oauth2.dev

code token

OpenID_Foundation_Artifact_Binding_WG

Registry Context

`code token` is a composite authorization endpoint response type consisting of the values `code` and `token`. Composite response types are space-delimited, and their order is not significant.

Technical Summary

RFC 6749 permits registered extension response types to contain space-delimited values. It defines the response-type syntax and requires equivalent composite values to be compared without regard to ordering. The meaning of `code token` is defined by its extension specification, not by RFC 6749.

When Used

Used when an extension-defined authorization request asks for a response combining an authorization code with an access token. Current OAuth security guidance discourages response types that issue access tokens in the authorization response unless injection and leakage risks are mitigated.

Normative Requirements

Clients

MUST
1
  1. RFC 6749 - Section 3.1.1

    Set `response_type` to `code`, `token`, or a registered extension value..

    Condition: When setting the authorization request's `response_type` parameter.

    The value MUST be one of "code", "token", or a registered extension value.

REQUIRED
1
  1. RFC 6749 - Section 3.1.1

    Include the `response_type` parameter in an authorization request..

    Condition: When making an authorization endpoint request.

    response_type REQUIRED.

SHOULD NOT
1
  1. RFC 9700 - Section 2.1.2

    Use response types that issue access tokens in the authorization response..

    Condition: Unless access-token injection is prevented and the identified token-leakage vectors are mitigated.

    clients SHOULD NOT use the implicit grant or other response types issuing access tokens in the authorization response, unless access token injection is prevented and token leakage vectors are mitigated.

SHOULD
1
  1. RFC 9700 - Section 2.1.2

    Use response type `code` or another response type that causes access tokens to be issued in the token response..

    Condition: Instead of using a response type that issues access tokens in the authorization response.

    Clients SHOULD instead use the response type code or any other response type that causes the authorization server to issue access tokens in the token response.

Authorization servers

MUST
1
  1. RFC 6749 - Section 3.1.1

    Return an error response as described in RFC 6749 Section 4.1.2.1..

    Condition: If an authorization request omits `response_type` or the response type is not understood.

    the authorization server MUST return an error response as described in Section 4.1.2.1.

Response types

MUST
1
  1. RFC 6749 - Section 8.4

    Conform to the response-type ABNF..

    Condition: When defining a new authorization endpoint response type.

    Response type names MUST conform to the response-type ABNF.

MAY
1
  1. RFC 6749 - Section 3.1.1

    Contain a space-delimited list of values..

    Condition: When defined as a composite response type.

    Extension response types MAY contain a space-delimited (%x20) list of values.

Validation Guidance

error

Require `response_type` to be present in an authorization request.

error

Accept `code token` only when it is supported as a registered extension response type, rather than as a base response type defined by RFC 6749.

error

Parse `code token` as space-delimited response-name values and compare composite response types without regard to member ordering.

error

Return the RFC 6749 Section 4.1.2.1 error response when `response_type` is missing or `code token` is not understood.

error

Validate the response type against the ABNF `response-type = response-name *( SP response-name )`, where each response-name contains one or more underscores, digits, or letters.

warning

Flag use of `code token` unless access-token injection is prevented and applicable access-token leakage vectors are mitigated.

warning

Prefer an authorization-code-based response type that delivers access tokens from the token endpoint instead of `code token`.

Security Notes

RFC 9700 - Section 2.1.2

Response types such as `code token` that issue access tokens in the authorization response are vulnerable to access-token leakage and replay. RFC 9700 advises against their use unless injection and leakage risks are mitigated.

Reference

OAuth 2.0 Multiple Response Type Encoding Practices

Details

Entry Id
code token
Name
code token
Change Controller
OpenID_Foundation_Artifact_Binding_WG
Reference
OAuth 2.0 Multiple Response Type Encoding Practices