oauth2.dev

subject_token_type

IESG

Registry Context

A required token-exchange request parameter that identifies what kind of security token is in `subject_token`.

Technical Summary

`subject_token_type` is an OAuth 2.0 token exchange request parameter whose value is a token type identifier, described in RFC 8693 Section 3, indicating the type of security token carried in `subject_token`.

When Used

Used in OAuth 2.0 token exchange requests to identify the type of the subject token.

Normative Requirements

Clients

REQUIRED
1
  1. RFC 8693 - Section 2.1

    Include `subject_token_type` as a request parameter; its value is an identifier, as described in Section 3, that indicates the type of security token in `subject_token`..

    Condition: When making a token exchange request.

    subject_token_type REQUIRED.

Authorization servers

MUST
1
  1. RFC 8693 - Section 2.1

    Perform the appropriate validation procedures for the indicated token type..

    Condition: When processing the token exchange request.

    the authorization server MUST perform the appropriate validation procedures for the indicated token type

Unspecified actor

MAY
1
  1. RFC 8693 - Section 3

    Use other URIs to indicate other token types..

    Condition: When defining or using token type identifiers other than those defined by RFC 8693.

    Other URIs MAY be used to indicate other token types.

Validation Guidance

error

Reject token exchange requests that omit `subject_token_type`.

error

Validate the `subject_token` according to the token type indicated by `subject_token_type`.

warning

Treat `subject_token_type` as a token type identifier URI. RFC 8693 states that token type identifiers are URIs, but does not express this with an uppercase BCP 14 keyword.

Security Notes

RFC 8693 - Section 2.1

RFC 8693 notes that omitting client authentication can allow a compromised token to be exchanged by anyone possessing it; client authentication enables additional authorization checks for impersonation and delegation decisions.

Reference

Details

Entry Id
subject_token_type
Name
subject_token_type
Parameter Usage Location
token request
Change Controller
IESG
Reference
RFC8693 - Section 2.1