grant_ types_ supported
Registry Context
`grant_types_supported` is optional authorization server metadata listing supported OAuth 2.0 grant types. If omitted, its RFC 8414 default is `authorization_code` and `implicit`.
Technical Summary
The member is a JSON array whose values follow the grant type strings used by the RFC 7591 `grant_types` client metadata parameter. RFC 8414 defines the omission default as `["authorization_code", "implicit"]`.
When Used
Published in OAuth authorization server metadata to advertise the grant types supported by the authorization server.
Normative Requirements
Clients
RFC 9700 - Section 2.1.2
Use the implicit grant or another response type that issues access tokens in the authorization response..
Condition: Unless access-token injection is prevented and the identified token-leakage vectors are mitigated.
clients SHOULD NOT use the implicit grant (response type token) or other response types issuing access tokens in the authorization response
RFC 9700 - Section 2.1.2
Use the `code` response type or another response type that causes access tokens to be issued in the token response instead of the implicit grant..
Clients SHOULD instead use the response type code (i.e., authorization code grant type)
Authorization servers
RFC 8414 - Section 3.2
Omit `grant_types_supported` when it would contain zero elements..
Condition: When the metadata claim has zero values.
Claims with zero elements MUST be omitted from the response.
RFC 8414 - Section 2
Include `grant_types_supported` as a JSON array containing the OAuth 2.0 grant type values the authorization server supports..
OPTIONAL. JSON array containing a list of the OAuth 2.0 grant type values that this authorization server supports.
Unspecified actor
RFC 7591 - Section 2
Use the same value as the `grant_type` parameter passed to the token endpoint..
Condition: When the token endpoint is used by the grant type.
the value of this parameter MUST be the same as the value of the "grant_type" parameter passed to the token endpoint
Validation Guidance
If `grant_types_supported` is present, verify that it is a JSON array of OAuth 2.0 grant type strings supported by the authorization server.
Reject `grant_types_supported: []`; a claim with zero elements must be omitted.
For grant types that use the token endpoint, verify that each advertised value matches the corresponding `grant_type` parameter value.
If `grant_types_supported` is omitted, interpret it using the RFC 8414 default `["authorization_code", "implicit"]`.
When `implicit` is advertised, warn clients that current OAuth security guidance recommends against using it unless access-token injection and leakage risks are mitigated, and recommends code-based flows instead.
Security Notes
RFC 9700 - Section 2.1.2
The RFC 8414 omission default includes `implicit`, but RFC 9700 recommends that clients not use the implicit grant unless access-token injection and leakage risks are mitigated.
Reference
Details
- Entry Id
grant_types_ supported - Metadata Name
grant_types_ supported - Metadata Description
JSON array containing a list of the OAuth 2.0 grant type values that this authorization server supports- Change Controller
IESG- Reference
RFC8414 - Section 2