token_ type
Registry Context
OAuth 2.0 uses `token_type` to tell the client what kind of access token was issued.
Technical Summary
RFC 6749 lists `token_type` in the OAuth Parameters registry for authorization responses and token responses. It is REQUIRED in successful token endpoint responses and in implicit-grant authorization responses, and its value is case insensitive. A client MUST NOT use an access token if it does not understand the token type.
When Used
Token endpoint success responses and, in RFC 6749, implicit-grant authorization response fragments. RFC 9700 discourages use of implicit grant except with specified mitigations.
Normative Requirements
Clients
RFC 6749 - Section 7.1
Use an access token if it does not understand the token type..
The client MUST NOT use an access token if it does not understand the token type.
RFC 9700 - Section 2.1.2
Use the implicit grant or other response types that issue access tokens in the authorization response..
Condition: Unless access token injection in the authorization response is prevented and the token leakage vectors are mitigated.
clients SHOULD NOT use the implicit grant (response type token) or other response types issuing access tokens in the authorization response, unless access token injection in the authorization response is prevented and the aforementioned token leakage vectors are mitigated.
Authorization servers
RFC 6749 - Section 4.2.2
Include `token_type` in the implicit-grant access token response..
Condition: When the resource owner grants the access request in the implicit grant flow.
`token_type` REQUIRED. The type of the token issued as described in Section 7.1.
RFC 6749 - Section 5.1
Include `token_type` in a successful access token response..
Condition: When constructing the HTTP 200 (OK) token endpoint response.
`token_type` REQUIRED. The type of the token issued as described in Section 7.1.
Validation Guidance
Reject or flag successful token endpoint responses that omit `token_type`.
Reject or flag RFC 6749 implicit-grant authorization responses that omit `token_type`.
Compare `token_type` values case-insensitively.
Reject or flag client behavior that uses an access token with an unknown or unsupported `token_type`.
Warn when validating implicit-grant usage unless the RFC 9700 mitigations for authorization-response access tokens are satisfied.
Security Notes
RFC 9700 - Section 2.1.2
RFC 9700 identifies implicit grant and other authorization-response access token flows as vulnerable to access token leakage and replay, and says clients should not use them unless access token injection is prevented and leakage vectors are mitigated.
Reference
Details
- Entry Id
token_type - Name
token_type - Parameter Usage Location
authorization response, token response- Change Controller
IETF- Reference
RFC6749