oauth2.dev

response_type

IETF

Registry Context

The `response_type` authorization request parameter tells the authorization server which response the client requests. RFC 6749 requires it and defines `code`, `token`, and registered extension values. Current security guidance advises against response types that return access tokens in the authorization response.

Technical Summary

RFC 6749 Section 3.1.1 requires `response_type`. Its value is `code`, `token`, or a registered extension value. Extension response types may be space-delimited composites whose ordering is insignificant. Missing or unrecognized values require an error response. RFC 9700 recommends using `code` instead of response types that issue access tokens in the authorization response.

When Used

Use on requests to the authorization endpoint. Prefer `code`; use `token` or another response type that returns access tokens in the authorization response only when the safeguards required by RFC 9700 are present.

Normative Requirements

Clients

SHOULD NOT
1
  1. RFC 9700 - Section 2.1.2

    use the implicit grant (`response_type=token`) or other response types that issue access tokens in the authorization response..

    Condition: Unless access-token injection is prevented and the identified token-leakage vectors are mitigated.

    clients SHOULD NOT use the implicit grant (response type token) or other response types issuing access tokens in the authorization response

SHOULD
1
  1. RFC 9700 - Section 2.1.2

    use `response_type=code` or another response type that causes access tokens to be issued in the token response..

    Condition: Instead of using a response type that issues access tokens in the authorization response.

    Clients SHOULD instead use the response type code ... or any other response type that causes the authorization server to issue access tokens in the token response

Authorization servers

MUST
1
  1. RFC 6749 - Section 3.1.1

    return an error response as described in Section 4.1.2.1..

    Condition: If the authorization request omits `response_type` or the response type is not understood.

    the authorization server MUST return an error response

Responses

MUST
1
  1. RFC 6749 - Section 3.1.1

    be `code`, `token`, or a registered extension value..

    Condition: When supplied in an authorization request.

    The value MUST be one of "code", "token", or a registered extension value.

REQUIRED
1
  1. RFC 6749 - Section 3.1.1

    be included in the authorization request..

    Condition: When the client requests authorization at the authorization endpoint.

    `response_type` REQUIRED.

Response types

MUST
1
  1. RFC 6749 - Section 8.4

    conform to the `response-type` ABNF..

    Condition: When defining new authorization endpoint response types.

    Response type names MUST conform to the response-type ABNF.

MAY
1
  1. RFC 6749 - Section 3.1.1

    contain a space-delimited list of values..

    Extension response types MAY contain a space-delimited (%x20) list of values.

Validation Guidance

error

Require `response_type` on authorization endpoint requests.

error

Accept only `code`, `token`, or a registered extension response type.

info

For a composite extension response type, parse values as space-delimited and treat their order as insignificant.

error

Return an authorization error response when `response_type` is missing or unrecognized.

error

Validate newly defined response type names against the RFC 6749 `response-type` ABNF.

warning

Flag response types that issue access tokens in the authorization response unless injection and leakage mitigations are documented and enforced.

warning

Prefer `response_type=code` or another response type that delivers access tokens through the token endpoint.

Security Notes

RFC 9700 - Section 2.1.2

The implicit grant and other response types that issue access tokens in the authorization response are vulnerable to access-token leakage and replay. RFC 9700 advises clients to avoid them unless access-token injection and the identified leakage vectors are mitigated.

RFC 9700 - Section 2.1.2

Using `response_type=code` reduces exposure because access tokens are not placed in URLs and permits replay detection and sender-constrained access tokens.

Reference

Details

Entry Id
response_type
Name
response_type
Parameter Usage Location
authorization request
Change Controller
IETF
Reference
RFC6749