oauth2.dev

token_type

IETF

Registry Context

OAuth 2.0 uses `token_type` to tell the client what kind of access token was issued.

Technical Summary

RFC 6749 lists `token_type` in the OAuth Parameters registry for authorization responses and token responses. It is REQUIRED in successful token endpoint responses and in implicit-grant authorization responses, and its value is case insensitive. A client MUST NOT use an access token if it does not understand the token type.

When Used

Token endpoint success responses and, in RFC 6749, implicit-grant authorization response fragments. RFC 9700 discourages use of implicit grant except with specified mitigations.

Normative Requirements

Clients

MUST NOT
1
  1. RFC 6749 - Section 7.1

    Use an access token if it does not understand the token type..

    The client MUST NOT use an access token if it does not understand the token type.

SHOULD NOT
1
  1. RFC 9700 - Section 2.1.2

    Use the implicit grant or other response types that issue access tokens in the authorization response..

    Condition: Unless access token injection in the authorization response is prevented and the token leakage vectors are mitigated.

    clients SHOULD NOT use the implicit grant (response type token) or other response types issuing access tokens in the authorization response, unless access token injection in the authorization response is prevented and the aforementioned token leakage vectors are mitigated.

Authorization servers

REQUIRED
2
  1. RFC 6749 - Section 4.2.2

    Include `token_type` in the implicit-grant access token response..

    Condition: When the resource owner grants the access request in the implicit grant flow.

    `token_type` REQUIRED. The type of the token issued as described in Section 7.1.

  2. RFC 6749 - Section 5.1

    Include `token_type` in a successful access token response..

    Condition: When constructing the HTTP 200 (OK) token endpoint response.

    `token_type` REQUIRED. The type of the token issued as described in Section 7.1.

Validation Guidance

error

Reject or flag successful token endpoint responses that omit `token_type`.

error

Reject or flag RFC 6749 implicit-grant authorization responses that omit `token_type`.

info

Compare `token_type` values case-insensitively.

error

Reject or flag client behavior that uses an access token with an unknown or unsupported `token_type`.

warning

Warn when validating implicit-grant usage unless the RFC 9700 mitigations for authorization-response access tokens are satisfied.

Security Notes

RFC 9700 - Section 2.1.2

RFC 9700 identifies implicit grant and other authorization-response access token flows as vulnerable to access token leakage and replay, and says clients should not use them unless access token injection is prevented and leakage vectors are mitigated.

Reference

Details

Entry Id
token_type
Name
token_type
Parameter Usage Location
authorization response, token response
Change Controller
IETF
Reference
RFC6749