access_ token
Registry Context
`access_token` is the access token value issued by an OAuth 2.0 authorization server. RFC 6749 requires it in successful token responses and in implicit-grant authorization responses, although current security guidance discourages the implicit grant.
Technical Summary
RFC 6749 defines `access_token` as a REQUIRED response parameter in the URI fragment of a successful implicit-grant authorization response and in the JSON entity-body of a successful token endpoint response.
When Used
implicit-grant authorization response; successful token endpoint response
Normative Requirements
Clients
RFC 9700 - Section 2.1.2
use the implicit grant or another response type that issues an access token in the authorization response..
Condition: Unless access-token injection is prevented and the identified token-leakage vectors are mitigated.
"clients SHOULD NOT use the implicit grant (response type token) or other response types issuing access tokens in the authorization response"
Authorization servers
RFC 6749 - Section 4.2.2
include the `access_token` parameter in the fragment component of the redirection URI using `application/x-www-form-urlencoded` encoding..
Condition: When the resource owner grants an implicit-grant access request.
`access_token` — "REQUIRED. The access token issued by the authorization server."
RFC 6749 - Section 5.1
include the `access_token` parameter in the entity-body of the HTTP 200 (OK) response..
Condition: When constructing a successful token response.
`access_token` — "REQUIRED. The access token issued by the authorization server."
Validation Guidance
For an implicit-grant success response, verify that `access_token` is present in the URI fragment.
For a successful token endpoint response, verify that `access_token` is present in the HTTP 200 response entity-body.
Verify that successful token-response parameters are serialized as a top-level JSON object using the `application/json` media type.
Warn when a client uses the implicit grant or another response type that returns an access token in the authorization response unless the RFC 9700 exception is demonstrably satisfied.
Security Notes
RFC 9700 - Section 2.1.2
Access tokens issued in authorization responses are vulnerable to leakage and replay, and no standardized sender-constraining method binds such tokens to a specific client. RFC 9700 therefore discourages the implicit grant except where injection and leakage risks are mitigated.
Reference
Details
- Entry Id
access_token - Name
access_token - Parameter Usage Location
authorization response, token response- Change Controller
IETF- Reference
RFC6749