Token Exchange Endpoint

The Token Exchange endpoint allows your application to exchange an external application’s access token (for example, an Azure access token) for an EmpowerID access token. The endpoint is listed in the response from the OAuth Discovery Endpoint.

OAuth Discovery Endpoint

https://<EID Server>/oauth/.well-known/openid-configuration

How to call the Token Exchange Endpoint

  1. Initiate a request to the EmpowerID Token endpoint, https://<EID Server>/oauth/v2/token

    POST /oauth/v2/token HTTP/1.1
    Host: <EID Server>
    Content-Type: application/x-www-form-urlencoded
    Cache-Control: no-cache
    Authorization: Basic base64Encode(<ClientID>:<ClientSecret>)

    subject_token={Your token}
    &subject_token_type={Your token type}
    &grant_type=urn:ietf:params:oauth:grant-type:token-exchange
    &scope=openid

    | Header Parameter | Required/Optional | Description |
    |---|---|---|
    | Content-Type | required | Must be application/x-www-form-urlencoded. |
    | Authorization | required | Base64 encoded value of ClientID and Client Secret base64Encode(<client_id>:<client_secret>) |

    | Post Body Parameter | Required/Optional | Description |
    |---|---|---|
    | subject_token | required | A security token that represents the identity of the party on behalf of whom the request is being made. |
    | subject_token_type | recommended | Specifies the type of the subject token. Please refer to allowed Token Type Identifiers. |
    | grant_type | required | Must be urn:ietf:params:oauth:grant-type:token-exchange |
    | scope | required | A space-separated list of strings that the user consents to. Values include openid for OpenID Connect flow. |

  2. The endpoint returns token information in the response

    {
      "access_token": "xxxxxxxxxxxxxxxxxxxxxx",
      "token_type": "Bearer",
      "issued_token_type": "urn:ietf:params:oauth:token-type:access_token",
      "expires_in": 3600,
      "refresh_token": "xxxxxxxxxxxxxxxxxxxxxx",
      "id_token": null,
      "id": "00000000-0000-0000-0000-000000000000"
    }
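
The two steps above as client code, in Python: this is an added example, not EmpowerID sample code. It builds the step 1 request without sending it and validates a step 2 response before the token is used. The function names, the host `eid.example.test`, the credentials, and the choice of `urn:ietf:params:oauth:token-type:access_token` as the subject and expected issued token type are assumptions.

```python
import base64
import json
import urllib.parse
import urllib.request

GRANT_TYPE = "urn:ietf:params:oauth:grant-type:token-exchange"
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"  # assumed type


def build_exchange_request(token_endpoint, client_id, client_secret,
                           subject_token, subject_token_type=ACCESS_TOKEN_TYPE):
    """Build (but do not send) the POST described in step 1."""
    url = urllib.parse.urlsplit(token_endpoint)
    if url.scheme != "https" or not url.hostname:
        # The client secret and the subject token travel in this request.
        raise ValueError("token endpoint must be an https:// URL")
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    # urlencode percent-escapes '+', '/', '=' and '&', which occur in tokens
    # and would otherwise corrupt or split the form body.
    body = urllib.parse.urlencode({
        "subject_token": subject_token,
        "subject_token_type": subject_token_type,
        "grant_type": GRANT_TYPE,
        "scope": "openid",
    }).encode("ascii")
    headers = {"Content-Type": "application/x-www-form-urlencoded",
               "Cache-Control": "no-cache",
               "Authorization": f"Basic {basic}"}
    return urllib.request.Request(token_endpoint, data=body,
                                  headers=headers, method="POST")


def parse_exchange_response(raw):
    """Validate the JSON from step 2 and return (access_token, expires_in)."""
    doc = json.loads(raw)
    if str(doc.get("token_type", "")).lower() != "bearer":
        raise ValueError("unexpected token_type")
    if doc.get("issued_token_type") != ACCESS_TOKEN_TYPE:
        raise ValueError("unexpected issued_token_type")
    token, ttl = doc.get("access_token"), doc.get("expires_in")
    if not isinstance(token, str) or not token:
        raise ValueError("missing access_token")
    if isinstance(ttl, bool) or not isinstance(ttl, int) or ttl <= 0:
        raise ValueError("invalid expires_in")
    return token, ttl


if __name__ == "__main__":
    # Constructed values; the request is built locally and never sent.
    req = build_exchange_request("https://eid.example.test/oauth/v2/token",
                                 "client-id", "client-secret", "ext+tok/en==")
    print(req.get_method(), req.full_url, sorted(urllib.parse.parse_qs(req.data.decode())))
```

Send the request with `urllib.request.urlopen(req)` against your own server, and keep the returned access and refresh tokens out of logs.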