response_ types_ supported
Registry Context
This field lists the OAuth 2.0 response types supported by the authorization server.
Technical Summary
Required OAuth authorization server metadata entry containing a JSON array of supported OAuth 2.0 response_type values. Its array values use the same values as the response_types client metadata parameter defined by RFC 7591.
When Used
When publishing OAuth 2.0 authorization server metadata.
Normative Requirements
Authorization servers
RFC 8414 - Section 3.2
Omit response_types_supported rather than returning it as an empty array..
Condition: If the claim would contain zero elements.
Claims with zero elements MUST be omitted from the response.
RFC 8414 - Section 2
Include response_types_supported as a JSON array listing the OAuth 2.0 response_type values the authorization server supports, using the same array values as the response_types parameter defined by RFC 7591..
Condition: When publishing authorization server metadata.
response_types_supported REQUIRED. JSON array containing a list of the OAuth 2.0 "response_type" values that this authorization server supports.
Validation Guidance
Verify that response_types_supported is present in the authorization server metadata document.
Verify that response_types_supported is a JSON array.
Verify that every array element is an OAuth 2.0 response_type value supported by the authorization server and uses the value format associated with the RFC 7591 response_types parameter.
Reject an empty response_types_supported array; a zero-element claim must be omitted, while this metadata entry is otherwise required.
Security Notes
RFC 9700 - Section 2.1.2
RFC 9700 advises clients not to use the implicit grant (response type token), or other response types that issue access tokens in the authorization response, unless access-token injection and leakage risks are mitigated. Advertising such response types therefore does not imply that their use follows current security best practice.
Reference
Details
- Entry Id
response_types_ supported - Metadata Name
response_types_ supported - Metadata Description
JSON array containing a list of the OAuth 2.0 "response_type" values that this authorization server supports - Change Controller
IESG- Reference
RFC8414 - Section 2