Token Exchange (Gateway Credential)

POST {{authPath}}/{{envID}}/as/token

The token endpoint can be used by the client to make a token exchange request to the PingOne authorization server by presenting its authorization grant, its token, and the token type. For a token exchange operation, the grant_type must be set to urn:ietf:params:oauth:grant-type:token-exchange.

The subject_token property value is the gateway credential returned by the PingOne gateway service. For more information, see Gateway Credentials.

The PingOne authorization server's token endpoint responds to a successful token exchange request by issuing an access token that allows the requesting client access to PingOne resources.

Note: Any valid gateway credential can be exchanged for an access token. The access token returned by the exchange will have a five-minute time to live.

Prerequisites

| Property | Type | Required? |
|---|---|---|
| subject_token_type | String | Required |
| subject_token | String | Required |
| grant_type | String | Required |

See the OpenID Connect/OAuth2 data model for full property descriptions.

Request Body

| Name | Value | Datatype |
|---|---|---|
| grant_type | urn:ietf:params:oauth:grant-type:token-exchange | string |
| subject_token_type | pingone_gateway_credential | string |
| subject_token | {{gatewayCredential}} | string |

RESPONSES

status: OK

{"access_token":"eyJhbGciOiJSUz...","token_type":"Bearer","expires_in":3600}
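The request and response described above, as an added client-side example that is not part of the PingOne documentation. The helper names are hypothetical, and the form-encoded Content-Type (the RFC 8693 convention) and the https-only check are assumptions not stated on this page.

```python
import json
import time
import urllib.parse
import urllib.request

GRANT_TYPE = "urn:ietf:params:oauth:grant-type:token-exchange"
SUBJECT_TOKEN_TYPE = "pingone_gateway_credential"


def build_exchange_request(auth_path, env_id, gateway_credential):
    """Build (without sending) the POST to {authPath}/{envID}/as/token."""
    if not gateway_credential:
        raise ValueError("gateway credential is empty")
    if not auth_path.startswith("https://"):
        raise ValueError("token endpoint must use https")
    url = "%s/%s/as/token" % (auth_path.rstrip("/"), urllib.parse.quote(env_id, safe=""))
    # The credential travels in the POST body, never in the URL, so it stays
    # out of access logs. Form encoding is an assumption (RFC 8693 convention).
    body = urllib.parse.urlencode({
        "grant_type": GRANT_TYPE,
        "subject_token_type": SUBJECT_TOKEN_TYPE,
        "subject_token": gateway_credential,
    }).encode("ascii")
    return urllib.request.Request(
        url, data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})


def parse_exchange_response(raw, now=None):
    """Validate the token response; return (access_token, expiry_epoch)."""
    doc = json.loads(raw)
    if not isinstance(doc, dict):
        raise ValueError("token response is not a JSON object")
    token = doc.get("access_token")
    if not isinstance(token, str) or not token:
        raise ValueError("response has no access_token")
    if str(doc.get("token_type", "")).lower() != "bearer":
        raise ValueError("unexpected token_type")
    ttl = doc.get("expires_in")
    if isinstance(ttl, bool) or not isinstance(ttl, int) or ttl <= 0:
        raise ValueError("invalid expires_in")
    # Take the lifetime from the response rather than hard-coding it.
    return token, (time.time() if now is None else now) + ttl


def redact(secret, keep=4):
    """Log-safe form of a gateway credential or access token."""
    return secret[:keep] + "..." if len(secret) > keep else "***"
```

Because any valid gateway credential can be exchanged for an access token, log only the `redact()` form of both the credential and the returned token.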