For the authorization code flow, calling the token endpoint is the second step of the flow. HTTP POST is used for the token endpoint.
These parameters must be posted as a part of the URL-encoded form values.
Note: Mandatory request parameters can be configured on each OIDC provider. Mandatory values below are the default behaviour.
Parameter | Description | Mandatory |
---|---|---|
code | The value that was returned from the authorization endpoint. | |
client_id | Identifies the client and must match the value configured in FortifiedID Integrity. | |
client_secret | Authenticates the client and must match the value configured in FortifiedID Integrity. | |
grant_type | Supported value is authorization_code. | |
redirect_uri | Specifies the redirect location. It must match the value configured in FortifiedID Integrity. | |
code_verifier | Required if code_challenge was used in the authorization endpoint request. | |

Parameter: token_endpoint_auth_methods_supported in the discovery_meta configuration section.
FortifiedID Integrity supports the following methods:
Method | Description |
---|---|
client_secret_basic | Provide 'client_id' and 'client_secret' in the Authorization header (Basic auth). |
client_secret_post | Provide 'client_id' and 'client_secret' as parameters in the POST request body. |
none | For PKCE use. Provide the 'code_verifier' as a parameter in the POST request body. |