Use `code`, `token`, or a registered extension value as the `response_type` value..

Condition: When setting the authorization request's `response_type` parameter.

The value MUST be one of "code", "token", or a registered extension value.

Include the `response_type` authorization request parameter..

Condition: When making an authorization request using this response type.

response_type REQUIRED.

Use response types that issue access tokens in the authorization response..

Condition: Unless access-token injection is prevented and the identified token-leakage vectors are mitigated.

clients SHOULD NOT use the implicit grant (response type token) or other response types issuing access tokens in the authorization response

Use `code` or another response type that causes access tokens to be issued in the token response..

Condition: Instead of using a response type that issues an access token in the authorization response.

Clients SHOULD instead use the response type code

Be the same as the `response_type` value passed to the authorization endpoint..

Condition: If the authorization endpoint is used by the grant type and RFC 7591 `response_types` metadata is used.

the value of this parameter MUST be the same as the value of the "response_type" parameter

Return an authorization error response..

Condition: If the authorization request omits `response_type` or the response type is not understood.

the authorization server MUST return an error response as described in Section 4.1.2.1.

Conform to the `response-type` ABNF..

Condition: When defining or registering the response type.

Response type names MUST conform to the response-type ABNF.

Contain a space-delimited list of values whose order does not matter..

Condition: When defining a composite response type.

Extension response types MAY contain a space-delimited (%x20) list of values.