Token Exchange Endpoint

The Token Exchange endpoint allows your application to exchange an external application’s access token (for example, an Azure access token) for an EmpowerID access token. You can find this endpoint from the OAuth Discovery Endpoint.

OAuth Discovery Endpoint

https://<EID Server>/oauth/.well-known/openid-configuration

How to call the Token Exchange Endpoint

  1. Initiate a request to the EmpowerID Token endpoint, https://<EID Server>/oauth/v2/token

    POST /oauth/v2/token HTTP/1.1
    Host: <EID Server>
    Content-Type: application/x-www-form-urlencoded
    Cache-Control: no-cache
    Authorization: Basic base64Encode(<ClientID>:<ClientSecret>)

    subject_token={Your token}
    &subject_token_type={Your token type}
    &grant_type=urn:ietf:params:oauth:grant-type:token-exchange
    &scope=openid

| Header Parameter | Required/Optional | Description |
|---|---|---|
| Content-Type | required | Must be application/x-www-form-urlencoded. |
| Authorization | required | Base64-encoded value of the Client ID and Client Secret: base64Encode(<client_id>:<client_secret>) |

| Post Body Parameter | Required/Optional | Description |
|---|---|---|
| subject_token | required | A security token that represents the identity of the party on behalf of whom the request is being made. |
| subject_token_type | recommended | Specifies the type of the subject token. Please refer to the allowed Token Type Identifiers. |
| grant_type | required | Must be urn:ietf:params:oauth:grant-type:token-exchange |
| scope | required | A space-separated list of strings that the user consents to. Values include openid for the OpenID Connect flow. |

  2. The endpoint returns token information in the response

    {
        "access_token": "xxxxxxxxxxxxxxxxxxxxxx",
        "token_type": "Bearer",
        "issued_token_type": "urn:ietf:params:oauth:token-type:access_token",
        "expires_in": 3600,
        "refresh_token": "xxxxxxxxxxxxxxxxxxxxxx",
        "id_token": null,
        "id": "00000000-0000-0000-0000-000000000000"
    }
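The two steps above as an added Python example (not EmpowerID's own code): it builds the form-encoded request with the Basic Authorization header and checks the response fields before the token is used. The function names and the sample response are constructed for illustration, and the default subject_token_type is the RFC 8693 access-token identifier, assumed here to be among the allowed Token Type Identifiers.

```python
import base64
import json
import urllib.parse
import urllib.request

GRANT_TYPE = "urn:ietf:params:oauth:grant-type:token-exchange"
# RFC 8693 identifier for an OAuth access token (assumed accepted by the server).
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"
# Constructed sample response, shaped like the one shown on this page.
SAMPLE_RESPONSE = '{"access_token": "constructed", "token_type": "Bearer", "expires_in": 3600}'


def build_exchange_request(server, client_id, client_secret, subject_token,
                           subject_token_type=ACCESS_TOKEN_TYPE, scope="openid"):
    """Build (without sending) the POST to https://<EID Server>/oauth/v2/token."""
    # urlencode percent-encodes reserved characters in the token and the URNs.
    body = urllib.parse.urlencode({
        "subject_token": subject_token,
        "subject_token_type": subject_token_type,
        "grant_type": GRANT_TYPE,
        "scope": scope,
    }).encode("ascii")
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode("utf-8")).decode("ascii")
    return urllib.request.Request(
        f"https://{server}/oauth/v2/token",
        data=body,
        method="POST",
        headers={
            "Content-Type": "application/x-www-form-urlencoded",
            "Cache-Control": "no-cache",
            "Authorization": f"Basic {basic}",
        },
    )


def parse_exchange_response(raw):
    """Validate the JSON response and return only the fields a caller needs."""
    data = json.loads(raw)
    if not data.get("access_token"):
        raise ValueError("response has no access_token")
    if str(data.get("token_type", "")).lower() != "bearer":
        raise ValueError("unexpected token_type")
    expires_in = data.get("expires_in")
    if not isinstance(expires_in, int) or expires_in <= 0:
        raise ValueError("expires_in missing or not a positive integer")
    return {"access_token": data["access_token"], "expires_in": expires_in,
            "issued_token_type": data.get("issued_token_type")}
```

To send the request, pass the returned object to `urllib.request.urlopen(req, timeout=10)` and hand the response body to `parse_exchange_response`. Keep the client secret and both tokens out of logs and error messages.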
