
OpenID Connect : get access tokens

This page applies to the Authorization Code flow.

The client application needs an access token to obtain protected data from a resource server. The code for this step is entirely the responsibility of the author of the client application: it runs when the authorization server redirects the user's browser back to the client's redirection endpoint URI.

To obtain the access tokens, a client application addresses the token endpoint with the code obtained in the authorization phase.

Token Endpoint

https://oa.dnc.global/token

More details: API OpenID Connect: Authorization Endpoint (Point d’extrémité d’autorisation).

The token endpoint is the endpoint on the authorization server to which the client application presents the authorization code.

Access Token Request Form

The request must be made only by the POST method.

For authentication of the client application to the authorization server, OAuthSD imposes the client_secret_basic method. Authentication is therefore performed using HTTP Basic authentication (see section 2.3.1 of OAuth 2.0 [RFC6749]). The identifiers client_id and client_secret are those that were defined during the registration of the client application on the server.

The following parameters must be posted:
- grant_type: authorization flow type, must be "authorization_code".
- code: the authorization code received.
- redirect_uri: the return address of the client application.

Server response

If successful, the server returns an HTTP 200 response. The body of the response contains:

index   type         value
page    JSON array   access_token : (string) OAuth 2.0 access token
                     expires_in : (long) lifetime in seconds
                     token_type : (string) "Bearer"
                     scope : (string) "openid ... "
                     id_token : (string) ID token (JWT)

The header includes, as it should, the 'Cache-Control: no-cache, no-store' directive.

If unsuccessful, the body of the response contains:

index   type         value
page    JSON array   error : error title
                     error_description : error description

The HTTP response, as well as the values of error and error_description, are described here: API OpenID Connect: Token Endpoint (Point d’extrémité de jeton).

Request the refresh token

OpenID Connect only returns a Refresh Token, together with the access token, if the scope "offline_access" was included in the request and accepted, which will only happen with the authorization flow via a code (Authorization Code Grant).
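The request and response described above, written out in Python as an added example; this is not code from this page or from OAuthSD. Only the token endpoint URL comes from the page: the client name, redirect URI, sample responses and all function names are constructed for the example. It builds the POST with client_secret_basic authentication (the secret goes in the Authorization header, not in the body), then validates both the success body and the error body, turning expires_in into an absolute expiry and flagging a refused offline_access request.

```python
import base64
import json
import time
from urllib.parse import quote, urlencode

# Token endpoint from the page; every other value below is constructed for this example.
TOKEN_ENDPOINT = "https://oa.dnc.global/token"


class TokenError(Exception):
    """Raised when the token endpoint reports an error or returns an unusable response."""


def basic_credentials(client_id, client_secret):
    """client_secret_basic per RFC 6749 section 2.3.1: id and secret are
    form-urlencoded, joined with ':' and base64-encoded."""
    pair = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
    return base64.b64encode(pair.encode("ascii")).decode("ascii")


def build_token_request(client_id, client_secret, code, redirect_uri):
    """Build the Authorization Code token request: POST, form-encoded body,
    client authenticated through the Authorization header."""
    headers = {
        "Authorization": "Basic " + basic_credentials(client_id, client_secret),
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json",
    }
    # With client_secret_basic the secret never appears in the body.
    body = urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
    })
    return {"method": "POST", "url": TOKEN_ENDPOINT, "headers": headers, "body": body}


def parse_token_response(status, headers, body, requested_scope="", now=None):
    """Validate a token endpoint response.

    HTTP 200: the JSON body must carry access_token, token_type "Bearer",
    expires_in and id_token; refresh_token is present only if offline_access
    was requested and accepted. Any other status: the body carries error and
    error_description. Returns a dict with an absolute expiry time so the
    caller never has to remember when expires_in was received."""
    now = time.time() if now is None else now
    try:
        data = json.loads(body)
    except ValueError as exc:
        raise TokenError("token endpoint returned a non-JSON body") from exc

    if status != 200:
        raise TokenError(f"{data.get('error', 'unknown_error')}: "
                         f"{data.get('error_description', '')}")

    for field in ("access_token", "token_type", "expires_in", "id_token"):
        if field not in data:
            raise TokenError(f"success response is missing '{field}'")
    if data["token_type"].lower() != "bearer":
        raise TokenError(f"unexpected token_type {data['token_type']!r}")

    # Tokens are credentials: a 200 response must carry Cache-Control: no-store
    # so that no intermediary keeps a copy. Header names are case-insensitive.
    lowered = {k.lower(): v for k, v in headers.items()}
    cacheable = "no-store" not in lowered.get("cache-control", "").lower()

    refresh_token = data.get("refresh_token")
    # The server may refuse offline_access: then there is no refresh token and the
    # client must send the user through the authorization flow again on expiry.
    offline_refused = ("offline_access" in requested_scope.split()
                       and refresh_token is None)

    return {
        "access_token": data["access_token"],
        "id_token": data["id_token"],
        "expires_at": now + int(data["expires_in"]),
        "scope": data.get("scope", ""),
        "refresh_token": refresh_token,
        "cacheable": cacheable,
        "offline_access_refused": offline_refused,
    }


# Constructed sample responses (not captured from the server).
SAMPLE_SUCCESS = (
    200,
    {"Cache-Control": "no-cache, no-store", "Content-Type": "application/json"},
    json.dumps({"access_token": "at-example", "expires_in": 3600, "token_type": "Bearer",
                "scope": "openid profile", "id_token": "eyJ.example.sig"}),
)
SAMPLE_ERROR = (
    400,
    {"Content-Type": "application/json"},
    json.dumps({"error": "invalid_grant", "error_description": "authorization code expired"}),
)

if __name__ == "__main__":
    req = build_token_request("chemin_openid", "01fc458", "code-from-callback",
                              "https://client.example/callback")
    print(req["headers"]["Authorization"], req["body"])
    print(parse_token_response(*SAMPLE_SUCCESS, requested_scope="openid offline_access",
                               now=1_700_000_000))
    try:
        parse_token_response(*SAMPLE_ERROR)
    except TokenError as exc:
        print("token endpoint error:", exc)
```

The parser deliberately treats a missing id_token or a non-Bearer token_type as a failure rather than working around it: on this server a 200 response without those fields means the client is not talking to the endpoint it thinks it is.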

Code examples

Query data:
- $authcode is the authorization code obtained in the previous step and sent to the callback page.
- $client_id, $client_secret: as indicated when registering the client application on the authorization server.

PHP

    // Request an access token for the application

    // The token endpoint (see above). Use https only: the request carries the client secret.
    $url = 'https://oa.dnc.global/token';

    $datas = array(
        'grant_type'    => 'authorization_code',
        'code'          => $authcode,
        'redirect_uri'  => 'http://chemindeleau.com/callback_openid.php',
        'client_id'     => 'chemin_openid',
        'client_secret' => '01fc458',
    );

    $ch = curl_init();

    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_POST, true);
    curl_setopt($ch, CURLOPT_HTTPHEADER, array('Content-Type: application/x-www-form-urlencoded'));
    curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($datas));
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_HEADER, false);
    curl_setopt($ch, CURLOPT_TIMEOUT, 30);
    // Verify the server certificate: disabling this lets anyone on the path read the secret and the tokens.
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);

    $result_json = curl_exec($ch);
    if ($result_json === false) {
        $curl_error = curl_error($ch);
        curl_close($ch);
        die('Token request failed: ' . $curl_error);
    }
    $http_status = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    curl_close($ch);

    $result = json_decode($result_json, true);
    if ($http_status != 200 || !isset($result['access_token'])) {
        // Error response: the body carries 'error' and 'error_description' (see "Server response")
        die('Token endpoint error: ' . ($result['error'] ?? 'unknown') . ' - ' . ($result['error_description'] ?? ''));
    }
    $access_token = $result['access_token'];  // Access Token
    $id_token     = $result['id_token'];      // ID Token (JWT)


Authentication can also be passed in the header (HTTP Basic authentication, the client_secret_basic method) like this:

    $url = 'https://oa.dnc.global/token';

    // With Basic authentication the client credentials are not part of the body
    $datas = array(
        'grant_type'   => 'authorization_code',
        'code'         => $sanitized_authcode,
        'redirect_uri' => 'http://chemindeleau.com/callback_openid.php',
    );

    $client_id     = 'chemin_openid';
    $client_secret = '01fc458';

    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_TIMEOUT, 30);
    // cURL builds the "Authorization: Basic base64(client_id:client_secret)" header itself
    curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_BASIC);
    curl_setopt($ch, CURLOPT_USERPWD, "{$client_id}:{$client_secret}");
    curl_setopt($ch, CURLOPT_POST, true);
    curl_setopt($ch, CURLOPT_HTTPHEADER, array('Content-Type: application/x-www-form-urlencoded'));
    curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($datas));
    curl_setopt($ch, CURLOPT_HEADER, false);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);

    $result_json = curl_exec($ch);
    curl_close($ch);

    $result = json_decode($result_json, true);
    $access_token = $result['access_token'];  // Access Token
    $id_token     = $result['id_token'];      // ID Token (JWT)


SPIP

    $url = 'https://oa.dnc.global/oauth/token.php';
    $options = array(
        'method' => 'POST',
        'datas'  => array(
            'grant_type'    => 'authorization_code',
            'code'          => $authcode,
            'redirect_uri'  => 'http://chemindeleau.com/callback_openid.php',
            'client_id'     => 'chemin_openid',
            'client_secret' => '01fc458',
        ),
    );

    // recuperer_url returns an array whose 'page' index holds the response body
    $res = recuperer_url($url, $options);
    if (!$res || empty($res['page'])) {
        die('Token request failed');
    }

    $page = json_decode($res['page'], true);
    if (isset($page['error'])) {
        // Error response: 'error' and 'error_description' (see "Server response")
        die('Token endpoint error: ' . $page['error'] . ' - ' . ($page['error_description'] ?? ''));
    }

    $token    = $page['access_token'];
    $id_token = $page['id_token'];
