response_ types
Registry Context
`response_types` is optional dynamic client registration metadata listing the OAuth 2.0 response types that a client can use at the authorization endpoint. It must correspond to the response type defined by the grant type. Current OAuth security guidance discourages response types that return access tokens in the authorization response, including `token`.
Technical Summary
RFC 7591 defines `response_types` as an array of OAuth 2.0 response type strings. It defines `code` and `token`, defaults an omitted value to `code`, and relates the field to `grant_types`. Extensions introducing new grant-type or response-type values must document their correspondences. RFC 9700 recommends using `code` instead of the implicit grant or other response types that issue access tokens in authorization responses.
When Used
Use this entry when validating, generating, or documenting OAuth dynamic client registration metadata for clients using the authorization endpoint.
Normative Requirements
Clients
RFC 9700 - Section 2.1.2
use the implicit grant response type token or other response types that issue access tokens in the authorization response.
Condition: Unless access-token injection is prevented and the specified token-leakage vectors are mitigated
clients SHOULD NOT use the implicit grant (response type token) or other response types issuing access tokens in the authorization response
RFC 9700 - Section 2.1.2
use the code response type or another response type that causes access tokens to be issued in the token response.
Condition: Instead of response types that issue access tokens in the authorization response
Clients SHOULD instead use the response type code
Authorization servers
RFC 7591 - Section 2
allow response_types values defined through the OAuth 2.0 grant type extension process.
Authorization servers MAY allow for other values
Responses
RFC 7591 - Section 2.1
take steps to prevent a client from registering itself in an inconsistent state.
SHOULD take steps to ensure that a client cannot register itself into an inconsistent state
Unspecified actor
RFC 7591 - Section 2
set the response_types value to the value of the response_type parameter passed to the authorization endpoint as defined by the grant type.
Condition: If the authorization endpoint is used by the grant type
the value of this parameter MUST be the same as the value of the "response_type" parameter
RFC 7591 - Section 2
implement and use the response_types client metadata field.
Condition: Unless another provision states otherwise
The implementation and use of all client metadata fields is OPTIONAL, unless stated otherwise.
extensions and profiles of RFC 7591
RFC 7591 - Section 2.1
document all correspondences between grant_types and response_types.
Condition: When introducing new values to either parameter
MUST document all correspondences between these two parameter types.
Validation Guidance
Verify that each registered response_types value corresponds to the response_type defined by the associated grant type.
Detect and prevent inconsistent grant_types and response_types combinations; RFC 7591 gives invalid_client_metadata as an example response.
For extension-defined grant_types or response_types values, verify that the defining extension or profile documents all correspondences.
Warn when response_types includes token or another response type that issues an access token in the authorization response unless the RFC 9700 exception conditions are satisfied.
Security Notes
RFC 9700 - Section 2.1.2
The implicit grant (`token`) and other response types that issue access tokens in authorization responses are vulnerable to access-token leakage and replay.
RFC 9700 - Section 2.1.2
Using `code` keeps access tokens out of authorization responses and URLs, reduces attack surface, and permits replay detection and sender-constrained tokens.
Reference
Details
- Entry Id
response_types - Client Metadata Name
response_types - Client Metadata Description
Array of the OAuth 2.0 response types that the client may use- Change Controller
IESG- Reference
RFC7591