oauth2.dev

id_token

OpenID_Foundation_Artifact_Binding_WG

Registry Context

The id_token value is an extension authorization endpoint response type. RFC 6749 requires authorization requests to include response_type, requires its value to be code, token, or a registered extension value, and requires an error response when the value is not understood.

Technical Summary

The name id_token conforms to the RFC 6749 response-type ABNF. RFC 6749 does not define the response semantics of id_token; those are defined by its extension specification.

When Used

Used when an authorization request invokes an extension specification that defines the id_token response type.

Normative Requirements

Clients

MUST
1
  1. RFC 6749 - Section 3.1.1

    Use code, token, or a registered extension value as the response_type value..

    Condition: When setting response_type in an authorization request; id_token therefore has to be a registered extension value.

    The value MUST be one of "code", "token", or a registered extension value.

REQUIRED
1
  1. RFC 6749 - Section 3.1.1

    Include the response_type parameter in the authorization request..

    Condition: When sending an authorization request using the id_token response type.

    response_type REQUIRED.

Authorization servers

MUST
1
  1. RFC 6749 - Section 3.1.1

    Return an error response when the id_token response type is not understood..

    Condition: When an authorization request uses response_type=id_token and the authorization server does not understand it.

    the authorization server MUST return an error response as described in Section 4.1.2.1.

Extension specifications and registry submitters

MUST
1
  1. RFC 6749 - Section 8.4

    Ensure the id_token response type name conforms to the response-type ABNF..

    Condition: When defining and registering the response type.

    Response type names MUST conform to the response-type ABNF.

Validation Guidance

error

Verify that an authorization request using id_token includes the response_type parameter.

error

Verify that id_token is handled as a registered extension response_type value rather than as a response type defined by RFC 6749 itself.

error

Validate id_token against the RFC 6749 response-type ABNF: response-name = 1*response-char; response-char = "_" / DIGIT / ALPHA.

error

Return an OAuth authorization error response when response_type=id_token is not understood.

Reference

OAuth 2.0 Multiple Response Type Encoding Practices

Details

Entry Id
id_token
Name
id_token
Change Controller
OpenID_Foundation_Artifact_Binding_WG
Reference
OAuth 2.0 Multiple Response Type Encoding Practices