oauth2.dev

token_endpoint

IESG

Registry Context

The URL of the authorization server's token endpoint. This metadata value is required unless the server supports only the implicit grant type.

Technical Summary

RFC 8414 defines token_endpoint as the URL of the token endpoint specified by RFC 6749. It is REQUIRED unless only the implicit grant is supported. RFC 9700 advises clients against using the implicit grant except where its identified injection and leakage risks are mitigated.

When Used

Clients use this metadata value to locate the endpoint for exchanging authorization grants or refresh tokens for access tokens.

Normative Requirements

Clients

SHOULD NOT
1
  1. RFC 9700 - Section 2.1.2

    use the implicit grant or another response type that issues access tokens in the authorization response.

    Condition: unless access-token injection is prevented and the identified token-leakage vectors are mitigated

    Clients SHOULD NOT use the implicit grant or other response types issuing access tokens in the authorization response, unless the specified mitigations are applied.

Authorization servers

MUST
1
  1. RFC 6749 - Section 3.2

    require TLS for requests to the token endpoint.

    Condition: when sending requests to the token endpoint

    The authorization server MUST require the use of TLS as described in Section 1.6 when sending requests to the token endpoint.

Authorization server metadata publishers

REQUIRED
1
  1. RFC 8414 - Section 2

    include the token_endpoint URL.

    Condition: unless only the implicit grant type is supported

    This is REQUIRED unless only the implicit grant type is supported.

Requests

MUST
1
  1. RFC 6749 - Section 3.2

    retain the token endpoint URI's existing query component when adding query parameters.

    Condition: when the endpoint URI contains a query component

    The query component MUST be retained when adding additional query parameters.

token endpoint URI

MUST NOT
1
  1. RFC 6749 - Section 3.2

    include a fragment component.

    The endpoint URI MUST NOT include a fragment component.

MAY
1
  1. RFC 6749 - Section 3.2

    include an application/x-www-form-urlencoded query component.

    The endpoint URI MAY include an "application/x-www-form-urlencoded" formatted query component.

Validation Guidance

error

If token_endpoint is omitted, verify that the authorization server supports only the implicit grant type.

error

Accept a token endpoint URI containing a query component, and ensure that the existing query component is retained when additional parameters are added.

error

Reject a token endpoint URI containing a fragment component.

error

Verify that token endpoint requests are required to use TLS.

warning

Warn when token_endpoint is omitted because the server is implicit-only; current OAuth security best practice advises clients not to use the implicit grant unless its injection and leakage risks are mitigated.

Security Notes

RFC 9700 - Section 2.1.2

The implicit grant and other flows that issue access tokens in authorization responses are vulnerable to access-token leakage and replay. RFC 9700 advises clients to use authorization-code-based flows instead unless the identified risks are mitigated.

RFC 6749 - Section 3.2

Token endpoint requests transmit credentials in requests and responses, so RFC 6749 requires the authorization server to require TLS.

Reference

Details

Entry Id
token_endpoint
Metadata Name
token_endpoint
Metadata Description
URL of the authorization server's token endpoint
Change Controller
IESG
Reference
RFC8414 - Section 2