3. Token Endpoint

The Token Endpoint is used by the client to exchange an authorization code for tokens after the user successfully authenticates. This is a secure back-channel request made directly between the client and Corppass.

Returned Tokens

  • ID Token: A signed and encrypted JWE that includes the entity and user information. Relying Parties (RPs) must decrypt it using their private encryption key, then verify the JWT's signature using Corppass' public keys, available at the Corppass JWKS endpoint.

  • Access Token: A signed JWS intended for the Corppass resource server(s).

Supported Grant Types

Grant types define the method by which a client obtains tokens from the authorization server.

For the OpenID Connect (OIDC) authentication flow, Corppass supports the following grant types:

| Grant Type | Description |
|---|---|
| authorization_code | Used to securely exchange an authorization code for an ID Token and Access Token. Requires prior user authentication and is suitable for confidential clients. |

Refer to Section 3.1 of the OIDC Core Specification for more details.

Request

To obtain the Access Token and ID Token, send a POST request to the Token Endpoint URL obtained from the OpenID Discovery Endpoint (token_endpoint).

POST /mga/sps/oauth/oauth20/token

Request Headers

| Field | Required | Description |
|---|---|---|
| Content-Type | Yes | Indicates the encoding format of the request body. Must be set to application/x-www-form-urlencoded. |
| DPoP | Yes | The JWK Thumbprint of your proof-of-possession public key, for binding the access token. The JWK thumbprint should be computed using the SHA256 hash algorithm and encoded using base64url. It must be created using the same key as the DPoP proof presented in the Pushed Authorization Request (PAR). Refer to the Demonstrating Proof of Possession section for more details. |

Request Body

| Field | Required | Description |
|---|---|---|
| code | Yes | The authorization code issued during the callback step at the Authorization Endpoint. Note: the code is valid for 60 seconds; expired codes will result in an error. |
| redirect_uri | Yes | The URL that Corppass redirects the user to. This must match the redirect_uri used in the original PAR request. |
| grant_type | Yes | The type of grant being requested. Must be set to authorization_code. |
| client_id | No | The client identifier assigned to the Relying Party during onboarding. If provided, this must match the sub claim in the client assertion JWT. |
| client_assertion_type | Yes | Must be set to urn:ietf:params:oauth:client-assertion-type:jwt-bearer, as mandated by OIDC specifications. |
| client_assertion | Yes | A JWT identifying the client. Refer to the Client Assertion JWT section for more details. |
| code_verifier | Yes | The code verifier generated by the client. This must be the same value used to generate the code_challenge provided at PAR. Refer to Proof Key for Code Exchange for more details. |

Sample Request

Success Response

If the request is valid, Corppass returns a JSON response containing the tokens.

Response Body

| Field | Type | Description |
|---|---|---|
| access_token | JWS | The Access Token containing standard claims. The token is valid for 10 minutes from time of issuance. Refer to the Access Token section for more details. |
| id_token | JWE | The ID Token containing relevant claims. It is encrypted and signed. Refer to the ID Token section for more details. |
| token_type | String | The type of token issued. Value is always DPoP. |
| expires_in | Numeric | The lifetime of the Access Token in seconds. |
| scope | String | The scopes granted for the issued tokens. This field may include openid along with other scopes requested during authorization. |

Sample Response

Error Response

If the token exchange fails, Corppass returns a JSON response containing an error code and description.

Response Body

| Field | Type | Description |
|---|---|---|
| error | String | The error code identifying the type of error. See Error Codes below. |
| error_description | String | A human-readable description of the error. |

Error Codes

| Error Code | HTTP Status | Description |
|---|---|---|
| invalid_request | 400 / 401 | The request is missing a required parameter, includes an unsupported or duplicated parameter, or is malformed. |
| invalid_client | 400 / 401 | Client authentication failed due to a missing, invalid, expired, or improperly formatted client credential or assertion. |
| invalid_grant | 400 / 401 | The provided authorization code is invalid, expired, revoked, or does not match the authenticated client. |
| invalid_dpop_proof | 401 | The DPoP proof is invalid, expired, malformed, or failed verification. |
| unsupported_grant_type | 400 | The grant type is not supported. |
| server_error | 500 | The authorization server encountered an unexpected internal error while processing the request. The error can potentially be due to the RP's JWK endpoint being unreachable or returning a malformed JWK. |
| temporarily_unavailable | 503 | The server is temporarily unable to handle the request due to maintenance or high load. |
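As an added example (not Corppass or RP code), the Python below handles both response shapes documented above: on HTTP 200 it checks that every documented field is present, that token_type is DPoP, that expires_in is a positive integer, and that the tokens have the compact-serialization shape the Type column states (a JWS has three dot-separated parts, a JWE has five); on any other status it maps the error code to whether a retry is sensible. The sample bodies are constructed, the token strings are placeholders rather than real tokens, and the per-error action text is this example's own guidance. Verifying the access token signature and decrypting the ID Token belong to the Access Token and ID Token sections and are not done here.

```python
import json

# Values taken from the response tables above.
EXPECTED_TOKEN_TYPE = "DPoP"
REQUIRED_SUCCESS_FIELDS = ("access_token", "id_token", "token_type", "expires_in", "scope")
RETRYABLE_ERRORS = {"server_error", "temporarily_unavailable"}

# Next step per documented error code (this example's own wording).
ERROR_ACTIONS = {
    "invalid_request": "fix or remove the offending request parameter",
    "invalid_client": "check the client_assertion JWT: signature, expiry, and sub vs client_id",
    "invalid_grant": "restart the authorization flow; the code is single-use and expires after 60 s",
    "invalid_dpop_proof": "rebuild the DPoP material with the same key presented at PAR",
    "unsupported_grant_type": "send grant_type=authorization_code",
    "server_error": "retry with backoff; also confirm the RP JWK endpoint is reachable and serves well-formed JWKs",
    "temporarily_unavailable": "retry with backoff",
}

# Constructed sample bodies; the token strings are placeholders with the right number of parts.
SAMPLE_SUCCESS_BODY = json.dumps({
    "access_token": "eyJhbGciOiJFUzI1NiJ9.constructed-payload.constructed-signature",
    "id_token": "eyJhbGciOiJSU0EtT0FFUCJ9.constructed-key.constructed-iv.constructed-ciphertext.constructed-tag",
    "token_type": "DPoP",
    "expires_in": 600,
    "scope": "openid",
})
SAMPLE_ERROR_BODY = json.dumps({
    "error": "invalid_grant",
    "error_description": "authorization code has expired",
})


def validate_success_body(data: dict) -> list[str]:
    """Return the problems found in a 200 body; an empty list means it is well-formed."""
    problems = [f"missing field: {f}" for f in REQUIRED_SUCCESS_FIELDS if f not in data]
    if problems:
        return problems
    if data["token_type"] != EXPECTED_TOKEN_TYPE:
        problems.append(f"token_type is {data['token_type']!r}, expected {EXPECTED_TOKEN_TYPE!r}")
    expires_in = data["expires_in"]
    # bool is a subclass of int, so exclude it explicitly.
    if isinstance(expires_in, bool) or not isinstance(expires_in, int) or expires_in <= 0:
        problems.append("expires_in must be a positive integer number of seconds")
    if data["access_token"].count(".") != 2:
        problems.append("access_token is not a compact JWS (expected 3 parts)")
    if data["id_token"].count(".") != 4:
        problems.append("id_token is not a compact JWE (expected 5 parts)")
    return problems


def handle_token_response(status: int, body: str) -> dict:
    """Classify a token endpoint response. Never trust a 200 until its body checks out."""
    try:
        data = json.loads(body)
    except ValueError:
        return {"ok": False, "status": status, "error": "invalid_response",
                "retryable": False, "problems": ["body is not JSON"]}
    if not isinstance(data, dict):
        return {"ok": False, "status": status, "error": "invalid_response",
                "retryable": False, "problems": ["body is not a JSON object"]}
    if status == 200:
        problems = validate_success_body(data)
        if problems:
            return {"ok": False, "status": status, "error": "invalid_response",
                    "retryable": False, "problems": problems}
        scopes = data["scope"].split()
        return {"ok": True, "status": status, "scopes": scopes,
                "has_openid": "openid" in scopes, "expires_in": data["expires_in"],
                "access_token": data["access_token"], "id_token": data["id_token"]}
    code = data.get("error", "unknown_error")
    return {"ok": False, "status": status, "error": code,
            "description": data.get("error_description", ""),
            "retryable": code in RETRYABLE_ERRORS,
            "action": ERROR_ACTIONS.get(code, "unrecognised error code; log and investigate")}


if __name__ == "__main__":
    print(handle_token_response(200, SAMPLE_SUCCESS_BODY))
    print(handle_token_response(400, SAMPLE_ERROR_BODY))
```

Treat the retryable flag as advice for a short backoff only; an invalid_grant after a retry means the 60-second code window has closed and the user must go through authorization again, and an unexpected token_type or malformed token is a reason to stop and alert rather than to proceed to the Userinfo Endpoint.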

Sample Response

Next Steps

1. Retrieve Entity & User Identity (ID Token)

The ID Token contains information about both the Entity and the Acting User performing the transaction.

Proceed to ID Token section for decryption steps and claim mapping.

2. Fetch Additional Data (Userinfo Endpoint)

If your application requires more detailed entity and user attributes not present in the ID Token, use the Access Token to query the Userinfo Endpoint for additional information.

Proceed to 4. Userinfo Endpoint to fetch additional data.
