oauth2.dev

response_modes_supported

IESG

Registry Context

An authorization server metadata field that advertises the OAuth 2.0 response modes supported by the server. When omitted, its default value is ["query", "fragment"].

Technical Summary

An optional authorization server metadata member defined by RFC 8414 Section 2. Its value is a JSON array of supported OAuth 2.0 response_mode values. The omission default is ["query", "fragment"].

When Used

Used in authorization server metadata to advertise the response modes supported by the authorization server.

Normative Requirements

Authorization servers

OPTIONAL
1
  1. RFC 8414 - Section 2

    include response_modes_supported as a JSON array listing the OAuth 2.0 response_mode values it supports.

    Condition: when publishing authorization server metadata

    response_modes_supported OPTIONAL. JSON array containing a list of the OAuth 2.0 "response_mode" values that this authorization server supports

Validation Guidance

error

Verify that response_modes_supported, when present, is a JSON array rather than a string or object.

warning

Verify that each array element identifies an OAuth 2.0 response_mode supported by the authorization server.

error

When response_modes_supported is omitted, interpret its value as ["query", "fragment"].

Security Notes

RFC 9700 - Section 4.1.2

RFC 9700 describes an access-token leakage attack affecting implicit grants and other grants that use response_mode=fragment. The RFC 8414 omission default does not imply that fragment mode is suitable for every flow.

Reference

Details

Entry Id
response_modes_supported
Metadata Name
response_modes_supported
Metadata Description
JSON array containing a list of the OAuth 2.0 "response_mode" values that this authorization server supports
Change Controller
IESG
Reference
RFC8414 - Section 2