OpenID Connect token request

An OpenID Connect relying party (client) uses the standard OAuth 2.0 token request to obtain the ID token for the logged-in user.

Note that the obtained ID token must be validated before it can be trusted: its signature must verify against the OpenID provider's keys, and the issuer, audience (the client ID), expiration time and, if one was sent with the authorisation request, the nonce must all match the expected values.

If the relying party also requested access to the UserInfo endpoint (for example with the profile or email scope) and the user consented, the endpoint can be called with the returned bearer access token.

Prerequisites

  1. The relying party must be registered with the OpenID provider and have a valid client ID.

  2. The client must have a valid grant to submit at the token endpoint. This is typically an authorisation code obtained when the user was redirected to the OpenID provider to be authenticated.

Example token request with a code grant

The following makes a token request with an authorisation code which was previously obtained from the authorisation endpoint.

For a confidential client (with a client_id and client_secret, so the client can authenticate at the token endpoint):

import java.net.URI;
import com.nimbusds.jwt.JWT;
import com.nimbusds.oauth2.sdk.*;
import com.nimbusds.oauth2.sdk.auth.*;
import com.nimbusds.oauth2.sdk.http.*;
import com.nimbusds.oauth2.sdk.id.*;
import com.nimbusds.oauth2.sdk.token.*;
import com.nimbusds.openid.connect.sdk.*;

// Construct the code grant from the code obtained from the authz endpoint
// and the original callback URI used at the authz endpoint
AuthorizationCode code = new AuthorizationCode("xyz...");
URI callback = new URI("https://client.com/callback");
AuthorizationGrant codeGrant = new AuthorizationCodeGrant(code, callback);

// The credentials to authenticate the client at the token endpoint
ClientID clientID = new ClientID("123");
Secret clientSecret = new Secret("secret");
ClientAuthentication clientAuth = new ClientSecretBasic(clientID, clientSecret);

// The token endpoint
URI tokenEndpoint = new URI("https://c2id.com/token");

// Make the token request
TokenRequest request = new TokenRequest(tokenEndpoint, clientAuth, codeGrant);

TokenResponse tokenResponse = OIDCTokenResponseParser.parse(request.toHTTPRequest().send());

if (! tokenResponse.indicatesSuccess()) {
    // We got an error response, don't proceed to read tokens
    TokenErrorResponse errorResponse = tokenResponse.toErrorResponse();
    ErrorObject error = errorResponse.getErrorObject();
    throw new IllegalStateException("Token request failed: " + error.getCode() + " " + error.getDescription());
}

OIDCTokenResponse successResponse = (OIDCTokenResponse) tokenResponse.toSuccessResponse();

// Get the ID and access token, the server may also return a refresh token
JWT idToken = successResponse.getOIDCTokens().getIDToken();
AccessToken accessToken = successResponse.getOIDCTokens().getAccessToken();
RefreshToken refreshToken = successResponse.getOIDCTokens().getRefreshToken();

For a public client (with client_id only). A public client cannot authenticate at the token endpoint, so the authorisation code should be bound to the client with PKCE and the code verifier passed along with the grant:

import java.net.URI;
import com.nimbusds.jwt.JWT;
import com.nimbusds.oauth2.sdk.*;
import com.nimbusds.oauth2.sdk.auth.*;
import com.nimbusds.oauth2.sdk.http.*;
import com.nimbusds.oauth2.sdk.id.*;
import com.nimbusds.oauth2.sdk.token.*;
import com.nimbusds.openid.connect.sdk.*;

// Construct the code grant from the code obtained from the authz endpoint
// and the original callback URI used at the authz endpoint. If the authz
// request used PKCE (recommended for public clients), pass the code
// verifier as a third argument: new AuthorizationCodeGrant(code, callback, codeVerifier)
AuthorizationCode code = new AuthorizationCode("xyz...");
URI callback = new URI("https://client.com/callback");
AuthorizationGrant codeGrant = new AuthorizationCodeGrant(code, callback);

// The client ID to identify the client at the token endpoint
ClientID clientID = new ClientID("123");

// The token endpoint
URI tokenEndpoint = new URI("https://c2id.com/token");

// Make the token request
TokenRequest request = new TokenRequest(tokenEndpoint, clientID, codeGrant);

TokenResponse tokenResponse = OIDCTokenResponseParser.parse(request.toHTTPRequest().send());

if (! tokenResponse.indicatesSuccess()) {
    // We got an error response, don't proceed to read tokens
    TokenErrorResponse errorResponse = tokenResponse.toErrorResponse();
    ErrorObject error = errorResponse.getErrorObject();
    throw new IllegalStateException("Token request failed: " + error.getCode() + " " + error.getDescription());
}

OIDCTokenResponse successResponse = (OIDCTokenResponse) tokenResponse.toSuccessResponse();

// Get the ID and access token, the server may also return a refresh token
JWT idToken = successResponse.getOIDCTokens().getIDToken();
AccessToken accessToken = successResponse.getOIDCTokens().getAccessToken();
RefreshToken refreshToken = successResponse.getOIDCTokens().getRefreshToken();

Example token request with a password grant

The Connect2id server also allows an ID token to be obtained in exchange for a resource owner password credentials grant. This is a non-standard extension of OpenID Connect that the SDK supports. Note that the password grant hands the user's credentials to the client and is deprecated by the OAuth 2.0 Security Best Current Practice; prefer the authorisation code flow wherever it is an option.

import java.net.URI;
import com.nimbusds.jwt.JWT;
import com.nimbusds.oauth2.sdk.*;
import com.nimbusds.oauth2.sdk.auth.*;
import com.nimbusds.oauth2.sdk.http.*;
import com.nimbusds.oauth2.sdk.id.*;
import com.nimbusds.oauth2.sdk.token.*;
import com.nimbusds.openid.connect.sdk.*;

// Construct the password grant from the username and password
// (placeholder values, never hard-code real user credentials)
String username = "alice";
Secret password = new Secret("password");
AuthorizationGrant passwordGrant = new ResourceOwnerPasswordCredentialsGrant(username, password);

// The credentials to authenticate the client at the token endpoint
ClientID clientID = new ClientID("123");
Secret clientSecret = new Secret("secret");
ClientAuthentication clientAuth = new ClientSecretBasic(clientID, clientSecret);

// The requested scope for the token; "openid" is required to get an ID token
Scope scope = new Scope("openid", "email");

// The token endpoint
URI tokenEndpoint = new URI("https://c2id.com/token");

// Make the token request
TokenRequest request = new TokenRequest(tokenEndpoint, clientAuth, passwordGrant, scope);

TokenResponse tokenResponse = OIDCTokenResponseParser.parse(request.toHTTPRequest().send());

if (! tokenResponse.indicatesSuccess()) {
    // We got an error response, don't proceed to read tokens
    TokenErrorResponse errorResponse = tokenResponse.toErrorResponse();
    ErrorObject error = errorResponse.getErrorObject();
    throw new IllegalStateException("Token request failed: " + error.getCode() + " " + error.getDescription());
}

OIDCTokenResponse successResponse = (OIDCTokenResponse) tokenResponse.toSuccessResponse();

// Get the ID and access token, the server may also return a refresh token
JWT idToken = successResponse.getOIDCTokens().getIDToken();
AccessToken accessToken = successResponse.getOIDCTokens().getAccessToken();
RefreshToken refreshToken = successResponse.getOIDCTokens().getRefreshToken();
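All three requests above hand back an ID token that, as noted at the top of the page, must be validated before the relying party trusts it. The following is an added example (not code from the original page or from the Connect2id project) showing that validation with the SDK's IDTokenValidator. To keep it runnable offline it stands in for the OpenID provider with a locally generated RSA key and a constructed ID token signed with that key; the issuer "https://c2id.com", the client IDs "123" and "456", and the subject "alice" are assumed values. It checks the happy path and then shows the same token being rejected when presented to a different client, which is the audience check an attacker would rely on being missing.

```java
import java.util.Date;

import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.crypto.RSASSASigner;
import com.nimbusds.jose.jwk.JWKSet;
import com.nimbusds.jose.jwk.RSAKey;
import com.nimbusds.jose.jwk.gen.RSAKeyGenerator;
import com.nimbusds.jose.proc.BadJOSEException;
import com.nimbusds.jwt.SignedJWT;
import com.nimbusds.oauth2.sdk.id.Audience;
import com.nimbusds.oauth2.sdk.id.ClientID;
import com.nimbusds.oauth2.sdk.id.Issuer;
import com.nimbusds.oauth2.sdk.id.Subject;
import com.nimbusds.openid.connect.sdk.Nonce;
import com.nimbusds.openid.connect.sdk.claims.IDTokenClaimsSet;
import com.nimbusds.openid.connect.sdk.validators.IDTokenValidator;

public class IDTokenValidationExample {

    public static void main(String[] args) throws Exception {

        // Assumed values: the OP issuer, this relying party's client ID and the
        // nonce it sent in the authorisation request
        Issuer issuer = new Issuer("https://c2id.com");
        ClientID clientID = new ClientID("123");
        Nonce nonce = new Nonce();

        // Stand-in for the OP's published JWK set: a key generated here instead
        // of fetched from the OP's jwks_uri
        RSAKey opKey = new RSAKeyGenerator(2048).keyID("op-key-1").generate();
        JWKSet opJWKSet = new JWKSet(opKey.toPublicJWK());

        // Constructed ID token, signed the way the OP would sign it
        Date now = new Date();
        IDTokenClaimsSet claims = new IDTokenClaimsSet(
            issuer,
            new Subject("alice"),
            new Audience(clientID).toSingleAudienceList(),
            new Date(now.getTime() + 10 * 60 * 1000L), // exp: ten minutes from now
            now);                                        // iat
        claims.setNonce(nonce);
        SignedJWT idToken = new SignedJWT(
            new JWSHeader.Builder(JWSAlgorithm.RS256).keyID(opKey.getKeyID()).build(),
            claims.toJWTClaimsSet());
        idToken.sign(new RSASSASigner(opKey));

        // Validator pinned to the expected issuer, audience, JWS algorithm and key set;
        // pinning the algorithm prevents "alg" confusion (e.g. none or HS256 with the
        // public key as HMAC secret)
        IDTokenValidator validator = new IDTokenValidator(issuer, clientID, JWSAlgorithm.RS256, opJWKSet);

        // Happy path: signature, iss, aud, exp, iat and nonce all check out
        IDTokenClaimsSet verified = validator.validate(idToken, nonce);
        System.out.println("Validated ID token for subject " + verified.getSubject());

        // Failure path: the same token replayed to a different client must be
        // rejected on the audience check
        IDTokenValidator otherClient = new IDTokenValidator(issuer, new ClientID("456"), JWSAlgorithm.RS256, opJWKSet);
        try {
            otherClient.validate(idToken, nonce);
            System.out.println("BUG: token accepted for the wrong audience");
        } catch (BadJOSEException e) {
            System.out.println("Rejected as expected: " + e.getMessage());
        }

        // Failure path: a nonce mismatch (e.g. a token injected into another session)
        try {
            validator.validate(idToken, new Nonce());
            System.out.println("BUG: token accepted with the wrong nonce");
        } catch (BadJOSEException e) {
            System.out.println("Rejected as expected: " + e.getMessage());
        }
    }
}
```

In a real relying party the JWKSet argument is replaced by the OP's jwks_uri (the validator has a constructor taking a java.net.URL for it and will fetch and cache the keys), the expected nonce comes from the relying party's own session for the login in progress, and the validate call sits directly after getIDToken() in the token request code above, before any claim from the ID token is used.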