
POST /token

This is the token endpoint of the OAuth 2.0 specification. This endpoint is used by the client to provide its authorization code, demonstrating that it has the right to learn a particular user’s validated address. In return, the challenger service returns the access token. Renewal is not supported.

Request:

The request must include an application/www-form-urlencoded body specifying the client_id, redirect_uri, client_secret, code and grant_type. The grant_type must be set to authorization_code. The redirect_uri must match the URI from /authorize. The code must be the authorization code that /solve returned to the user. The client_id and client_secret must match the usual client credentials. Since protocol v3, code_verifier can also be included.

Response:

Error responses follow RFC 6749, section 5.2, with an “error” field in the JSON body, and additionally carry GNU Taler style error messages.

200 OK:

The body will be a ChallengerAuthResponse.

400 Bad Request:

A required POST field (grant_type, client_id, client_secret, code or redirect_uri) is missing or malformed, or grant_type is not authorization_code. Usually returned with TALER_EC_GENERIC_PARAMETER_MISSING or TALER_EC_GENERIC_PARAMETER_MALFORMED.

401 Unauthorized:

Authentication of the client failed. Returned (per RFC 6749, section 5.2) when the client credentials are invalid, when the supplied code is malformed or does not match the validation, when the redirect_uri does not match the one registered with the client, or when the code_verifier does not match the saved code_challenge. Returned with TALER_EC_CHALLENGER_GENERIC_CLIENT_FORBIDDEN_BAD_REDIRECT_URI, TALER_EC_CHALLENGER_CLIENT_FORBIDDEN_BAD_CODE, TALER_EC_CHALLENGER_GENERIC_VALIDATION_UNKNOWN or TALER_EC_CHALLENGER_GRANT_UNKNOWN. PKCE-related rejections are since protocol v3.

404 Not found:

The service is unaware of a matching login process or client. Returned with the error code TALER_EC_CHALLENGER_GENERIC_CLIENT_UNKNOWN.

409 Conflict:

A code was presented for a validation process for which the user has not (yet) submitted any address, so the token cannot be issued. Returned with TALER_EC_CHALLENGER_MISSING_ADDRESS.

500 Internal Server Error:

The challenger service encountered an internal error, for example a database failure or a failure of the SHA-256 or Base64 helpers used for PKCE verification. Error codes used are:

* TALER_EC_CHALLENGER_GENERIC_DB_FETCH_FAILED
* TALER_EC_CHALLENGER_GENERIC_DB_STORE_FAILED

Details:

interface ChallengerAuthResponse {
  // Token used to authenticate access in /info.
  access_token: string;

  // Type of the access token.
  token_type: "Bearer";

  // Amount of time that an access token is valid (in seconds).
  expires_in: Integer;

}
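The following is an added example, not code from the Challenger service itself: a minimal server-side handler that applies the request checks and status mappings described above, including the protocol v3 PKCE comparison, and returns a ChallengerAuthResponse on success. The in-memory client and grant tables, the 3600 second token lifetime, the S256 challenge method and the choice of Taler error code for conditions the page does not pin down (bad client secret, PKCE mismatch) are assumptions.

```python
import base64, hashlib, hmac, secrets

def s256_challenge(verifier: str) -> str:
    """PKCE S256 (RFC 7636): base64url(SHA-256(verifier)) without '=' padding (assumed method)."""
    digest = hashlib.sha256(verifier.encode()).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

# Constructed sample state; the real service keeps this in its database.
CLIENTS = {"client-1": {"secret": "s3cret", "redirect_uri": "https://app.example/cb"}}
# Codes issued by /solve: code -> (client_id, validated address or None, code_challenge or None)
GRANTS = {
    "code-plain": ("client-1", "alice@example.org", None),
    "code-pkce": ("client-1", "bob@example.org", s256_challenge("verifier-for-bob")),
    "code-noaddr": ("client-1", None, None),
}
REQUIRED = ("grant_type", "client_id", "client_secret", "code", "redirect_uri")
TOKEN_LIFETIME = 3600  # seconds reported in expires_in (assumed value)

def handle_token(form: dict) -> tuple[int, dict]:
    """Map one POST /token form body to (HTTP status, JSON body) following the rules above."""
    for field in REQUIRED:                       # 400: a required field is missing or empty
        if not form.get(field):
            return 400, {"error": "invalid_request", "code": "TALER_EC_GENERIC_PARAMETER_MISSING"}
    if form["grant_type"] != "authorization_code":
        return 400, {"error": "unsupported_grant_type", "code": "TALER_EC_GENERIC_PARAMETER_MALFORMED"}
    client = CLIENTS.get(form["client_id"])
    if client is None:                           # 404: client is not registered
        return 404, {"error": "invalid_client", "code": "TALER_EC_CHALLENGER_GENERIC_CLIENT_UNKNOWN"}
    if not hmac.compare_digest(client["secret"].encode(), form["client_secret"].encode()):
        return 401, {"error": "invalid_client"}  # Taler code for a bad secret is not given on the page
    if form["redirect_uri"] != client["redirect_uri"]:
        return 401, {"error": "invalid_grant", "code": "TALER_EC_CHALLENGER_GENERIC_CLIENT_FORBIDDEN_BAD_REDIRECT_URI"}
    grant = GRANTS.get(form["code"])
    if grant is None:                            # 401: no such authorization code
        return 401, {"error": "invalid_grant", "code": "TALER_EC_CHALLENGER_GRANT_UNKNOWN"}
    owner, address, challenge = grant
    if owner != form["client_id"]:               # 401: code was issued to a different client
        return 401, {"error": "invalid_grant", "code": "TALER_EC_CHALLENGER_CLIENT_FORBIDDEN_BAD_CODE"}
    if challenge is not None:                    # protocol v3 PKCE check, constant-time comparison
        expected = s256_challenge(form.get("code_verifier", "")).encode()
        if not hmac.compare_digest(expected, challenge.encode()):
            return 401, {"error": "invalid_grant"}  # Taler code for PKCE mismatch is not given on the page
    if address is None:                          # 409: user has not submitted an address yet
        return 409, {"error": "invalid_grant", "code": "TALER_EC_CHALLENGER_MISSING_ADDRESS"}
    del GRANTS[form["code"]]                     # authorization codes are single-use (RFC 6749, section 4.1.2)
    return 200, {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer", "expires_in": TOKEN_LIFETIME}
```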