Generate tokens for organization applications
After you authorize applications to API resources and assign users to the appropriate roles, you can generate tokens to access the protected resources. Organization applications support the following OAuth 2.0 grant types to generate tokens and issue scopes.
Authorization code grant
Use the following steps to generate an authorization code and exchange it for an access token.
After the authorization request is executed, Asgardeo prompts the user to sign in to the corresponding organization. After the user signs in successfully, the application's redirect URL receives an authorization code, which the application exchanges for a token at the token endpoint, as in the following request.
curl --user 7wYeybBGCVfLxPmS0z66WNMffyMa:WYfwHUsbsEvwtqmDLuaxF_VCQJwa -k \
-d "grant_type=authorization_code&code=111c6b23-e395-4263-8792-87dc5db3c8a9&redirect_uri=https://bestcarmart.com/login" \
-H "Content-Type: application/x-www-form-urlencoded" \
https://api.asgardeo.io/t/{root-organization-name}/o/7e98b86f-63c7-41a1-8c56-c909a21a2615/oauth2/token
Note
- To obtain the refresh_token in the response, go to the Protocol tab of the application and enable the refresh token grant type.
- The scope parameter returns only the scopes authorized to both the application and the user who requests authorization.
Password grant
Use the following steps to obtain an access token with the user's credentials.
Note
If you need scopes in the response, add the scope parameter to the token request with the required scopes.
Client credentials grant
Use the following steps to obtain an access token with the client credentials.
Token exchange grant
Use the following request to exchange a subject token for an access token.
curl --user <OAUTH_CLIENT_KEY>:<OAUTH_CLIENT_SECRET> -k \
-d "grant_type=urn:ietf:params:oauth:grant-type:token-exchange" \
-d "requested_token_type=urn:ietf:params:oauth:token-type:access_token" \
-d "subject_token_type=urn:ietf:params:oauth:token-type:jwt" \
-d "subject_token=<jwt_issued_from_a_trusted_token_issuer>" \
-d "scope=<desired scopes>" \
-H "Content-Type: application/x-www-form-urlencoded" \
https://api.asgardeo.io/t/{root-organization-name}/o/<ORG_ID>/oauth2/token
curl --user fhErtAT2YF_M0Ek3AAYHLI8L25oa:JirxvtfoecnrS8vBjM7ygOtSIXuCS_uK_9WEC7d1zPEa -k \
-d "grant_type=urn:ietf:params:oauth:grant-type:token-exchange" \
-d "requested_token_type=urn:ietf:params:oauth:token-type:access_token" \
-d "subject_token_type=urn:ietf:params:oauth:token-type:jwt" \
-d "subject_token=<jwt_issued_from_a_trusted_token_issuer>" \
-d "scope=openid internal_org_user_mgt_list read_stores" \
-H "Content-Type: application/x-www-form-urlencoded" \
https://api.asgardeo.io/t/{root-organization-name}/o/12d1c4d2-2bb1-443b-aa4a-68f98a40d7c6/oauth2/token
Note
If you need scopes in the response, add the scope parameter to the token request with the required scopes.
Introspect tokens
You can use the token introspection endpoint to validate access tokens issued for organization applications. The following example shows the response the endpoint returns for such a token.
{
    "aut": "APPLICATION_USER",
    "aud": "fhErtAT2YF_M0Ek3AAYHLI8L25oa",
    "nbf": 1739253383,
    "org_id": "12d1c4d2-2bb1-443b-aa4a-68f98a40d7c6",
    "active": true,
    "token_type": "Bearer",
    "exp": 1739256983,
    "iat": 1739253383,
    "client_id": "fhErtAT2YF_M0Ek3AAYHLI8L25oa",
    "username": "Charlie@12d1c4d2-2bb1-443b-aa4a-68f98a40d7c6"
}
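An introspection response that says active: true is only the first check a resource server should make. The org_id claim identifies the organization the token was issued in, and aud/client_id identify the application, so a service that serves one organization should also reject tokens minted for another organization or another client, and tokens outside their nbf/exp window. The following Python function is an added example, not part of the Asgardeo documentation or its SDKs; it runs against the response above, copied into a constructed dict, and the expected organization ID, client ID and required scopes are values the caller supplies.

```python
import time
from typing import Any, Dict, List, Optional, Set

# Constructed sample: the introspection response shown on this page, as a Python dict.
SAMPLE_ORG_ID = "12d1c4d2-2bb1-443b-aa4a-68f98a40d7c6"
SAMPLE_CLIENT_ID = "fhErtAT2YF_M0Ek3AAYHLI8L25oa"
SAMPLE_INTROSPECTION: Dict[str, Any] = {
    "aut": "APPLICATION_USER",
    "aud": SAMPLE_CLIENT_ID,
    "nbf": 1739253383,
    "org_id": SAMPLE_ORG_ID,
    "active": True,
    "token_type": "Bearer",
    "exp": 1739256983,
    "iat": 1739253383,
    "client_id": SAMPLE_CLIENT_ID,
    "username": "Charlie@12d1c4d2-2bb1-443b-aa4a-68f98a40d7c6",
}


def validate_introspection(
    response: Dict[str, Any],
    expected_org_id: str,
    expected_client_id: str,
    required_scopes: Optional[Set[str]] = None,
    now: Optional[int] = None,
    leeway: int = 60,
) -> List[str]:
    """Return the reasons a resource server should reject the token (an empty list means accept).

    expected_org_id is the organization this resource server serves; expected_client_id is the
    application whose tokens it accepts. `now` is injectable so the check is deterministic in tests.
    """
    now = int(time.time()) if now is None else now
    problems: List[str] = []

    # RFC 7662: anything other than active == true is an inactive token; nothing else matters.
    if response.get("active") is not True:
        return ["token is not active"]

    if response.get("token_type") != "Bearer":
        problems.append(f"unexpected token_type {response.get('token_type')!r}")

    # Validity window; exp and nbf are seconds since the epoch, with a small clock-skew allowance.
    exp = response.get("exp")
    if not isinstance(exp, int) or now > exp + leeway:
        problems.append("token expired or exp missing")
    nbf = response.get("nbf")
    if isinstance(nbf, int) and now + leeway < nbf:
        problems.append("token not yet valid (nbf in the future)")

    # Organization binding: an active token issued in a different organization is still not ours.
    if response.get("org_id") != expected_org_id:
        problems.append(f"org_id mismatch: {response.get('org_id')!r}")

    # Audience and client binding; aud may be a single string or a list of strings.
    aud = response.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if expected_client_id not in audiences:
        problems.append(f"aud does not include {expected_client_id!r}")
    if response.get("client_id") != expected_client_id:
        problems.append(f"client_id mismatch: {response.get('client_id')!r}")

    # Scopes arrive as a space-separated string, and only when the token request asked for them
    # (see the notes on this page), so a missing scope claim fails a scope-protected resource.
    if required_scopes:
        granted = set(str(response.get("scope", "")).split())
        missing = required_scopes - granted
        if missing:
            problems.append("missing scopes: " + " ".join(sorted(missing)))

    return problems


if __name__ == "__main__":
    # Evaluated at a constructed instant inside the sample token's validity window.
    print(validate_introspection(SAMPLE_INTROSPECTION, SAMPLE_ORG_ID, SAMPLE_CLIENT_ID, now=1739253400))
```

The function returns every failing check rather than stopping at the first, which is more useful when logging rejected tokens; the one exception is active: false, where the other claims may not be present at all.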
Revoke tokens
The following example demonstrates how to revoke tokens issued for organization applications.
curl --user fhErtAT2YF_M0Ek3AAYHLI8L25oa:JirxvtfoecnrS8vBjM7ygOtSIXuCS_uK_9WEC7d1zPEa -k \
-d "token=ef757efc-6ec3-3e12-83f6-cb2849d67f7b&token_type_hint=access_token" \
-H "Content-Type: application/x-www-form-urlencoded" \
https://api.asgardeo.io/t/{root-organization-name}/o/12d1c4d2-2bb1-443b-aa4a-68f98a40d7c6/oauth2/revoke