oauth2.dev

response_types_supported

IESG

Registry Context

This field lists the OAuth 2.0 response types supported by the authorization server.

Technical Summary

Required OAuth authorization server metadata entry containing a JSON array of supported OAuth 2.0 response_type values. Its array values use the same values as the response_types client metadata parameter defined by RFC 7591.

When Used

When publishing OAuth 2.0 authorization server metadata.

Normative Requirements

Authorization servers

MUST
1
  1. RFC 8414 - Section 3.2

    Omit response_types_supported rather than returning it as an empty array..

    Condition: If the claim would contain zero elements.

    Claims with zero elements MUST be omitted from the response.

REQUIRED
1
  1. RFC 8414 - Section 2

    Include response_types_supported as a JSON array listing the OAuth 2.0 response_type values the authorization server supports, using the same array values as the response_types parameter defined by RFC 7591..

    Condition: When publishing authorization server metadata.

    response_types_supported REQUIRED. JSON array containing a list of the OAuth 2.0 "response_type" values that this authorization server supports.

Validation Guidance

error

Verify that response_types_supported is present in the authorization server metadata document.

error

Verify that response_types_supported is a JSON array.

error

Verify that every array element is an OAuth 2.0 response_type value supported by the authorization server and uses the value format associated with the RFC 7591 response_types parameter.

error

Reject an empty response_types_supported array; a zero-element claim must be omitted, while this metadata entry is otherwise required.

Security Notes

RFC 9700 - Section 2.1.2

RFC 9700 advises clients not to use the implicit grant (response type token), or other response types that issue access tokens in the authorization response, unless access-token injection and leakage risks are mitigated. Advertising such response types therefore does not imply that their use follows current security best practice.

Reference

Details

Entry Id
response_types_supported
Metadata Name
response_types_supported
Metadata Description
JSON array containing a list of the OAuth 2.0 "response_type" values that this authorization server supports
Change Controller
IESG
Reference
RFC8414 - Section 2