REST API for OAuth in Oracle Access Manager

Create Access Token Flow

post

/oauth2/rest/token

Request

Supported Media Types

application/x-www-form-urlencoded

Query Parameters

identityDomain: string

Identity Domain under which the token is being requested. This is an optional parameter if 'x-oauth-identity-domain-name' header parameter is provided.

Header Parameters

authorization(required): string

Base64 encoded header of clientID:secret. This is an authentication mechanism for the Confidential Clients. Client Authentication can be specified through this header or ClientAssertionTokens. Either one of these mechanisms should be used.
x-oauth-identity-domain-name(required): string

Identity Domain under which the token is being requested.

Form Parameters

assertion: string

User Assertion token.Mandatory parameter in case GrantType is JWT_BEARER.
client_assertion: string

Client Assertion token. This is mandatory if the Client Authentication mechanism is via the ClientAssertionToken. If this is passed, then the authorization header is not required.
client_assertion_type: string

Type of client assertion. This is mandatory if the Client Authentication mechanism is via the ClientAssertionToken. If this is passed, then the authorization header is not required.

Allowed Values: [ "JWT_BEARER", "urn:ietf:params:oauth:client-assertion-type:jwt-bearer" ]
code: string

Authorization Code obtained.Mandatory parameter in case GrantType is AUTHORIZATION_CODE.
grant_type(required): string

Grant Type for the Access Token Request

Allowed Values: [ "CLIENT_CREDENTIALS", "AUTHORIZATION_CODE", "PASSWORD", "JWT_BEARER", "REFRESH_TOKEN" ]
password: string

Password of resource owner.Mandatory parameter in case GrantType is PASSWORD.
redirect_uri: string

Redirect URI.Mandatory parameter in case GrantType is AUTHORIZATION_CODE.
refresh_token: string

Refresh Token played to generate the new Access Token.Mandatory parameter in case GrantType is REFRESH_TOKEN.
scope: string

Scope requested in the Access Token. In case of REFRESH_TOKEN flows, defaulted to the values in the RefreshToken if not specified. In case JWT_BEARER flow access token requests UserInfo related scopes, supported scopes are UserInfo.me, UserInfo.email, UserInfo.profile, UserInfo.address or UserInfo.phone.

Default Value: DefaultScope defined for Client
username: string

Username of resource owner. Mandatory parameter in case GrantType is PASSWORD.

Response

Supported Media Types

application/json

200 Response

Access Token was generated successfully

Root Schema : AccessToken

Type: object

Show Source

access_token: string

Access Token Generated
expires_in: integer

Time before the Access Token expires
refresh_token: string

Refresh Token Generated if enabled. This is also generated only for GrantType - AUTHORIZATION_CODE and PASSWORD
token_type: string

Type of token generated. eg:- Bearer

{
    "type":"object",
    "properties":{
        "access_token":{
            "type":"string",
            "description":"Access Token Generated"
        },
        "token_type":{
            "type":"string",
            "description":"Type of token generated. eg:- Bearer"
        },
        "expires_in":{
            "type":"integer",
            "description":"Time before the Access Token expires"
        },
        "refresh_token":{
            "type":"string",
            "description":"Refresh Token Generated if enabled. This is also generated only for GrantType - AUTHORIZATION_CODE and PASSWORD"
        }
    }
}

400 Response

Bad Request

Root Schema : ErrorCode

Type: object

Show Source

errorCode: string

Error Code Generated
errorDesc: string

Translated Error Description
secErrorDesc: string

Secondary Error Message

{
    "type":"object",
    "properties":{
        "errorCode":{
            "type":"string",
            "description":"Error Code Generated"
        },
        "errorDesc":{
            "type":"string",
            "description":"Translated Error Description"
        },
        "secErrorDesc":{
            "type":"string",
            "description":"Secondary Error Message"
        }
    }
}

Examples

The following cURL command shows a sample request against the server for creating access tokens, with client_id=OAAClient and client_secret=xxx included in the request body.

Make sure to update the POST request URL, username, password, scope, client_id, and client_secret to match your specific setup.

Use Case 1: grant_type=PASSWORD

$ curl -i "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" -H "X-OAUTH-IDENTITY-DOMAIN-NAME: OAADomain" --request POST http://oam01.example.com:xxxxx/oauth2/rest/token -d 'grant_type=PASSWORD&username=al.xxxx&password=xxx&scope=OAAResource.viewResource&client_id=OAAClient&client_secret=xxx'

Sample Response

{"access_token":"eyJrxxxxhHJc1GT4Q","token_type":"Bearer","expires_in":3600,"scope":"OAAResource.viewResource"}

Use Case 2: grant_type=CLIENT_CREDENTIALS

$ curl -i "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" -H "X-OAUTH-IDENTITY-DOMAIN-NAME: OAADomain" --request POST http://oam01.example.com:xxxxx/oauth2/rest/token -d 'grant_type=CLIENT_CREDENTIALS&scope=OAAResource.viewResource&client_id=OAAClient&client_secret=xxx'

Sample Response

{"access_token":"eyJr<snip>eJNdLg1By-6LyuQ","token_type":"Bearer","expires_in":3600,"scope":"OAAResource.viewResource"}