Internet Assigned Numbers Authority OAuth Parameters Created 2012-07-27 Last Updated 2023-09-11 Available Formats [IMG] XML [IMG] HTML [IMG] Plain text Registries included below • OAuth Access Token Types • OAuth Authorization Endpoint Response Types • OAuth Extensions Error Registry • OAuth Parameters • OAuth Token Type Hints • OAuth URI • OAuth Dynamic Client Registration Metadata • OAuth Token Endpoint Authentication Methods • PKCE Code Challenge Methods • OAuth Token Introspection Response • OAuth Authorization Server Metadata OAuth Access Token Types Registration Procedure(s) Specification Required Expert(s) Hannes Tschofenig Reference [RFC6749][RFC8414] Note Registration requests should be sent to the mailing list described in [RFC8414]. If approved, designated experts should notify IANA within two weeks. For assistance, please contact iana@iana.org. Available Formats [IMG] CSV Name Additional Token Endpoint Response Parameters HTTP Authentication Scheme(s) Change Controller Reference Bearer Bearer IETF [RFC6750] N_A IESG [RFC8693, Section 2.2.1] PoP cnf, rs_cnf (see section 3.1 of [RFC8747] and section 3.2 of N/A IETF [RFC9200] [RFC9201]). DPoP DPoP IETF [RFC9449] OAuth Authorization Endpoint Response Types Registration Procedure(s) Specification Required Expert(s) Hannes Tschofenig Reference [RFC6749] Note Registration requests should be sent to the mailing list described in [RFC6749]. If approved, designated experts should notify IANA within two weeks. For assistance, please contact iana@iana.org. Available Formats [IMG] CSV Name Change Controller Reference code IETF [RFC6749] code id_token [OpenID_Foundation_Artifact_Binding_Working_Group] [OAuth 2.0 Multiple Response Type Encoding Practices] code id_token token [OpenID_Foundation_Artifact_Binding_Working_Group] [OAuth 2.0 Multiple Response Type Encoding Practices] code token [OpenID_Foundation_Artifact_Binding_Working_Group] [OAuth 2.0 Multiple Response Type Encoding Practices] id_token [OpenID_Foundation_Artifact_Binding_Working_Group] [OAuth 2.0 Multiple Response Type Encoding Practices] id_token token [OpenID_Foundation_Artifact_Binding_Working_Group] [OAuth 2.0 Multiple Response Type Encoding Practices] none [OpenID_Foundation_Artifact_Binding_Working_Group] [OAuth 2.0 Multiple Response Type Encoding Practices] token IETF [RFC6749] OAuth Extensions Error Registry Registration Procedure(s) Specification Required Expert(s) Hannes Tschofenig Reference [RFC6749] Note Registration requests should be sent to the mailing list described in [RFC6749]. If approved, designated experts should notify IANA within two weeks. For assistance, please contact iana@iana.org. Available Formats [IMG] CSV Name Usage Location Protocol Extension Change Controller Reference invalid_request resource access bearer access IETF [RFC6750] error response token type invalid_token resource access bearer access IETF [RFC6750] error response token type insufficient_scope resource access bearer access IETF [RFC6750] error response token type revocation token revocation unsupported_token_type endpoint error endpoint IETF [RFC7009] response [OpenID Connect interaction_required authorization OpenID Connect [OpenID_Foundation_Artifact_Binding_Working_Group] Core 1.0 endpoint incorporating errata set 1] [OpenID Connect login_required authorization OpenID Connect [OpenID_Foundation_Artifact_Binding_Working_Group] Core 1.0 endpoint incorporating errata set 1] [OpenID Connect account_selection_required authorization OpenID Connect [OpenID_Foundation_Artifact_Binding_Working_Group] Core 1.0 endpoint incorporating errata set 1] [OpenID Connect consent_required authorization OpenID Connect [OpenID_Foundation_Artifact_Binding_Working_Group] Core 1.0 endpoint incorporating errata set 1] [OpenID Connect invalid_request_uri authorization OpenID Connect [OpenID_Foundation_Artifact_Binding_Working_Group] Core 1.0 endpoint incorporating errata set 1] [OpenID Connect invalid_request_object authorization OpenID Connect [OpenID_Foundation_Artifact_Binding_Working_Group] Core 1.0 endpoint incorporating errata set 1] [OpenID Connect request_not_supported authorization OpenID Connect [OpenID_Foundation_Artifact_Binding_Working_Group] Core 1.0 endpoint incorporating errata set 1] [OpenID Connect request_uri_not_supported authorization OpenID Connect [OpenID_Foundation_Artifact_Binding_Working_Group] Core 1.0 endpoint incorporating errata set 1] [OpenID Connect registration_not_supported authorization OpenID Connect [OpenID_Foundation_Artifact_Binding_Working_Group] Core 1.0 endpoint incorporating errata set 1] need_info (and its subsidiary authorization [UMA 2.0 Grant parameters) server response, Kantara UMA [Kantara_UMA_WG] for OAuth 2.0, token endpoint Section 3.3.6] authorization [UMA 2.0 Grant request_denied server response, Kantara UMA [Kantara_UMA_WG] for OAuth 2.0, token endpoint Section 3.3.6] request_submitted (and its subsidiary authorization [UMA 2.0 Grant parameters) server response, Kantara UMA [Kantara_UMA_WG] for OAuth 2.0, token endpoint Section 3.3.6] authorization_pending Token endpoint [RFC8628] IETF [RFC8628, Section response 3.5] access_denied Token endpoint [RFC8628] IETF [RFC8628, Section response 3.5] slow_down Token endpoint [RFC8628] IETF [RFC8628, Section response 3.5] expired_token Token endpoint [RFC8628] IETF [RFC8628, Section response 3.5] implicit grant invalid_target error response, resource parameter IESG [RFC8707] token error response unsupported_pop_key token error [RFC9200] IETF [RFC9200, Section response 5.8.3] incompatible_ace_profiles token error [RFC9200] IETF [RFC9200, Section response 5.8.3] token endpoint, OAuth 2.0 Rich [RFC9396, Section invalid_authorization_details authorization Authorization IETF 5] endpoint Requests token error Demonstrating invalid_dpop_proof response, resource Proof of IETF [RFC9449] access error Possession (DPoP) response token error Demonstrating use_dpop_nonce response, resource Proof of IETF [RFC9449] access error Possession (DPoP) response resource access OAuth 2.0 Step Up [RFC9470, Section insufficient_user_authentication error response Authentication IETF 3] Challenge Protocol OAuth Parameters Registration Procedure(s) Specification Required Expert(s) Hannes Tschofenig Reference [RFC6749] Note Registration requests should be sent to the mailing list described in [RFC6749]. If approved, designated experts should notify IANA within two weeks. For assistance, please contact iana@iana.org. Available Formats [IMG] CSV Name Parameter Usage Location Change Controller Reference client_id authorization request, token IETF [RFC6749] request client_secret token request IETF [RFC6749] response_type authorization request IETF [RFC6749] redirect_uri authorization request, token IETF [RFC6749] request authorization request, scope authorization response, token IETF [RFC6749] request, token response state authorization request, IETF [RFC6749] authorization response code authorization response, token IETF [RFC6749] request error authorization response, token IETF [RFC6749] response error_description authorization response, token IETF [RFC6749] response error_uri authorization response, token IETF [RFC6749] response grant_type token request IETF [RFC6749] access_token authorization response, token IETF [RFC6749] response token_type authorization response, token IETF [RFC6749] response expires_in authorization response, token IETF [RFC6749] response username token request IETF [RFC6749] password token request IETF [RFC6749] refresh_token token request, token response IETF [RFC6749] nonce authorization request [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0 incorporating errata set 1] display authorization request [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0 incorporating errata set 1] prompt authorization request [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0 incorporating errata set 1] max_age authorization request [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0 incorporating errata set 1] ui_locales authorization request [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0 incorporating errata set 1] claims_locales authorization request [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0 incorporating errata set 1] id_token_hint authorization request [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0 incorporating errata set 1] login_hint authorization request [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0 incorporating errata set 1] acr_values authorization request [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0 incorporating errata set 1] claims authorization request [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0 incorporating errata set 1] registration authorization request [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0 incorporating errata set 1] request authorization request [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0 incorporating errata set 1] request_uri authorization request [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0 incorporating errata set 1] id_token authorization response, access [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0 token response incorporating errata set 1] session_state authorization response, access [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Session Management token response 1.0, Section 2] assertion token request IESG [RFC7521] client_assertion token request IESG [RFC7521] client_assertion_type token request IESG [RFC7521] code_verifier token request IESG [RFC7636] code_challenge authorization request IESG [RFC7636] code_challenge_method authorization request IESG [RFC7636] claim_token client request, token endpoint [Kantara_UMA_WG] [UMA 2.0 Grant for OAuth 2.0, Section 3.3.1] pct client request, token endpoint [Kantara_UMA_WG] [UMA 2.0 Grant for OAuth 2.0, Section 3.3.1] pct authorization server response, [Kantara_UMA_WG] [UMA 2.0 Grant for OAuth 2.0, token endpoint Section 3.3.5] rpt client request, token endpoint [Kantara_UMA_WG] [UMA 2.0 Grant for OAuth 2.0, Section 3.3.1] ticket client request, token endpoint [Kantara_UMA_WG] [UMA 2.0 Grant for OAuth 2.0, Section 3.3.1] upgraded authorization server response, [Kantara_UMA_WG] [UMA 2.0 Grant for OAuth 2.0, token endpoint Section 3.3.5] vtr authorization request, token IESG [RFC8485] request device_code token request IESG [RFC8628, Section 3.1] resource authorization request, token IESG [RFC8707] request audience token request IESG [RFC8693, Section 2.1] requested_token_type token request IESG [RFC8693, Section 2.1] subject_token token request IESG [RFC8693, Section 2.1] subject_token_type token request IESG [RFC8693, Section 2.1] actor_token token request IESG [RFC8693, Section 2.1] actor_token_type token request IESG [RFC8693, Section 2.1] issued_token_type token response IESG [RFC8693, Section 2.2.1] response_mode Authorization Request [OpenID_Foundation_Artifact_Binding_Working_Group] [OAuth 2.0 Multiple Response Type Encoding Practices] nfv_token Access Token Response [ETSI] [ETSI GS NFV-SEC 022 V2.7.1] iss authorization request, IETF [RFC9207, Section authorization response 2][RFC9101][RFC7519, Section 4.1.1] sub authorization request IETF [RFC7519, Section 4.1.2][RFC9101] aud authorization request IETF [RFC7519, Section 4.1.3][RFC9101] exp authorization request IETF [RFC7519, Section 4.1.4][RFC9101] nbf authorization request IETF [RFC7519, Section 4.1.5][RFC9101] iat authorization request IETF [RFC7519, Section 4.1.6][RFC9101] jti authorization request IETF [RFC7519, Section 4.1.7][RFC9101] ace_profile token response IETF [RFC9200, Sections 5.8.2, 5.8.4.3] nonce1 client-rs request IETF [RFC9203] nonce2 rs-client response IETF [RFC9203] ace_client_recipientid client-rs request IETF [RFC9203] ace_server_recipientid rs-client response IETF [RFC9203] req_cnf token request IETF [RFC9201, Section 5] rs_cnf token response IETF [RFC9201, Section 5] cnf token response IETF [RFC9201, Section 5] authorization_details authorization request, token IETF [RFC9396] request, token response dpop_jkt authorization request IETF [RFC9449, Section 10] OAuth Token Type Hints Registration Procedure(s) Specification Required Expert(s) Torsten Lodderstedt Reference [RFC7009] Note Registration requests must be sent to the mailing list described in [RFC7009]. If approved, designated experts should notify IANA within two weeks. For assistance, please contact iana@iana.org. Available Formats [IMG] CSV Hint Value Change Controller Reference access_token IETF [RFC7009] refresh_token IETF [RFC7009] pct [Kantara_UMA_WG] [UMA 2.0 Grant for OAuth 2.0, Section 3.7] OAuth URI Registration Procedure(s) Specification Required Expert(s) Hannes Tschofenig Reference [RFC6755] Note Prefix: urn:ietf:params:oauth Available Formats [IMG] CSV URN Common Name Change Controller Reference urn:ietf:params:oauth:grant-type:jwt-bearer JWT Bearer Token Grant Type Profile for OAuth IESG [RFC7523] 2.0 urn:ietf:params:oauth:client-assertion-type:jwt-bearer JWT Bearer Token Profile for OAuth 2.0 Client IESG [RFC7523] Authentication urn:ietf:params:oauth:grant-type:saml2-bearer SAML 2.0 Bearer Assertion Grant Type Profile IESG [RFC7522] for OAuth 2.0 urn:ietf:params:oauth:client-assertion-type:saml2-bearer SAML 2.0 Bearer Assertion Profile for OAuth IESG [RFC7522] 2.0 Client Authentication urn:ietf:params:oauth:token-type:jwt JSON Web Token (JWT) Token Type IESG [RFC7519] urn:ietf:params:oauth:grant-type:device_code Device flow grant type for OAuth 2.0 IESG [RFC8628, Section 3.1] urn:ietf:params:oauth:grant-type:token-exchange Token exchange grant type for OAuth 2.0 IESG [RFC8693, Section 2.1] urn:ietf:params:oauth:token-type:access_token Token type URI for an OAuth 2.0 access token IESG [RFC8693, Section 3] urn:ietf:params:oauth:token-type:refresh_token Token type URI for an OAuth 2.0 refresh token IESG [RFC8693, Section 3] urn:ietf:params:oauth:token-type:id_token Token type URI for an ID Token IESG [RFC8693, Section 3] urn:ietf:params:oauth:token-type:saml1 Token type URI for a base64url-encoded SAML IESG [RFC8693, Section 3] 1.1 assertion urn:ietf:params:oauth:token-type:saml2 Token type URI for a base64url-encoded SAML IESG [RFC8693, Section 3] 2.0 assertion urn:ietf:params:oauth:request_uri A URN Sub-Namespace for OAuth Request URIs. IESG [RFC9126, Section 2.2] urn:ietf:params:oauth:jwk-thumbprint JWK Thumbprint URI IESG [RFC9278] OAuth Dynamic Client Registration Metadata Registration Procedure(s) Specification Required Expert(s) Justin Richer Reference [RFC7591] Note Registration requests should be sent to the mailing list described in [RFC7591]. If approved, designated experts should notify IANA within two weeks. For assistance, please contact iana@iana.org. Available Formats [IMG] CSV Client Metadata Name Client Metadata Change Controller Reference Description Array of redirection URIs redirect_uris for use in redirect-based IESG [RFC7591] flows Requested authentication token_endpoint_auth_method method for the token IESG [RFC7591] endpoint Array of OAuth 2.0 grant grant_types types that the client may IESG [RFC7591] use Array of the OAuth 2.0 response_types response types that the IESG [RFC7591] client may use Human-readable name of client_name the client to be IESG [RFC7591] presented to the user URL of a web page client_uri providing information IESG [RFC7591] about the client logo_uri URL that references a IESG [RFC7591] logo for the client scope Space-separated list of IESG [RFC7591] OAuth 2.0 scope values Array of strings representing ways to contacts contact people IESG [RFC7591] responsible for this client, typically email addresses URL that points to a tos_uri human-readable terms of IESG [RFC7591] service document for the client URL that points to a policy_uri human-readable policy IESG [RFC7591] document for the client URL referencing the client's JSON Web Key Set jwks_uri [RFC7517] document IESG [RFC7591] representing the client's public keys Client's JSON Web Key Set jwks [RFC7517] document IESG [RFC7591] representing the client's public keys Identifier for the software_id software that comprises a IESG [RFC7591] client Version identifier for software_version the software that IESG [RFC7591] comprises a client client_id Client identifier IESG [RFC7591] client_secret Client secret IESG [RFC7591] client_id_issued_at Time at which the client IESG [RFC7591] identifier was issued client_secret_expires_at Time at which the client IESG [RFC7591] secret will expire OAuth 2.0 Bearer Token registration_access_token used to access the client IESG [RFC7592] configuration endpoint Fully qualified URI of registration_client_uri the client registration IESG [RFC7592] endpoint application_type Kind of the application [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Dynamic Client Registration -- "native" or "web" 1.0 incorporating errata set 2] URL using the https sector_identifier_uri scheme to be used in [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Dynamic Client Registration calculating Pseudonymous 1.0 incorporating errata set 2] Identifiers by the OP subject_type requested subject_type for responses to this [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Dynamic Client Registration Client -- "pairwise" or 1.0 incorporating errata set 2] "public" JWS alg algorithm id_token_signed_response_alg REQUIRED for signing the [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Dynamic Client Registration ID Token issued to this 1.0 incorporating errata set 2] Client JWE alg algorithm id_token_encrypted_response_alg REQUIRED for encrypting [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Dynamic Client Registration the ID Token issued to 1.0 incorporating errata set 2] this Client JWE enc algorithm id_token_encrypted_response_enc REQUIRED for encrypting [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Dynamic Client Registration the ID Token issued to 1.0 incorporating errata set 2] this Client JWS alg algorithm [OpenID Connect Dynamic Client Registration userinfo_signed_response_alg REQUIRED for signing [OpenID_Foundation_Artifact_Binding_Working_Group] 1.0 incorporating errata set 2] UserInfo Responses JWE alg algorithm [OpenID Connect Dynamic Client Registration userinfo_encrypted_response_alg REQUIRED for encrypting [OpenID_Foundation_Artifact_Binding_Working_Group] 1.0 incorporating errata set 2] UserInfo Responses JWE enc algorithm [OpenID Connect Dynamic Client Registration userinfo_encrypted_response_enc REQUIRED for encrypting [OpenID_Foundation_Artifact_Binding_Working_Group] 1.0 incorporating errata set 2] UserInfo Responses JWS alg algorithm that request_object_signing_alg MUST be used for signing [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Dynamic Client Registration Request Objects sent to 1.0 incorporating errata set 2] the OP JWE alg algorithm the RP is declaring that it may [OpenID Connect Dynamic Client Registration request_object_encryption_alg use for encrypting [OpenID_Foundation_Artifact_Binding_Working_Group] 1.0 incorporating errata set 2] Request Objects sent to the OP JWE enc algorithm the RP is declaring that it may [OpenID Connect Dynamic Client Registration request_object_encryption_enc use for encrypting [OpenID_Foundation_Artifact_Binding_Working_Group] 1.0 incorporating errata set 2] Request Objects sent to the OP JWS alg algorithm that MUST be used for signing the JWT used to token_endpoint_auth_signing_alg authenticate the Client [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Dynamic Client Registration at the Token Endpoint for 1.0 incorporating errata set 2] the private_key_jwt and client_secret_jwt authentication methods default_max_age Default Maximum [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Dynamic Client Registration Authentication Age 1.0 incorporating errata set 2] Boolean value specifying require_auth_time whether the auth_time [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Dynamic Client Registration Claim in the ID Token is 1.0 incorporating errata set 2] REQUIRED Default requested [OpenID Connect Dynamic Client Registration default_acr_values Authentication Context [OpenID_Foundation_Artifact_Binding_Working_Group] 1.0 incorporating errata set 2] Class Reference values URI using the https initiate_login_uri scheme that a third party [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Dynamic Client Registration can use to initiate a 1.0 incorporating errata set 2] login by the RP Array of request_uri request_uris values that are [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Dynamic Client Registration pre-registered by the RP 1.0 incorporating errata set 2] for use at the OP claims_redirect_uris claims redirection [Kantara_UMA_WG] [UMA 2.0 Grant for OAuth 2.0, Section 2] endpoints JWS alg algorithm nfv_token_signed_response_alg required for signing the [ETSI] [ETSI GS NFV-SEC 022 V2.7.1] nfv Token issued to this Client JWE alg algorithm nfv_token_encrypted_response_alg required for encrypting [ETSI] [ETSI GS NFV-SEC 022 V2.7.1] the nfv Token issued to this Client JWE enc algorithm nfv_token_encrypted_response_enc required for encrypting [ETSI] [ETSI GS NFV-SEC 022 V2.7.1] the nfv Token issued to this Client Indicates the client's intention to use tls_client_certificate_bound_access_tokens mutual-TLS client [IESG] [RFC8705, Section 3.4] certificate-bound access tokens. String value specifying tls_client_auth_subject_dn the expected subject DN [IESG] [RFC8705, Section 2.1.2] of the client certificate. String value specifying tls_client_auth_san_dns the expected dNSName SAN [IESG] [RFC8705, Section 2.1.2] entry in the client certificate. String value specifying the expected tls_client_auth_san_uri uniformResourceIdentifier [IESG] [RFC8705, Section 2.1.2] SAN entry in the client certificate. String value specifying tls_client_auth_san_ip the expected iPAddress [IESG] [RFC8705, Section 2.1.2] SAN entry in the client certificate. String value specifying tls_client_auth_san_email the expected rfc822Name [IESG] [RFC8705, Section 2.1.2] SAN entry in the client certificate. Indicates where authorization request needs to be protected as require_signed_request_object Request Object and [IETF] [RFC9101, Section 10.5] provided through either request or request_uri parameter. Indicates whether the require_pushed_authorization_requests client is required to use [IESG] [RFC9126, Section 6] PAR to initiate authorization requests. String value indicating introspection_signed_response_alg the client's desired [IETF] [RFC-ietf-oauth-jwt-introspection-response-12, introspection response Section 6] signing algorithm. String value specifying the desired introspection [RFC-ietf-oauth-jwt-introspection-response-12, introspection_encrypted_response_alg response content key [IETF] Section 6] encryption algorithm (alg value). String value specifying the desired introspection [RFC-ietf-oauth-jwt-introspection-response-12, introspection_encrypted_response_enc response content [IETF] Section 6] encryption algorithm (enc value). RP URL that will cause frontchannel_logout_uri the RP to log itself out [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Front-Channel Logout 1.0, when rendered in an Section 2] iframe by the OP Boolean value specifying whether the RP requires that a sid (session ID) query parameter be [OpenID Connect Front-Channel Logout 1.0, frontchannel_logout_session_required included to identify the [OpenID_Foundation_Artifact_Binding_Working_Group] Section 2] RP session with the OP when the frontchannel_logout_uri is used RP URL that will cause backchannel_logout_uri the RP to log itself out [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Back-Channel Logout 1.0, when sent a Logout Token Section 2.2] by the OP Boolean value specifying whether the RP requires that a sid (session ID) Claim be included in the [OpenID Connect Back-Channel Logout 1.0, backchannel_logout_session_required Logout Token to identify [OpenID_Foundation_Artifact_Binding_Working_Group] Section 2.2] the RP session with the OP when the backchannel_logout_uri is used Array of URLs supplied by the RP to which it MAY request that the post_logout_redirect_uris End-User's User Agent be [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect RP-Initiated Logout 1.0, redirected using the Section 3.1] post_logout_redirect_uri parameter after a logout has been performed Indicates what authorization_details_types authorization details [IETF] [RFC9396, Section 10] types the client uses. Boolean value specifying dpop_bound_access_tokens whether the client always [IETF] [RFC9449, Section 5.2] uses DPoP for token requests OAuth Token Endpoint Authentication Methods Registration Procedure(s) Specification Required Expert(s) Justin Richer Reference [RFC7591][RFC8414] Note Registration requests should be sent to the mailing list described in [RFC7591]. If approved, designated experts should notify IANA within two weeks. For assistance, please contact iana@iana.org. Available Formats [IMG] CSV Token Endpoint Authentication Method Name Change Controller Reference none IESG [RFC7591] client_secret_post IESG [RFC7591] client_secret_basic IESG [RFC7591] client_secret_jwt [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0 incorporating errata set 1] private_key_jwt [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Core 1.0 incorporating errata set 1] tls_client_auth IESG [RFC8705, Section 2.1.1] self_signed_tls_client_auth IESG [RFC8705, Section 2.2.1] PKCE Code Challenge Methods Registration Procedure(s) Specification Required Expert(s) John Bradley, Mike Jones Reference [RFC7636] Note Registration requests should be sent to the mailing list described in [RFC7636]. If approved, designated experts should notify IANA within two weeks. For assistance, please contact iana@iana.org. Available Formats [IMG] CSV Code Challenge Method Parameter Name Change Controller Reference plain IESG [Section 4.2 of RFC7636] S256 IESG [Section 4.2 of RFC7636] OAuth Token Introspection Response Registration Procedure(s) Specification Required Expert(s) Justin Richer Reference [RFC7662] Note Registration requests should be sent to the mailing list described in [RFC7662]. If approved, designated experts should notify IANA within two weeks. For assistance, please contact iana@iana.org. Available Formats [IMG] CSV Name Description Change Controller Reference active Token active status IESG [RFC7662, Section 2.2] username User identifier of the resource owner IESG [RFC7662, Section 2.2] client_id Client identifier of the client IESG [RFC7662, Section 2.2] scope Authorized scopes of the token IESG [RFC7662, Section 2.2] token_type Type of the token IESG [RFC7662, Section 2.2] exp Expiration timestamp of the token IESG [RFC7662, Section 2.2] iat Issuance timestamp of the token IESG [RFC7662, Section 2.2] nbf Timestamp which the token is not valid before IESG [RFC7662, Section 2.2] sub Subject of the token IESG [RFC7662, Section 2.2] aud Audience of the token IESG [RFC7662, Section 2.2] iss Issuer of the token IESG [RFC7662, Section 2.2] jti Unique identifier of the token IESG [RFC7662, Section 2.2] permissions array of objects, each describing a scoped, time-limitable [Kantara_UMA_WG] [Federated Authorization for UMA 2.0, permission for a resource Section 5.1.1] vot Vector of Trust value IESG [RFC8485] vtm Vector of Trust trustmark URL IESG [RFC8485] act Actor IESG [RFC8693, Section 4.1] may_act Authorized Actor - the party that is authorized to become the IESG [RFC8693, Section 4.4] actor cnf Confirmation IESG [RFC7800][RFC8705] ace_profile The ACE profile used between the client and RS. IETF [RFC9200, Section 5.9.2] "client-nonce". A nonce previously provided to the AS by the RS cnonce via the client. Used to verify token freshness when the RS cannot IETF [RFC9200, Section 5.9.2] synchronize its clock with the AS. cti "CWT ID". The identifier of a CWT as defined in [RFC8392]. IETF [RFC9200, Section 5.9.2] "Expires in". Lifetime of the token in seconds from the time the exi RS first sees it. Used to implement a weaker form of token IETF [RFC9200, Section 5.9.2] expiration for devices that cannot synchronize their internal clocks. The member authorization_details contains a JSON array of JSON authorization_details objects representing the rights of the access token. Each JSON IETF [RFC9396, Section 9.2] object contains the data to specify the authorization requirements for a certain type of resource. acr Authentication Context Class Reference IETF [RFC9470, Section 6.2] auth_time Time when the user authentication occurred IETF [RFC9470, Section 6.2] OAuth Authorization Server Metadata Registration Procedure(s) Specification Required Expert(s) Michael Jones, Nat Sakimura, John Bradley, Dick Hardt Reference [RFC8414] Note Registration requests should be sent to the mailing list described in [RFC8414]. If approved, designated experts should notify IANA within two weeks. For assistance, please contact iana@iana.org. Available Formats [IMG] CSV Metadata Name Metadata Change Controller Reference Description Authorization issuer server's issuer IESG [RFC8414, Section 2] identifier URL URL of the authorization authorization_endpoint server's IESG [RFC8414, Section 2] authorization endpoint URL of the token_endpoint authorization IESG [RFC8414, Section 2] server's token endpoint URL of the jwks_uri authorization IESG [RFC8414, Section 2] server's JWK Set document URL of the authorization server's OAuth registration_endpoint 2.0 Dynamic IESG [RFC8414, Section 2] Client Registration Endpoint JSON array containing a list of the OAuth 2.0 scopes_supported "scope" values IESG [RFC8414, Section 2] that this authorization server supports JSON array containing a list of the OAuth 2.0 response_types_supported "response_type" IESG [RFC8414, Section 2] values that this authorization server supports JSON array containing a list of the OAuth 2.0 response_modes_supported "response_mode" IESG [RFC8414, Section 2] values that this authorization server supports JSON array containing a list of the OAuth 2.0 grant_types_supported grant type values IESG [RFC8414, Section 2] that this authorization server supports JSON array containing a list of client token_endpoint_auth_methods_supported authentication IESG [RFC8414, Section 2] methods supported by this token endpoint JSON array containing a list of the JWS signing algorithms token_endpoint_auth_signing_alg_values_supported supported by the IESG [RFC8414, Section 2] token endpoint for the signature on the JWT used to authenticate the client at the token endpoint URL of a page containing human-readable information that service_documentation developers might IESG [RFC8414, Section 2] want or need to know when using the authorization server Languages and scripts supported for the user interface, ui_locales_supported represented as a IESG [RFC8414, Section 2] JSON array of language tag values from BCP 47 [RFC5646] URL that the authorization server provides to the person registering the client to read about the op_policy_uri authorization IESG [RFC8414, Section 2] server's requirements on how the client can use the data provided by the authorization server URL that the authorization server provides to the person op_tos_uri registering the IESG [RFC8414, Section 2] client to read about the authorization server's terms of service URL of the authorization revocation_endpoint server's OAuth IESG [RFC8414, Section 2] 2.0 revocation endpoint JSON array containing a list of client revocation_endpoint_auth_methods_supported authentication IESG [RFC8414, Section 2] methods supported by this revocation endpoint JSON array containing a list of the JWS signing algorithms supported by the revocation_endpoint_auth_signing_alg_values_supported revocation IESG [RFC8414, Section 2] endpoint for the signature on the JWT used to authenticate the client at the revocation endpoint URL of the authorization introspection_endpoint server's OAuth IESG [RFC8414, Section 2] 2.0 introspection endpoint JSON array containing a list of client introspection_endpoint_auth_methods_supported authentication IESG [RFC8414, Section 2] methods supported by this introspection endpoint JSON array containing a list of the JWS signing algorithms supported by the introspection_endpoint_auth_signing_alg_values_supported introspection IESG [RFC8414, Section 2] endpoint for the signature on the JWT used to authenticate the client at the introspection endpoint PKCE code challenge methods code_challenge_methods_supported supported by this IESG [RFC8414, Section 2] authorization server Signed JWT containing signed_metadata metadata values IESG [RFC8414, Section 2.1] about the authorization server as claims URL of the authorization device_authorization_endpoint server's device IESG [RFC8628, Section 4] authorization endpoint Indicates authorization server support tls_client_certificate_bound_access_tokens for mutual-TLS IESG [RFC8705, Section 3.3] client certificate-bound access tokens. JSON object containing alternative authorization server endpoints, mtls_endpoint_aliases which a client IESG [RFC8705, Section 5] intending to do mutual TLS will use in preference to the conventional endpoints. JSON array containing a list of the JWS signing nfv_token_signing_alg_values_supported algorithms [ETSI] [ETSI GS NFV-SEC 022 V2.7.1] supported by the server for signing the JWT used as NFV Token JSON array containing a list of the JWE encryption nfv_token_encryption_alg_values_supported algorithms (alg [ETSI] [ETSI GS NFV-SEC 022 V2.7.1] values) supported by the server to encode the JWT used as NFV Token JSON array containing a list of the JWE encryption nfv_token_encryption_enc_values_supported algorithms (enc [ETSI] [ETSI GS NFV-SEC 022 V2.7.1] values) supported by the server to encode the JWT used as NFV Token userinfo_endpoint URL of the OP's [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Discovery 1.0, Section 3] UserInfo Endpoint JSON array containing a list of the acr_values_supported Authentication [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Discovery 1.0, Section 3] Context Class References that this OP supports JSON array containing a list subject_types_supported of the Subject [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Discovery 1.0, Section 3] Identifier types that this OP supports JSON array containing a list id_token_signing_alg_values_supported of the JWS "alg" [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Discovery 1.0, Section 3] values supported by the OP for the ID Token JSON array containing a list id_token_encryption_alg_values_supported of the JWE "alg" [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Discovery 1.0, Section 3] values supported by the OP for the ID Token JSON array containing a list id_token_encryption_enc_values_supported of the JWE "enc" [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Discovery 1.0, Section 3] values supported by the OP for the ID Token JSON array containing a list userinfo_signing_alg_values_supported of the JWS "alg" [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Discovery 1.0, Section 3] values supported by the UserInfo Endpoint JSON array containing a list userinfo_encryption_alg_values_supported of the JWE "alg" [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Discovery 1.0, Section 3] values supported by the UserInfo Endpoint JSON array containing a list userinfo_encryption_enc_values_supported of the JWE "enc" [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Discovery 1.0, Section 3] values supported by the UserInfo Endpoint JSON array containing a list request_object_signing_alg_values_supported of the JWS "alg" [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Discovery 1.0, Section 3] values supported by the OP for Request Objects JSON array containing a list request_object_encryption_alg_values_supported of the JWE "alg" [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Discovery 1.0, Section 3] values supported by the OP for Request Objects JSON array containing a list request_object_encryption_enc_values_supported of the JWE "enc" [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Discovery 1.0, Section 3] values supported by the OP for Request Objects JSON array containing a list display_values_supported of the "display" [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Discovery 1.0, Section 3] parameter values that the OpenID Provider supports JSON array containing a list claim_types_supported of the Claim [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Discovery 1.0, Section 3] Types that the OpenID Provider supports JSON array containing a list of the Claim claims_supported Names of the [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Discovery 1.0, Section 3] Claims that the OpenID Provider MAY be able to supply values for Languages and scripts supported for values in Claims being claims_locales_supported returned, [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Discovery 1.0, Section 3] represented as a JSON array of BCP 47 [RFC5646] language tag values Boolean value specifying claims_parameter_supported whether the OP [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Discovery 1.0, Section 3] supports use of the "claims" parameter Boolean value specifying request_parameter_supported whether the OP [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Discovery 1.0, Section 3] supports use of the "request" parameter Boolean value specifying request_uri_parameter_supported whether the OP [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Discovery 1.0, Section 3] supports use of the "request_uri" parameter Boolean value specifying whether the OP require_request_uri_registration requires any [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Discovery 1.0, Section 3] "request_uri" values used to be pre-registered Indicates where authorization request needs to be protected as require_signed_request_object Request Object IETF [RFC9101, Section 10.5] and provided through either request or request_uri parameter. URL of the authorization pushed_authorization_request_endpoint server's pushed IESG [RFC9126, Section 5] authorization request endpoint Indicates whether the authorization require_pushed_authorization_requests server accepts IESG [RFC9126, Section 5] authorization requests only via PAR. JSON array containing a list of algorithms introspection_signing_alg_values_supported supported by the IETF [RFC-ietf-oauth-jwt-introspection-response-12, authorization Section 7] server for introspection response signing. JSON array containing a list of algorithms supported by the introspection_encryption_alg_values_supported authorization IETF [RFC-ietf-oauth-jwt-introspection-response-12, server for Section 7] introspection response content key encryption (alg value). JSON array containing a list of algorithms supported by the introspection_encryption_enc_values_supported authorization IETF [RFC-ietf-oauth-jwt-introspection-response-12, server for Section 7] introspection response content encryption (enc value). Boolean value indicating whether the authorization authorization_response_iss_parameter_supported server provides IETF [RFC9207, Section 3] the iss parameter in the authorization response. URL of an OP iframe that supports cross-origin check_session_iframe communications [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Session Management 1.0, for session state Section 3.3] information with the RP Client, using the HTML5 postMessage API Boolean value specifying whether the OP frontchannel_logout_supported supports [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Front-Channel Logout 1.0, HTTP-based Section 3] logout, with true indicating support Boolean value specifying whether the OP backchannel_logout_supported supports [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Back-Channel Logout 1.0, back-channel Section 2] logout, with true indicating support Boolean value specifying whether the OP can pass a sid backchannel_logout_session_supported (session ID) [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect Back-Channel Logout 1.0, Claim in the Section 2] Logout Token to identify the RP session with the OP URL at the OP to which an RP can perform a end_session_endpoint redirect to [OpenID_Foundation_Artifact_Binding_Working_Group] [OpenID Connect RP-Initiated Logout 1.0, request that the Section 2.1] End-User be logged out at the OP Supported CIBA backchannel_token_delivery_modes_supported authentication [OpenID_Foundation_MODRNA_Working_Group] [OpenID Connect Client-Initiated Backchannel result delivery Authentication Flow - Core 1.0, Section 4] modes CIBA Backchannel [OpenID Connect Client-Initiated Backchannel backchannel_authentication_endpoint Authentication [OpenID_Foundation_MODRNA_Working_Group] Authentication Flow - Core 1.0, Section 4] Endpoint JSON array containing a list of the JWS signing backchannel_authentication_request_signing_alg_values_supported algorithms [OpenID_Foundation_MODRNA_Working_Group] [OpenID Connect Client-Initiated Backchannel supported for Authentication Flow - Core 1.0, Section 4] validation of signed CIBA authentication requests Indicates whether the OP supports [OpenID Connect Client-Initiated Backchannel backchannel_user_code_parameter_supported the use of the [OpenID_Foundation_MODRNA_Working_Group] Authentication Flow - Core 1.0, Section 4] CIBA user_code parameter. JSON array containing the authorization_details_types_supported authorization IETF [RFC9396, Section 10] details types the AS supports JSON array containing a list dpop_signing_alg_values_supported of the JWS IETF [RFC9449, Section 5.1] algorithms supported for DPoP proof JWTs Contact Information ID Name Contact URI Last Updated [ETSI] ETSI mailto:pnns&etsi.org 2019-07-22 [IESG] Internet Engineering mailto:iesg&ietf.org Steering Group [IETF] Internet Engineering Task mailto:ietf&ietf.org Force Kantara Initiative [Kantara_UMA_WG] User-Managed Access Work mailto:staff&kantarainitiative.org 2018-04-23 Group [OpenID_Foundation_Artifact_Binding_Working_Group] OpenID Foundation Artifact mailto:openid-specs-ab&lists.openid.net 2022-09-23 Binding Working Group [OpenID_Foundation_MODRNA_Working_Group] OpenID Foundation MODRNA mailto:openid-specs-mobile-profile&lists.openid.net 2022-12-01 Working Group Licensing Terms