oauth2.dev

grant_types_supported

IESG

Registry Context

`grant_types_supported` is optional authorization server metadata listing supported OAuth 2.0 grant types. If omitted, its RFC 8414 default is `authorization_code` and `implicit`.

Technical Summary

The member is a JSON array whose values follow the grant type strings used by the RFC 7591 `grant_types` client metadata parameter. RFC 8414 defines the omission default as `["authorization_code", "implicit"]`.

When Used

Published in OAuth authorization server metadata to advertise the grant types supported by the authorization server.

Normative Requirements

Clients

SHOULD NOT
1
  1. RFC 9700 - Section 2.1.2

    Use the implicit grant or another response type that issues access tokens in the authorization response..

    Condition: Unless access-token injection is prevented and the identified token-leakage vectors are mitigated.

    clients SHOULD NOT use the implicit grant (response type token) or other response types issuing access tokens in the authorization response

SHOULD
1
  1. RFC 9700 - Section 2.1.2

    Use the `code` response type or another response type that causes access tokens to be issued in the token response instead of the implicit grant..

    Clients SHOULD instead use the response type code (i.e., authorization code grant type)

Authorization servers

MUST
1
  1. RFC 8414 - Section 3.2

    Omit `grant_types_supported` when it would contain zero elements..

    Condition: When the metadata claim has zero values.

    Claims with zero elements MUST be omitted from the response.

OPTIONAL
1
  1. RFC 8414 - Section 2

    Include `grant_types_supported` as a JSON array containing the OAuth 2.0 grant type values the authorization server supports..

    OPTIONAL. JSON array containing a list of the OAuth 2.0 grant type values that this authorization server supports.

Unspecified actor

MUST
1
  1. RFC 7591 - Section 2

    Use the same value as the `grant_type` parameter passed to the token endpoint..

    Condition: When the token endpoint is used by the grant type.

    the value of this parameter MUST be the same as the value of the "grant_type" parameter passed to the token endpoint

Validation Guidance

error

If `grant_types_supported` is present, verify that it is a JSON array of OAuth 2.0 grant type strings supported by the authorization server.

error

Reject `grant_types_supported: []`; a claim with zero elements must be omitted.

error

For grant types that use the token endpoint, verify that each advertised value matches the corresponding `grant_type` parameter value.

info

If `grant_types_supported` is omitted, interpret it using the RFC 8414 default `["authorization_code", "implicit"]`.

warning

When `implicit` is advertised, warn clients that current OAuth security guidance recommends against using it unless access-token injection and leakage risks are mitigated, and recommends code-based flows instead.

Security Notes

RFC 9700 - Section 2.1.2

The RFC 8414 omission default includes `implicit`, but RFC 9700 recommends that clients not use the implicit grant unless access-token injection and leakage risks are mitigated.

Reference

Details

Entry Id
grant_types_supported
Metadata Name
grant_types_supported
Metadata Description
JSON array containing a list of the OAuth 2.0 grant type values that this authorization server supports
Change Controller
IESG
Reference
RFC8414 - Section 2