grant_type" parameter contained in the token request from the client application is "authorization_code", properties set by this request parameter will be added as the extra properties of a newly created access token. The extra properties specified when the authorization code was issued (using AuthorizationIssueRequest.Properties) will also be used, but their values will be overwritten if the extra properties set by this request parameter have the same keys. In other words, extra properties contained in this request will be merged into the existing extra properties associated with the authorization code.

Otherwise, if the value of the "grant_type" parameter contained in the token request from the client application is "refresh_token", properties set by this request parameter will be added to the existing extra properties of the corresponding access token. Extra properties having the same keys will be overwritten in the same manner as in the case of grant_type=authorization_code.

Otherwise, if the value of the "grant_type" parameter contained in the token request from the client application is "client_credentials", properties set by this request parameter will be used simply as the extra properties of a newly created access token. Because the Client Credentials flow does not have a preceding authorization request, no merging of extra properties is performed. This is different from the cases of grant_type=authorization_code and grant_type=refresh_token.

In other cases (grant_type=password), properties set by this request parameter will not be used. When you want to associate extra properties with an access token issued by the Resource Owner Password Credentials flow, use TokenIssueRequest.Properties instead.

Keys of extra properties will be used as labels of top-level entries in the JSON response containing an access token which is returned from an authorization server. An example is example_parameter, which you can find in 5.1. Successful Response of RFC 6749. The following code snippet is an example to set one extra property having "example_parameter" as its key and "example_value" as its value.

The keys listed below should not be used; they would be ignored on the Authlete side even if they were used, because they are reserved in RFC 6749 and OpenID Connect Core 1.0.

- token_type
- expires_in
- refresh_token
- scope
- error
- error_description
- error_uri
- id_token

Note that there is an upper limit on the total size of extra properties. On the server side, the properties will be (1) converted to a multidimensional string array, (2) converted to JSON, (3) encrypted by AES/CBC/PKCS5Padding, (4) encoded by base64url, and then stored into the database. The length of the resultant string must not exceed 65,535 bytes. This is the upper limit, but we think it is big enough.
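The following is an added example, not the page's own snippet and not code from the Authlete library, covering the whole Properties section above: it builds the Properties array with the "example_parameter"/"example_value" pair, drops the reserved keys the page lists so the rejection is visible locally rather than silently on Authlete's side, and models the per-grant_type merge rules described above so a developer can predict which extra properties will end up on the issued access token. The Property class here is a stand-in key/value pair (assumption; the library's own class may carry more members), the ModelMerge function is a local model of the documented behaviour rather than Authlete's implementation, and the "tenant" property in Main is constructed sample data.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Stand-in for the Property type on this page (assumption: a key/value pair;
// not the Authlete library's own class).
public sealed class Property
{
    public string Key { get; set; }
    public string Value { get; set; }
    public Property(string key, string value) { Key = key; Value = value; }
}

public static class ExtraPropertyRules
{
    // Keys the page lists as reserved by RFC 6749 / OpenID Connect Core 1.0.
    private static readonly HashSet<string> Reserved = new HashSet<string>(StringComparer.Ordinal)
    {
        "token_type", "expires_in", "refresh_token", "scope",
        "error", "error_description", "error_uri", "id_token",
    };

    // Build the Properties array for a token request, dropping reserved keys.
    public static Property[] BuildRequestProperties(IDictionary<string, string> wanted)
    {
        return wanted.Where(kv => !Reserved.Contains(kv.Key))
                     .Select(kv => new Property(kv.Key, kv.Value))
                     .ToArray();
    }

    // Local model of the merge rules described above, by grant_type.
    // "existing" is what was attached to the authorization code (or to the access
    // token being refreshed); "requested" is this request's Properties.
    // On a key clash the request's value wins, as the page states.
    public static Property[] ModelMerge(string grantType, Property[] existing, Property[] requested)
    {
        switch (grantType)
        {
            case "authorization_code":
            case "refresh_token":
            {
                var merged = new Dictionary<string, string>(StringComparer.Ordinal);
                foreach (var p in existing ?? Array.Empty<Property>()) merged[p.Key] = p.Value;
                foreach (var p in requested ?? Array.Empty<Property>()) merged[p.Key] = p.Value;
                return merged.Select(kv => new Property(kv.Key, kv.Value)).ToArray();
            }
            case "client_credentials":
                // No preceding authorization request, so there is nothing to merge with.
                return requested ?? Array.Empty<Property>();
            default:
                // e.g. grant_type=password: this request parameter is not used;
                // TokenIssueRequest.Properties is the place for that flow.
                return Array.Empty<Property>();
        }
    }

    public static void Main()
    {
        var wanted = new Dictionary<string, string>
        {
            ["example_parameter"] = "example_value", // the RFC 6749 section 5.1 example key
            ["expires_in"] = "9999",                  // reserved: dropped by BuildRequestProperties
        };
        Property[] requested = BuildRequestProperties(wanted);
        Console.WriteLine(requested.Length); // 1

        // Constructed: properties that were attached when the authorization code was issued.
        Property[] fromCode = { new Property("example_parameter", "old"), new Property("tenant", "acme") };

        foreach (var p in ModelMerge("authorization_code", fromCode, requested))
            Console.WriteLine($"{p.Key}={p.Value}");
        // example_parameter=example_value (request wins), tenant=acme (kept from the code)

        Console.WriteLine(ModelMerge("client_credentials", fromCode, requested).Length); // 1
        Console.WriteLine(ModelMerge("password", fromCode, requested).Length);           // 0
    }
}
```

Because every extra property key becomes a top-level entry in the token response, a reviewer should also treat the set of keys as part of the endpoint's public contract: the page's 65,535-byte limit applies to the encrypted, base64url-encoded form, so the plain JSON you send must stay comfortably below it.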