oauth2.dev

code id_token

OpenID_Foundation_Artifact_Binding_WG

Registry Context

Requests a composite authorization response containing an authorization code and an ID Token.

Technical Summary

A registered extension response_type consisting of the space-delimited values code and id_token. RFC 6749 defines the syntax and order-insensitive comparison of composite response types but leaves their meaning to the specification defining the extension.

When Used

Used in OpenID Connect Hybrid Flow when the authorization response is to contain both an authorization code and an ID Token.

Normative Requirements

Clients

MUST
3
  1. RFC 6749 - Section 3.1.1

    use code, token, or a registered extension value as the response_type value.

    Condition: when making an authorization request

    The value MUST be one of "code", "token", or a registered extension value.

  2. RFC 9700 - Section 2.1.1

    prevent authorization code injection attacks and misuse of authorization codes.

    Condition: when using a response type that returns an authorization code

    Clients MUST prevent authorization code injection attacks and misuse of authorization codes.

  3. RFC 9700 - Section 2.1.1

    make the PKCE challenge or OpenID Connect nonce transaction-specific and securely bind it to the client and user agent.

    Condition: when using PKCE or an OpenID Connect nonce to protect the authorization-code flow

    the PKCE challenge or OpenID Connect nonce MUST be transaction-specific and securely bound to the client and the user agent.

REQUIRED
1
  1. RFC 6749 - Section 3.1.1

    include the response_type parameter.

    Condition: when making an authorization request

    response_type REQUIRED.

SHOULD
1
  1. RFC 9700 - Section 2.1.1

    use a PKCE code challenge method that does not expose the verifier in the authorization request.

    Condition: when using PKCE

    clients SHOULD use PKCE code challenge methods that do not expose the PKCE verifier in the authorization request.

Authorization servers

MUST
5
  1. RFC 6749 - Section 3.1.1

    return an error response as described in Section 4.1.2.1.

    Condition: if response_type is missing or not understood

    the authorization server MUST return an error response as described in Section 4.1.2.1.

  2. RFC 9700 - Section 2.1.1

    support PKCE.

    Condition: when supporting authorization-code flows

    Authorization servers MUST support PKCE.

  3. RFC 9700 - Section 2.1.1

    enforce correct use of code_verifier at the token endpoint.

    Condition: if the authorization request contained a valid PKCE code_challenge

    the authorization server MUST enforce the correct usage of code_verifier at the token endpoint.

  4. RFC 9700 - Section 2.1.1

    reject a token request containing code_verifier unless code_challenge was present in the authorization request.

    Condition: when mitigating PKCE downgrade attacks

    Authorization servers MUST mitigate PKCE downgrade attacks.

  5. RFC 9700 - Section 2.1.1

    provide a way to detect its support for PKCE.

    Authorization servers MUST provide a way to detect their support for PKCE.

Response types

MUST
1
  1. RFC 6749 - Section 8.4

    conform to the response-type ABNF.

    Condition: when defining a response type for the authorization endpoint

    Response type names MUST conform to the response-type ABNF.

MAY
1
  1. RFC 6749 - Section 3.1.1

    contain a space-delimited (%x20) list of values.

    Condition: when composed of multiple response values

    Extension response types MAY contain a space-delimited (%x20) list of values.

confidential client

RECOMMENDED
1
  1. RFC 9700 - Section 2.1.1

    use PKCE.

    Condition: when using a response type that returns an authorization code

    For confidential clients, the use of PKCE is RECOMMENDED.

confidential OpenID Connect client

MAY
1
  1. RFC 9700 - Section 2.1.1

    use the nonce parameter and corresponding ID Token claim instead of PKCE.

    Condition: when applying the additional precautions described in RFC 9700 Section 4.5.3.2

    confidential OpenID Connect clients MAY use the nonce parameter and the respective Claim in the ID Token instead.

public client

MUST
1
  1. RFC 9700 - Section 2.1.1

    use PKCE.

    Condition: when using a response type that returns an authorization code

    Public clients MUST use PKCE.

Validation Guidance

error

Require response_type in authorization requests and accept code id_token only when the registered extension response type is supported.

info

Parse composite response types as space-delimited values. Treat different orderings of the same values as the same response type; only one ordering can be registered.

error

Verify that code and id_token each satisfy the RFC 6749 response-name character grammar.

error

Return an OAuth authorization error response when response_type is missing or code id_token is not understood.

error

For the authorization-code portion of the flow, verify appropriate protection against code injection and misuse, including PKCE requirements for public clients.

error

Verify that the authorization server supports PKCE, enforces code_verifier when code_challenge was supplied, prevents PKCE downgrade, and exposes a way to detect PKCE support.

Security Notes

RFC 9700 - Section 2.1.1

Because this response type returns an authorization code, the authorization-code security requirements in the OAuth 2.0 Security Best Current Practice apply. Public clients must use PKCE; confidential clients are recommended to use it, although confidential OpenID Connect clients may use a securely bound, transaction-specific nonce under the specified additional precautions.

Reference

OAuth 2.0 Multiple Response Type Encoding Practices

Details

Entry Id
code id_token
Name
code id_token
Change Controller
OpenID_Foundation_Artifact_Binding_WG
Reference
OAuth 2.0 Multiple Response Type Encoding Practices