subject_ token_ type
Registry Context
A required token-exchange request parameter that identifies what kind of security token is in `subject_token`.
Technical Summary
`subject_token_type` is an OAuth 2.0 token exchange request parameter whose value is a token type identifier, described in RFC 8693 Section 3, indicating the type of security token carried in `subject_token`.
When Used
Used in OAuth 2.0 token exchange requests to identify the type of the subject token.
Normative Requirements
Clients
RFC 8693 - Section 2.1
Include `subject_token_type` as a request parameter; its value is an identifier, as described in Section 3, that indicates the type of security token in `subject_token`..
Condition: When making a token exchange request.
subject_token_type REQUIRED.
Authorization servers
RFC 8693 - Section 2.1
Perform the appropriate validation procedures for the indicated token type..
Condition: When processing the token exchange request.
the authorization server MUST perform the appropriate validation procedures for the indicated token type
Unspecified actor
RFC 8693 - Section 3
Use other URIs to indicate other token types..
Condition: When defining or using token type identifiers other than those defined by RFC 8693.
Other URIs MAY be used to indicate other token types.
Validation Guidance
Reject token exchange requests that omit `subject_token_type`.
Validate the `subject_token` according to the token type indicated by `subject_token_type`.
Treat `subject_token_type` as a token type identifier URI. RFC 8693 states that token type identifiers are URIs, but does not express this with an uppercase BCP 14 keyword.
Security Notes
RFC 8693 - Section 2.1
RFC 8693 notes that omitting client authentication can allow a compromised token to be exchanged by anyone possessing it; client authentication enables additional authorization checks for impersonation and delegation decisions.
Reference
Details
- Entry Id
subject_token_ type - Name
subject_token_ type - Parameter Usage Location
token request- Change Controller
IESG- Reference
RFC8693 - Section 2.1