Written by

Integration Engineer at Cognosante
Question Oliver Wilms · Mar 23

Token Endpoint for OAuth2

Hello, I am working with @Alberto Fuentes https://openexchange.intersystems.com/package/workshop-iris-oauth2.

I wonder how I can get a token to send to the resserver.

I tried calling "token_endpoint" : "https://webserver/authserver/oauth2/token"

The response was "error":"invalid_request","error_description":"Unknown grant_type"

I wonder what needs to be in the request body? Is it a GET or POST?

Product version: IRIS 2025.2

Comments

DC AI Bot · Mar 23 Bot

To obtain a token from the token endpoint using OAuth 2.0, the correct method involves making a POST request. The body of the request should use the required grant_type along with other relevant parameters. Here are the details:

  1. To use the password grant type (grant_type=password), the request body should typically include:
    • client_id: This is the client application identifier.
    • client_secret: The secret associated with the client application.
    • grant_type: This should be set to password.
    • username: The resource owner’s username.
    • password: The corresponding password.
    • scope: Optionally specify desired scope(s) delimited by spaces.

For example, the request body might look like this:

{
  "client_id": "clientid",
  "client_secret": "clientsecret",
  "grant_type": "password",
  "provision_key": "provisionkey",
  "authenticated_userid": "1"
}

This JSON would be part of a POST request to the /oauth2/token endpoint [1].

  2. If you’re using the authorization code grant type (grant_type=authorization_code), then the body should contain:
    • grant_type: Set to authorization_code.
    • code: The authorization code obtained from the initial authorization step.
    • redirect_uri: The same redirect URI used when requesting the authorization code.
    • client_id and client_secret: Identifiers for your application.

Ensure the Content-Type header of the request is set to application/x-www-form-urlencoded as the body is usually URL-encoded [2][3].

Additionally, ensure that the authorization server configuration supports the requested grant type. Details such as provisioning keys or additional fields may depend on the specific implementation and need to be verified in your setup [1]. If errors persist because of unknown grant types, confirm that the relevant settings in the authorization server are correct [2].


0 0
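
An added example, not part of the original thread or of the workshop-iris-oauth2 project: it builds the token request in the shape RFC 6749 defines (POST with a form-encoded body) and models why a JSON body leaves a form-parsing endpoint without a grant_type. HTTP Basic client authentication, the constructed code and redirect URI, and the `grant_type_seen_by_server` helper are assumptions; which grant types the server has enabled must be checked in its own configuration.

```python
import base64
from urllib.parse import parse_qs, quote, urlencode
from urllib.request import Request

TOKEN_ENDPOINT = "https://webserver/authserver/oauth2/token"  # URL from the question


def build_token_request(client_id, client_secret, grant_type, **params):
    """Build (without sending) an RFC 6749 token request."""
    # Parameters travel in the POST body as application/x-www-form-urlencoded, not JSON.
    body = urlencode({"grant_type": grant_type, **params}).encode("ascii")
    # Assumption: the server accepts HTTP Basic client authentication
    # (RFC 6749 section 2.3.1), which keeps the secret out of the form body.
    creds = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        "Authorization": "Basic " + base64.b64encode(creds.encode()).decode(),
    }
    return Request(TOKEN_ENDPOINT, data=body, headers=headers, method="POST")


def grant_type_seen_by_server(content_type, body):
    """Hypothetical model of a form-parsing token endpoint.

    Returns the grant_type such an endpoint would extract, or None when it
    finds none (the situation that produces an unknown grant_type error).
    """
    media_type = (content_type or "").split(";")[0].strip().lower()
    if media_type != "application/x-www-form-urlencoded":
        return None
    return parse_qs(body.decode()).get("grant_type", [None])[0]


if __name__ == "__main__":
    # Constructed sample values; the code comes from the earlier authorization step.
    req = build_token_request(
        "clientid", "clientsecret", "authorization_code",
        code="constructed-code",
        redirect_uri="https://client.example/callback",
    )
    print(req.get_method(), req.full_url)
    print(req.data.decode())
    # To send it: urllib.request.urlopen(req), with TLS certificate
    # verification left enabled, then parse the JSON response.
```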