grant_ types
Registry Context
`grant_types` declares the OAuth 2.0 grant types a client can use at the token endpoint. If omitted, it defaults to only `authorization_code`. Servers should prevent inconsistent combinations with `response_types`. Current OAuth security guidance prohibits the password grant and generally discourages the implicit grant.
Technical Summary
`grant_types` is an array of OAuth 2.0 grant type strings. For grants using the token endpoint, each value must equal that grant's `grant_type` parameter value. RFC 7591 permits extension-defined values and recommends consistency with `response_types`. RFC 9700 updates deployment guidance for the `password` and `implicit` values.
When Used
When registering or processing OAuth dynamic client metadata that declares the grant types available to a client.
Normative Requirements
Clients
RFC 9700 - Section 2.1.2
use the implicit grant or another response type that issues access tokens in the authorization response.
Condition: Unless access-token injection is prevented and the identified token-leakage vectors are mitigated.
clients SHOULD NOT use the implicit grant
RFC 9700 - Section 2.1.2
use the code response type or another response type that causes access tokens to be issued in the token response.
Condition: Instead of the implicit grant or other response types issuing access tokens in the authorization response.
Clients SHOULD instead use the response type code
Authorization servers
RFC 7591 - Section 2
allow additional grant_types values defined through the OAuth 2.0 grant type extension process.
Condition: For values beyond those listed by RFC 7591.
Authorization servers MAY allow for other values
Responses
RFC 7591 - Section 2.1
take steps to prevent a client from registering an inconsistent combination of grant_types and response_types.
Condition: When supporting both metadata fields.
SHOULD take steps to ensure that a client cannot register itself into an inconsistent state
authorization server and client
RFC 7591 - Section 2
implement and use the grant_types client metadata field.
Condition: Unless another applicable specification states otherwise.
The implementation and use of all client metadata fields is OPTIONAL, unless stated otherwise.
client and authorization server deployment
RFC 9700 - Section 2.4
use the resource owner password credentials grant.
The resource owner password credentials grant [RFC6749] MUST NOT be used.
extensions and profiles of RFC 7591
RFC 7591 - Section 2.1
document every correspondence between grant_types and response_types.
Condition: When introducing a new value for either parameter.
MUST document all correspondences between these two parameter types
grant_types metadata value
RFC 7591 - Section 2
equal the grant_type parameter value defined for the grant.
Condition: When the grant uses the token endpoint.
the value of this parameter MUST be the same as the value of the "grant_type" parameter
Validation Guidance
When a registered grant uses the token endpoint, verify that its grant_types value exactly matches the grant definition's grant_type parameter value.
Recognize extension-defined grant type values only according to supported OAuth grant type extension definitions.
Detect inconsistent grant_types and response_types combinations, including authorization_code/code and implicit/token correspondence.
Verify that specifications introducing new grant_types values document their correspondence with response_types.
Warn when grant_types includes implicit unless the RFC 9700 exception conditions are demonstrably satisfied.
Reject or flag grant_types containing password because current OAuth security guidance prohibits that grant.
Security Notes
RFC 9700 - Section 2.1.2
The implicit grant exposes access tokens in authorization responses and is vulnerable to token leakage and replay; RFC 9700 generally recommends using authorization code flow instead.
RFC 9700 - Section 2.4
The password grant exposes resource-owner credentials to the client, increases credential-leakage risk, and is prohibited by current OAuth security guidance.
Reference
Details
- Entry Id
grant_types - Client Metadata Name
grant_types - Client Metadata Description
Array of OAuth 2.0 grant types that the client may use- Change Controller
IESG- Reference
RFC7591