oauth2.dev

id_token token

OpenID_Foundation_Artifact_Binding_WG

Registry Context

id_token token is a registered composite authorization endpoint response type requesting an ID Token and an access token. The order of its space-delimited components does not matter when comparing response types.

Technical Summary

This registered extension value consists of response names separated by SP. RFC 6749 requires response type names to conform to its response-type ABNF and defines space-delimited combinations as order-independent. RFC 9700 classifies response types that issue access tokens in authorization responses as vulnerable to token leakage and replay and advises clients not to use them unless those risks are mitigated.

When Used

Used in an authorization request to request an ID Token and an access token in the authorization response.

Normative Requirements

Clients

REQUIRED
1
  1. RFC 6749 - Section 3.1.1

    include the response_type parameter.

    Condition: when making an authorization request

    response_type REQUIRED.

SHOULD NOT
1
  1. RFC 9700 - Section 2.1.2

    use response types that issue access tokens in the authorization response.

    Condition: unless access token injection is prevented and token leakage vectors are mitigated

    clients SHOULD NOT use the implicit grant (response type token) or other response types issuing access tokens in the authorization response

SHOULD
1
  1. RFC 9700 - Section 2.1.2

    use response type code or another response type that causes access tokens to be issued in the token response.

    Condition: instead of a response type that issues access tokens in the authorization response

    Clients SHOULD instead use the response type code ... or any other response type that causes the authorization server to issue access tokens in the token response.

Authorization servers

MUST
1
  1. RFC 6749 - Section 3.1.1

    return an error response.

    Condition: if the response_type parameter is missing or the response type is not understood

    the authorization server MUST return an error response as described in Section 4.1.2.1.

Responses

MUST
1
  1. RFC 6749 - Section 3.1.1

    be code, token, or a registered extension value.

    Condition: when used in an authorization request

    The value MUST be one of "code", "token", or a registered extension value.

Response types

MUST
1
  1. RFC 6749 - Section 8.4

    conform to the response-type ABNF.

    Condition: when defining a new authorization endpoint response type

    Response type names MUST conform to the response-type ABNF.

MAY
1
  1. RFC 6749 - Section 3.1.1

    contain a space-delimited list of values.

    Extension response types MAY contain a space-delimited (%x20) list of values.

Validation Guidance

error

Require the response_type parameter in authorization requests.

error

Accept id_token token only as a registered extension response_type value; reject a missing or unrecognized response type with an authorization error response.

error

Validate each response type name against the RFC 6749 response-type ABNF, which permits underscores, digits, and letters and separates component names with SP.

error

Compare composite response types as order-independent space-delimited lists, so id_token token and token id_token denote the same response type.

warning

Warn clients that id_token token issues an access token in the authorization response and should not be used unless access token injection and leakage risks are mitigated.

warning

Recommend an authorization-code-based response type or another response type that delivers access tokens from the token endpoint.

Security Notes

RFC 9700 - Section 2.1.2

Response types that issue access tokens in the authorization response are vulnerable to access token leakage and replay. Such tokens also cannot use a standardized sender-constraining method at issuance in the authorization response.

Reference

OAuth 2.0 Multiple Response Type Encoding Practices

Details

Entry Id
id_token token
Name
id_token token
Change Controller
OpenID_Foundation_Artifact_Binding_WG
Reference
OAuth 2.0 Multiple Response Type Encoding Practices