code id_ token
Registry Context
Requests a composite authorization response containing an authorization code and an ID Token.
Technical Summary
A registered extension response_type consisting of the space-delimited values code and id_token. RFC 6749 defines the syntax and order-insensitive comparison of composite response types but leaves their meaning to the specification defining the extension.
When Used
Used in OpenID Connect Hybrid Flow when the authorization response is to contain both an authorization code and an ID Token.
Normative Requirements
Clients
RFC 6749 - Section 3.1.1
use code, token, or a registered extension value as the response_type value.
Condition: when making an authorization request
The value MUST be one of "code", "token", or a registered extension value.
RFC 9700 - Section 2.1.1
prevent authorization code injection attacks and misuse of authorization codes.
Condition: when using a response type that returns an authorization code
Clients MUST prevent authorization code injection attacks and misuse of authorization codes.
RFC 9700 - Section 2.1.1
make the PKCE challenge or OpenID Connect nonce transaction-specific and securely bind it to the client and user agent.
Condition: when using PKCE or an OpenID Connect nonce to protect the authorization-code flow
the PKCE challenge or OpenID Connect nonce MUST be transaction-specific and securely bound to the client and the user agent.
RFC 6749 - Section 3.1.1
include the response_type parameter.
Condition: when making an authorization request
response_type REQUIRED.
RFC 9700 - Section 2.1.1
use a PKCE code challenge method that does not expose the verifier in the authorization request.
Condition: when using PKCE
clients SHOULD use PKCE code challenge methods that do not expose the PKCE verifier in the authorization request.
Authorization servers
RFC 6749 - Section 3.1.1
return an error response as described in Section 4.1.2.1.
Condition: if response_type is missing or not understood
the authorization server MUST return an error response as described in Section 4.1.2.1.
RFC 9700 - Section 2.1.1
support PKCE.
Condition: when supporting authorization-code flows
Authorization servers MUST support PKCE.
RFC 9700 - Section 2.1.1
enforce correct use of code_verifier at the token endpoint.
Condition: if the authorization request contained a valid PKCE code_challenge
the authorization server MUST enforce the correct usage of code_verifier at the token endpoint.
RFC 9700 - Section 2.1.1
reject a token request containing code_verifier unless code_challenge was present in the authorization request.
Condition: when mitigating PKCE downgrade attacks
Authorization servers MUST mitigate PKCE downgrade attacks.
RFC 9700 - Section 2.1.1
provide a way to detect its support for PKCE.
Authorization servers MUST provide a way to detect their support for PKCE.
Response types
RFC 6749 - Section 8.4
conform to the response-type ABNF.
Condition: when defining a response type for the authorization endpoint
Response type names MUST conform to the response-type ABNF.
RFC 6749 - Section 3.1.1
contain a space-delimited (%x20) list of values.
Condition: when composed of multiple response values
Extension response types MAY contain a space-delimited (%x20) list of values.
confidential client
RFC 9700 - Section 2.1.1
use PKCE.
Condition: when using a response type that returns an authorization code
For confidential clients, the use of PKCE is RECOMMENDED.
confidential OpenID Connect client
RFC 9700 - Section 2.1.1
use the nonce parameter and corresponding ID Token claim instead of PKCE.
Condition: when applying the additional precautions described in RFC 9700 Section 4.5.3.2
confidential OpenID Connect clients MAY use the nonce parameter and the respective Claim in the ID Token instead.
public client
RFC 9700 - Section 2.1.1
use PKCE.
Condition: when using a response type that returns an authorization code
Public clients MUST use PKCE.
Validation Guidance
Require response_type in authorization requests and accept code id_token only when the registered extension response type is supported.
Parse composite response types as space-delimited values. Treat different orderings of the same values as the same response type; only one ordering can be registered.
Verify that code and id_token each satisfy the RFC 6749 response-name character grammar.
Return an OAuth authorization error response when response_type is missing or code id_token is not understood.
For the authorization-code portion of the flow, verify appropriate protection against code injection and misuse, including PKCE requirements for public clients.
Verify that the authorization server supports PKCE, enforces code_verifier when code_challenge was supplied, prevents PKCE downgrade, and exposes a way to detect PKCE support.
Security Notes
RFC 9700 - Section 2.1.1
Because this response type returns an authorization code, the authorization-code security requirements in the OAuth 2.0 Security Best Current Practice apply. Public clients must use PKCE; confidential clients are recommended to use it, although confidential OpenID Connect clients may use a securely bound, transaction-specific nonce under the specified additional precautions.
Reference
OAuth 2.0 Multiple Response Type Encoding Practices
Details
- Entry Id
code id_token - Name
code id_token - Change Controller
OpenID_Foundation_ Artifact_ Binding_ WG - Reference
OAuth 2.0 Multiple Response Type Encoding Practices