code token
Registry Context
`code token` is a composite authorization endpoint response type consisting of the values `code` and `token`. Composite response types are space-delimited, and their order is not significant.
Technical Summary
RFC 6749 permits registered extension response types to contain space-delimited values. It defines the response-type syntax and requires equivalent composite values to be compared without regard to ordering. The meaning of `code token` is defined by its extension specification, not by RFC 6749.
When Used
Used when an extension-defined authorization request asks for a response combining an authorization code with an access token. Current OAuth security guidance discourages response types that issue access tokens in the authorization response unless injection and leakage risks are mitigated.
Normative Requirements
Clients
RFC 6749 - Section 3.1.1
Set `response_type` to `code`, `token`, or a registered extension value..
Condition: When setting the authorization request's `response_type` parameter.
The value MUST be one of "code", "token", or a registered extension value.
RFC 6749 - Section 3.1.1
Include the `response_type` parameter in an authorization request..
Condition: When making an authorization endpoint request.
response_type REQUIRED.
RFC 9700 - Section 2.1.2
Use response types that issue access tokens in the authorization response..
Condition: Unless access-token injection is prevented and the identified token-leakage vectors are mitigated.
clients SHOULD NOT use the implicit grant or other response types issuing access tokens in the authorization response, unless access token injection is prevented and token leakage vectors are mitigated.
RFC 9700 - Section 2.1.2
Use response type `code` or another response type that causes access tokens to be issued in the token response..
Condition: Instead of using a response type that issues access tokens in the authorization response.
Clients SHOULD instead use the response type code or any other response type that causes the authorization server to issue access tokens in the token response.
Authorization servers
RFC 6749 - Section 3.1.1
Return an error response as described in RFC 6749 Section 4.1.2.1..
Condition: If an authorization request omits `response_type` or the response type is not understood.
the authorization server MUST return an error response as described in Section 4.1.2.1.
Response types
RFC 6749 - Section 8.4
Conform to the response-type ABNF..
Condition: When defining a new authorization endpoint response type.
Response type names MUST conform to the response-type ABNF.
RFC 6749 - Section 3.1.1
Contain a space-delimited list of values..
Condition: When defined as a composite response type.
Extension response types MAY contain a space-delimited (%x20) list of values.
Validation Guidance
Require `response_type` to be present in an authorization request.
Accept `code token` only when it is supported as a registered extension response type, rather than as a base response type defined by RFC 6749.
Parse `code token` as space-delimited response-name values and compare composite response types without regard to member ordering.
Return the RFC 6749 Section 4.1.2.1 error response when `response_type` is missing or `code token` is not understood.
Validate the response type against the ABNF `response-type = response-name *( SP response-name )`, where each response-name contains one or more underscores, digits, or letters.
Flag use of `code token` unless access-token injection is prevented and applicable access-token leakage vectors are mitigated.
Prefer an authorization-code-based response type that delivers access tokens from the token endpoint instead of `code token`.
Security Notes
RFC 9700 - Section 2.1.2
Response types such as `code token` that issue access tokens in the authorization response are vulnerable to access-token leakage and replay. RFC 9700 advises against their use unless injection and leakage risks are mitigated.
Reference
OAuth 2.0 Multiple Response Type Encoding Practices
Details
- Entry Id
code token- Name
code token- Change Controller
OpenID_Foundation_ Artifact_ Binding_ WG - Reference
OAuth 2.0 Multiple Response Type Encoding Practices