The endpoint at which a client requests access tokens in exchange for an authorization grant (an authorization code or a refresh token).
Request
POST https://.../oauth/token
Header Attributes:
- Authorization: credentials of the client identified by client_id, using the Basic scheme: the value is the Base64 encoding of the string {client_id}:{client_secret}
- Content-Type: application/x-www-form-urlencoded
Body Parameters (note that the OAuth2 server does not accept these parameters as query parameters; they must be sent form-encoded in the request body):
- grant_type: Used grant type, e.g. authorization_code (for authorization code flow) or refresh_token (for refresh token flow)
- client_id: A unique identification of the client application (package key), which is assigned during application registration. The value must be equal to the one provided in the authorization request. (Not required for grant_type=refresh_token.)
- redirect_uri: A URI that will be called after the authentication and the authorization steps are done. The value must be equal to the one provided in the authorization request. (Not required for grant_type=refresh_token.)
- code: The authorization code as received from the Authorization Endpoint. (Not required for grant_type=refresh_token.)
- refresh_token: The refresh token as received from a previous token call. (Only required for grant_type=refresh_token.)
- code_verifier: The PKCE code verifier that corresponds to the code_challenge sent in the preceding authorize call, according to RFC 7636. (Not required for grant_type=refresh_token.)
Note: The "userLang" used to call the backend systems is taken from the client's "Accept-Language" header.
Responses
Code | Description | Content-Type | Schema
200 | The OAuth2 server accepted the request and generated an Access Token (and possibly a Refresh Token). | application/json | → Token Response
other | The OAuth2 server rejected the request and generated an Error Response. | application/json | → Error Response
Token Response
Field | Description
access_token | The access token to be used for further backend calls
token_type | The token type, e.g. bearer
refresh_token | The refresh token used to obtain a new access token once the current one expires (grant_type=refresh_token)
expires_in | The time until the access_token expires (in seconds)
scope | The scopes the access_token can be used for
Error Response (Example)
Code snippet: Json
{
"error_description": "The grant type is not supported for the given client_id.",
"error": "unsupported_grant_type"
}
Field | Description
error_description | A human-readable description of the reason for the error
error | The error code, e.g. unsupported_grant_type

Error | Description
unsupported_grant_type | The grant type is not supported for the given client_id
service_unavailable | Maintenance mode is active
invalid_request | A parameter is missing or malformed
invalid_grant | An error occurred during the Mashery call (per RFC 6749, the authorization code or refresh token is invalid, expired, revoked, was issued to another client, or the redirect_uri does not match the authorization request)
invalid_client | An error occurred during the Mashery call (per RFC 6749, client authentication failed, e.g. unknown client_id or wrong client_secret in the Authorization header)
Example
Request
Code snippet: Example request (parameters go in the form-encoded body, not the query string; the body is broken across lines here for readability only)
POST https://oauth-test.lufthansa.com/lhcrew/oauth/token
Authorization: Basic {Base64 of client_id:client_secret}
Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code
&code=f3cmqdkrukzwkd8vbsr4zcjd
&redirect_uri=myApp://callback/
&client_id=asdfasdfasdfasdf
&code_verifier=dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk
Response
Code snippet: Example response
{
"access_token": "adsfasdfaddsfnbwert345124",
"token_type": "bearer",
"refresh_token": "1324jrasv0q143k5rjasd09q4",
"expires_in": 3599,
"scope": "https://cms.fra.dlh.de/publicCrewApi"
}
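The following is an added example of a client for this endpoint; it is not the API's own SDK. It covers the request side (Basic client authentication, the form-encoded body, the PKCE verifier/challenge pair from RFC 7636) and the response side (Token Response vs. Error Response). The endpoint URL, the example code, client_id, verifier and the response bodies are taken from the page above; the client_secret and the code_challenge sent in the preceding authorize call are assumptions.

```python
"""Client-side helpers for the /oauth/token exchange described above.

Added example, not the API's own SDK. The endpoint URL and the example
code / verifier / client_id come from the page; the client_secret and the
code_challenge sent in the preceding /oauth/authorize call are assumed.
"""
import base64
import hashlib
import json
import secrets
import urllib.error
import urllib.parse
import urllib.request

TOKEN_URL = "https://oauth-test.lufthansa.com/lhcrew/oauth/token"


def make_code_verifier(nbytes: int = 32) -> str:
    """RFC 7636 section 4.1: 43-128 chars of [A-Za-z0-9-._~]. 32 random bytes,
    base64url-encoded without padding, give exactly 43 characters."""
    return base64.urlsafe_b64encode(secrets.token_bytes(nbytes)).rstrip(b"=").decode("ascii")


def code_challenge_s256(code_verifier: str) -> str:
    """S256 method: BASE64URL(SHA256(ASCII(code_verifier))), no padding.
    The challenge goes into the authorize call; the verifier into the token call."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """Authorization header value: Basic BASE64({client_id}:{client_secret})."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def build_token_request(client_id: str, client_secret: str, grant_type: str, **params):
    """Return (url, headers, body) for POST /oauth/token.

    All parameters are form-encoded into the body; the server does not accept
    them as query parameters, so the returned URL carries no query string.
    """
    if grant_type == "authorization_code":
        required = ("code", "redirect_uri", "code_verifier")
        fields = {"grant_type": grant_type, "client_id": client_id}
    elif grant_type == "refresh_token":
        required = ("refresh_token",)
        fields = {"grant_type": grant_type}
    else:
        raise ValueError(f"grant_type {grant_type!r} is not supported by this client")
    missing = [name for name in required if not params.get(name)]
    if missing:
        raise ValueError(f"{grant_type} requires {missing}")
    fields.update({name: params[name] for name in required})
    headers = {
        "Authorization": basic_auth_header(client_id, client_secret),
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json",
    }
    return TOKEN_URL, headers, urllib.parse.urlencode(fields).encode("ascii")


def decode_form_body(body: bytes) -> dict:
    """Inverse of the encoding above (used to inspect a built request)."""
    return dict(urllib.parse.parse_qsl(body.decode("ascii"), keep_blank_values=True))


class TokenError(Exception):
    """Error Response from the server: carries `error` and `error_description`."""

    def __init__(self, error: str, description: str):
        super().__init__(f"{error}: {description}")
        self.error = error
        self.description = description


def parse_token_response(status: int, body: bytes) -> dict:
    """Map the HTTP response to a Token Response dict, or raise TokenError."""
    data = json.loads(body.decode("utf-8"))
    if status != 200 or "access_token" not in data:
        raise TokenError(data.get("error", "unknown_error"),
                         data.get("error_description", f"HTTP {status}"))
    if str(data.get("token_type", "")).lower() != "bearer":
        raise TokenError("invalid_token_type", f"unexpected token_type {data.get('token_type')!r}")
    return data


def exchange(client_id: str, client_secret: str, grant_type: str, **params) -> dict:
    """Send the request; a rejection arrives as HTTP 4xx with a JSON Error Response."""
    url, headers, body = build_token_request(client_id, client_secret, grant_type, **params)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return parse_token_response(resp.status, resp.read())
    except urllib.error.HTTPError as err:
        return parse_token_response(err.code, err.read())
```

The code_verifier in the page's example request is the RFC 7636 Appendix B test vector, so code_challenge_s256() applied to it must yield E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM; if the challenge you sent to the authorize call differs from that, the token call will be rejected. A refresh_token request built by build_token_request() deliberately carries neither client_id nor redirect_uri in the body, matching the "Not required for grant_type=refresh_token" notes above; the client still authenticates through the Authorization header.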