Versions Compared

...

Used to obtain a new access token based on an authorization code.

...

Specifications

Request

POST https://{miljø}/sts/oidcprov/v3/token

  • Content-Type: application/x-www-form-urlencoded

Mutual TLS is required if the client is configured to require mTLS.

Related specifications (confidential client)

  • OpenID Connect Core 1.0 - Token Request
  • The OAuth 2.0 Authorization Framework - Access Token Request
  • Assertion Framework for OAuth 2.0 Client Authentication and Authorization Grants
  • Proof Key for Code Exchange by OAuth Public Clients

Request parameters (location: body; type: string)

  • client_id: Required for public clients; not used for confidential clients.
  • client_assertion_type: Required for confidential clients; must have the value "urn:ietf:params:oauth:client-assertion-type:jwt-bearer" (the compared page version shows the URL-encoded SAML2 value "urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Asaml2").
  • client_assertion: Required for confidential clients; not used for public clients.
  • grant_type: Required; must have the value "authorization_code".
  • code: Authorization code received from the /authorize endpoint.
  • code_verifier: PKCE; the same value that was sent to the /par or /authorize endpoint, but without the SHA-256 hash (the plain verifier is sent here, whereas /par or /authorize received its hashed code_challenge).
  • redirect_uri: Same value that was sent to the /par or /authorize endpoint.

Response - Success

Response body

  • access_token (string): Access token that must be used in any subsequent API calls to Helsenorge.
  • id_token (string): ID token with information about the logged-in citizen and, where applicable, the represented citizen. See: ID token
  • token_type (string): "Bearer"
  • refresh_token (string): Included if the client requested it (i.e. scope = "offline_access" in the request to the PAR endpoint) AND the client is configured at Helsenorge to be allowed to receive a refresh token.
    NB! refresh_token initially has the same lifetime as access_token. Extending the lifetime of refresh_token must be done through the /extend endpoint.
  • expires_in (int): How long access_token and (initially) refresh_token are valid. (Default validity is 30 min.)
  • scope (string): Returns the same scopes the client supplied as parameters to the PAR endpoint.

Response - Failure

Response body

  • error
  • error_description

Possible error codes

    ...

Listed as: HTTP status code, error code, description

  • 400 invalid_request: The request is missing a required parameter, includes an unsupported parameter value (other than grant type), repeats a parameter, includes multiple credentials, utilizes more than one mechanism for authenticating the client, or is otherwise malformed.
  • 400 invalid_client: Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method). The authorization server MAY return an HTTP 401 (Unauthorized) status code to indicate which HTTP authentication schemes are supported. If the client attempted to authenticate via the "Authorization" request header field, the authorization server MUST respond with an HTTP 401 (Unauthorized) status code and include the "WWW-Authenticate" response header field matching the authentication scheme used by the client.
  • 400 invalid_grant: The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client.
  • 400 unauthorized_client: The authenticated client is not authorized to use this authorization grant type.
  • 400 unsupported_grant_type: The authorization grant type is not supported by the authorization server.
  • 400 invalid_scope: The requested scope is invalid, unknown, malformed, or exceeds the scope granted by the resource owner.
  • 503: The authorization server is currently unable to handle the request due to a temporary overloading or maintenance of the server.
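The following is an added example, not Helsenorge's own code, covering both the request parameters above and the success/failure responses: it derives a PKCE code_verifier and its S256 code_challenge (RFC 7636), performs the server-side verifier check that /token relies on, builds the form body for a public client (client_id) or a confidential client (client_assertion_type plus a signed JWT), and validates or classifies the response. It assumes only the Python standard library, keeps the page's {miljø} environment placeholder in TOKEN_URL, takes the client_assertion JWT as an already-signed string (signing with the client's registered key is outside the example), and uses constructed sample response bodies.

```python
# Added example (not Helsenorge's code): PKCE + /token request body + response checks.
# Assumptions: stdlib only; client_assertion is supplied already signed;
# {miljø} is the page's environment-host placeholder.
import base64
import hashlib
import json
import secrets
from typing import Optional
from urllib.parse import urlencode

TOKEN_URL = "https://{miljø}/sts/oidcprov/v3/token"  # {miljø} = environment host (placeholder)
JWT_BEARER = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires for PKCE values."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def new_code_verifier() -> str:
    """32 random bytes -> 43-character verifier (RFC 7636 allows 43..128 chars)."""
    return b64url(secrets.token_bytes(32))


def code_challenge_s256(code_verifier: str) -> str:
    """The code_challenge sent to /par or /authorize: base64url(SHA-256(verifier))."""
    return b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())


def verify_pkce(code_verifier: str, stored_challenge: str) -> bool:
    """Server-side check at /token: the plain verifier must hash to the challenge
    bound to the authorization code. Length-checked and compared in constant time."""
    if not 43 <= len(code_verifier) <= 128:
        return False
    return secrets.compare_digest(code_challenge_s256(code_verifier), stored_challenge)


def build_token_request(code: str, code_verifier: str, redirect_uri: str, *,
                        client_id: Optional[str] = None,
                        client_assertion: Optional[str] = None) -> str:
    """Return the application/x-www-form-urlencoded body for POST /token.
    A public client sends client_id; a confidential client sends a signed JWT as
    client_assertion instead (exactly one of the two, never both)."""
    if (client_id is None) == (client_assertion is None):
        raise ValueError("exactly one of client_id or client_assertion is required")
    form = {
        "grant_type": "authorization_code",
        "code": code,
        "code_verifier": code_verifier,  # plain verifier, not the S256 challenge
        "redirect_uri": redirect_uri,    # must equal the value sent to /par or /authorize
    }
    if client_id is not None:
        form["client_id"] = client_id
    else:
        form["client_assertion_type"] = JWT_BEARER  # urlencode emits it as %3A-escaped
        form["client_assertion"] = client_assertion
    return urlencode(form)


def classify_token_response(status: int, body: str) -> dict:
    """Validate a success body (required fields, token_type Bearer) or map a
    failure to its error code and whether retrying makes sense."""
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        data = {}
    if status == 200:
        required = {"access_token", "id_token", "token_type", "expires_in", "scope"}
        missing = required - data.keys()
        if missing:
            raise ValueError(f"success response missing fields: {sorted(missing)}")
        if data["token_type"] != "Bearer":
            raise ValueError(f"unexpected token_type {data['token_type']!r}")
        return {"ok": True, "expires_in": data["expires_in"],
                "has_refresh_token": "refresh_token" in data}
    # 400 errors mean the request itself is wrong (do not retry unchanged);
    # 503 is a temporary server condition, the only one worth retrying.
    return {"ok": False, "error": data.get("error"), "retryable": status == 503}


# Constructed sample bodies (not captured from Helsenorge); 1800 s = the 30 min default.
SAMPLE_OK = json.dumps({"access_token": "at.example", "id_token": "idt.example",
                        "token_type": "Bearer", "expires_in": 1800,
                        "scope": "openid offline_access", "refresh_token": "rt.example"})
SAMPLE_ERR = json.dumps({"error": "invalid_grant",
                         "error_description": "authorization code already used"})

if __name__ == "__main__":
    verifier = new_code_verifier()
    print("code_challenge for /par or /authorize:", code_challenge_s256(verifier))
    print("POST", TOKEN_URL)
    print(build_token_request("code-from-authorize", verifier,
                              "https://client.example/callback", client_id="my-public-client"))
    print(classify_token_response(200, SAMPLE_OK))
    print(classify_token_response(400, SAMPLE_ERR))
```

The verifier/challenge pair can be checked against the RFC 7636 Appendix B test vector; the form encoder shows why the page's URL-encoded spelling of the assertion type (with %3A) and the plain URN are the same value on the wire.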