Token Endpoint

POST /mga/sps/oauth/oauth20/token

This endpoint allows the client to exchange an authorization code for an ID token and an access token.

  • The ID token is a JWT that includes user information in the sub claim and is signed by Corppass. Relying Parties (RPs) can verify the JWT's signature using the public keys available at the Corppass JWKS endpoint.

  • The Access Token is a signed JWS intended for the Corppass resource server (e.g. /authorization-info).

Supported Grant Types

Grant types define the method by which a client obtains tokens from the authorization server. For the OpenID Connect (OIDC) authentication flow, Corppass supports the following grant types:

authorization_code
    Used to securely exchange an authorization code for an ID token and an access token. Requires prior user authentication and is suitable for confidential clients. Refer to Section 3.1 of the OIDC Core Specification for more details on this grant.

Authorization Code Grant

The authorization_code grant type allows the client to exchange an authorization code (provided to the client after the user is authenticated) for an ID token and an access token. This grant is restricted to confidential clients, which must authenticate themselves using a Client Assertion JWT: the client includes a JSON Web Token (JWT) in the token request body, and Corppass verifies the JWT's signature using the public key that the client provided in its JSON Web Key Set (JWKS) during onboarding.

Request

Request Headers

Content-Type: application/x-www-form-urlencoded; charset=utf-8

Request Body

redirect_uri
    The redirect URI used in the current authentication session.

grant_type
    The type of grant being requested. This must be set to authorization_code.

code
    The authorization code issued during the /authorize call.

client_assertion_type
    Must be set to urn:ietf:params:oauth:client-assertion-type:jwt-bearer.

client_assertion
    A JWT identifying the client. Refer to the Client Assertion JWT section for more details about the JWT structure.

client_id
    The client identifier assigned to the Relying Party during onboarding with Corppass.

code_verifier
    A cryptographically random string generated by the client. Corppass compares it against the code_challenge sent during the /authorize or /request call.

Response

Successful Response Example

{
    "access_token": "eyJraWQiOiJueGlKSk5OVnh4blRrVTJ3TDY1VEkyUGtJTElKT1VSU1RRU0FCTHVIMmtFIiwiYWxnIjoiRVMyNTYifQ.eyJleHAiOjE2MjQwODQ4MjMsImlhdCI6MTYyNDA4NDIyMywiaXNzIjoiaHR0cHM6Ly9jb3JwcGFzc3JwMDMiLCJhdWQiOiJ2T0lsaldWckd5Qk1LNmYzMVFZcSIsInNjb3BlIjpbImF1dGhpbmZvIiwidHBhdXRoaW5mbyJdfQ.jzzTSQw5w3B_88KgqzThrP237wYWkuuzBdRpHnT4iNoqWAjV8KsXDqwBgOnECsFBeshJXahMDswyqw6xlgTO9g",
    "scope": "openid",
    "id_token": "eyJraWQiOiJueGlKSk5OVnh4blRrVTJ3TDY1VEkyUGtJTElKT1VSU1RRU0FCTHVIMmtFIiwiYWxnIjoiRVMyNTYifQ.eyJlbnRpdHlJbmZvIjp7IkNQRW50SUQiOiJWQlIwMDAwMDQiLCJDUEVudF9UWVBFIjoiVUVOIiwiQ1BFbnRfU3RhdHVzIjoiUmVnaXN0ZXJlZCIsIkNQTm9uVUVOX0NvdW50cnkiOiIiLCJDUE5vblVFTl9SZWdObyI6IiIsIkNQTm9uVUVOX05hbWUiOiIifSwiYW1yIjpbInB3ZCJdLCJpYXQiOjE2MjQwODQyMjIsImlzcyI6Imh0dHBzOi8vY29ycHBhc3NycDAzIiwic3ViIjoicz1udWxsLHU9YW1pdGVzaCxjPW51bGwiLCJhdF9oYXNoIjoiMncxWjlBNW9qZExic2hSLUIwbFV4QSIsImV4cCI6MTYyNDA4NzgyMiwiYXVkIjoidk9JbGpXVnJHeUJNSzZmMzFRWXEifQ.lwTieBCXxOHMtKFkpLZDarzGe5QsZiFnZoWxVoSPLEzPhTABMgStGknzlf9m1hZiw6rCP_4InngFNLeh8DeztA",
    "token_type": "Bearer",
    "expires_in": 599
}

Response Body Fields

access_token (required; type: JWS)
    The access token containing standard claims in JWS format, signed by Corppass. Refer to the Access Token section for more details.
    The access token issued by the token endpoint has a validity period of 10 minutes. Clients should ensure that it is used within this timeframe to access the protected resources.

scope (required; type: String)
    The scopes granted for the issued tokens. This field may include openid along with other scopes requested during authorization.

id_token (required; type: JWE)
    The ID token containing relevant claims in JWT format, signed by Corppass. Refer to the ID Token section for more details.

token_type (required; type: String)
    The type of token issued. Currently, only Bearer is supported.

expires_in (required; type: Numeric)
    The remaining lifetime of the access token in seconds.
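A client-side walkthrough of this endpoint as an added example (not Corppass's own code): it generates the PKCE pair, builds the form body from the request fields above, and applies the claim checks a Relying Party should run on the returned id_token, including the at_hash that binds it to the returned access_token. ISSUER and CLIENT_ID are placeholders, the sample tokens are constructed and unsigned, and verifying the ES256 signature against the Corppass JWKS is left to a JOSE library because the Python standard library has no ES256 verifier.

```python
import base64, hashlib, json, secrets, time
from urllib.parse import urlencode

ISSUER = "https://corppass.example"  # placeholder: use the real Corppass issuer value
CLIENT_ID = "example-client-id"      # placeholder: the client_id assigned at onboarding

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_pkce_pair() -> tuple:
    """code_verifier is kept for the token call; the S256 code_challenge goes to /authorize."""
    verifier = b64url(secrets.token_bytes(32))  # 43 chars, inside RFC 7636's 43..128 range
    return verifier, b64url(hashlib.sha256(verifier.encode("ascii")).digest())

def build_token_request(code, redirect_uri, client_assertion, code_verifier) -> str:
    """Form body for POST /mga/sps/oauth/oauth20/token (fields from the request table)."""
    return urlencode({
        "grant_type": "authorization_code", "code": code, "redirect_uri": redirect_uri,
        "client_id": CLIENT_ID, "client_assertion": client_assertion, "code_verifier": code_verifier,
        "client_assertion_type": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"})

def at_hash_for(access_token: str) -> str:
    return b64url(hashlib.sha256(access_token.encode("ascii")).digest()[:16])  # OIDC Core 3.1.3.6

def validate_id_token_claims(id_token: str, access_token: str, now: int = 0) -> dict:
    """Claim checks before trusting `sub`; the JWS signature must ALSO be verified via the JWKS."""
    now = now or int(time.time())
    header_b64, payload_b64, _signature = id_token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "ES256" or not header.get("kid"):  # never accept alg=none or HS*
        raise ValueError("unexpected JWS header")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER or claims.get("aud") != CLIENT_ID:
        raise ValueError("iss/aud mismatch")
    if claims.get("exp", 0) <= now:
        raise ValueError("id_token expired")
    if claims.get("at_hash") != at_hash_for(access_token):  # ties id_token to this access_token
        raise ValueError("at_hash mismatch")
    return claims

def constructed_sample(now: int) -> tuple:
    """Constructed, unsigned token pair for local testing only; NOT real Corppass tokens."""
    header = b64url(json.dumps({"kid": "example-kid", "alg": "ES256"}).encode())
    access_token = header + "." + b64url(b'{"scope":["authinfo"]}') + ".sig"
    claims = {"iss": ISSUER, "aud": CLIENT_ID, "sub": "s=null,u=example", "iat": now,
              "exp": now + 3600, "at_hash": at_hash_for(access_token)}
    return header + "." + b64url(json.dumps(claims).encode()) + ".sig", access_token
```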
