Token
The OAuth2 token endpoint in Edlink is essential for exchanging authorization codes for access tokens, refresh tokens, and ID tokens. This guide provides detailed instructions on how to use the token endpoint, assuming you have already obtained an authorization code. For information on obtaining the authorization code, please refer to the relevant section in the Edlink documentation.
Overview
The token endpoint is used to exchange an authorization code received from the authorization endpoint for tokens required for accessing protected resources. This process involves making a secure POST request to the token endpoint with the necessary parameters.
Exchanging the Authorization Code for Tokens
Once you have obtained the authorization code, follow these steps to exchange it for an access token and a refresh token.
Security Note
This exchange should never happen on the client side. Make this request on your server side or backend in a secure environment. The client's web browser should never see your client_secret. This is crucial for maintaining security.
Sample Token Exchange Request
The request to the token endpoint should include the following parameters:
Field | Description |
---|---|
code | This should be set to the authorization code you received. |
client_id | This should be set to the Application ID listed in the Application Keys section of your application configuration. |
client_secret | This should be set to the Secret Key listed in the Application Keys section of your application configuration. |
redirect_uri | This should be set to the redirect_uri you used when requesting the authorization code. |
grant_type | This should be set to authorization_code. |
Sample Code for Token Exchange
Here is an example of how to implement the token exchange using axios in Node.js:
const axios = require('axios');
const qs = require('qs');

// Assume you have received the authorization code
// (req is the incoming request in your server-side redirect handler)
const { code } = req.query;

const request = {
  code: code,
  client_id: 'YOUR_CLIENT_ID',
  client_secret: 'YOUR_CLIENT_SECRET',
  redirect_uri: 'YOUR_REDIRECT_URI',
  grant_type: 'authorization_code'
};

const config = {
  method: 'post',
  url: 'https://ed.link/api/authentication/token',
  headers: {
    'Content-Type': 'application/x-www-form-urlencoded'
  },
  data: qs.stringify(request)
};

axios
  .request(config)
  .then((response) => {
    // response.data contains the tokens: log it during development only
    console.log(JSON.stringify(response.data));
  })
  .catch((error) => {
    // Log the message only: the full axios error object carries the
    // request config, which includes your client_secret
    console.log(error.message);
  });
Replace 'YOUR_CLIENT_ID', 'YOUR_CLIENT_SECRET', 'YOUR_REDIRECT_URI', and code with the appropriate values.
Sample Token Exchange Response
A successful response will look something like this:
{
  "$data": {
    "access_token": "6j42gte2lk1n29nte2lqmkk42g1n28nf0lbl9q",
    "refresh_token": "av439q8nlbl0l4309fp39q8nf0mkn43943f09f",
    "expires_in": 3600
  }
}
Handling Tokens
After receiving the tokens, you should securely store them on the server. The access token can be used to access protected resources, while the refresh token can be used to obtain new access tokens when the current one expires.
Refreshing Tokens
When the access token expires, you can use the refresh token to obtain a new access token without requiring the user to re-authenticate.
Sample Refresh Token Request
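// Uses axios and qs as required in the token exchange sample above
const refreshTokenRequest = {
  refresh_token: 'YOUR_REFRESH_TOKEN',
  client_id: 'YOUR_CLIENT_ID',
  client_secret: 'YOUR_CLIENT_SECRET',
  grant_type: 'refresh_token'
};

const refreshConfig = {
  method: 'post',
  url: 'https://ed.link/api/authentication/token',
  headers: {
    'Content-Type': 'application/x-www-form-urlencoded'
  },
  data: qs.stringify(refreshTokenRequest)
};

axios
  .request(refreshConfig)
  .then((response) => {
    // response.data contains the new tokens: log it during development only
    console.log(JSON.stringify(response.data));
  })
  .catch((error) => {
    // Log the message only: the full axios error object carries the
    // request config, which includes your client_secret and refresh token
    console.log(error.message);
  });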
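The following is an added example, not Edlink's code, that ties the Handling Tokens and Refreshing Tokens steps together: a server-side in-memory store that converts expires_in into an absolute expiry, refreshes shortly before it, and shares one refresh among concurrent callers. The names createTokenStore, parseTokenResponse and postForm, the 60-second skew, and keeping the old refresh token when a response omits one are assumptions; postForm relies on the global fetch in Node 18+.

```javascript
// Added example, not Edlink's code. Function names and SKEW_MS are assumptions.
const TOKEN_URL = 'https://ed.link/api/authentication/token';
const SKEW_MS = 60000; // assumption: refresh one minute before expiry

// Default transport (Node 18+ global fetch); injectable so the logic runs offline.
async function postForm(url, params) {
  const res = await fetch(url, {
    method: 'POST',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: new URLSearchParams(params).toString()
  });
  if (!res.ok) throw new Error(`token endpoint returned HTTP ${res.status}`);
  return res.json();
}
// Check the $data shape shown above and turn expires_in into an absolute time.
function parseTokenResponse(body, now = Date.now()) {
  const data = body && body.$data;
  if (!data || typeof data.access_token !== 'string' || !(data.expires_in > 0)) {
    throw new Error('unexpected token response shape');
  }
  return {
    accessToken: data.access_token,
    refreshToken: data.refresh_token,
    expiresAt: now + data.expires_in * 1000
  };
}

function createTokenStore({ clientId, clientSecret, post = postForm, clock = Date.now }) {
  let current = null;  // tokens stay in server memory only
  let inflight = null; // shared promise: concurrent callers trigger one refresh
  async function refresh() {
    const body = await post(TOKEN_URL, {
      refresh_token: current.refreshToken, grant_type: 'refresh_token',
      client_id: clientId, client_secret: clientSecret
    });
    const next = parseTokenResponse(body, clock());
    // Assumption: keep the old refresh token if the response omits a new one.
    current = { ...next, refreshToken: next.refreshToken || current.refreshToken };
  }
  return {
    set(body) { current = parseTokenResponse(body, clock()); },
    async getAccessToken() {
      if (!current) throw new Error('no tokens stored');
      if (clock() >= current.expiresAt - SKEW_MS) {
        inflight = inflight || refresh().finally(() => { inflight = null; });
        await inflight;
      }
      return current.accessToken;
    }
  };
}
```

Call set() with the response from the authorization code exchange, then call getAccessToken() before each request to a protected resource.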
Conclusion
The OAuth2 token endpoint is crucial for exchanging authorization codes for tokens, enabling secure access to protected resources. By following this guide, you can implement the token exchange process securely and effectively. Always ensure that sensitive information, such as the client secret, is handled securely and never exposed to the client side.