4.3 Obtain an Access Token

The following example shows a request from the broker client to the AD FS server for an access token (section 3.2.5.1.3.1) using the obtained primary refresh token (section 4.2) and the response from the AD FS server that contains the access token (section 3.2.5.1.3.2).

Request:

 POST https://server.example.com/adfs/oauth2/token/ HTTP/1.1
 {
  Content-Type=application/x-www-form-urlencoded,
  Host=server.example.com,
  Content-Length=4630,
  Expect=[100-continue]
 }
 grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer
 &request=eyJhbGciOiJIUz...

As described in section 3.2.5.1.3.1, the content of the request parameter above is a signed JWT. An example of the raw JWT with header is given below.

 {
   "alg":"HS256",
   "ctx":"alusEDoF8fY+3p3EPnLFzBjl2DUty0Ov"
 }
 {
   "client_id":"s6BhdRkqt3",
   "scope":"aza openid",
   "resource":"https://resource_server1",
   "iat":1443739462,
   "exp":1443743062,
   "grant_type":"refresh_token",
   "refresh_token":"rghyF1xMq2YQTbE..."
 }
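As an added worked example (not part of this specification and not broker-client or AD FS code), the following Python builds the request JWT shown above from the primary refresh token and shows the checks the receiving side performs before honouring the grant. It assumes the HS256 key is a symmetric key the broker client and AD FS share for the session (its derivation is defined elsewhere in the specification and not reproduced here) and that the header's ctx value is the handle the server uses to look that key up; the key and token values are constructed.

```python
import base64
import hashlib
import hmac
import json
import urllib.parse

JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def build_request_jwt(key: bytes, ctx: str, client_id: str, resource: str,
                      refresh_token: str, iat: int, lifetime: int = 3600) -> str:
    """Broker side: HS256-sign the claims from section 4.3 with the shared key (assumed)."""
    header = {"alg": "HS256", "ctx": ctx}
    claims = {"client_id": client_id, "scope": "aza openid", "resource": resource,
              "iat": iat, "exp": iat + lifetime, "grant_type": "refresh_token",
              "refresh_token": refresh_token}
    compact = lambda obj: b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{compact(header)}.{compact(claims)}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(sig)}"

def form_body(request_jwt: str) -> str:
    """The x-www-form-urlencoded body carried by the POST to /adfs/oauth2/token/."""
    return f"grant_type={urllib.parse.quote(JWT_BEARER, safe='')}&request={request_jwt}"

def verify_request_jwt(token: str, key_for_ctx, now: int) -> dict:
    """Server side: resolve the key by ctx, check the MAC, then check the claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    header = json.loads(b64url_decode(parts[0]))
    if header.get("alg") != "HS256":      # pin the algorithm; do not trust alg from the token
        raise ValueError("unexpected alg")
    key = key_for_ctx(header.get("ctx"))  # unknown ctx -> no key -> reject
    if key is None:
        raise ValueError("unknown ctx")
    expected = hmac.new(key, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(parts[2])):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(parts[1]))
    if claims.get("grant_type") != "refresh_token":
        raise ValueError("not a refresh_token grant")
    if not claims["iat"] <= now < claims["exp"]:
        raise ValueError("token not valid at this time")
    return claims
```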

Response:

 HTTP/1.1 200 OK
 {
  Content-Length=8739,
  Content-Type=application/json;charset=UTF-8
 }
 eyJhbGciOiJka...

As described in section 3.2.5.1.3.2, the content of the response above is an encrypted JWT. An example of the decrypted JWT with header is given below.

 {
   "alg":"dir",
   "enc":"A256GCM",
   "ctx":"alusEDoF8fY+3p3EPnLFzBjl2DUty0Ov",
   "kid":"session"
 }
 {
   "access_token":"eyJ0eXAiOiJKV1QiL...",
   "token_type":"bearer",
   "expires_in":3600,
   "refresh_token":"xWsRetnGYw6T...",
   "refresh_token_expires_in":604800,
   "scope":"profile",
   "id_token":"eyJ0eXAiOiJKV1..."
 }