Token Endpoint
POST /mga/sps/oauth/oauth20/token
The Token Endpoint is used by the client to exchange an authorization code for tokens after the user successfully authenticates. This is a backchannel request made directly between the client and Corppass.
The tokens returned by Corppass are:
ID Token: A signed and encrypted JWE that carries user information in the sub claim and is signed by Corppass. Relying Parties (RPs) can verify the JWT's signature using the public keys published at the Corppass JWKS endpoint.
Access Token: A signed JWS intended for the Corppass resource server(s).
Supported Grant Types
Grant types define the method by which a client obtains tokens from the authorization server. For the OpenID Connect (OIDC) authentication flow, Corppass supports the following grant types:
authorization_code
Used to securely exchange an authorization code for an ID token and access token. Requires prior user authentication and is suitable for confidential clients. Refer to Section 3.1 of the OIDC Core Specification for more details on this grant.
Request
Request Example
POST /mga/sps/oauth/oauth20/token
Content-Type: application/x-www-form-urlencoded
DPoP: <signed-DPoP-JWT>

grant_type=authorization_code&
code=SplxlOBeZQQYbYS6WxSbIA&
redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb&
client_id=your-client-id&
client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer&
client_assertion=<signed-client-JWT>&
code_verifier=ABC123xyz456...
Request Headers
Content-Type (required)
    Must be set to application/x-www-form-urlencoded for POST requests. Indicates the encoding format of the request body.
DPoP (required)
    A signed proof-of-possession JWT for binding the access token. Refer to the Demonstrating Proof of Possession section for more details.
Request Body
redirect_uri (required)
    The redirect URI used in the current authentication session.
grant_type (required)
    The type of grant being requested. This must be set to authorization_code.
code (required)
    The authorization code issued during the /mga/sps/oauth/oauth20/authorize call.
client_assertion_type (required)
    Must be set to urn:ietf:params:oauth:client-assertion-type:jwt-bearer
client_assertion (required)
    A JWT identifying the client. Refer to the Client Assertion JWT section for more details about the JWT structure.
client_id (required)
    The client identifier assigned to the Relying Party during onboarding with Corppass.
code_verifier (required)
    A cryptographically random string generated by the client. Corppass compares it with the code_challenge sent during the /mga/sps/oauth/oauth20/authorize or /request call.
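The request described above, assembled end to end in Python as an added example; this is not Corppass's code nor that of any Corppass SDK. It assumes a placeholder host for the token URL (only the path is given on this page), the standard private_key_jwt claim set from RFC 7523 for client_assertion, the standard proof claims from RFC 9449 for the DPoP header, and PKCE with the S256 method; the exact claims Corppass requires are in the Client Assertion JWT and Demonstrating Proof of Possession sections referenced above. Signing is abstracted behind a `signer` callback so the caller supplies the JOSE library and the RP's ES256 private key; the HMAC stand-in at the bottom exists only so the example runs offline and would never be accepted by Corppass.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Callable
from urllib.parse import urlencode

# Placeholder host: this page gives only the path, not the Corppass hostname.
TOKEN_URL = "https://corppass.example.invalid/mga/sps/oauth/oauth20/token"

# Placeholder public key for the DPoP "jwk" header; a real client puts the
# public half of its DPoP key pair here.
PLACEHOLDER_JWK = {"kty": "EC", "crv": "P-256", "x": "<x-coordinate>", "y": "<y-coordinate>"}


def b64url(data: bytes) -> str:
    """base64url without padding, as used by JWTs and PKCE."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_pkce_pair() -> tuple:
    """Return (code_verifier, code_challenge) for the S256 method.

    The verifier is created before the /authorize (or /request) call and kept
    client-side; its SHA-256 challenge goes to /authorize, and the verifier itself
    goes to the token endpoint so Corppass can compare the two.
    """
    verifier = b64url(secrets.token_bytes(32))  # 43 chars, within RFC 7636 bounds
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def verify_pkce(code_verifier: str, code_challenge: str) -> bool:
    """The server-side check: recompute S256 and compare in constant time."""
    expected = b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())
    return hmac.compare_digest(expected, code_challenge)


def build_jwt(header: dict, claims: dict, signer: Callable[[bytes], bytes]) -> str:
    """Assemble a compact JWS; `signer` returns raw signature bytes for the input."""
    h = b64url(json.dumps(header, separators=(",", ":")).encode())
    c = b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{h}.{c}"
    return f"{signing_input}.{b64url(signer(signing_input.encode('ascii')))}"


def client_assertion(client_id: str, signer, now: int, lifetime: int = 120) -> str:
    """client_assertion JWT with the RFC 7523 claim set (assumed, see lead-in)."""
    header = {"alg": "ES256", "typ": "JWT"}  # alg must match the key `signer` uses
    claims = {
        "iss": client_id,
        "sub": client_id,
        "aud": TOKEN_URL,                         # the endpoint consuming the assertion
        "jti": b64url(secrets.token_bytes(16)),   # unique per assertion, lets replays be rejected
        "iat": now,
        "exp": now + lifetime,                    # short-lived on purpose
    }
    return build_jwt(header, claims, signer)


def dpop_proof(public_jwk: dict, signer, now: int) -> str:
    """DPoP proof for this POST with the RFC 9449 claim set (assumed, see lead-in)."""
    header = {"typ": "dpop+jwt", "alg": "ES256", "jwk": public_jwk}
    claims = {
        "jti": b64url(secrets.token_bytes(16)),
        "htm": "POST",
        "htu": TOKEN_URL,                         # no query string or fragment
        "iat": now,
    }
    return build_jwt(header, claims, signer)


def build_token_request(code, redirect_uri, client_id, code_verifier, signer,
                        public_jwk, now=None) -> tuple:
    """Return (headers, form_body) for the token endpoint call shown on this page."""
    now = int(time.time()) if now is None else now
    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        "DPoP": dpop_proof(public_jwk, signer, now),
    }
    form = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": client_id,
        "client_assertion_type": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
        "client_assertion": client_assertion(client_id, signer, now),
        "code_verifier": code_verifier,
    }
    return headers, urlencode(form)


def stand_in_signer(signing_input: bytes) -> bytes:
    """Offline stand-in ONLY: HMAC with a throwaway key so the example runs without a
    JOSE library. A real client signs with its ES256 private key instead."""
    return hmac.new(b"throwaway-demo-key", signing_input, hashlib.sha256).digest()


if __name__ == "__main__":
    verifier, challenge = make_pkce_pair()  # challenge would have gone to /authorize
    hdrs, body = build_token_request("SplxlOBeZQQYbYS6WxSbIA", "https://client.example.org/cb",
                                     "your-client-id", verifier, stand_in_signer, PLACEHOLDER_JWK)
    print(json.dumps(hdrs, indent=2))
    print(body)
```

In production, `stand_in_signer` is replaced by a call into the RP's JOSE library with the ES256 private key, and the same key pair used for the DPoP proof is later used to sign the proof sent with each resource request, which is what binds the DPoP-typed access token to the client.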
Response
Successful Response Example
{
"access_token": "eyJraWQiOiJueGlKSk5OVnh4blRrVTJ3TDY1VEkyUGtJTElKT1VSU1RRU0FCTHVIMmtFIiwiYWxnIjoiRVMyNTYifQ.eyJleHAiOjE2MjQwODQ4MjMsImlhdCI6MTYyNDA4NDIyMywiaXNzIjoiaHR0cHM6Ly9jb3JwcGFzc3JwMDMiLCJhdWQiOiJ2T0lsaldWckd5Qk1LNmYzMVFZcSIsInNjb3BlIjpbImF1dGhpbmZvIiwidHBhdXRoaW5mbyJdfQ.jzzTSQw5w3B_88KgqzThrP237wYWkuuzBdRpHnT4iNoqWAjV8KsXDqwBgOnECsFBeshJXahMDswyqw6xlgTO9g",
"scope": "openid",
"id_token": "eyJraWQiOiJueGlKSk5OVnh4blRrVTJ3TDY1VEkyUGtJTElKT1VSU1RRU0FCTHVIMmtFIiwiYWxnIjoiRVMyNTYifQ.eyJlbnRpdHlJbmZvIjp7IkNQRW50SUQiOiJWQlIwMDAwMDQiLCJDUEVudF9UWVBFIjoiVUVOIiwiQ1BFbnRfU3RhdHVzIjoiUmVnaXN0ZXJlZCIsIkNQTm9uVUVOX0NvdW50cnkiOiIiLCJDUE5vblVFTl9SZWdObyI6IiIsIkNQTm9uVUVOX05hbWUiOiIifSwiYW1yIjpbInB3ZCJdLCJpYXQiOjE2MjQwODQyMjIsImlzcyI6Imh0dHBzOi8vY29ycHBhc3NycDAzIiwic3ViIjoicz1udWxsLHU9YW1pdGVzaCxjPW51bGwiLCJhdF9oYXNoIjoiMncxWjlBNW9qZExic2hSLUIwbFV4QSIsImV4cCI6MTYyNDA4NzgyMiwiYXVkIjoidk9JbGpXVnJHeUJNSzZmMzFRWXEifQ.lwTieBCXxOHMtKFkpLZDarzGe5QsZiFnZoWxVoSPLEzPhTABMgStGknzlf9m1hZiw6rCP_4InngFNLeh8DeztA",
"token_type": "DPoP",
"expires_in": 599
}
access_token (JWS)
    The access token containing standard claims in JWS format, signed by Corppass. Refer to the Access Token section for more details.
scope (String)
    The scopes granted for the issued tokens. This field may include openid along with other scopes requested during authorization.
id_token (JWE)
    The ID token containing relevant claims in JWT format, signed by Corppass. Refer to the ID Token Structure section for more details.
token_type (String)
    The type of token issued. Currently, only DPoP is supported.
expires_in (Numeric)
    The remaining lifetime of the access token in seconds.
The access token issued by the token endpoint has a validity period of 10 minutes. Clients should ensure that it is used within this timeframe to access the protected resources.
Error Response
An example of an error response
{
"error": "invalid_request",
"error_description": "Request is missing or malformed."
}
invalid_request (HTTP 400)
    The request is missing a required parameter, includes an unsupported or duplicated parameter, or is malformed.
invalid_client (HTTP 400)
    Client authentication failed (e.g., bad client_assertion, unknown client, or missing credentials).
invalid_grant (HTTP 400)
    The client is not authorized to use this grant type or endpoint.
unauthorized_client (HTTP 401)
    The provided authorization_code is invalid, expired, revoked, or does not match the authenticated client.
unsupported_grant_type (HTTP 400)
    The requested scope is invalid, unknown, malformed, or exceeds what the client is allowed.
invalid_scope (HTTP 400)
    The grant_type is not supported by Corppass.
server_error (HTTP 500)
    The authorization server encountered an unexpected internal error while processing the request.
temporarily_unavailable (HTTP 503)
    The service is temporarily unavailable (e.g., due to maintenance or overload).
This is a backchannel endpoint. Corppass returns errors as JSON in the HTTP response body. No redirection to the client's redirect_uri will occur.
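The success and error responses above, handled the way a Relying Party should before it uses either token: an added Python example, not Corppass's code. It takes the example tokens from this page as input; they are three-segment JWS values, so their claims can be read directly (the page describes the production id_token as a JWE, which must first be decrypted with the RP's key, a step not shown here). The expected issuer and audience in the checks are the values found in those example tokens. The code inspects claims only; the ES256 signatures must still be verified against the keys at the Corppass JWKS endpoint with a JOSE library before any claim is trusted, and that step is outside this snippet.

```python
import base64
import hashlib
import json

# Tokens copied from the successful response example on this page (not constructed).
EXAMPLE_RESPONSE = {
    "access_token": (
        "eyJraWQiOiJueGlKSk5OVnh4blRrVTJ3TDY1VEkyUGtJTElKT1VSU1RRU0FCTHVIMmtFIiwiYWxnIjoiRVMyNTYifQ"
        ".eyJleHAiOjE2MjQwODQ4MjMsImlhdCI6MTYyNDA4NDIyMywiaXNzIjoiaHR0cHM6Ly9jb3JwcGFzc3JwMDMiLCJhdWQiOiJ2T0lsaldWckd5Qk1LNmYzMVFZcSIsInNjb3BlIjpbImF1dGhpbmZvIiwidHBhdXRoaW5mbyJdfQ"
        ".jzzTSQw5w3B_88KgqzThrP237wYWkuuzBdRpHnT4iNoqWAjV8KsXDqwBgOnECsFBeshJXahMDswyqw6xlgTO9g"
    ),
    "scope": "openid",
    "id_token": (
        "eyJraWQiOiJueGlKSk5OVnh4blRrVTJ3TDY1VEkyUGtJTElKT1VSU1RRU0FCTHVIMmtFIiwiYWxnIjoiRVMyNTYifQ"
        ".eyJlbnRpdHlJbmZvIjp7IkNQRW50SUQiOiJWQlIwMDAwMDQiLCJDUEVudF9UWVBFIjoiVUVOIiwiQ1BFbnRfU3RhdHVzIjoiUmVnaXN0ZXJlZCIsIkNQTm9uVUVOX0NvdW50cnkiOiIiLCJDUE5vblVFTl9SZWdObyI6IiIsIkNQTm9uVUVOX05hbWUiOiIifSwiYW1yIjpbInB3ZCJdLCJpYXQiOjE2MjQwODQyMjIsImlzcyI6Imh0dHBzOi8vY29ycHBhc3NycDAzIiwic3ViIjoicz1udWxsLHU9YW1pdGVzaCxjPW51bGwiLCJhdF9oYXNoIjoiMncxWjlBNW9qZExic2hSLUIwbFV4QSIsImV4cCI6MTYyNDA4NzgyMiwiYXVkIjoidk9JbGpXVnJHeUJNSzZmMzFRWXEifQ"
        ".lwTieBCXxOHMtKFkpLZDarzGe5QsZiFnZoWxVoSPLEzPhTABMgStGknzlf9m1hZiw6rCP_4InngFNLeh8DeztA"
    ),
    "token_type": "DPoP",
    "expires_in": 599,
}


def _b64url_decode(segment: str) -> bytes:
    """JWT segments carry no base64 padding; restore it before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def peek_jwt(token: str) -> tuple:
    """Return (header, claims) of a compact JWS. Does NOT verify the signature."""
    parts = token.split(".")
    if len(parts) == 5:
        raise ValueError("compact JWE: decrypt with the RP private key before reading claims")
    if len(parts) != 3:
        raise ValueError(f"expected 3 segments, got {len(parts)}")
    return json.loads(_b64url_decode(parts[0])), json.loads(_b64url_decode(parts[1]))


def at_hash(access_token: str) -> str:
    """at_hash for an ES256 id_token: base64url of the left 128 bits of SHA-256(access_token)."""
    digest = hashlib.sha256(access_token.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest[:16]).rstrip(b"=").decode("ascii")


def _claim_problems(label, claims, expected_iss, expected_aud, now, leeway):
    """Issuer, audience and time-window checks shared by both tokens."""
    problems = []
    if claims.get("iss") != expected_iss:
        problems.append(f"{label}.iss: {claims.get('iss')!r} != {expected_iss!r}")
    aud = claims.get("aud")
    if expected_aud not in (aud if isinstance(aud, list) else [aud]):
        problems.append(f"{label}.aud: {aud!r} does not contain this client_id")
    exp = claims.get("exp")
    if not isinstance(exp, int) or exp <= now - leeway:
        problems.append(f"{label}.exp: missing or expired ({exp!r} at {now})")
    if isinstance(claims.get("iat"), int) and claims["iat"] > now + leeway:
        problems.append(f"{label}.iat: issued in the future")
    return problems


def check_token_response(resp: dict, expected_iss: str, expected_aud: str, now: int, leeway: int = 30) -> dict:
    """Validate a token endpoint response body; returns ok flag, problems and decoded claims."""
    result = {"ok": False, "problems": [], "access": None, "id": None}
    problems = result["problems"]
    if "error" in resp:  # errors arrive as JSON in the body, never via redirect_uri
        problems.append(f"error: {resp['error']}: {resp.get('error_description', '')}")
        return result
    if resp.get("token_type") != "DPoP":  # only DPoP is issued; anything else is unexpected
        problems.append(f"token_type: expected DPoP, got {resp.get('token_type')!r}")
    if not isinstance(resp.get("expires_in"), int) or resp["expires_in"] > 600:
        problems.append("expires_in: missing or longer than the documented 10 minutes")
    for label, key in (("access_token", "access"), ("id_token", "id")):
        try:
            header, claims = peek_jwt(resp[label])
        except (KeyError, ValueError) as exc:
            problems.append(f"{label}: {exc}")
            continue
        if str(header.get("alg", "none")).lower() == "none":
            problems.append(f"{label}: unsigned (alg=none) tokens are never acceptable")
        problems.extend(_claim_problems(label, claims, expected_iss, expected_aud, now, leeway))
        result[key] = claims
    id_claims = result["id"]
    if id_claims is not None:
        if not id_claims.get("sub"):
            problems.append("id_token.sub: missing")
        # at_hash ties this id_token to this access_token; a mismatch means they were mixed.
        if "at_hash" in id_claims and id_claims["at_hash"] != at_hash(resp.get("access_token", "")):
            problems.append("id_token.at_hash: does not match the access_token")
    result["ok"] = not problems
    return result


if __name__ == "__main__":
    # 1624084300 sits inside the example tokens' validity window (iat 1624084223, exp 1624084823).
    report = check_token_response(EXAMPLE_RESPONSE, "https://corppassrp03", "vOIljWVrGyBMK6f31QYq", now=1624084300)
    print(json.dumps(report, indent=2))
```

The `now` argument is explicit so the checks can be replayed against captured responses; a live client passes `int(time.time())`. The audience check is what stops a token minted for another Relying Party from being accepted, and the `expires_in` bound reflects the 10-minute access token lifetime documented above.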