id_ token token
Registry Context
id_token token is a registered composite authorization endpoint response type requesting an ID Token and an access token. The order of its space-delimited components does not matter when comparing response types.
Technical Summary
This registered extension value consists of response names separated by SP. RFC 6749 requires response type names to conform to its response-type ABNF and defines space-delimited combinations as order-independent. RFC 9700 classifies response types that issue access tokens in authorization responses as vulnerable to token leakage and replay and advises clients not to use them unless those risks are mitigated.
When Used
Used in an authorization request to request an ID Token and an access token in the authorization response.
Normative Requirements
Clients
RFC 6749 - Section 3.1.1
include the response_type parameter.
Condition: when making an authorization request
response_type REQUIRED.
RFC 9700 - Section 2.1.2
use response types that issue access tokens in the authorization response.
Condition: unless access token injection is prevented and token leakage vectors are mitigated
clients SHOULD NOT use the implicit grant (response type token) or other response types issuing access tokens in the authorization response
RFC 9700 - Section 2.1.2
use response type code or another response type that causes access tokens to be issued in the token response.
Condition: instead of a response type that issues access tokens in the authorization response
Clients SHOULD instead use the response type code ... or any other response type that causes the authorization server to issue access tokens in the token response.
Authorization servers
RFC 6749 - Section 3.1.1
return an error response.
Condition: if the response_type parameter is missing or the response type is not understood
the authorization server MUST return an error response as described in Section 4.1.2.1.
Responses
RFC 6749 - Section 3.1.1
be code, token, or a registered extension value.
Condition: when used in an authorization request
The value MUST be one of "code", "token", or a registered extension value.
Response types
RFC 6749 - Section 8.4
conform to the response-type ABNF.
Condition: when defining a new authorization endpoint response type
Response type names MUST conform to the response-type ABNF.
RFC 6749 - Section 3.1.1
contain a space-delimited list of values.
Extension response types MAY contain a space-delimited (%x20) list of values.
Validation Guidance
Require the response_type parameter in authorization requests.
Accept id_token token only as a registered extension response_type value; reject a missing or unrecognized response type with an authorization error response.
Validate each response type name against the RFC 6749 response-type ABNF, which permits underscores, digits, and letters and separates component names with SP.
Compare composite response types as order-independent space-delimited lists, so id_token token and token id_token denote the same response type.
Warn clients that id_token token issues an access token in the authorization response and should not be used unless access token injection and leakage risks are mitigated.
Recommend an authorization-code-based response type or another response type that delivers access tokens from the token endpoint.
Security Notes
RFC 9700 - Section 2.1.2
Response types that issue access tokens in the authorization response are vulnerable to access token leakage and replay. Such tokens also cannot use a standardized sender-constraining method at issuance in the authorization response.
Reference
OAuth 2.0 Multiple Response Type Encoding Practices
Details
- Entry Id
id_token token - Name
id_token token - Change Controller
OpenID_Foundation_ Artifact_ Binding_ WG - Reference
OAuth 2.0 Multiple Response Type Encoding Practices