/oauth/token
OAuth 2.0 token endpoint. Supports four grant types: authorization_code, refresh_token, client_credentials and urn:ietf:params:oauth:grant-type:device_code. Supports private_key_jwt client authentication and DPoP. Returns flat JSON (no code/message envelope). References: RFC 6749 §4.1.3 (Authorization Code Grant), §4.3 (Resource Owner Password), §4.4 (Client Credentials), RFC 6749 §5.1-5.2, RFC 7636 (PKCE), RFC 8628 §3.4 (Device Code).
Request Parameters
| Name | In | Type | Required | Default | Example | Constraints | Description |
|---|---|---|---|---|---|---|---|
| grant_type | formData | string | Yes | | | | Grant type (authorization_code / refresh_token / client_credentials / urn:ietf:params:oauth:grant-type:device_code) |
| code | formData | string | No | | | | Authorization code (required for authorization_code) |
| redirect_uri | formData | string | No | | | | Redirect URI (required for authorization_code) |
| client_id | formData | string | No | | | | Client ID |
| client_secret | formData | string | No | | | | Client secret |
| refresh_token | formData | string | No | | | | Refresh token (required for refresh_token) |
| code_verifier | formData | string | No | | | | PKCE code verifier (required for public clients) |
| device_code | formData | string | No | | | | Device code (required for device_code) |
| client_assertion_type | formData | string | No | | | | Client assertion type (private_key_jwt) |
| client_assertion | formData | string | No | | | | Client assertion JWT (private_key_jwt) |
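Added example, not part of this API documentation or the project's code: the server-side PKCE S256 verification this endpoint must perform on code_verifier for public clients (RFC 7636 §4.6), plus a request builder that enforces the per-grant required parameters from the table above. The REQUIRED map and the function names are assumptions derived from the table; the sample verifier/challenge pair is the one from RFC 7636 Appendix B.

```python
import base64
import hashlib
import hmac
import re
import urllib.parse

# Assumption derived from the parameter table: which fields are required per grant type.
REQUIRED = {
    "authorization_code": ("code", "redirect_uri"),
    "refresh_token": ("refresh_token",),
    "client_credentials": (),
    "urn:ietf:params:oauth:grant-type:device_code": ("device_code",),
}
# RFC 7636 §4.1: code_verifier is 43..128 unreserved characters.
VERIFIER_RE = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")


def s256_challenge(code_verifier: str) -> str:
    """BASE64URL(SHA256(code_verifier)) without padding, per RFC 7636 §4.2."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def verify_pkce(code_verifier: str, stored_challenge: str, method: str = "S256") -> bool:
    """Check the token endpoint runs before exchanging the code (RFC 7636 §4.6).
    stored_challenge is whatever the authorization endpoint saved with the code."""
    if not VERIFIER_RE.match(code_verifier or ""):
        return False  # malformed verifier: reject before hashing
    if method == "S256":
        expected = s256_challenge(code_verifier)
    elif method == "plain":
        expected = code_verifier
    else:
        return False  # unknown transform method
    # Constant-time compare so timing leaks nothing about the stored challenge.
    return hmac.compare_digest(expected, stored_challenge)


def build_token_request(grant_type: str, **params: str) -> str:
    """Return the x-www-form-urlencoded body for /oauth/token, raising with the
    RFC 6749 §5.2 error code a client would otherwise get back from the server."""
    if grant_type not in REQUIRED:
        raise ValueError("unsupported_grant_type")
    missing = [p for p in REQUIRED[grant_type] if not params.get(p)]
    if missing:
        raise ValueError("invalid_request: missing " + ", ".join(missing))
    body = {"grant_type": grant_type, **{k: v for k, v in params.items() if v}}
    return urllib.parse.urlencode(body)
```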
Responses
| Status | Description | Schema |
|---|---|---|
| 200 | Token response (includes access_token, refresh_token, id_token, etc.) | dto.OAuthTokenResponse |
| 400 | unsupported_grant_type: unsupported grant type. Reference: RFC 6749 §5.2. | dto.OAuthErrorResponse |
| 401 | invalid_client: client authentication failed. Reference: RFC 6749 §5.2. | dto.OAuthErrorResponse |
| 429 | rate_limit_exceeded: too many requests, retry later | dto.OAuthErrorResponse |
| 500 | server_error: internal error in the authorization server. Reference: RFC 6749 §5.2. | dto.OAuthErrorResponse |
Referenced Schemas
dto.AuthorizationDetailDTO
| Field | Type | Required | Example | Constraints | Description |
|---|---|---|---|---|---|
| actions | array of string | No | ["list_accounts", "read_balances"] | | Actions |
| constraints | object | No | | | Extended constraints |
| data_types | array of string | No | ["account_details", "balances"] | | Data types |
| identifier | string | No | account-12345 | | Identifier |
| locations | array of string | No | ["https://example.com/accounts"] | | Locations |
| type | string | No | account_information | | Authorization type |
dto.OAuthErrorResponse
OAuth standard error response
| Field | Type | Required | Example | Constraints | Description |
|---|---|---|---|---|---|
| error | string | No | invalid_request | | Error code |
| error_description | string | No | Missing required parameter | | Error description |
| error_uri | string | No | https://docs.example.com/errors | | Error URI |
| state | string | No | state-123 | | State |
dto.OAuthTokenResponse
OAuth token response
| Field | Type | Required | Example | Constraints | Description |
|---|---|---|---|---|---|
| access_token | string | No | eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9... | | Access token |
| authorization_details | array of | No | | | RAR authorization details |
| expires_in | integer | No | 3600 | | Lifetime in seconds |
| id_token | string | No | eyJhbGci... | | OIDC ID token |
| refresh_token | string | No | rt_abc123 | | Refresh token |
| scope | string | No | openid profile email | | Scope |
| token_type | string | No | Bearer | | Token type |