response_ modes_ supported
Registry Context
An authorization server metadata field that advertises the OAuth 2.0 response modes supported by the server. When omitted, its default value is ["query", "fragment"].
Technical Summary
An optional authorization server metadata member defined by RFC 8414 Section 2. Its value is a JSON array of supported OAuth 2.0 response_mode values. The omission default is ["query", "fragment"].
When Used
Used in authorization server metadata to advertise the response modes supported by the authorization server.
Normative Requirements
Authorization servers
RFC 8414 - Section 2
include response_modes_supported as a JSON array listing the OAuth 2.0 response_mode values it supports.
Condition: when publishing authorization server metadata
response_modes_supported OPTIONAL. JSON array containing a list of the OAuth 2.0 "response_mode" values that this authorization server supports
Validation Guidance
Verify that response_modes_supported, when present, is a JSON array rather than a string or object.
Verify that each array element identifies an OAuth 2.0 response_mode supported by the authorization server.
When response_modes_supported is omitted, interpret its value as ["query", "fragment"].
Security Notes
RFC 9700 - Section 4.1.2
RFC 9700 describes an access-token leakage attack affecting implicit grants and other grants that use response_mode=fragment. The RFC 8414 omission default does not imply that fragment mode is suitable for every flow.
Reference
Details
- Entry Id
response_modes_ supported - Metadata Name
response_modes_ supported - Metadata Description
JSON array containing a list of the OAuth 2.0 "response_mode" values that this authorization server supports - Change Controller
IESG- Reference
RFC8414 - Section 2