
The token endpoint can be used to programmatically request tokens. It supports the authorization_code, client_credentials, refresh_token and token_exchange grant types.

Parameters

client_id: client identifier (required)

client_assertion_type: the type of the client assertion. Should always be set to urn:ietf:params:oauth:client-assertion-type:jwt-bearer.

client_assertion: a base64 encoded JWT signed with your private key, constructed as specified in https://datatracker.ietf.org/doc/html/rfc7523#section-2.2.

client_secret: client secret, either in the post body or as a basic authentication header. Optional. NOT SUPPORTED IN PRODUCTION. client_assertion and client_assertion_type should be used in all normal cases.

grant_type: authorization_code, client_credentials, refresh_token or urn:ietf:params:oauth:grant-type:token-exchange

scope: one or more registered scopes. If not specified, a token for all explicitly allowed scopes will be issued.

resource: an API resource. Returns an access token with the audience claim set to this API. For retrieving multiple access tokens in an authorization code flow, the first request is made with the code, while subsequent requests must be made with the refresh token.

redirect_uri: required for the authorization_code grant type

code: the authorization code (required for the authorization_code grant type)

code_verifier: PKCE proof key

refresh_token: the refresh token (required for the refresh_token grant type)

subject_token_type: used for the token_exchange grant type. Must be set to urn:ietf:params:oauth:token-type:access_token

subject_token: used for the token_exchange grant type. A base64-encoded access token to be exchanged
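As an added example (not HelseID's own code), the following Go program builds the client_assertion described above according to RFC 7523 section 2.2 and the form body for a client_credentials request that authenticates with it instead of a client_secret; the token endpoint URL, client_id, key and scope are hypothetical placeholders, and an RSA key is generated on the fly to stand in for your registered private key.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/url"
	"time"
)

// Hypothetical values: substitute the real HelseID token endpoint and your registered client_id.
const tokenEndpoint = "https://helseid.example/connect/token"
const clientID = "hypothetical-client-id"
func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }
// buildClientAssertion: the RFC 7523 section 2.2 JWT; iss/sub = client_id, aud = token endpoint, short exp.
func buildClientAssertion(key *rsa.PrivateKey, now time.Time) (string, error) {
	jti := make([]byte, 16) // unique per assertion so the endpoint can reject replays
	rand.Read(jti)
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	claims, _ := json.Marshal(map[string]interface{}{
		"iss": clientID, "sub": clientID, "aud": tokenEndpoint, "jti": b64(jti),
		"iat": now.Unix(), "exp": now.Add(60 * time.Second).Unix(),
	})
	signingInput := b64(header) + "." + b64(claims)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64(sig), nil
}
// tokenRequestBody: client_credentials request authenticated with client_assertion, not client_secret.
func tokenRequestBody(assertion, scope string) url.Values {
	return url.Values{
		"grant_type":            {"client_credentials"},
		"client_id":             {clientID},
		"client_assertion_type": {"urn:ietf:params:oauth:client-assertion-type:jwt-bearer"},
		"client_assertion":      {assertion},
		"scope":                 {scope},
	}
}
func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	assertion, _ := buildClientAssertion(key, time.Now())
	fmt.Println(tokenRequestBody(assertion, "hypothetical:api/scope").Encode())
}
```

The printed body is what you POST as application/x-www-form-urlencoded to the token endpoint; the assertion's short exp and fresh jti limit the damage if a request is captured and replayed.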

Return values

In the case of a successful request HelseID will return the following parameters:

identity_token: the Identity Token, as a Base64 encoded JWT, that corresponds to the current user session. This is only returned when using the authorization_code flow.

access_token: the Access Token as a Base64 encoded JWT.

token_type: the type of token returned. For HelseID this will always be bearer, indicating that the token should be used as a bearer token.

expires_in: the number of seconds until the access token expires.

refresh_token: the Refresh Token. This is only returned when the user requests a Refresh Token using the offline_access scope or when using the refresh_token flow.

rt_expires_in: the number of seconds until the refresh token expires. This value is not part of the standard Token Endpoint flow, but has been added as a convenience for consumers of HelseID.
