2. Successful Response
The authorization server validates the access token request (the grant
presented and, for confidential clients, the client credentials) and, if the
request is valid and authorized, issues an access token and optionally a
refresh token. The response carries the following parameters:
access_token (REQUIRED) the access token issued by the authorization server
token_type (REQUIRED) the type of the token issued, e.g. Bearer or MAC; the
value is case insensitive
expires_in (RECOMMENDED) the lifetime of the access token in seconds; if it
is omitted, the server should convey the expiry some other way or document
the default
refresh_token (OPTIONAL) used to obtain new access tokens with the
refresh_token grant
scope (OPTIONAL) if identical to the scope the client requested, otherwise
REQUIRED, so the client learns which scope it actually got
3. Successful Response - continued
The parameters are included in the entity body of the HTTP response using
the “application/json” media type.
The parameters are serialized into a JSON object by adding each parameter
at the top level of the object.
Parameter names and string values are represented as JSON strings
Numerical values (such as expires_in) are represented as JSON numbers, not
as quoted strings
The order of parameters does not matter
The Authorization Server must include the HTTP “Cache-Control” response
header field with the value “no-store” in any response containing tokens,
credentials, or any other sensitive information, so that the token is never
written to a browser, proxy or shared cache
The Authorization Server must also include the “Pragma” response header
field with a value of “no-cache”, for HTTP/1.0 caches that do not understand
Cache-Control
5. Successful Response - continued
The client must ignore unrecognized parameter names in the response.
The sizes of tokens and other values are not defined by the specification;
the client should avoid making assumptions about value sizes
6. Error Response
The Authorization Server responds with an HTTP 400 (Bad Request) status code
(401 (Unauthorized) with a matching WWW-Authenticate header when the error is
invalid_client and the client authenticated via the HTTP Authorization header)
and includes the following parameters:
error (REQUIRED) A single ASCII error code from the following token endpoint
codes:
invalid_request, invalid_client, invalid_grant, unauthorized_client,
unsupported_grant_type, invalid_scope
error_description (OPTIONAL) human readable ASCII error message with
additional information, intended for the client developer rather than the
end user
error_uri (OPTIONAL) URI of a human readable web page with information about
the error
7. Error Response - continued
The parameters are included in the HTTP response using “application/json” media
type
Example:
HTTP/1.1 400 Bad Request
Content-Type: application/json;charset=UTF-8
Cache-Control: no-store
Pragma: no-cache
{
"error":"invalid_request"
}
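The following is an added example, not code from the original slides or from any particular OAuth library. It shows both sides of the token endpoint exchange described above: a server helper that builds the successful and the error response with the mandatory Cache-Control and Pragma headers, and a client parser that enforces the required parameters, rejects expires_in when it arrives as a string rather than a JSON number, compares token_type case-insensitively, ignores unrecognized parameters, and turns an error body into an exception. The token values and the helper names (build_token_response, parse_token_response, headers_prevent_caching, TokenError) are constructed for this example and are not part of the specification.

```python
import json
from dataclasses import dataclass, field
from typing import Optional

# Error codes the token endpoint may return (RFC 6749 section 5.2).
TOKEN_ERROR_CODES = {
    "invalid_request", "invalid_client", "invalid_grant",
    "unauthorized_client", "unsupported_grant_type", "invalid_scope",
}
KNOWN_PARAMS = {"access_token", "token_type", "expires_in", "refresh_token", "scope"}
# Headers every response carrying tokens or credentials must have (section 5.1).
NO_CACHE_HEADERS = {"Cache-Control": "no-store", "Pragma": "no-cache"}
JSON_CONTENT_TYPE = "application/json;charset=UTF-8"


def build_token_response(access_token, token_type="Bearer", expires_in=None,
                         refresh_token=None, scope=None):
    """Server side: (status, headers, body) for a successful token response."""
    body = {"access_token": access_token, "token_type": token_type}
    if expires_in is not None:
        body["expires_in"] = int(expires_in)  # a JSON number, never a quoted string
    if refresh_token is not None:
        body["refresh_token"] = refresh_token
    if scope is not None:
        body["scope"] = scope
    headers = {"Content-Type": JSON_CONTENT_TYPE, **NO_CACHE_HEADERS}
    return 200, headers, json.dumps(body)


def build_error_response(error, error_description=None, error_uri=None, status=400):
    """Server side: (status, headers, body) for an error response.

    status stays 400 unless the error is invalid_client and the client used an
    HTTP Authorization header; the caller then passes 401 and must also add the
    matching WWW-Authenticate header (not modelled here).
    """
    if error not in TOKEN_ERROR_CODES:
        raise ValueError(f"not a token endpoint error code: {error!r}")
    body = {"error": error}
    if error_description is not None:
        body["error_description"] = error_description
    if error_uri is not None:
        body["error_uri"] = error_uri
    headers = {"Content-Type": JSON_CONTENT_TYPE, **NO_CACHE_HEADERS}
    return status, headers, json.dumps(body)


def headers_prevent_caching(headers):
    """Check that a response carrying tokens has the mandatory cache headers."""
    lowered = {k.lower(): v.strip().lower() for k, v in headers.items()}
    directives = {d.strip() for d in lowered.get("cache-control", "").split(",")}
    return "no-store" in directives and lowered.get("pragma") == "no-cache"


class TokenError(Exception):
    """Raised by the client when the server returned a well-formed error response."""

    def __init__(self, error, description=None, uri=None):
        super().__init__(f"{error}: {description or 'no description'}")
        self.error, self.description, self.uri = error, description, uri


@dataclass
class TokenResponse:
    access_token: str
    token_type: str
    expires_in: Optional[int] = None
    refresh_token: Optional[str] = None
    scope: Optional[str] = None
    extra: dict = field(default_factory=dict)  # unrecognized parameters, kept but unused

    def is_bearer(self):
        return self.token_type.lower() == "bearer"  # token_type is case insensitive


def parse_token_response(status, headers, body):
    """Client side: validate a token endpoint response. Returns a TokenResponse,
    raises TokenError for an error response and ValueError for a malformed one."""
    ctype = {k.lower(): v for k, v in headers.items()}.get("content-type", "")
    if not ctype.lower().startswith("application/json"):
        raise ValueError(f"unexpected media type {ctype!r}")
    data = json.loads(body)
    if not isinstance(data, dict):
        raise ValueError("top-level JSON value must be an object")
    if status != 200 or "error" in data:
        error = data.get("error")
        if not isinstance(error, str) or not error.isascii():
            raise ValueError(f"malformed error response (HTTP {status})")
        raise TokenError(error, data.get("error_description"), data.get("error_uri"))
    for name in ("access_token", "token_type"):
        if not isinstance(data.get(name), str):
            raise ValueError(f"missing or non-string required parameter {name!r}")
    expires_in = data.get("expires_in")
    # Only a JSON number is acceptable; bool is an int subclass in Python, so exclude it.
    if expires_in is not None and (isinstance(expires_in, bool)
                                   or not isinstance(expires_in, (int, float))
                                   or expires_in < 0):
        raise ValueError("expires_in must be a non-negative JSON number")
    for name in ("refresh_token", "scope"):
        if name in data and not isinstance(data[name], str):
            raise ValueError(f"{name!r} must be a JSON string")
    return TokenResponse(
        access_token=data["access_token"], token_type=data["token_type"],
        expires_in=expires_in, refresh_token=data.get("refresh_token"),
        scope=data.get("scope"),
        extra={k: v for k, v in data.items() if k not in KNOWN_PARAMS},
    )
```

headers_prevent_caching is the check to run against a real authorization server during a review: a token response that lacks no-store can end up in a proxy or browser cache. The parser deliberately keeps unknown parameters in `extra` rather than failing, which is what the "must ignore unrecognized parameters" rule requires, while still refusing a quoted expires_in, a non-object body or a missing token_type.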