POST/conformance/v3/auth-mock/token
The client proceeds with the code flow by calling the Token Endpoint with the required details. The client_assertion JWT must be signed using the client's private key, with the corresponding public key available through the jwks_uri parameter or included in the Client Metadata provided during the pre-registration step.
Request
- application/x-www-form-urlencoded
Body
- Token Request (Pre-Authorized code)
- Token Request (Authorization code, using client assertion)
- Token Request (Authorization code, using PKCE)
Possible values: [urn:ietf:params:oauth:grant-type:pre-authorized_code]
MUST have the value
urn:ietf:params:oauth:grant-type:pre-authorized_code
The code representing the authorization to obtain Credentials of a certain type. In WCT v3 Holder wallet tests, the code corresponds to the string concatenation of the last 4 bytes (modulo 10) of the sha256 hash of the user DID. Example: the code corresponding to the DID
did:key:z2dmzD81cgPx8Vki7JbuuMmFYrWPgYoytykUZ3eyqht1j9KbsDbVZXdb3jzCagESyY4EE2x7Yjx3gNwctoEuRCKKDrdNP3HPFtG8RTvBiYStT5ghBHhHizH2Dy6xQtW3Pd2SecizL9b2jzDCMr7Ka5cRAWZFwvqwAtwTT7xet769y9ERh6
OPTIONAL. String value containing a user PIN. This value MUST be present if
user_pin_required
true
grant_type
urn:ietf:params:oauth:grant-type:pre-authorized_code
Possible values: [authorization_code]
MUST have the value
authorization_code
Client assertion as a JWT.
The format of the assertion as defined by the Authorisation Server.
OPTIONAL. The client identifier as described in Section 2.2 of OAuth 2.0. The "client_id" is unnecessary for client assertion authentication because the client is identified by the subject of the assertion. If present, the value of the "client_id" parameter MUST identify the same client as is identified by the client assertion.
An opaque value that can be used to redeem tokens from the token endpoint.
code
response_type
code
MUST match the "redirect_uri" parameter included in the authorization request.
Possible values: [authorization_code]
MUST have the value
authorization_code
OAuth 2.0 Client Identifier valid at the Authorisation Server.
Verifiable Accreditation Issuance: MUST be URL of the issuer requesting the accreditation that was registered with the Accreditation Issuer
An opaque value that can be used to redeem tokens from the token endpoint.
code
response_type
code
Wallet generated secure random token, used to validate the original
code_challenge
MUST match the "redirect_uri" parameter included in the authorization request.
Responses
- 200
- 400
- 401
- 500
OK
- application/json
- Schema
Schema
The access token issued by the Authorisation Server.
The Access Token MUST be signed by the Authorisation Server.
The ID token issued by the Authorisation Server.
Possible values: [bearer]
The access token type provides the client with the information required to successfully utilize the access token to make a protected resource request (along with type-specific attributes).
The lifetime in seconds of the access token. For example, the value "3600" denotes that the access token will expire in one hour from the time the response was generated.
Lifetime must be 86400 seconds.
JSON string containing a nonce to be used to create a proof of possession of key material when requesting a Credential (see Section 7.2 of OpenID for VCI). When received, the Wallet MUST use this nonce value for its subsequent credential requests until the Credential Issuer provides a fresh nonce.
The lifetime in seconds of the c_nonce token. For example, the value "3600" denotes that the access token will expire in one hour from the time the response was generated.
Bad Request
- application/problem+json
- Schema
- Bad Request
- Token Expired
- Issuer Not Found
Schema
Default value: about:blank
An absolute URI that identifies the problem type. When dereferenced, it SHOULD provide human-readable documentation for the problem type.
A short summary of the problem type.
Possible values: >= 400 and <= 600
The HTTP status code generated by the origin server for this occurrence of the problem.
A human readable explanation specific to this occurrence of the problem.
An absolute URI that identifies the specific occurrence of the problem. It may or may not yield further information if dereferenced.
{
"title": "Bad Request",
"status": 400,
"detail": "Bad request."
}
{
"title": "Token Expired",
"status": 400,
"detail": "The token has expired."
}
{
"title": "Issuer Not Found",
"status": 400,
"detail": "Issuer not found in the trusted apps registry."
}
Unauthorised
- application/problem+json
- Schema
- Unauthorised
Schema
Default value: about:blank
An absolute URI that identifies the problem type. When dereferenced, it SHOULD provide human-readable documentation for the problem type.
A short summary of the problem type.
Possible values: >= 400 and <= 600
The HTTP status code generated by the origin server for this occurrence of the problem.
A human readable explanation specific to this occurrence of the problem.
An absolute URI that identifies the specific occurrence of the problem. It may or may not yield further information if dereferenced.
{
"title": "Unauthorized",
"status": 401,
"detail": "You are not authorized to access the resources."
}
Internal Error
- application/problem+json
- Schema
- Internal Server Error
Schema
Default value: about:blank
An absolute URI that identifies the problem type. When dereferenced, it SHOULD provide human-readable documentation for the problem type.
A short summary of the problem type.
Possible values: >= 400 and <= 600
The HTTP status code generated by the origin server for this occurrence of the problem.
A human readable explanation specific to this occurrence of the problem.
An absolute URI that identifies the specific occurrence of the problem. It may or may not yield further information if dereferenced.
{
"title": "Internal Server Error",
"status": 500,
"detail": "The server encountered an internal error and was unable to complete your request"
}