token_ endpoint
Registry Context
The URL of the authorization server's token endpoint. This metadata value is required unless the server supports only the implicit grant type.
Technical Summary
RFC 8414 defines token_endpoint as the URL of the token endpoint specified by RFC 6749. It is REQUIRED unless only the implicit grant is supported. RFC 9700 advises clients against using the implicit grant except where its identified injection and leakage risks are mitigated.
When Used
Clients use this metadata value to locate the endpoint for exchanging authorization grants or refresh tokens for access tokens.
Normative Requirements
Clients
RFC 9700 - Section 2.1.2
use the implicit grant or another response type that issues access tokens in the authorization response.
Condition: unless access-token injection is prevented and the identified token-leakage vectors are mitigated
Clients SHOULD NOT use the implicit grant or other response types issuing access tokens in the authorization response, unless the specified mitigations are applied.
Authorization servers
RFC 6749 - Section 3.2
require TLS for requests to the token endpoint.
Condition: when sending requests to the token endpoint
The authorization server MUST require the use of TLS as described in Section 1.6 when sending requests to the token endpoint.
Authorization server metadata publishers
RFC 8414 - Section 2
include the token_endpoint URL.
Condition: unless only the implicit grant type is supported
This is REQUIRED unless only the implicit grant type is supported.
Requests
RFC 6749 - Section 3.2
retain the token endpoint URI's existing query component when adding query parameters.
Condition: when the endpoint URI contains a query component
The query component MUST be retained when adding additional query parameters.
token endpoint URI
RFC 6749 - Section 3.2
include a fragment component.
The endpoint URI MUST NOT include a fragment component.
RFC 6749 - Section 3.2
include an application/x-www-form-urlencoded query component.
The endpoint URI MAY include an "application/x-www-form-urlencoded" formatted query component.
Validation Guidance
If token_endpoint is omitted, verify that the authorization server supports only the implicit grant type.
Accept a token endpoint URI containing a query component, and ensure that the existing query component is retained when additional parameters are added.
Reject a token endpoint URI containing a fragment component.
Verify that token endpoint requests are required to use TLS.
Warn when token_endpoint is omitted because the server is implicit-only; current OAuth security best practice advises clients not to use the implicit grant unless its injection and leakage risks are mitigated.
Security Notes
RFC 9700 - Section 2.1.2
The implicit grant and other flows that issue access tokens in authorization responses are vulnerable to access-token leakage and replay. RFC 9700 advises clients to use authorization-code-based flows instead unless the identified risks are mitigated.
RFC 6749 - Section 3.2
Token endpoint requests transmit credentials in requests and responses, so RFC 6749 requires the authorization server to require TLS.
Reference
Details
- Entry Id
token_endpoint - Metadata Name
token_endpoint - Metadata Description
URL of the authorization server's token endpoint- Change Controller
IESG- Reference
RFC8414 - Section 2