Token Endpoint

Exchanging Grants for Tokens

In exchange for an OAuth 2.0 grant, clients obtain tokens (identity, access or refresh) at the token endpoint.

The token endpoint of the ActivID Appliance server accepts the following grant types:

Standard OAuth 2.0 grant types:
- Authorization code (authorization_code) – obtained from the authentication endpoint (see section 3.1.3 of the OpenID Connect Core specification)
- Resource owner password credentials (password) – see section 4.3 of the OAuth 2.0 specification
- Client credentials (client_credentials) – see section 4.4 of the OAuth 2.0 specification
- Refresh token (refresh_token) – the client uses a refresh token to renew an access token without end-user interaction (as defined in section 12 of the OpenID Connect Core specification).
  
  For further information, see Configuring Support for Refresh Tokens.

Proprietary grant types:
- Client secret PKI (urn:hid:oauth:grant-type:client-secret-pki) – the client authenticates itself via a mutual TLS (mTLS) authentication connection to the token endpoint with the client certificate which is registered as a ActivID Appliance PKI credential during manual client registration (using the ActivID Management Console) or dynamic client registration.
  For further information, see Configuring Client PKI Authentication.

The following standard OAuth 2.0 grant types are NOT supported:

Implicit (used only in the implicit flow which is not supported)

Copy

The endpoint is exposed at the following URL (and can be obtained from the server discovery endpoint):

https://[base-server-url]/{tenant}/authn/token [POST]

Token Request

Clients must authenticate to the server with their client_id and client_secret credentials obtained at registration in order to make a token request. The default authentication method is client secret basic. However, for security reasons, it is recommended to configure a stronger authentication method, such as client secret POST, private key JWT or the HID custom authentication method client_secret_pki.

Copy

Sample token request with an authorization code grant

POST https://[base-server-url]/{tenant}/authn/token HTTP/1.1
Authorization: Bearer RTp7HwAAAW3KhwwWbFmvt2o/66OFuV7HZ52X6scd
Content-Type: application/x-www-form-urlencoded
 
grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA
&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb

Copy

Sample token request with a password grant

POST https://[base-server-url]/{tenant}/authn/token HTTP/1.1
Authorization: Bearer RTp7HwAAAW3KhwwWbFmvt2o/66OFuV7HZ52X6scd
Content-Type: application/x-www-form-urlencoded
 
grant_type=password&username=alice&password=secret

Copy

Sample token request with a client_credentials grant

POST https://[base-server-url]/{tenant}/authn/token HTTP/1.1
Authorization: Basic c3BsLWFwaTpwYXNzd29yZDAx
Content-Type: application/x-www-form-urlencoded
 
grant_type=client_credentials

Copy

Sample token request with a client_credentials grant with client credentials in the request-body (not recommended)

POST https://[base-server-url]/{tenant}/authn/token HTTP/1.1
Content-Type: application/x-www-form-urlencoded
 
grant_type=client_credentials&client_id=client1&client_secret=password01

Copy

Sample token request with a client_credentials grant using a JWT signed with client private key (recommended)

POST https://[base-server-url]/{tenant}/authn/token HTTP/1.1
Content-Type: application/x-www-form-urlencoded
 
grant_type=client_credentials&client_id=client1&client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer&client_assertion=eyJhbGciOiJSUzI1NiIsImtpZCI6IjIyIn0.eyJpc3Mi[...omitted for brevity...].cC4hiUPo[...omitted for brevity...]

Note: The client must be configured to support PKI authentication and the private key used to generate the assertion must be the client’s authentication key, not the digital signature key if different.

For further information about the assertion content, go to https://tools.ietf.org/html/draft-ietf-oauth-jwt-bearer-12#section-3

Copy

Sample token request using OpenID’s ‘self_signed_tls_client_auth’ authentication method with client_credentials grant with client PKI authentication using a mTLS authentication connection to the token endpoint

POST https://[base-server-url]/{tenant}/authn/token HTTP/1.1
Content-Type: application/x-www-form-urlencoded
                 
grant_type=client_credentials&client_id=client1&scope=openid

Note: The token endpoint accepting mTLS authentication connection might be using another port, such as 8443, and the root CA certificate of client’s certificate should be stored in the ActivID Appliance truststore.

Copy

Sample token request with a HID custom grant type client_secret_pki with client authentication certificate used in a mTLS authentication connection to the token endpoint

POST https://[base-server-url]/{tenant}/authn/token HTTP/1.1
Content-Type: application/x-www-form-urlencoded
                 
grant_type=urn:hid:oauth:grant-type:client-secret-pki&client_id=client1

Copy

Sample token request with a refresh_token grant, with refresh token in the request-body

POST https://[base-server-url]/{tenant}/authn/token HTTP/1.1
Content-Type: application/x-www-form-urlencoded
 
grant_type=refresh_token&refresh_token=31701300&scope=openid%20profile%20offline_access

HID Custom Token Request Parameters

Several HID custom parameters are supported to match the ActivID Appliance authentication features, although these custom parameters are all optional:

Parameter	Description
`device_id`	For the Transaction Signing use case, this parameter is added to proceed with authentication with device.
`device_externalid`	For the auto-bind use case, this parameter is added.
`mode`	The supported authentication mode values are: SYNCHRONOUS ASYNCHRONOUS SIGNING CHALLENGE SIGN_SYNCHRONOUS By default (parameter missing), the mode is SYNCHRONOUS.
`authType`	Added to override the default authentication type registered to the OpenID client. This parameter is useful when the OpenID client supports multiple authentication types.
`channel`	Added to override the default channel registered to the OpenID client. This parameter is useful when the OpenID client has multiple authentication channels. Note: When using the Resource owner password credentials grant type, the authType and channel custom parameters passed will be used as parameters for end user.
`noToken`	For the Transaction Signing, Push Authentication and RADIUS uses cases, it is necessary to authenticate without generating tokens. In these cases, the parameter should be set to 1 to prevent the generation of a token for the OpenID client or end user. The response will return an Access Token with a fake value (a base64-encoding of the character space ' ') as a placeholder that can be ignored: IA== By default, or if the parameter is missing, the value is 0 (token will be generated).
`deviceCentric`	For authentication with a device, set the parameter to deviceCentric=1, combined either a device_id or a device_externalid. Possible values: Integer 1 for true Any other value, or missing, will be false and therefore, not deviceCentric)
`client_id`	Required for client authentication.
`username`	For end user authentication, this can be a faked value (not null, empty, or blank) as a placeholder and it will be ignored.

Token Response

See section 3.1.3.3 of the OpenID Connect Core specification

Copy

Sample response with an access and ID Token

HTTP/1.1 200 OK
Cache-Control: no-store
Pragma: no-cache
Content-Type: application/json; charset=UTF-8
 
{
    "access_token": "pxMC9gAAAW3KmzjTLKRSqLeK4Em62cucIULOX/Y3",
    "id_token": "eyJraWQiOiIxNTI5MDcwMDQ5[...truncated for brevity...] cbAqXqCCrSiYsP-Jg",
    "token_type": "Bearer",
    "expires_in": 7200
}

Note: In ActivID Appliance, access tokens are session-bound and sessions possess two timeout attributes :

Session inactivity timeout
Session timeout

The "expires_in" claim in the sample above contains the value of the second attribute - meaning the token might expire before this maximum duration, due to inactivity (it might also have been revoked, see the revoke endpoint), which is why it is strongly recommended that applications using them to use the Introspect endpoint to get of the current status of the token before use.

Retrieve the Authentication Result and Access Token

Copy

Sample request with a CIBA grant using the authentication request ID

POST https://[base-server-url]/{tenant}/authn/token HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Authorization: Bearer RTp7HwAAAXk3vsD/zWlMvdnsYBjme0uXks0qQlT0
 
grant_type=urn%3Aopenid%3Aparams%3Agrant-type%3Aciba&auth_req_id=a95c61e0-f604-4905-98b1-26b7b87fe073

Copy

Sample response with the id_token

HTTP/1.1 200 OK
Cache-Control: no-store
Pragma: no-cache
Content-Type: application/json;charset=UTF-8
Content-Length: 84
 
{
   "access_token": "rYt9pwAAAXk3wN50Qm06NLzAbv0I/XKR/zknMhIY",
   "auth_req_id": "a95c61e0-f604-4905-98b1-26b7b87fe073",
   "id_token": "eyJhbGciOiJub25lIn0.eyJyZXN1bHQiOjEsInJlYXNvbiI6IlJlYXNvbiBub3QgZGVmaW5lZCIsImRvbWFpbiI6Ik9OTElORUJBTksiLCJKV1MiOiJleUowZVhBaU9pSktWMVFpTENKaGJHY2lPaUpTVXpVeE1pSjkuZXlKamJHbGxiblJoY0hCeWIzWmhiSE4wWVhSMWN5STZJbUZqWTJWd2RDSXNJblJrY3lJNkludGhiVzkxYm5Rc0lEUXdNQzR3TUgwc2UzTnZjblJqYjJSbExESXdMVE13TFRrd2ZTd2dlMkZqWTI5MWJuUmZkRzhzTVRJek5DMDFOamM0ZlNJc0luUjRZMjkxYm5SbGNpSTZJamszSW4wPS5xMFlyRmRqTzJUdk1yczlBWWJqeFhwdUZuS1BpNkNLemNkMm1pcWUwVnQwZ0tSYzFTTDJ1OVZET3poNmNDNVROWWhQRERWYV9jZzJ0d29FMWppT2F1SFkxZ1BFTGRmV3RUcnh3bVZmSlVfUlNxWUpuUm9JSW04SUttYWg0TGpXanlabkxGNzd6RVpibWZqOUUyRWxfTDBhV1BtUnRwcjhaOVlGWHNGZF9TRXhyUENteFdyc2lvYjBaSWNaamp5bUFqSkQ4QWhOcndheGhRc2JYSnpEU1R5QTlCejB4UWVXNFprLU1YdC1CRE1lZkFEYVBJU04wc0N1QUVnRUM4Z3pSTGpsbENWaTJ4NWgwTVdfeW9OaTh4eXotYjM4bHhQejVoRWUtVHRMVFlpZ002OUVfV0xlRnpYdDh5VlVqTUVMd2RQamVVSnh4ZEFHckdsbGJNVlNPbGc9PSIsIlBVSyI6Ik1JSUJJakFOQmdrcWhraUc5dzBCQVFFRkFBT0NBUThBTUlJQkNnS0NBUUVBczVKQmxWVTk2aHFcL1R5QUZ6R3dwM252c1NxTXFNRUkybG1IbUJLdlJXSU9uVDlodUh6cm9Tdjh3eXVBWXB0UjV6SG5BV25YVWlcL0FHaVFBWWlIdWNYeGs5dmNHWnNOWUo5MWtacGJma25cL1RUZjlHV3RyWGphQTM0ckYyeG56QlhEVXNia3RhTlhQNXhBUTdcL1ArZnJRMEFMWGU1cXJtRlY2NFJrVmI2UG90eXdEVE5DMjNkRG50SUZyQnNjMFJBR0w4d2NXaEttcERhRkU3N0xYSGZlbEFqeWM5d2NjYkhwcmZPSmN5Nks0c29CRXg3UDJkQXFlTkVYVmd1TkVyQWpXNVhhMmxpQmpOVVliQytSQjVuVDNTbUNxczNmUFwvMkVGVE04SlZCWmNXV2YyS09EOFh0WU9jMk41UEdOR05wd3VBRThmYnBsaW9IWUo4clwvMGNHQXBRSURBUUFCIiwiY2xpZW50YXBwcm92YWxzdGF0dXMiOiJhY2NlcHQiLCJ1c2VyY29kZSI6ImJhbmt1c2VyMDEiLCJkZXZpY2VpZCI6MTEwNTh9.",
   "token_type": "Bearer",
   "expires_in": 86400
}

Copy

Sample request to delete a pending request

POST https://[base-server-url]/{tenant}/authn/token
Content-Type: application/json
Authorization: Bearer RTp7HwAAAV6kDLkStyOElco4/XqhuFOnqCHTypGu

grant_type=ciba_delete&auth_req_id=a95c61e0-f604-4905-98b1-26b7b87fe073

Error/Failure Responses

Code	Label	Possible Errors
400	BAD REQUEST	invalid_request invalid_grant unsupported_grant_type invalid_scope unauthorized_client expired_token authorization_pending hid_failure hid_error
401	UNAUTHORIZED	invalid_client
403	FORBIDDEN	access_denied
500	INTERNAL SERVER ERROR	server_error

ActivID Appliance server failure and error responses conform to the OpenID Connect Core specification - section 3.1.3.4 and OAuth 2. 0 specification - section 5.2, and also define the following claims:

For ‘failure’:

[ hid_failure ] – optional, only for password grant:
- reason – the failure reason code
- authType – the code of ActivID Appliance authentication type (for example, AT_OPCODE)

For ‘error’:

error – an error code which can take on of the following values:
- hid_error – the error is defined by the given code
hid_error – HID custom error, contains an HID error code:
- code – the error reason code

Copy

Sample error response - invalid request

HTTP/1.1 400 Bad Request
Content-Type: application/json;charset=UTF-8
 
{
   "error_description": ":Missing or empty \"code\" parameter",
   "error": "invalid_request"
}

Copy

Sample error response - invalid authentication request ID

HTTP/1.1 400 Bad Request
Content-Type: application/json;charset=UTF-8
 
{
   "error_description": "Invalid grant:CIBA Request Invalid",
   "error": "invalid_grant"
}

Copy

Sample response for failure (password grant)

HTTP/1.1 400 Bad Request
Cache-Control: no-store
Pragma: no-cache
Content-Type: application/json; charset=UTF-8
 
{
    "hid_failure":    {
        "reason": 13,
        "authType": "AT_EMPPWD"
    },
    "error_description": "Invalid grant: Resource owner username or password is invalid (Password does not match):Resource owner username or password is invalid",
    "error": "invalid_grant"
}

Copy

Sample error response - token expired

HTTP/1.1 400 Bad Request
Content-Type: application/json;charset=UTF-8
 
{
   "error_description": "The auth_req_id has expired. The Client will need to make a new Authentication Request.",
   "error": "expired_token"
}

Copy

Sample error response - authorization pending

HTTP/1.1 400 Bad Request
Content-Type: application/json;charset=UTF-8
 
{
   "error_description": "The authorization request is still pending as the end-user hasn't yet been authenticated.",
   "error": "authorization_pending"
}

Copy

Sample error response

HTTP/1.1 400 Bad Request
Cache-Control: no-store
Pragma: no-cache
Content-Type: application/json; charset=UTF-8
 
{
   "hid_error": {"code": "1200"},
   "error_description": "Exception occured: :Resource owner username or password is invalid",
   "error": "hid_error"
}

Copy

Sample response for failure (general)

HTTP/1.1 401 Unauthorized
Cache-Control: no-store
Pragma: no-cache
Content-Type: application/json; charset=UTF-8
 
{
   "error_description": "Client authentication failed: Password does not match: - Client id or secret is invalid",
   "error": "invalid_client"
}