This specification aims to provide guidance on proper encoding of responses to OAuth 2.0 Authorization requests, where the request specifies a response type that includes space characters.
This specification also serves as the registration document for several specific new response types, in accordance with the stipulations of the OAuth Parameters Registry.
1.1. Requirements Notation and Conventions
2. Encoding Multiple-Valued Response Types
3. ID Token Response Type
4. None Response Type
5. Registration of Some Multiple-Valued Response Type Combinations
6. IANA Considerations
6.1. Registry Contents
7. Normative References
Appendix A. Acknowledgements
Appendix B. Notices
Appendix C. Document History
§ Authors' Addresses
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119] (Bradner, S., “Key words for use in RFCs to Indicate Requirement Levels,” March 1997.) .
Throughout this document, values are quoted to indicate that they are to be taken literally. When using these values in protocol messages, the quotes MUST NOT be used as part of the value.
This specification uses the terms "Access Token", "Refresh Token", "Authorization Code", "Authorization Grant", "Authorization Server", "Authorization Endpoint", "Client", "Client Identifier", "Client Secret", "Protected Resource", "Resource Owner", "Resource Server", and "Token Endpoint" defined by OAuth 2.0 (Hardt, D., “The OAuth 2.0 Authorization Framework,” October 2012.) [RFC6749]. This specification also defines the following terms:
- Client and Server
- In the traditional client-server authentication model, the client requests an access restricted resource (Protected Resource) on the server by authenticating with the server using the Resource Owner's credentials.
- Response Type
- The Client informs the Authorization Server of the desired authorization processing flow using the parameter response_type.
- Authorization Endpoint Response Type Registry
- Process established by the OAuth 2.0 specification for the registration of new response_type parameters.
- Multiple-Valued Response Types
- The OAuth 2.0 specification allows for registration of space-separated response_type values. If a response type contains one of more space characters (%20), it is compared as a space-delimited list of values in which the order of values does not matter.
This specification does not provide guidance if, in a request, response_type includes a value that requires the server to return data partially encoded in the query string and partially encoded in the fragment.
Otherwise, if a multiple-valued response type is defined, then it is RECOMMENDED that the following encoding rules be applied for the issued response.
If, in a request, response_type includes only values that require the server to return data fully encoded within the query string then the returned data in the response for this multiple-valued response_type MUST be fully encoded within the query string. This recommendation applies to both success and error responses.
If, in a request, response_type includes any value that requires the server to return data fully encoded within the fragment then the returned data in the response for this multiple-valued response_type MUST be fully encoded within the fragment. This recommendation applies to both success and error responses.
Rationale: Whenever response_type values include fragment-encoded parts, a User-Agent Client component must be involved to complete processing of the response. If a new query parameter is added to the Client URI, it will cause the User-Agent to re-fetch the Client URI, causing discontinuity of operation of the User-Agent based Client components. If only fragment encoding is used, the User-Agent will simply reactivate the Client component, which can then process the fragment and also convey any parameters to a Client host as necessary, e.g., via XmlHttpRequest. Therefore, full fragment encoding always results in lower latency for response processing.
This section registers a new response type, the id_token, in accordance with the stipulations in the OAuth 2.0 specification, Section 8.4. The intended purpose of the id_token is that it MUST provide an assertion of the identity of the Resource Owner as understood by the server. The assertion MUST specify a targeted audience, e.g. the requesting Client. However, the specific semantics of the assertion and how it can be validated are not specified in this document.
- If supplied as the response_type parameter in an OAuth 2.0 Authorization Request, a successful response should include the parameter id_token encoded in the fragment of the response URI.
Returning the id_token in a fragment reduces the likelihood that the id_token leaks during transport and mitigates the associated risks to the privacy of the user (Resource Owner).
This section registers the response type none, in accordance with the stipulations in the OAuth 2.0 specification, Section 8.4. The intended purpose is to enable use cases where a party requests the server to register a grant of access to a Protected Resource on behalf of a Client but requires no access credentials to be returned to the Client at that time. The means by which the Client eventually obtains the access credentials is left unspecified here.
One scenario is where a user wishes to purchase an application from a market, and desires to authorize application installation and grant the application access to Protected Resources in a single step. However, since the user is not presently interacting with the (not yet active) application, it is not appropriate to return access credentials simultaneously in the authorization step.
- When supplied as the response_type parameter in an OAuth 2.0 authorization request, the Authorization Server SHOULD NOT return an OAuth 2.0 code nor a token in a successful response to the grant request. If a redirect_uri is supplied, the User-Agent SHOULD be redirected there after granting or denying access. The request MAY include a state parameter, and if so the server MUST echo its value by adding it to the redirect_uri when issuing a successful response. Any parameters added to the redirect_uri should be query encoded. This applies to both successful responses and error responses.
The response type none SHOULD NOT be combined with other response types.
This section registers combinations of the values code, token, and id_token, which are each individually registered response types.
- code token
- When supplied as the value for the response_type parameter, a successful response MUST include both an Access Token and an Authorization Code as defined in the OAuth 2.0 specification. Both successful and error responses SHOULD be fragment-encoded.
- code id_token
- When supplied as the value for the response_type parameter, a successful response MUST include both an Authorization Code as well as an id_token. Both success and error responses SHOULD be fragment-encoded.
- id_token token
- When supplied as the value for the response_type parameter, a successful response MUST include both an Access Token as well as an id_token. Both success and error responses SHOULD be fragment-encoded.
- code id_token token
- When supplied as the value for the response_type parameter, a successful response MUST include an Authorization Code, an id_token, and an Access Token. Both success and error responses SHOULD be fragment-encoded.
A non-normative request/response example as issued/received by the User-Agent (with extra line breaks for display purposes only) is:
GET /authorize? response_type=token%20id_token &client_id=s6BhdRkqt3 &redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb &state=af0ifjsldkj HTTP/1.1 Host: server.example.com
HTTP/1.1 302 Found Location: https://client.example.org/cb# access_token=SlAV32hkKG &token_type=bearer &id_token=eyJ0 ... NiJ9.eyJ1c ... I6IjIifX0.DeWt4Qu ... ZXso &expires_in=3600 &state=af0ifjsldkj
This specification registers the response_type values defined by this specification in the IANA OAuth Authorization Endpoint Response Types registry [RFC6749] (Hardt, D., “The OAuth 2.0 Authorization Framework,” October 2012.).
|[RFC2119]||Bradner, S., “Key words for use in RFCs to Indicate Requirement Levels,” BCP 14, RFC 2119, March 1997 (TXT, HTML, XML).|
|[RFC6749]||Hardt, D., “The OAuth 2.0 Authorization Framework,” RFC 6749, October 2012 (TXT).|
The OpenID Community would like to thank the following people for the work they've done in the drafting and editing of this specification.
Naveen Agarwal (firstname.lastname@example.org), Google
John Bradley (email@example.com), Ping Identity
Michael B. Jones (firstname.lastname@example.org), Microsoft
Breno de Medeiros (email@example.com), Google
Nat Sakimura (firstname.lastname@example.org), Nomura Research Institute, Ltd.
David Recordon (email@example.com), Facebook
Marius Scurtescu (firstname.lastname@example.org), Google
Paul Tarjan (email@example.com), Facebook
Copyright (c) 2013 The OpenID Foundation.
The OpenID Foundation (OIDF) grants to any Contributor, developer, implementer, or other interested party a non-exclusive, royalty free, worldwide copyright license to reproduce, prepare derivative works from, distribute, perform and display, this Implementers Draft or Final Specification solely for the purposes of (i) developing specifications, and (ii) implementing Implementers Drafts and Final Specifications based on such documents, provided that attribution be made to the OIDF as the source of the material, but that such attribution does not indicate an endorsement by the OIDF.
The technology described in this specification was made available from contributions from various sources, including members of the OpenID Foundation and others. Although the OpenID Foundation has taken steps to help ensure that the technology is available for distribution, it takes no position regarding the validity or scope of any intellectual property or other rights that might be claimed to pertain to the implementation or use of the technology described in this specification or the extent to which any license under such rights might or might not be available; neither does it represent that it has made any independent effort to identify any such rights. The OpenID Foundation and the contributors to this specification make no (and hereby expressly disclaim any) warranties (express, implied, or otherwise), including implied warranties of merchantability, non-infringement, fitness for a particular purpose, or title, related to this specification, and the entire risk as to implementing this specification is assumed by the implementer. The OpenID Intellectual Property Rights policy requires contributors to offer a patent promise not to assert certain patent claims against other contributors and against implementers. The OpenID Foundation invites any interested party to bring to its attention any copyrights, patents, patent applications, or other proprietary rights that may cover technology that may be required to practice this specification.
[[ To be removed from the final specification ]]