oauth2.dev

response_types

IESG

Registry Context

`response_types` is optional dynamic client registration metadata listing the OAuth 2.0 response types that a client can use at the authorization endpoint. It must correspond to the response type defined by the grant type. Current OAuth security guidance discourages response types that return access tokens in the authorization response, including `token`.

Technical Summary

RFC 7591 defines `response_types` as an array of OAuth 2.0 response type strings. It defines `code` and `token`, defaults an omitted value to `code`, and relates the field to `grant_types`. Extensions introducing new grant-type or response-type values must document their correspondences. RFC 9700 recommends using `code` instead of the implicit grant or other response types that issue access tokens in authorization responses.

When Used

Use this entry when validating, generating, or documenting OAuth dynamic client registration metadata for clients using the authorization endpoint.

Normative Requirements

Clients

SHOULD NOT
1
  1. RFC 9700 - Section 2.1.2

    use the implicit grant response type token or other response types that issue access tokens in the authorization response.

    Condition: Unless access-token injection is prevented and the specified token-leakage vectors are mitigated

    clients SHOULD NOT use the implicit grant (response type token) or other response types issuing access tokens in the authorization response

SHOULD
1
  1. RFC 9700 - Section 2.1.2

    use the code response type or another response type that causes access tokens to be issued in the token response.

    Condition: Instead of response types that issue access tokens in the authorization response

    Clients SHOULD instead use the response type code

Authorization servers

MAY
1
  1. RFC 7591 - Section 2

    allow response_types values defined through the OAuth 2.0 grant type extension process.

    Authorization servers MAY allow for other values

Responses

SHOULD
1
  1. RFC 7591 - Section 2.1

    take steps to prevent a client from registering itself in an inconsistent state.

    SHOULD take steps to ensure that a client cannot register itself into an inconsistent state

Unspecified actor

MUST
1
  1. RFC 7591 - Section 2

    set the response_types value to the value of the response_type parameter passed to the authorization endpoint as defined by the grant type.

    Condition: If the authorization endpoint is used by the grant type

    the value of this parameter MUST be the same as the value of the "response_type" parameter

OPTIONAL
1
  1. RFC 7591 - Section 2

    implement and use the response_types client metadata field.

    Condition: Unless another provision states otherwise

    The implementation and use of all client metadata fields is OPTIONAL, unless stated otherwise.

extensions and profiles of RFC 7591

MUST
1
  1. RFC 7591 - Section 2.1

    document all correspondences between grant_types and response_types.

    Condition: When introducing new values to either parameter

    MUST document all correspondences between these two parameter types.

Validation Guidance

error

Verify that each registered response_types value corresponds to the response_type defined by the associated grant type.

warning

Detect and prevent inconsistent grant_types and response_types combinations; RFC 7591 gives invalid_client_metadata as an example response.

error

For extension-defined grant_types or response_types values, verify that the defining extension or profile documents all correspondences.

warning

Warn when response_types includes token or another response type that issues an access token in the authorization response unless the RFC 9700 exception conditions are satisfied.

Security Notes

RFC 9700 - Section 2.1.2

The implicit grant (`token`) and other response types that issue access tokens in authorization responses are vulnerable to access-token leakage and replay.

RFC 9700 - Section 2.1.2

Using `code` keeps access tokens out of authorization responses and URLs, reduces attack surface, and permits replay detection and sender-constrained tokens.

Reference

Details

Entry Id
response_types
Client Metadata Name
response_types
Client Metadata Description
Array of the OAuth 2.0 response types that the client may use
Change Controller
IESG
Reference
RFC7591