The token endpoint URL (RFC 6749#section-3.2) is normally obtained from the initial unauthenticated call described in the Bootstrap OAuth2 topic.
If the token endpoint URL cannot be determined before the end user has completed the sign-in process, an alternative token endpoint URL may be supplied.
This is done via a tk= URL parameter appended to the value of the Location header from the 302 Found response at the end of the sign-in flow.
Important
The tk= parameter name is case-sensitive and its contents must be URL encoded.
For example, to return the following information:
Information | Value |
---|---|
Redirection URI | https://localhost |
Authorization code (RFC 6749#section-4.1.2) | "abcdefg" |
Token endpoint URL | https://contoso.com/api/token/?extra=stuff |
The Location header in the 302 Found response would be:
Location: https://localhost?code=abcdefg&tk=https%3A%2F%2Fcontoso.com%2Fapi%2Ftoken%2F%3Fextra%3Dstuff
As a result, all calls to the token endpoint to obtain an access token via authorization-code exchange (or refresh flows using the refresh token) will go to this URL instead of the one initially returned as described in the Bootstrap OAuth2 topic.
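The following sketch is an added example, not code from the original page or the product: it builds the Location value shown above and, on the client side, selects the token endpoint from it. The function names, the fallback argument, and the rejection of non-https or duplicate tk values are assumptions made for this example, not requirements stated by the page.

```python
from urllib.parse import urlsplit, parse_qs, quote


def build_location(redirect_uri, code, token_endpoint=None):
    """Server side: value of the Location header in the 302 Found response."""
    query = "code=" + quote(code, safe="")
    if token_endpoint is not None:
        # The contents of tk= must be URL encoded; safe="" also encodes
        # ':', '/', '?' and '=' so the embedded URL cannot split the query.
        query += "&tk=" + quote(token_endpoint, safe="")
    separator = "&" if urlsplit(redirect_uri).query else "?"
    return redirect_uri + separator + query


def parse_location(location, bootstrap_token_endpoint):
    """Client side: return (authorization_code, token_endpoint_to_use)."""
    params = parse_qs(urlsplit(location).query, keep_blank_values=True)

    codes = params.get("code", [])
    if len(codes) != 1:
        raise ValueError("expected exactly one code parameter")

    # The parameter name is case-sensitive: only "tk" overrides the endpoint.
    # "TK" or "Tk" are different parameters and are ignored here.
    overrides = params.get("tk", [])
    if not overrides:
        return codes[0], bootstrap_token_endpoint
    if len(overrides) != 1:
        # Assumption for this example: refuse an ambiguous redirect.
        raise ValueError("more than one tk parameter")

    endpoint = overrides[0]  # parse_qs has already percent-decoded the value
    parts = urlsplit(endpoint)
    # Assumption for this example: the authorization code and refresh token
    # are only ever sent to an absolute https URL.
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("tk is not an absolute https URL")
    return codes[0], endpoint
```

Whatever endpoint this returns is the one that later receives the authorization code and the refresh token, so a client may want to log the override and compare its host against the hosts it expects.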