• Overview
    • The big Picture
    • Terminology
    • Supported Specifications
    • Packaging and Builds
    • Support and Issues
    • Demo Server
  • Fundamentals
    • Hosting
    • Resources
      • Identity Resources
      • API Scopes
      • API Resources
      • Resource Isolation
    • Clients
    • Users and Logging In
    • Claims
    • Key Management
    • License Key
  • Quickstarts
    • Overview
    • Protecting an API using Client Credentials
    • Interactive Applications with ASP.NET Core
    • ASP.NET Core and API access
    • Using EntityFramework Core for configuration and operational data
    • Building JavaScript client applications
      • JavaScript applications with a backend
      • JavaScript applications without a backend
    • Using ASP.NET Core Identity
  • User Interaction
    • Login
      • Authentication Session
      • Redirecting back to the client
      • Login Context
      • Accepting Local Credentials
      • Integrating with External Providers
      • Dynamic Providers
      • Windows Authentication
    • Logout
      • Logout Context
      • Ending the Session
      • Client Notifications
      • Returning to the Client
      • External Logout
      • External Logout Notification
    • Error
    • Consent
    • Custom Pages
    • Federation Gateway
  • Requesting Tokens
    • Overview
    • Requesting a Token
    • Refreshing a Token
    • Issuing Tokens based on User Passwords
    • Extension Grants
      • Token Exchange
    • Dynamic Request Validation and Customization
    • Issuing internal Tokens
    • Proof-of-Possession Access Tokens
    • Reference Tokens
    • Client Authentication
      • Overview
      • Shared Secrets
      • Private Key JWTs
      • TLS Client Certificates
    • Signed Authorize Requests
    • Calling Endpoints from JavaScript
  • Protecting APIs
    • Protecting APIs using ASP.NET Core
      • Using JWTs
      • Using Reference Tokens
      • Authorization based on Scopes and other Claims
      • Validating Proof-of-Possession
    • Adding API Endpoints to your IdentityServer
  • Data Stores and Persistence
    • Configuration Data
    • Operational Data
      • Grants
      • Keys
    • Entity Framework Integration
  • Diagnostics
    • Logging
    • Events
  • ASP.NET Identity Integration
  • BFF Security Framework
    • Overview
    • Architecture
    • Authentication & Session Management
      • ASP.NET Core Authentication System
      • Session Management Endpoints
      • Server-side Sessions
    • API Endpoints
      • Local APIs
      • Remote APIs
    • Token Management
    • Configuration Options
    • Extensibility
      • Management Endpoints
      • Session Management
      • Token Management
      • Reverse Proxy
  • Deployment
    • Proxy Servers and Load Balancers
    • ASP.NET Core Data Protection
    • IdentityServer Data Stores
    • Distributed Caching
  • Upgrading
    • Duende IdentityServer v5.1 to v5.2
    • Duende IdentityServer v5.0 to v5.1
    • IdentityServer4 v4.1 to Duende IdentityServer v5
    • IdentityServer4 v3.1 to Duende IdentityServer v5
  • Samples
    • Basics
    • User Interaction
    • ASP.NET Identity Integration
    • Windows Authentication
    • Backend for Frontend Pattern
    • Extension Grants and Token Exchange
    • Personal Access Tokens (PAT)
    • Miscellaneous
  • Reference
    • IdentityServer Options
    • DI Extension Methods
    • Endpoints
      • Discovery Endpoint
      • Authorize Endpoint
      • Token Endpoint
      • UserInfo Endpoint
      • Introspection Endpoint
      • Revocation Endpoint
      • End Session Endpoint
      • Device Authorization Endpoint
    • Models
      • Identity Resource
      • API Scope
      • API Resource
      • Client
      • Identity Provider
      • Grant Validation Result
      • Secrets
    • Services
      • Profile Service
      • Persisted Grant Service
      • Refresh Token Service
      • IdentityServer Interaction Service
      • Device Flow Interaction Service
    • Response Generators
      • Authorize Interaction Response Generator
    • Stores
      • Resource Store
      • Client Store
      • CORS Policy Service
      • Identity Provider Store
      • Persisted Grant Store
      • Device Flow Store
      • Signing Key Store
    • Validators
      • Extension Grant Validator
      • Custom Token Request Validator
Edit this page
Home > Requesting Tokens

Requesting Tokens

At its very heart, Duende IdentityServer is a so-called Security Token Service (STS).

    Overview

    Requesting a Token

    Refreshing a Token

    Issuing Tokens based on User Passwords

    Extension Grants

    Dynamic Request Validation and Customization

    Issuing internal Tokens

    Proof-of-Possession Access Tokens

    Reference Tokens

    Client Authentication

    Signed Authorize Requests

    Calling Endpoints from JavaScript