oauth2.dev

grant_types

IESG

Registry Context

`grant_types` declares the OAuth 2.0 grant types a client can use at the token endpoint. If omitted, it defaults to only `authorization_code`. Servers should prevent inconsistent combinations with `response_types`. Current OAuth security guidance prohibits the password grant and generally discourages the implicit grant.

Technical Summary

`grant_types` is an array of OAuth 2.0 grant type strings. For grants using the token endpoint, each value must equal that grant's `grant_type` parameter value. RFC 7591 permits extension-defined values and recommends consistency with `response_types`. RFC 9700 updates deployment guidance for the `password` and `implicit` values.

When Used

When registering or processing OAuth dynamic client metadata that declares the grant types available to a client.

Normative Requirements

Clients

SHOULD NOT
1
  1. RFC 9700 - Section 2.1.2

    use the implicit grant or another response type that issues access tokens in the authorization response.

    Condition: Unless access-token injection is prevented and the identified token-leakage vectors are mitigated.

    clients SHOULD NOT use the implicit grant

SHOULD
1
  1. RFC 9700 - Section 2.1.2

    use the code response type or another response type that causes access tokens to be issued in the token response.

    Condition: Instead of the implicit grant or other response types issuing access tokens in the authorization response.

    Clients SHOULD instead use the response type code

Authorization servers

MAY
1
  1. RFC 7591 - Section 2

    allow additional grant_types values defined through the OAuth 2.0 grant type extension process.

    Condition: For values beyond those listed by RFC 7591.

    Authorization servers MAY allow for other values

Responses

SHOULD
1
  1. RFC 7591 - Section 2.1

    take steps to prevent a client from registering an inconsistent combination of grant_types and response_types.

    Condition: When supporting both metadata fields.

    SHOULD take steps to ensure that a client cannot register itself into an inconsistent state

authorization server and client

OPTIONAL
1
  1. RFC 7591 - Section 2

    implement and use the grant_types client metadata field.

    Condition: Unless another applicable specification states otherwise.

    The implementation and use of all client metadata fields is OPTIONAL, unless stated otherwise.

client and authorization server deployment

MUST NOT
1
  1. RFC 9700 - Section 2.4

    use the resource owner password credentials grant.

    The resource owner password credentials grant [RFC6749] MUST NOT be used.

extensions and profiles of RFC 7591

MUST
1
  1. RFC 7591 - Section 2.1

    document every correspondence between grant_types and response_types.

    Condition: When introducing a new value for either parameter.

    MUST document all correspondences between these two parameter types

grant_types metadata value

MUST
1
  1. RFC 7591 - Section 2

    equal the grant_type parameter value defined for the grant.

    Condition: When the grant uses the token endpoint.

    the value of this parameter MUST be the same as the value of the "grant_type" parameter

Validation Guidance

error

When a registered grant uses the token endpoint, verify that its grant_types value exactly matches the grant definition's grant_type parameter value.

info

Recognize extension-defined grant type values only according to supported OAuth grant type extension definitions.

warning

Detect inconsistent grant_types and response_types combinations, including authorization_code/code and implicit/token correspondence.

error

Verify that specifications introducing new grant_types values document their correspondence with response_types.

warning

Warn when grant_types includes implicit unless the RFC 9700 exception conditions are demonstrably satisfied.

error

Reject or flag grant_types containing password because current OAuth security guidance prohibits that grant.

Security Notes

RFC 9700 - Section 2.1.2

The implicit grant exposes access tokens in authorization responses and is vulnerable to token leakage and replay; RFC 9700 generally recommends using authorization code flow instead.

RFC 9700 - Section 2.4

The password grant exposes resource-owner credentials to the client, increases credential-leakage risk, and is prohibited by current OAuth security guidance.

Reference

Details

Entry Id
grant_types
Client Metadata Name
grant_types
Client Metadata Description
Array of OAuth 2.0 grant types that the client may use
Change Controller
IESG
Reference
RFC7591