
Token

The token endpoint in OpenID Connect (OIDC) is where a client exchanges an authorization code for the tokens it needs to access protected resources. It is used in every flow whose response type includes code. Below are the details on how to use the token endpoint with each of those response types.

Supported Response Types

The response types that involve the token endpoint are those that include code:

  • code
  • code token
  • code id_token
  • code id_token token

Response Types Explained

  1. Authorization Code Flow (code):
    • The code response type is used in the authorization code flow. It involves obtaining an authorization code from the authorization endpoint and then exchanging it for tokens at the token endpoint.
  2. Hybrid Flow (code token, code id_token, code id_token token):
    • The hybrid flow combines elements of both the authorization code flow and the implicit flow, allowing clients to obtain some tokens directly from the authorization endpoint and others via the token endpoint.

Example Implementations

1. Authorization Code Flow (code)

In the authorization code flow, the client first obtains an authorization code from the authorization endpoint. This code is then exchanged for tokens at the token endpoint.

Step 1: Redirect to Authorization Endpoint

// state must be an unpredictable, single-use value (for example 32 random bytes)
// tied to the user's session; the callback handler rejects any response whose
// state it did not issue. Sending a nonce here as well is recommended so the
// returned ID token can be bound to this request.
const authorizationUrl = `https://ed.link/api/authentication/oidc/authorize?response_type=code&client_id=YOUR_CLIENT_ID&redirect_uri=YOUR_REDIRECT_URI&scope=openid%20profile%20email&state=RANDOM_STATE`;
window.location.href = authorizationUrl;

Step 2: Exchange Authorization Code for Tokens

// This step runs on your server: the client_secret must never be shipped to the
// browser. Before exchanging the code, confirm that the state returned on the
// callback matches the one issued in Step 1.
const axios = require('axios');
const qs = require('qs');

const data = qs.stringify({
    grant_type: 'authorization_code',
    code: 'AUTHORIZATION_CODE',        // the code parameter from the callback URL
    redirect_uri: 'YOUR_REDIRECT_URI', // must match the value sent in Step 1
    client_id: 'YOUR_CLIENT_ID',
    client_secret: 'YOUR_CLIENT_SECRET'
});

const config = {
    method: 'post',
    url: 'https://ed.link/api/authentication/oidc/token',
    headers: {
        'Content-Type': 'application/x-www-form-urlencoded'
    },
    data: data
};

axios
    .request(config)
    .then((response) => {
        // response.data holds the tokens; printed here for demonstration only,
        // avoid logging tokens in production
        console.log(JSON.stringify(response.data));
    })
    .catch((error) => {
        // Log the endpoint's error body, not the whole axios error object:
        // error.config contains the request body, including client_secret.
        console.log(error.response ? error.response.data : error.message);
    });

2. Hybrid Flow (code token, code id_token, code id_token token)

In the hybrid flow, clients can receive some tokens directly from the authorization endpoint and others via the token endpoint.

Step 1: Redirect to Authorization Endpoint

// Response types that contain id_token require a nonce: generate it at random,
// store it alongside the state, and check that the returned ID token carries it.
const authorizationUrl = `https://ed.link/api/authentication/oidc/authorize?response_type=code%20id_token%20token&client_id=YOUR_CLIENT_ID&redirect_uri=YOUR_REDIRECT_URI&scope=openid%20profile%20email&state=RANDOM_STATE&nonce=RANDOM_NONCE`;
window.location.href = authorizationUrl;

Step 2: Parse Tokens from URL Fragment

After the user authorizes, the provider redirects back with the code and tokens in the URL fragment (the part after #), which only the browser can read. Parse them, check that state matches the value you issued, and validate the ID token (signature, issuer, audience, expiry and nonce) together with its c_hash and at_hash claims before trusting the code or access token:

function getTokensFromUrlFragment() {
    // the fragment is formatted like a query string, so URLSearchParams can parse it
    const hash = window.location.hash.substring(1);
    const params = new URLSearchParams(hash);
    return {
        code: params.get('code'),
        id_token: params.get('id_token'),
        access_token: params.get('access_token'),
        state: params.get('state') // compare with the state issued in Step 1
    };
}

const tokens = getTokensFromUrlFragment();
console.log(tokens); // for demonstration only; do not log tokens in production

Step 3: Exchange Authorization Code for Tokens

// Send tokens.code to your server and perform the exchange there: the
// client_secret must not be present in browser code. The two steps are shown in
// one listing here for brevity.
const axios = require('axios');
const qs = require('qs');

const data = qs.stringify({
    grant_type: 'authorization_code',
    code: tokens.code,
    redirect_uri: 'YOUR_REDIRECT_URI', // must match the value sent in Step 1
    client_id: 'YOUR_CLIENT_ID',
    client_secret: 'YOUR_CLIENT_SECRET'
});

const config = {
    method: 'post',
    url: 'https://ed.link/api/authentication/oidc/token',
    headers: {
        'Content-Type': 'application/x-www-form-urlencoded'
    },
    data: data
};

axios
    .request(config)
    .then((response) => {
        // response.data holds the tokens; printed here for demonstration only
        console.log(JSON.stringify(response.data));
    })
    .catch((error) => {
        // Log the endpoint's error body rather than the whole axios error:
        // error.config contains the request body, including client_secret.
        console.log(error.response ? error.response.data : error.message);
    });

Conclusion

The token endpoint in OIDC is crucial for exchanging authorization codes for tokens required to access protected resources. By understanding the different response types and how to use them, you can implement secure and efficient authentication flows in your application.