Skip to main content

Exchange an OAuth Token

POST 

/sts/v1/oauth2/token

General Availability

Use this operation to exchange an access token (JWT) issued by an external identity provider for an access token (JWT) issued by Confluent.This enables the use of external identities to access Confluent Cloud APIs.

Request

Responses

access token used to access public control plane api

OpenAPI definition (YAML)
paths:
  /sts/v1/oauth2/token:
    post:
      description: '[![General Availability](https://img.shields.io/badge/Lifecycle%20Stage-General%20Availability-%2345c6e8)](#section/Versioning/API-Lifecycle-Policy)


        Use this operation to exchange an access token (JWT) issued by an external identity provider for

        an access token (JWT) issued by Confluent.This enables the use of external identities

        to access Confluent Cloud APIs.

        '
      requestBody:
        content:
          application/x-www-form-urlencoded:
            schema:
              allOf:
              - type: object
                description: token exchange request parameters
                properties:
                  api_version:
                    type: string
                    enum:
                    - sts/v1
                    description: APIVersion defines the schema version of this representation of a resource.
                    readOnly: true
                  kind:
                    type: string
                    description: Kind defines the object this REST resource represents.
                    readOnly: true
                    enum:
                    - TokenExchangeRequest
                  id:
                    description: ID is the "natural identifier" for an object within its scope/namespace;
                      it is normally unique across time but not space. That is, you can assume that the
                      ID will not be reclaimed and reused after an object is deleted ("time"); however,
                      it may collide with IDs for other object `kinds` or objects of the same `kind` within
                      a different scope/namespace ("space").
                    type: string
                    maxLength: 255
                    readOnly: true
                    example: dlz-f3a90de
                  metadata:
                    allOf:
                    - description: ObjectMeta is metadata that all persisted resources must have, which
                        includes all objects users must create.
                      required:
                      - self
                      properties:
                        self:
                          description: Self is a Uniform Resource Locator (URL) at which an object can
                            be addressed. This URL encodes the service location, API version, and other
                            particulars necessary to locate the resource at a point in time
                          type: string
                          format: uri
                          readOnly: true
                          example: https://api.confluent.cloud/v2/kafka-clusters/lkc-f3a90de
                        resource_name:
                          description: Resource Name is a Uniform Resource Identifier (URI) that is globally
                            unique across space and time. It is represented as a Confluent Resource Name
                          type: string
                          format: uri
                          readOnly: true
                          example: crn://confluent.cloud/kafka=lkc-f3a90de
                        created_at:
                          type: string
                          format: date-time
                          example: '2006-01-02T15:04:05-07:00'
                          readOnly: true
                          description: The date and time at which this object was created. It is represented
                            in RFC3339 format and is in UTC.
                        updated_at:
                          type: string
                          format: date-time
                          example: '2006-01-02T15:04:05-07:00'
                          readOnly: true
                          description: The date and time at which this object was last updated. It is
                            represented in RFC3339 format and is in UTC.
                        deleted_at:
                          type: string
                          format: date-time
                          example: '2006-01-02T15:04:05-07:00'
                          readOnly: true
                          description: The date and time at which this object was (or will be) deleted.
                            It is represented in RFC3339 format and is in UTC.
                      readOnly: true
                      title: ObjectMeta
                    - properties:
                        self:
                          example: https://api.confluent.cloud/sts/v1/token-exchange-requests/ter-12345
                        resource_name:
                          example: crn://confluent.cloud/organization=9bb441c4-edef-46ac-8a41-c49e44a3fd9a/token-exchange-request=ter-12345
                  grant_type:
                    type: string
                    description: 'The grant type. Must be urn:ietf:params:oauth:grant-type:token-exchange,
                      which indicates a token exchange.

                      '
                    example: urn:ietf:params:oauth:grant-type:token-exchange
                    enum:
                    - urn:ietf:params:oauth:grant-type:token-exchange
                  subject_token:
                    type: string
                    description: Confluent Cloud only accepts JSON Web Token (JWT) access tokens from
                      customer identity provider
                    example: test_jwt_token
                  identity_pool_id:
                    type: string
                    description: 'Identity pool is a group of external identities that are assigned a
                      certain level of access based on policy

                      '
                    example: pool_1
                  subject_token_type:
                    type: string
                    description: 'An identifier for the type of requested security token. Supported values

                      is urn:ietf:params:oauth:token-type:jwt.

                      '
                    example: urn:ietf:params:oauth:token-type:jwt
                    enum:
                    - urn:ietf:params:oauth:token-type:jwt
                  requested_token_type:
                    type: string
                    description: 'An identifier for the type of requested security token.

                      Supported values is urn:ietf:params:oauth:token-type:access_token.

                      '
                    example: urn:ietf:params:oauth:token-type:access_token
                    enum:
                    - urn:ietf:params:oauth:token-type:access_token
                  expires_in:
                    type: integer
                    format: int32
                    description: 'The amount of time, in seconds, between the time when the access token
                      was issued

                      and the time when the access token will expire

                      '
                    default: 900
                    maximum: 900
                title: sts.v1.TokenExchangeRequest
              - type: object
                required:
                - subject_token
                - grant_type
                - identity_pool_id
                - subject_token_type
                - requested_token_type
      x-lifecycle-stage: General Availability
      x-self-access: true
      x-name: sts.v1.OauthToken
      operationId: exchangeStsV1OauthToken
      tags:
      - OAuth Tokens (sts/v1)
      responses:
        '200':
          description: 'access token used to access public control plane api

            '
          content:
            application/json:
              schema:
                type: object
                description: token exchange response
                required:
                - access_token
                - issued_token_type
                - token_type
                - expires_in
                properties:
                  access_token:
                    type: string
                    description: 'An JWT access token, issued by Confluent, in response to the token exchange
                      request.

                      Client application could use the access token to access confluent public api

                      '
                  issued_token_type:
                    type: string
                    description: The token type. Always matches the value of requested_token_type from
                      the request.
                    example: urn:ietf:params:oauth:token-type:access_token
                    enum:
                    - urn:ietf:params:oauth:token-type:access_token
                  token_type:
                    type: string
                    description: Indicates the token type value. The only type that Confluent supports
                      is Bearer
                    example: Bearer
                    enum:
                    - Bearer
                  expires_in:
                    type: integer
                    format: int32
                    description: The length of time, in seconds, that the access token is valid.
                    example: 3600
                title: sts.v1.TokenExchangeReply
        '400':
          description: Bad Request
          headers:
            X-Request-Id:
              schema:
                type: string
              description: The unique identifier for the API request.
          content:
            application/json:
              schema:
                type: object
                description: Provides information about problems encountered while performing an operation.
                required:
                - errors
                properties:
                  errors:
                    description: List of errors which caused this operation to fail
                    type: array
                    items:
                      type: object
                      description: Describes a particular error encountered while performing an operation.
                      properties:
                        id:
                          description: A unique identifier for this particular occurrence of the problem.
                          type: string
                          maxLength: 255
                        status:
                          description: The HTTP status code applicable to this problem, expressed as a
                            string value.
                          type: string
                        code:
                          description: An application-specific error code, expressed as a string value.
                          type: string
                        title:
                          description: A short, human-readable summary of the problem. It **SHOULD NOT**
                            change from occurrence to occurrence of the problem, except for purposes of
                            localization.
                          type: string
                        detail:
                          description: A human-readable explanation specific to this occurrence of the
                            problem.
                          type: string
                        source:
                          type: object
                          description: If this error was caused by a particular part of the API request,
                            the source will point to the query string parameter or request body property
                            that caused it.
                          properties:
                            pointer:
                              description: A JSON Pointer [RFC6901] to the associated entity in the request
                                document [e.g. "/spec" for a spec object, or "/spec/title" for a specific
                                field].
                              type: string
                            parameter:
                              description: A string indicating which query parameter caused the error.
                              type: string
                        error_code:
                          type: integer
                          format: int32
                        message:
                          type: string
                          nullable: true
                      additionalProperties: false
                      title: Error
                    uniqueItems: true
                title: Failure
              example:
                errors:
                - id: ed42afdc-f0d5-4c0d-b428-9fc6ed6e279d
                  status: '400'
                  code: invalid_filter
                  title: Invalid Filter
                  detail: The 'delorean' resource can't be filtered by 'num_doors'
                  source:
                    parameter: num_doors
        '429':
          description: Rate Limit Exceeded
          headers:
            X-Request-Id:
              schema:
                type: string
              description: The unique identifier for the API request.
            X-RateLimit-Limit:
              schema:
                type: integer
              description: The maximum number of requests you're permitted to make per time period.
            X-RateLimit-Remaining:
              schema:
                type: integer
              description: The number of requests remaining in the current rate limit window.
            X-RateLimit-Reset:
              schema:
                type: integer
              description: "The relative time in seconds until the current rate-limit window resets. \
                \ \n  \n**Important:** This differs from Github and Twitter's same-named header which\
                \ uses UTC epoch seconds. We use relative time to avoid client/server time synchronization\
                \ issues."
            Retry-After:
              schema:
                type: integer
              description: The number of seconds to wait until the rate limit window resets. Only sent
                when the rate limit is reached.
        '500':
          description: Oops, something went wrong!
          headers:
            X-Request-Id:
              schema:
                type: string
              description: The unique identifier for the API request.
          content:
            application/json:
              schema:
                type: object
                description: Provides information about problems encountered while performing an operation.
                required:
                - errors
                properties:
                  errors:
                    description: List of errors which caused this operation to fail
                    type: array
                    items:
                      type: object
                      description: Describes a particular error encountered while performing an operation.
                      properties:
                        id:
                          description: A unique identifier for this particular occurrence of the problem.
                          type: string
                          maxLength: 255
                        status:
                          description: The HTTP status code applicable to this problem, expressed as a
                            string value.
                          type: string
                        code:
                          description: An application-specific error code, expressed as a string value.
                          type: string
                        title:
                          description: A short, human-readable summary of the problem. It **SHOULD NOT**
                            change from occurrence to occurrence of the problem, except for purposes of
                            localization.
                          type: string
                        detail:
                          description: A human-readable explanation specific to this occurrence of the
                            problem.
                          type: string
                        source:
                          type: object
                          description: If this error was caused by a particular part of the API request,
                            the source will point to the query string parameter or request body property
                            that caused it.
                          properties:
                            pointer:
                              description: A JSON Pointer [RFC6901] to the associated entity in the request
                                document [e.g. "/spec" for a spec object, or "/spec/title" for a specific
                                field].
                              type: string
                            parameter:
                              description: A string indicating which query parameter caused the error.
                              type: string
                        error_code:
                          type: integer
                          format: int32
                        message:
                          type: string
                          nullable: true
                      additionalProperties: false
                      title: Error
                    uniqueItems: true
                title: Failure
              example:
                errors:
                - id: ed42afdc-f0d5-4c0d-b428-9fc6ed6e279d
                  status: '500'
                  code: out_of_gas
                  title: DeLorean Out Of Gas
                  detail: The DeLorean has run out of gas, but Doc Brown will fill 'er up for you asap
      servers:
      - url: https://api.confluent.cloud
        description: Confluent Cloud API