OAuth Parameters
- Created
- 2012-07-27
- Last Updated
- 2024-12-20
- Available Formats
-
XML
HTML
Plain text
Registries included below
- OAuth Access Token Types
- OAuth Authorization Endpoint Response Types
- OAuth Extensions Error Registry
- OAuth Parameters
- OAuth Token Type Hints
- OAuth URI
- OAuth Dynamic Client Registration Metadata
- OAuth Token Endpoint Authentication Methods
- PKCE Code Challenge Methods
- OAuth Token Introspection Response
- OAuth Authorization Server Metadata
- OAuth Protected Resource Metadata
OAuth Access Token Types
- Registration Procedure(s)
-
Specification Required
- Expert(s)
-
Hannes Tschofenig, Mike Jones
- Reference
- [RFC6749][RFC8414]
- Note
-
Registration requests should be sent to [oauth-ext-review@ietf.org], as described in [RFC6749]. If approved, designated experts should notify IANA within two weeks. For assistance, please contact iana@iana.org. IANA does not monitor the list.
- Available Formats
-
CSV
Name | Additional Token Endpoint Response Parameters | HTTP Authentication Scheme(s) | Change Controller | Reference |
---|---|---|---|---|
Bearer | Bearer | IETF | [RFC6750] | |
N_A | IESG | [RFC8693, Section 2.2.1] | ||
PoP | cnf, rs_cnf (see section 3.1 of [RFC8747] and section 3.2 of [RFC9201]). | N/A | IETF | [RFC9200] |
DPoP | DPoP | IETF | [RFC9449] |
OAuth Authorization Endpoint Response Types
- Registration Procedure(s)
-
Specification Required
- Expert(s)
-
Hannes Tschofenig, Mike Jones
- Reference
- [RFC6749]
- Note
-
Registration requests should be sent to [oauth-ext-review@ietf.org], as described in [RFC6749]. If approved, designated experts should notify IANA within two weeks. For assistance, please contact iana@iana.org. IANA does not monitor the list.
- Available Formats
-
CSV
Name | Change Controller | Reference |
---|---|---|
code | IETF | [RFC6749] |
code id_token | [OpenID_Foundation_Artifact_Binding_Working_Group] | [OAuth 2.0 Multiple Response Type Encoding Practices] |
code id_token token | [OpenID_Foundation_Artifact_Binding_Working_Group] | [OAuth 2.0 Multiple Response Type Encoding Practices] |
code token | [OpenID_Foundation_Artifact_Binding_Working_Group] | [OAuth 2.0 Multiple Response Type Encoding Practices] |
id_token | [OpenID_Foundation_Artifact_Binding_Working_Group] | [OAuth 2.0 Multiple Response Type Encoding Practices] |
id_token token | [OpenID_Foundation_Artifact_Binding_Working_Group] | [OAuth 2.0 Multiple Response Type Encoding Practices] |
none | [OpenID_Foundation_Artifact_Binding_Working_Group] | [OAuth 2.0 Multiple Response Type Encoding Practices] |
token | IETF | [RFC6749] |
OAuth Extensions Error Registry
- Registration Procedure(s)
-
Specification Required
- Expert(s)
-
Hannes Tschofenig, Mike Jones
- Reference
- [RFC6749]
- Note
-
Registration requests should be sent to [oauth-ext-review@ietf.org], as described in [RFC6749]. If approved, designated experts should notify IANA within two weeks. For assistance, please contact iana@iana.org. IANA does not monitor the list.
- Available Formats
-
CSV
Name | Usage Location | Protocol Extension | Change Controller | Reference |
---|---|---|---|---|
invalid_request | resource access error response | bearer access token type | IETF | [RFC6750] |
invalid_token | resource access error response | bearer access token type | IETF | [RFC6750] |
insufficient_scope | resource access error response | bearer access token type | IETF | [RFC6750] |
unsupported_token_type | revocation endpoint error response | token revocation endpoint | IETF | [RFC7009] |
interaction_required | authorization endpoint | OpenID Connect | [OpenID_Foundation_Artifact_Binding_Working_Group] | [OpenID Connect Core 1.0 incorporating errata set 1] |
login_required | authorization endpoint | OpenID Connect | [OpenID_Foundation_Artifact_Binding_Working_Group] | [OpenID Connect Core 1.0 incorporating errata set 1] |
account_selection_required | authorization endpoint | OpenID Connect | [OpenID_Foundation_Artifact_Binding_Working_Group] | [OpenID Connect Core 1.0 incorporating errata set 1] |
consent_required | authorization endpoint | OpenID Connect | [OpenID_Foundation_Artifact_Binding_Working_Group] | [OpenID Connect Core 1.0 incorporating errata set 1] |
invalid_request_uri | authorization endpoint | OpenID Connect | [OpenID_Foundation_Artifact_Binding_Working_Group] | [OpenID Connect Core 1.0 incorporating errata set 1] |
invalid_request_object | authorization endpoint | OpenID Connect | [OpenID_Foundation_Artifact_Binding_Working_Group] | [OpenID Connect Core 1.0 incorporating errata set 1] |
request_not_supported | authorization endpoint | OpenID Connect | [OpenID_Foundation_Artifact_Binding_Working_Group] | [OpenID Connect Core 1.0 incorporating errata set 1] |
request_uri_not_supported | authorization endpoint | OpenID Connect | [OpenID_Foundation_Artifact_Binding_Working_Group] | [OpenID Connect Core 1.0 incorporating errata set 1] |
registration_not_supported | authorization endpoint | OpenID Connect | [OpenID_Foundation_Artifact_Binding_Working_Group] | [OpenID Connect Core 1.0 incorporating errata set 1] |
need_info (and its subsidiary parameters) | authorization server response, token endpoint | Kantara UMA | [Kantara_UMA_WG] | [UMA 2.0 Grant for OAuth 2.0, Section 3.3.6] |
request_denied | authorization server response, token endpoint | Kantara UMA | [Kantara_UMA_WG] | [UMA 2.0 Grant for OAuth 2.0, Section 3.3.6] |
request_submitted (and its subsidiary parameters) | authorization server response, token endpoint | Kantara UMA | [Kantara_UMA_WG] | [UMA 2.0 Grant for OAuth 2.0, Section 3.3.6] |
authorization_pending | Token endpoint response | [RFC8628] | IETF | [RFC8628, Section 3.5] |
access_denied | Token endpoint response | [RFC8628] | IETF | [RFC8628, Section 3.5] |
slow_down | Token endpoint response | [RFC8628] | IETF | [RFC8628, Section 3.5] |
expired_token | Token endpoint response | [RFC8628] | IETF | [RFC8628, Section 3.5] |
invalid_target | implicit grant error response, token error response | resource parameter | IESG | [RFC8707] |
unsupported_pop_key | token error response | [RFC9200] | IETF | [RFC9200, Section 5.8.3] |
incompatible_ace_profiles | token error response | [RFC9200] | IETF | [RFC9200, Section 5.8.3] |
invalid_authorization_details | token endpoint, authorization endpoint | OAuth 2.0 Rich Authorization Requests | IETF | [RFC9396, Section 5] |
invalid_dpop_proof | token error response, resource access error response | Demonstrating Proof of Possession (DPoP) | IETF | [RFC9449] |
use_dpop_nonce | token error response, resource access error response | Demonstrating Proof of Possession (DPoP) | IETF | [RFC9449] |
insufficient_user_authentication | resource access error response | OAuth 2.0 Step Up Authentication Challenge Protocol | IETF | [RFC9470, Section 3] |
missing_trust_anchor | Authorization Endpoint | OpenID Federation | [OpenID_Foundation_Artifact_Binding_Working_Group] | [Section 12.1.2 of OpenID Federation 1.0] |
validation_failed | Authorization Endpoint | OpenID Federation | [OpenID_Foundation_Artifact_Binding_Working_Group] | [Section 12.1.2 of OpenID Federation 1.0] |
OAuth Parameters
- Registration Procedure(s)
-
Specification Required
- Expert(s)
-
Hannes Tschofenig, Mike Jones
- Reference
- [RFC6749]
- Note
-
Registration requests should be sent to [oauth-ext-review@ietf.org], as described in [RFC6749]. If approved, designated experts should notify IANA within two weeks. For assistance, please contact iana@iana.org. IANA does not monitor the list.
- Available Formats
-
CSV
Name | Parameter Usage Location | Change Controller | Reference |
---|---|---|---|
client_id | authorization request, token request | IETF | [RFC6749] |
client_secret | token request | IETF | [RFC6749] |
response_type | authorization request | IETF | [RFC6749] |
redirect_uri | authorization request, token request | IETF | [RFC6749] |
scope | authorization request, authorization response, token request, token response | IETF | [RFC6749] |
state | authorization request, authorization response | IETF | [RFC6749] |
code | authorization response, token request | IETF | [RFC6749] |
error | authorization response, token response | IETF | [RFC6749] |
error_description | authorization response, token response | IETF | [RFC6749] |
error_uri | authorization response, token response | IETF | [RFC6749] |
grant_type | token request | IETF | [RFC6749] |
access_token | authorization response, token response | IETF | [RFC6749] |
token_type | authorization response, token response | IETF | [RFC6749] |
expires_in | authorization response, token response | IETF | [RFC6749] |
username | token request | IETF | [RFC6749] |
password | token request | IETF | [RFC6749] |
refresh_token | token request, token response | IETF | [RFC6749] |
nonce | authorization request | [OpenID_Foundation_Artifact_Binding_Working_Group] | [OpenID Connect Core 1.0 incorporating errata set 1] |
display | authorization request | [OpenID_Foundation_Artifact_Binding_Working_Group] | [OpenID Connect Core 1.0 incorporating errata set 1] |
prompt | authorization request | [OpenID_Foundation_Artifact_Binding_Working_Group] | [OpenID Connect Core 1.0 incorporating errata set 1] |
max_age | authorization request | [OpenID_Foundation_Artifact_Binding_Working_Group] | [OpenID Connect Core 1.0 incorporating errata set 1] |
ui_locales | authorization request | [OpenID_Foundation_Artifact_Binding_Working_Group] | [OpenID Connect Core 1.0 incorporating errata set 1] |
claims_locales | authorization request | [OpenID_Foundation_Artifact_Binding_Working_Group] | [OpenID Connect Core 1.0 incorporating errata set 1] |
id_token_hint | authorization request | [OpenID_Foundation_Artifact_Binding_Working_Group] | [OpenID Connect Core 1.0 incorporating errata set 1] |
login_hint | authorization request | [OpenID_Foundation_Artifact_Binding_Working_Group] | [OpenID Connect Core 1.0 incorporating errata set 1] |
acr_values | authorization request | [OpenID_Foundation_Artifact_Binding_Working_Group] | [OpenID Connect Core 1.0 incorporating errata set 1] |
claims | authorization request | [OpenID_Foundation_Artifact_Binding_Working_Group] | [OpenID Connect Core 1.0 incorporating errata set 1] |
registration | authorization request | [OpenID_Foundation_Artifact_Binding_Working_Group] | [OpenID Connect Core 1.0 incorporating errata set 1] |
request | authorization request | [OpenID_Foundation_Artifact_Binding_Working_Group] | [OpenID Connect Core 1.0 incorporating errata set 1] |
request_uri | authorization request | [OpenID_Foundation_Artifact_Binding_Working_Group] | [OpenID Connect Core 1.0 incorporating errata set 1] |
id_token | authorization response, access token response | [OpenID_Foundation_Artifact_Binding_Working_Group] | [OpenID Connect Core 1.0 incorporating errata set 1] |
session_state | authorization response, access token response | [OpenID_Foundation_Artifact_Binding_Working_Group] | [OpenID Connect Session Management 1.0, Section 2] |
assertion | token request | IESG | [RFC7521] |
client_assertion | token request | IESG | [RFC7521] |
client_assertion_type | token request | IESG | [RFC7521] |
code_verifier | token request | IESG | [RFC7636] |
code_challenge | authorization request | IESG | [RFC7636] |
code_challenge_method | authorization request | IESG | [RFC7636] |
claim_token | client request, token endpoint | [Kantara_UMA_WG] | [UMA 2.0 Grant for OAuth 2.0, Section 3.3.1] |
pct | client request, token endpoint | [Kantara_UMA_WG] | [UMA 2.0 Grant for OAuth 2.0, Section 3.3.1] |
pct | authorization server response, token endpoint | [Kantara_UMA_WG] | [UMA 2.0 Grant for OAuth 2.0, Section 3.3.5] |
rpt | client request, token endpoint | [Kantara_UMA_WG] | [UMA 2.0 Grant for OAuth 2.0, Section 3.3.1] |
ticket | client request, token endpoint | [Kantara_UMA_WG] | [UMA 2.0 Grant for OAuth 2.0, Section 3.3.1] |
upgraded | authorization server response, token endpoint | [Kantara_UMA_WG] | [UMA 2.0 Grant for OAuth 2.0, Section 3.3.5] |
vtr | authorization request, token request | IESG | [RFC8485] |
device_code | token request | IESG | [RFC8628, Section 3.1] |
resource | authorization request, token request | IESG | [RFC8707] |
audience | token request | IESG | [RFC8693, Section 2.1] |
requested_token_type | token request | IESG | [RFC8693, Section 2.1] |
subject_token | token request | IESG | [RFC8693, Section 2.1] |
subject_token_type | token request | IESG | [RFC8693, Section 2.1] |
actor_token | token request | IESG | [RFC8693, Section 2.1] |
actor_token_type | token request | IESG | [RFC8693, Section 2.1] |
issued_token_type | token response | IESG | [RFC8693, Section 2.2.1] |
response_mode | Authorization Request | [OpenID_Foundation_Artifact_Binding_Working_Group] | [OAuth 2.0 Multiple Response Type Encoding Practices] |
nfv_token | Access Token Response | [ETSI] | [ETSI GS NFV-SEC 022 V2.7.1] |
iss | authorization request, authorization response | IETF | [RFC9207, Section 2][RFC9101][RFC7519, Section 4.1.1] |
sub | authorization request | IETF | [RFC7519, Section 4.1.2][RFC9101] |
aud | authorization request | IETF | [RFC7519, Section 4.1.3][RFC9101] |
exp | authorization request | IETF | [RFC7519, Section 4.1.4][RFC9101] |
nbf | authorization request | IETF | [RFC7519, Section 4.1.5][RFC9101] |
iat | authorization request | IETF | [RFC7519, Section 4.1.6][RFC9101] |
jti | authorization request | IETF | [RFC7519, Section 4.1.7][RFC9101] |
ace_profile | token response | IETF | [RFC9200, Sections 5.8.2, 5.8.4.3] |
nonce1 | client-rs request | IETF | [RFC9203] |
nonce2 | rs-client response | IETF | [RFC9203] |
ace_client_recipientid | client-rs request | IETF | [RFC9203] |
ace_server_recipientid | rs-client response | IETF | [RFC9203] |
req_cnf | token request | IETF | [RFC9201, Section 5] |
rs_cnf | token response | IETF | [RFC9201, Section 5] |
cnf | token response | IETF | [RFC9201, Section 5] |
authorization_details | authorization request, token request, token response | IETF | [RFC9396] |
dpop_jkt | authorization request | IETF | [RFC9449, Section 10] |
sign_info | client-rs request, rs-client response | IETF | [RFC9594] |
kdcchallenge | rs-client response | IETF | [RFC9594] |
trust_chain | authorization request | [OpenID_Foundation_Artifact_Binding_Working_Group] | [Section 12.1.1.1.2 of OpenID Federation 1.0] |
OAuth Token Type Hints
- Registration Procedure(s)
-
Specification Required
- Expert(s)
-
Torsten Lodderstedt, Mike Jones
- Reference
- [RFC7009]
- Note
-
Registration requests should be sent to [oauth-ext-review@ietf.org], as described in [RFC7009]. If approved, designated experts should notify IANA within two weeks. For assistance, please contact iana@iana.org. IANA does not monitor the list.
- Available Formats
-
CSV
Hint Value | Change Controller | Reference |
---|---|---|
access_token | IETF | [RFC7009] |
refresh_token | IETF | [RFC7009] |
pct | [Kantara_UMA_WG] | [UMA 2.0 Grant for OAuth 2.0, Section 3.7] |
OAuth URI
- Registration Procedure(s)
-
Specification Required
- Expert(s)
-
Hannes Tschofenig, Mike Jones
- Reference
- [RFC6755]
- Note
-
Prefix: urn:ietf:params:oauth
- Available Formats
-
CSV
URN | Common Name | Change Controller | Reference |
---|---|---|---|
urn:ietf:params:oauth:grant-type:jwt-bearer | JWT Bearer Token Grant Type Profile for OAuth 2.0 | IESG | [RFC7523] |
urn:ietf:params:oauth:client-assertion-type:jwt-bearer | JWT Bearer Token Profile for OAuth 2.0 Client Authentication | IESG | [RFC7523] |
urn:ietf:params:oauth:grant-type:saml2-bearer | SAML 2.0 Bearer Assertion Grant Type Profile for OAuth 2.0 | IESG | [RFC7522] |
urn:ietf:params:oauth:client-assertion-type:saml2-bearer | SAML 2.0 Bearer Assertion Profile for OAuth 2.0 Client Authentication | IESG | [RFC7522] |
urn:ietf:params:oauth:token-type:jwt | JSON Web Token (JWT) Token Type | IESG | [RFC7519] |
urn:ietf:params:oauth:grant-type:device_code | Device flow grant type for OAuth 2.0 | IESG | [RFC8628, Section 3.1] |
urn:ietf:params:oauth:grant-type:token-exchange | Token exchange grant type for OAuth 2.0 | IESG | [RFC8693, Section 2.1] |
urn:ietf:params:oauth:token-type:access_token | Token type URI for an OAuth 2.0 access token | IESG | [RFC8693, Section 3] |
urn:ietf:params:oauth:token-type:refresh_token | Token type URI for an OAuth 2.0 refresh token | IESG | [RFC8693, Section 3] |
urn:ietf:params:oauth:token-type:id_token | Token type URI for an ID Token | IESG | [RFC8693, Section 3] |
urn:ietf:params:oauth:token-type:saml1 | Token type URI for a base64url-encoded SAML 1.1 assertion | IESG | [RFC8693, Section 3] |
urn:ietf:params:oauth:token-type:saml2 | Token type URI for a base64url-encoded SAML 2.0 assertion | IESG | [RFC8693, Section 3] |
urn:ietf:params:oauth:request_uri | A URN Sub-Namespace for OAuth Request URIs. | IESG | [RFC9126, Section 2.2] |
urn:ietf:params:oauth:jwk-thumbprint | JWK Thumbprint URI | IESG | [RFC9278] |
urn:ietf:params:oauth:ckt | COSE Key Thumbprint URI | IETF | [RFC9679] |
OAuth Dynamic Client Registration Metadata
- Registration Procedure(s)
-
Specification Required
- Expert(s)
-
Justin Richer
- Reference
- [RFC7591]
- Note
-
Registration requests should be sent to [oauth-ext-review@ietf.org], as described in [RFC7591]. If approved, designated experts should notify IANA within two weeks. For assistance, please contact iana@iana.org. IANA does not monitor the list.
- Available Formats
-
CSV
Client Metadata Name | Client Metadata Description | Change Controller | Reference |
---|---|---|---|
redirect_uris | Array of redirection URIs for use in redirect-based flows | IESG | [RFC7591] |
token_endpoint_auth_method | Requested authentication method for the token endpoint | IESG | [RFC7591] |
grant_types | Array of OAuth 2.0 grant types that the client may use | IESG | [RFC7591] |
response_types | Array of the OAuth 2.0 response types that the client may use | IESG | [RFC7591] |
client_name | Human-readable name of the client to be presented to the user | IESG | [RFC7591] |
client_uri | URL of a web page providing information about the client | IESG | [RFC7591] |
logo_uri | URL that references a logo for the client | IESG | [RFC7591] |
scope | Space-separated list of OAuth 2.0 scope values | IESG | [RFC7591] |
contacts | Array of strings representing ways to contact people responsible for this client, typically email addresses | IESG | [RFC7591] |
tos_uri | URL that points to a human-readable terms of service document for the client | IESG | [RFC7591] |
policy_uri | URL that points to a human-readable policy document for the client | IESG | [RFC7591] |
jwks_uri | URL referencing the client's JSON Web Key Set [RFC7517] document representing the client's public keys | IESG | [RFC7591] |
jwks | Client's JSON Web Key Set [RFC7517] document representing the client's public keys | IESG | [RFC7591] |
software_id | Identifier for the software that comprises a client | IESG | [RFC7591] |
software_version | Version identifier for the software that comprises a client | IESG | [RFC7591] |
client_id | Client identifier | IESG | [RFC7591] |
client_secret | Client secret | IESG | [RFC7591] |
client_id_issued_at | Time at which the client identifier was issued | IESG | [RFC7591] |
client_secret_expires_at | Time at which the client secret will expire | IESG | [RFC7591] |
registration_access_token | OAuth 2.0 Bearer Token used to access the client configuration endpoint | IESG | [RFC7592] |
registration_client_uri | Fully qualified URI of the client registration endpoint | IESG | [RFC7592] |
application_type | Kind of the application -- "native" or "web" | [OpenID_Foundation_Artifact_Binding_Working_Group] | [OpenID Connect Dynamic Client Registration 1.0 incorporating errata set 2] |
sector_identifier_uri | URL using the https scheme to be used in calculating Pseudonymous Identifiers by the OP | [OpenID_Foundation_Artifact_Binding_Working_Group] | [OpenID Connect Dynamic Client Registration 1.0 incorporating errata set 2] |
subject_type | subject_type requested for responses to this Client -- "pairwise" or "public" | [OpenID_Foundation_Artifact_Binding_Working_Group] | [OpenID Connect Dynamic Client Registration 1.0 incorporating errata set 2] |
id_token_signed_response_alg | JWS alg algorithm REQUIRED for signing the ID Token issued to this Client | [OpenID_Foundation_Artifact_Binding_Working_Group] | [OpenID Connect Dynamic Client Registration 1.0 incorporating errata set 2] |
id_token_encrypted_response_alg | JWE alg algorithm REQUIRED for encrypting the ID Token issued to this Client | [OpenID_Foundation_Artifact_Binding_Working_Group] | [OpenID Connect Dynamic Client Registration 1.0 incorporating errata set 2] |
id_token_encrypted_response_enc | JWE enc algorithm REQUIRED for encrypting the ID Token issued to this Client | [OpenID_Foundation_Artifact_Binding_Working_Group] | [OpenID Connect Dynamic Client Registration 1.0 incorporating errata set 2] |
userinfo_signed_response_alg | JWS alg algorithm REQUIRED for signing UserInfo Responses | [OpenID_Foundation_Artifact_Binding_Working_Group] | [OpenID Connect Dynamic Client Registration 1.0 incorporating errata set 2] |
userinfo_encrypted_response_alg | JWE alg algorithm REQUIRED for encrypting UserInfo Responses | [OpenID_Foundation_Artifact_Binding_Working_Group] | [OpenID Connect Dynamic Client Registration 1.0 incorporating errata set 2] |
userinfo_encrypted_response_enc | JWE enc algorithm REQUIRED for encrypting UserInfo Responses | [OpenID_Foundation_Artifact_Binding_Working_Group] | [OpenID Connect Dynamic Client Registration 1.0 incorporating errata set 2] |
request_object_signing_alg | JWS alg algorithm that MUST be used for signing Request Objects sent to the OP | [OpenID_Foundation_Artifact_Binding_Working_Group] | [OpenID Connect Dynamic Client Registration 1.0 incorporating errata set 2] |
request_object_encryption_alg | JWE alg algorithm the RP is declaring that it may use for encrypting Request Objects sent to the OP | [OpenID_Foundation_Artifact_Binding_Working_Group] | [OpenID Connect Dynamic Client Registration 1.0 incorporating errata set 2] |
request_object_encryption_enc | JWE enc algorithm the RP is declaring that it may use for encrypting Request Objects sent to the OP | [OpenID_Foundation_Artifact_Binding_Working_Group] | [OpenID Connect Dynamic Client Registration 1.0 incorporating errata set 2] |
token_endpoint_auth_signing_alg | JWS alg algorithm that MUST be used for signing the JWT used to authenticate the Client at the Token Endpoint for the private_key_jwt and client_secret_jwt authentication methods | [OpenID_Foundation_Artifact_Binding_Working_Group] | [OpenID Connect Dynamic Client Registration 1.0 incorporating errata set 2] |
default_max_age | Default Maximum Authentication Age | [OpenID_Foundation_Artifact_Binding_Working_Group] | [OpenID Connect Dynamic Client Registration 1.0 incorporating errata set 2] |
require_auth_time | Boolean value specifying whether the auth_time Claim in the ID Token is REQUIRED | [OpenID_Foundation_Artifact_Binding_Working_Group] | [OpenID Connect Dynamic Client Registration 1.0 incorporating errata set 2] |
default_acr_values | Default requested Authentication Context Class Reference values | [OpenID_Foundation_Artifact_Binding_Working_Group] | [OpenID Connect Dynamic Client Registration 1.0 incorporating errata set 2] |
initiate_login_uri | URI using the https scheme that a third party can use to initiate a login by the RP | [OpenID_Foundation_Artifact_Binding_Working_Group] | [OpenID Connect Dynamic Client Registration 1.0 incorporating errata set 2] |
request_uris | Array of request_uri values that are pre-registered by the RP for use at the OP | [OpenID_Foundation_Artifact_Binding_Working_Group] | [OpenID Connect Dynamic Client Registration 1.0 incorporating errata set 2] |
claims_redirect_uris | claims redirection endpoints | [Kantara_UMA_WG] | [UMA 2.0 Grant for OAuth 2.0, Section 2] |
nfv_token_signed_response_alg | JWS alg algorithm required for signing the nfv Token issued to this Client | [ETSI] | [ETSI GS NFV-SEC 022 V2.7.1] |
nfv_token_encrypted_response_alg | JWE alg algorithm required for encrypting the nfv Token issued to this Client | [ETSI] | [ETSI GS NFV-SEC 022 V2.7.1] |
nfv_token_encrypted_response_enc | JWE enc algorithm required for encrypting the nfv Token issued to this Client | [ETSI] | [ETSI GS NFV-SEC 022 V2.7.1] |
tls_client_certificate_bound_access_tokens | Indicates the client's intention to use mutual-TLS client certificate-bound access tokens. | [IESG] | [RFC8705, Section 3.4] |
tls_client_auth_subject_dn | String value specifying the expected subject DN of the client certificate. | [IESG] | [RFC8705, Section 2.1.2] |
tls_client_auth_san_dns | String value specifying the expected dNSName SAN entry in the client certificate. | [IESG] | [RFC8705, Section 2.1.2] |
tls_client_auth_san_uri | String value specifying the expected uniformResourceIdentifier SAN entry in the client certificate. | [IESG] | [RFC8705, Section 2.1.2] |
tls_client_auth_san_ip | String value specifying the expected iPAddress SAN entry in the client certificate. | [IESG] | [RFC8705, Section 2.1.2] |
tls_client_auth_san_email | String value specifying the expected rfc822Name SAN entry in the client certificate. | [IESG] | [RFC8705, Section 2.1.2] |
require_signed_request_object | Indicates where authorization request needs to be protected as Request Object and provided through either request or request_uri parameter. | [IETF] | [RFC9101, Section 10.5] |
require_pushed_authorization_requests | Indicates whether the client is required to use PAR to initiate authorization requests. | [IESG] | [RFC9126, Section 6] |
introspection_signed_response_alg | String value indicating the client’s desired introspection response signing algorithm | [IETF] | [RFC-ietf-oauth-jwt-introspection-response-12, Section 6] |
introspection_encrypted_response_alg | String value specifying the desired introspection response content key encryption algorithm (alg value) | [IETF] | [RFC-ietf-oauth-jwt-introspection-response-12, Section 6] |
introspection_encrypted_response_enc | String value specifying the desired introspection response content encryption algorithm (enc value) | [IETF] | [RFC-ietf-oauth-jwt-introspection-response-12, Section 6] |
frontchannel_logout_uri | RP URL that will cause the RP to log itself out when rendered in an iframe by the OP | [OpenID_Foundation_Artifact_Binding_Working_Group] | [OpenID Connect Front-Channel Logout 1.0, Section 2] |
frontchannel_logout_session_required | Boolean value specifying whether the RP requires that a sid (session ID) query parameter be included to identify the RP session with the OP when the frontchannel_logout_uri is used | [OpenID_Foundation_Artifact_Binding_Working_Group] | [OpenID Connect Front-Channel Logout 1.0, Section 2] |
backchannel_logout_uri | RP URL that will cause the RP to log itself out when sent a Logout Token by the OP | [OpenID_Foundation_Artifact_Binding_Working_Group] | [OpenID Connect Back-Channel Logout 1.0, Section 2.2] |
backchannel_logout_session_required | Boolean value specifying whether the RP requires that a sid (session ID) Claim be included in the Logout Token to identify the RP session with the OP when the backchannel_logout_uri is used | [OpenID_Foundation_Artifact_Binding_Working_Group] | [OpenID Connect Back-Channel Logout 1.0, Section 2.2] |
post_logout_redirect_uris | Array of URLs supplied by the RP to which it MAY request that the End-User's User Agent be redirected using the post_logout_redirect_uri parameter after a logout has been performed | [OpenID_Foundation_Artifact_Binding_Working_Group] | [OpenID Connect RP-Initiated Logout 1.0, Section 3.1] |
authorization_details_types | Indicates what authorization details types the client uses. | [IETF] | [RFC9396, Section 10] |
dpop_bound_access_tokens | Boolean value specifying whether the client always uses DPoP for token requests | [IETF] | [RFC9449, Section 5.2] |
client_registration_types | An array of strings specifying the client registration types the RP wants to use | [OpenID_Foundation_Artifact_Binding_Working_Group] | [Section 5.1.2 of OpenID Federation 1.0] |
signed_jwks_uri | URL referencing a signed JWT having the client's JWK Set document as its payload | [OpenID_Foundation_Artifact_Binding_Working_Group] | [Section 5.2.1 of OpenID Federation 1.0] |
organization_name | Human-readable name representing the organization owning this client | [OpenID_Foundation_Artifact_Binding_Working_Group] | [Section 5.2.2 of OpenID Federation 1.0] |
homepage_uri | URL of a Web page for the organization owning this client | [OpenID_Foundation_Artifact_Binding_Working_Group] | [Section 5.2.2 of OpenID Federation 1.0] |
OAuth Token Endpoint Authentication Methods
- Registration Procedure(s)
-
Specification Required
- Expert(s)
-
Justin Richer
- Reference
- [RFC7591][RFC8414]
- Note
-
Registration requests should be sent to [oauth-ext-review@ietf.org], as described in [RFC7591]. If approved, designated experts should notify IANA within two weeks. For assistance, please contact iana@iana.org. IANA does not monitor the list.
- Available Formats
-
CSV
Token Endpoint Authentication Method Name | Change Controller | Reference |
---|---|---|
none | IESG | [RFC7591] |
client_secret_post | IESG | [RFC7591] |
client_secret_basic | IESG | [RFC7591] |
client_secret_jwt | [OpenID_Foundation_Artifact_Binding_Working_Group] | [OpenID Connect Core 1.0 incorporating errata set 1] |
private_key_jwt | [OpenID_Foundation_Artifact_Binding_Working_Group] | [OpenID Connect Core 1.0 incorporating errata set 1] |
tls_client_auth | IESG | [RFC8705, Section 2.1.1] |
self_signed_tls_client_auth | IESG | [RFC8705, Section 2.2.1] |
PKCE Code Challenge Methods
- Registration Procedure(s)
-
Specification Required
- Expert(s)
-
John Bradley, Mike Jones
- Reference
- [RFC7636]
- Note
-
Registration requests should be sent to [oauth-ext-review@ietf.org], as described in [RFC7636]. If approved, designated experts should notify IANA within two weeks. For assistance, please contact iana@iana.org. IANA does not monitor the list.
- Available Formats
-
CSV
Code Challenge Method Parameter Name | Change Controller | Reference |
---|---|---|
plain | IESG | [Section 4.2 of RFC7636] |
S256 | IESG | [Section 4.2 of RFC7636] |
OAuth Token Introspection Response
- Registration Procedure(s)
-
Specification Required
- Expert(s)
-
Justin Richer
- Reference
- [RFC7662]
- Note
-
Registration requests should be sent to [oauth-ext-review@ietf.org], as described in [RFC7662]. If approved, designated experts should notify IANA within two weeks. For assistance, please contact iana@iana.org. IANA does not monitor the list.
- Available Formats
-
CSV
Name | Description | Change Controller | Reference |
---|---|---|---|
active | Token active status | IESG | [RFC7662, Section 2.2] |
username | User identifier of the resource owner | IESG | [RFC7662, Section 2.2] |
client_id | Client identifier of the client | IESG | [RFC7662, Section 2.2] |
scope | Authorized scopes of the token | IESG | [RFC7662, Section 2.2] |
token_type | Type of the token | IESG | [RFC7662, Section 2.2] |
exp | Expiration timestamp of the token | IESG | [RFC7662, Section 2.2] |
iat | Issuance timestamp of the token | IESG | [RFC7662, Section 2.2] |
nbf | Timestamp which the token is not valid before | IESG | [RFC7662, Section 2.2] |
sub | Subject of the token | IESG | [RFC7662, Section 2.2] |
aud | Audience of the token | IESG | [RFC7662, Section 2.2] |
iss | Issuer of the token | IESG | [RFC7662, Section 2.2] |
jti | Unique identifier of the token | IESG | [RFC7662, Section 2.2] |
permissions | array of objects, each describing a scoped, time-limitable permission for a resource | [Kantara_UMA_WG] | [Federated Authorization for UMA 2.0, Section 5.1.1] |
vot | Vector of Trust value | IESG | [RFC8485] |
vtm | Vector of Trust trustmark URL | IESG | [RFC8485] |
act | Actor | IESG | [RFC8693, Section 4.1] |
may_act | Authorized Actor - the party that is authorized to become the actor | IESG | [RFC8693, Section 4.4] |
cnf | Confirmation | IESG | [RFC7800][RFC8705] |
ace_profile | The ACE profile used between the client and RS. | IETF | [RFC9200, Section 5.9.2] |
cnonce | "client-nonce". A nonce previously provided to the AS by the RS via the client. Used to verify token freshness when the RS cannot synchronize its clock with the AS. | IETF | [RFC9200, Section 5.9.2] |
cti | "CWT ID". The identifier of a CWT as defined in [RFC8392]. | IETF | [RFC9200, Section 5.9.2] |
exi | "Expires in". Lifetime of the token in seconds from the time the RS first sees it. Used to implement a weaker form of token expiration for devices that cannot synchronize their internal clocks. | IETF | [RFC9200, Section 5.9.2] |
authorization_details | The member authorization_details contains a JSON array of JSON objects representing the rights of the access token. Each JSON object contains the data to specify the authorization requirements for a certain type of resource. | IETF | [RFC9396, Section 9.2] |
acr | Authentication Context Class Reference | IETF | [RFC9470, Section 6.2] |
auth_time | Time when the user authentication occurred | IETF | [RFC9470, Section 6.2] |
OAuth Authorization Server Metadata
- Registration Procedure(s)
-
Specification Required
- Expert(s)
-
Mike Jones, Nat Sakimura, John Bradley, Dick Hardt
- Reference
- [RFC8414]
- Note
-
Registration requests should be sent to [oauth-ext-review@ietf.org], as described in [RFC8414]. If approved, designated experts should notify IANA within two weeks. For assistance, please contact iana@iana.org. IANA does not monitor the list.
- Available Formats
-
CSV
Metadata Name | Metadata Description | Change Controller | Reference |
---|---|---|---|
issuer | Authorization server's issuer identifier URL | IESG | [RFC8414, Section 2] |
authorization_endpoint | URL of the authorization server's authorization endpoint | IESG | [RFC8414, Section 2] |
token_endpoint | URL of the authorization server's token endpoint | IESG | [RFC8414, Section 2] |
jwks_uri | URL of the authorization server's JWK Set document | IESG | [RFC8414, Section 2] |
registration_endpoint | URL of the authorization server's OAuth 2.0 Dynamic Client Registration Endpoint | IESG | [RFC8414, Section 2] |
scopes_supported | JSON array containing a list of the OAuth 2.0 "scope" values that this authorization server supports | IESG | [RFC8414, Section 2] |
response_types_supported | JSON array containing a list of the OAuth 2.0 "response_type" values that this authorization server supports | IESG | [RFC8414, Section 2] |
response_modes_supported | JSON array containing a list of the OAuth 2.0 "response_mode" values that this authorization server supports | IESG | [RFC8414, Section 2] |
grant_types_supported | JSON array containing a list of the OAuth 2.0 grant type values that this authorization server supports | IESG | [RFC8414, Section 2] |
token_endpoint_auth_methods_supported | JSON array containing a list of client authentication methods supported by this token endpoint | IESG | [RFC8414, Section 2] |
token_endpoint_auth_signing_alg_values_supported | JSON array containing a list of the JWS signing algorithms supported by the token endpoint for the signature on the JWT used to authenticate the client at the token endpoint | IESG | [RFC8414, Section 2] |
service_documentation | URL of a page containing human-readable information that developers might want or need to know when using the authorization server | IESG | [RFC8414, Section 2] |
ui_locales_supported | Languages and scripts supported for the user interface, represented as a JSON array of language tag values from BCP 47 [RFC5646] | IESG | [RFC8414, Section 2] |
op_policy_uri | URL that the authorization server provides to the person registering the client to read about the authorization server's requirements on how the client can use the data provided by the authorization server | IESG | [RFC8414, Section 2] |
op_tos_uri | URL that the authorization server provides to the person registering the client to read about the authorization server's terms of service | IESG | [RFC8414, Section 2] |
revocation_endpoint | URL of the authorization server's OAuth 2.0 revocation endpoint | IESG | [RFC8414, Section 2] |
revocation_endpoint_auth_methods_supported | JSON array containing a list of client authentication methods supported by this revocation endpoint | IESG | [RFC8414, Section 2] |
revocation_endpoint_auth_signing_alg_values_supported | JSON array containing a list of the JWS signing algorithms supported by the revocation endpoint for the signature on the JWT used to authenticate the client at the revocation endpoint | IESG | [RFC8414, Section 2] |
introspection_endpoint | URL of the authorization server's OAuth 2.0 introspection endpoint | IESG | [RFC8414, Section 2] |
introspection_endpoint_auth_methods_supported | JSON array containing a list of client authentication methods supported by this introspection endpoint | IESG | [RFC8414, Section 2] |
introspection_endpoint_auth_signing_alg_values_supported | JSON array containing a list of the JWS signing algorithms supported by the introspection endpoint for the signature on the JWT used to authenticate the client at the introspection endpoint | IESG | [RFC8414, Section 2] |
code_challenge_methods_supported | PKCE code challenge methods supported by this authorization server | IESG | [RFC8414, Section 2] |
signed_metadata | Signed JWT containing metadata values about the authorization server as claims | IESG | [RFC8414, Section 2.1] |
device_authorization_endpoint | URL of the authorization server's device authorization endpoint | IESG | [RFC8628, Section 4] |
tls_client_certificate_bound_access_tokens | Indicates authorization server support for mutual-TLS client certificate-bound access tokens. | IESG | [RFC8705, Section 3.3] |
mtls_endpoint_aliases | JSON object containing alternative authorization server endpoints, which a client intending to do mutual TLS will use in preference to the conventional endpoints. | IESG | [RFC8705, Section 5] |
nfv_token_signing_alg_values_supported | JSON array containing a list of the JWS signing algorithms supported by the server for signing the JWT used as NFV Token | [ETSI] | [ETSI GS NFV-SEC 022 V2.7.1] |
nfv_token_encryption_alg_values_supported | JSON array containing a list of the JWE encryption algorithms (alg values) supported by the server to encode the JWT used as NFV Token | [ETSI] | [ETSI GS NFV-SEC 022 V2.7.1] |
nfv_token_encryption_enc_values_supported | JSON array containing a list of the JWE encryption algorithms (enc values) supported by the server to encode the JWT used as NFV Token | [ETSI] | [ETSI GS NFV-SEC 022 V2.7.1] |
userinfo_endpoint | URL of the OP's UserInfo Endpoint | [OpenID_Foundation_Artifact_Binding_Working_Group] | [OpenID Connect Discovery 1.0, Section 3] |
acr_values_supported | JSON array containing a list of the Authentication Context Class References that this OP supports | [OpenID_Foundation_Artifact_Binding_Working_Group] | [OpenID Connect Discovery 1.0, Section 3] |
subject_types_supported | JSON array containing a list of the Subject Identifier types that this OP supports | [OpenID_Foundation_Artifact_Binding_Working_Group] | [OpenID Connect Discovery 1.0, Section 3] |
id_token_signing_alg_values_supported | JSON array containing a list of the JWS "alg" values supported by the OP for the ID Token | [OpenID_Foundation_Artifact_Binding_Working_Group] | [OpenID Connect Discovery 1.0, Section 3] |
id_token_encryption_alg_values_supported | JSON array containing a list of the JWE "alg" values supported by the OP for the ID Token | [OpenID_Foundation_Artifact_Binding_Working_Group] | [OpenID Connect Discovery 1.0, Section 3] |
id_token_encryption_enc_values_supported | JSON array containing a list of the JWE "enc" values supported by the OP for the ID Token | [OpenID_Foundation_Artifact_Binding_Working_Group] | [OpenID Connect Discovery 1.0, Section 3] |
userinfo_signing_alg_values_supported | JSON array containing a list of the JWS "alg" values supported by the UserInfo Endpoint | [OpenID_Foundation_Artifact_Binding_Working_Group] | [OpenID Connect Discovery 1.0, Section 3] |
userinfo_encryption_alg_values_supported | JSON array containing a list of the JWE "alg" values supported by the UserInfo Endpoint | [OpenID_Foundation_Artifact_Binding_Working_Group] | [OpenID Connect Discovery 1.0, Section 3] |
userinfo_encryption_enc_values_supported | JSON array containing a list of the JWE "enc" values supported by the UserInfo Endpoint | [OpenID_Foundation_Artifact_Binding_Working_Group] | [OpenID Connect Discovery 1.0, Section 3] |
request_object_signing_alg_values_supported | JSON array containing a list of the JWS "alg" values supported by the OP for Request Objects | [OpenID_Foundation_Artifact_Binding_Working_Group] | [OpenID Connect Discovery 1.0, Section 3] |
request_object_encryption_alg_values_supported | JSON array containing a list of the JWE "alg" values supported by the OP for Request Objects | [OpenID_Foundation_Artifact_Binding_Working_Group] | [OpenID Connect Discovery 1.0, Section 3] |
request_object_encryption_enc_values_supported | JSON array containing a list of the JWE "enc" values supported by the OP for Request Objects | [OpenID_Foundation_Artifact_Binding_Working_Group] | [OpenID Connect Discovery 1.0, Section 3] |
display_values_supported | JSON array containing a list of the "display" parameter values that the OpenID Provider supports | [OpenID_Foundation_Artifact_Binding_Working_Group] | [OpenID Connect Discovery 1.0, Section 3] |
claim_types_supported | JSON array containing a list of the Claim Types that the OpenID Provider supports | [OpenID_Foundation_Artifact_Binding_Working_Group] | [OpenID Connect Discovery 1.0, Section 3] |
claims_supported | JSON array containing a list of the Claim Names of the Claims that the OpenID Provider MAY be able to supply values for | [OpenID_Foundation_Artifact_Binding_Working_Group] | [OpenID Connect Discovery 1.0, Section 3] |
claims_locales_supported | Languages and scripts supported for values in Claims being returned, represented as a JSON array of BCP 47 [RFC5646] language tag values | [OpenID_Foundation_Artifact_Binding_Working_Group] | [OpenID Connect Discovery 1.0, Section 3] |
claims_parameter_supported | Boolean value specifying whether the OP supports use of the "claims" parameter | [OpenID_Foundation_Artifact_Binding_Working_Group] | [OpenID Connect Discovery 1.0, Section 3] |
request_parameter_supported | Boolean value specifying whether the OP supports use of the "request" parameter | [OpenID_Foundation_Artifact_Binding_Working_Group] | [OpenID Connect Discovery 1.0, Section 3] |
request_uri_parameter_supported | Boolean value specifying whether the OP supports use of the "request_uri" parameter | [OpenID_Foundation_Artifact_Binding_Working_Group] | [OpenID Connect Discovery 1.0, Section 3] |
require_request_uri_registration | Boolean value specifying whether the OP requires any "request_uri" values used to be pre-registered | [OpenID_Foundation_Artifact_Binding_Working_Group] | [OpenID Connect Discovery 1.0, Section 3] |
require_signed_request_object | Indicates where authorization request needs to be protected as Request Object and provided through either request or request_uri parameter. | IETF | [RFC9101, Section 10.5] |
pushed_authorization_request_endpoint | URL of the authorization server's pushed authorization request endpoint | IESG | [RFC9126, Section 5] |
require_pushed_authorization_requests | Indicates whether the authorization server accepts authorization requests only via PAR. | IESG | [RFC9126, Section 5] |
introspection_signing_alg_values_supported | JSON array containing a list of algorithms supported by the authorization server for introspection response signing | IETF | [RFC-ietf-oauth-jwt-introspection-response-12, Section 7] |
introspection_encryption_alg_values_supported | JSON array containing a list of algorithms supported by the authorization server for introspection response content key encryption (alg value) | IETF | [RFC-ietf-oauth-jwt-introspection-response-12, Section 7] |
introspection_encryption_enc_values_supported | JSON array containing a list of algorithms supported by the authorization server for introspection response content encryption (enc value) | IETF | [RFC-ietf-oauth-jwt-introspection-response-12, Section 7] |
authorization_response_iss_parameter_supported | Boolean value indicating whether the authorization server provides the iss parameter in the authorization response. | IETF | [RFC9207, Section 3] |
check_session_iframe | URL of an OP iframe that supports cross-origin communications for session state information with the RP Client, using the HTML5 postMessage API | [OpenID_Foundation_Artifact_Binding_Working_Group] | [OpenID Connect Session Management 1.0, Section 3.3] |
frontchannel_logout_supported | Boolean value specifying whether the OP supports HTTP-based logout, with true indicating support | [OpenID_Foundation_Artifact_Binding_Working_Group] | [OpenID Connect Front-Channel Logout 1.0, Section 3] |
backchannel_logout_supported | Boolean value specifying whether the OP supports back-channel logout, with true indicating support | [OpenID_Foundation_Artifact_Binding_Working_Group] | [OpenID Connect Back-Channel Logout 1.0, Section 2] |
backchannel_logout_session_supported | Boolean value specifying whether the OP can pass a sid (session ID) Claim in the Logout Token to identify the RP session with the OP | [OpenID_Foundation_Artifact_Binding_Working_Group] | [OpenID Connect Back-Channel Logout 1.0, Section 2] |
end_session_endpoint | URL at the OP to which an RP can perform a redirect to request that the End-User be logged out at the OP | [OpenID_Foundation_Artifact_Binding_Working_Group] | [OpenID Connect RP-Initiated Logout 1.0, Section 2.1] |
backchannel_token_delivery_modes_supported | Supported CIBA authentication result delivery modes | [OpenID_Foundation_MODRNA_Working_Group] | [OpenID Connect Client-Initiated Backchannel Authentication Flow - Core 1.0, Section 4] |
backchannel_authentication_endpoint | CIBA Backchannel Authentication Endpoint | [OpenID_Foundation_MODRNA_Working_Group] | [OpenID Connect Client-Initiated Backchannel Authentication Flow - Core 1.0, Section 4] |
backchannel_authentication_request_signing_alg_values_supported | JSON array containing a list of the JWS signing algorithms supported for validation of signed CIBA authentication requests | [OpenID_Foundation_MODRNA_Working_Group] | [OpenID Connect Client-Initiated Backchannel Authentication Flow - Core 1.0, Section 4] |
backchannel_user_code_parameter_supported | Indicates whether the OP supports the use of the CIBA user_code parameter. | [OpenID_Foundation_MODRNA_Working_Group] | [OpenID Connect Client-Initiated Backchannel Authentication Flow - Core 1.0, Section 4] |
authorization_details_types_supported | JSON array containing the authorization details types the AS supports | IETF | [RFC9396, Section 10] |
dpop_signing_alg_values_supported | JSON array containing a list of the JWS algorithms supported for DPoP proof JWTs | IETF | [RFC9449, Section 5.1] |
client_registration_types_supported | Client Registration Types Supported | [OpenID_Foundation_Artifact_Binding_Working_Group] | [Section 5.1.3 of OpenID Federation 1.0] |
federation_registration_endpoint | Federation Registration Endpoint | [OpenID_Foundation_Artifact_Binding_Working_Group] | [Section 5.1.3 of OpenID Federation 1.0] |
request_authentication_methods_supported | Authentication request authentication methods supported | [OpenID_Foundation_Artifact_Binding_Working_Group] | [Section 5.1.3 of OpenID Federation 1.0] |
request_authentication_signing_alg_values_supported | JSON array containing the JWS signing algorithms supported for the signature on the JWT used to authenticate the request | [OpenID_Foundation_Artifact_Binding_Working_Group] | [Section 5.1.3 of OpenID Federation 1.0] |
signed_jwks_uri | URL referencing a signed JWT having this authorization server's JWK Set document as its payload | [OpenID_Foundation_Artifact_Binding_Working_Group] | [Section 5.2.1 of OpenID Federation 1.0] |
jwks | JSON Web Key Set document, passed by value | [OpenID_Foundation_Artifact_Binding_Working_Group] | [Section 5.2.1 of OpenID Federation 1.0] |
organization_name | Human-readable name representing the organization owning this authorization server | [OpenID_Foundation_Artifact_Binding_Working_Group] | [Section 5.2.2 of OpenID Federation 1.0] |
contacts | Array of strings representing ways to contact people responsible for this authorization server, typically email addresses | [OpenID_Foundation_Artifact_Binding_Working_Group] | [Section 5.2.2 of OpenID Federation 1.0] |
logo_uri | URL that references a logo for the organization owning this authorization server | [OpenID_Foundation_Artifact_Binding_Working_Group] | [Section 5.2.2 of OpenID Federation 1.0] |
homepage_uri | URL of a Web page for the organization owning this authorization server | [OpenID_Foundation_Artifact_Binding_Working_Group] | [Section 5.2.2 of OpenID Federation 1.0] |
protected_resources | JSON array containing a list of resource identifiers for OAuth protected resources | IETF | [RFC-ietf-oauth-resource-metadata-13, Section 4] |
OAuth Protected Resource Metadata
- Registration Procedure(s)
-
Specification Required
- Expert(s)
-
Unassigned
- Reference
- [RFC-ietf-oauth-resource-metadata-13]
- Note
-
Registration requests should be sent to [oauth-ext-review@ietf.org], as described in [RFC-ietf-oauth-resource-metadata-13]. If approved, designated experts should notify IANA within two weeks. For assistance, please contact iana@iana.org. IANA does not monitor the list.
- Available Formats
-
CSV
Metadata Name | Metadata Description | Change Controller | Reference |
---|---|---|---|
resource | Protected resource's resource identifier URL | IETF | [RFC-ietf-oauth-resource-metadata-13, Section 2] |
authorization_servers | JSON array containing a list of OAuth authorization server issuer identifiers | IETF | [RFC-ietf-oauth-resource-metadata-13, Section 2] |
jwks_uri | URL of the protected resource's JWK Set document | IETF | [RFC-ietf-oauth-resource-metadata-13, Section 2] |
scopes_supported | JSON array containing a list of the OAuth 2.0 scope values that are used in authorization requests to request access to this protected resource | IETF | [RFC-ietf-oauth-resource-metadata-13, Section 2] |
bearer_methods_supported | JSON array containing a list of the OAuth 2.0 Bearer Token presentation methods that this protected resource supports | IETF | [RFC-ietf-oauth-resource-metadata-13, Section 2] |
resource_signing_alg_values_supported | JSON array containing a list of the JWS signing algorithms (alg values) supported by the protected resource for signed content | IETF | [RFC-ietf-oauth-resource-metadata-13, Section 2] |
resource_name | Human-readable name of the protected resource | IETF | [RFC-ietf-oauth-resource-metadata-13, Section 2] |
resource_documentation | URL of a page containing human-readable information that developers might want or need to know when using the protected resource | IETF | [RFC-ietf-oauth-resource-metadata-13, Section 2] |
resource_policy_uri | URL of a page containing human-readable information about the protected resource's requirements on how the client can use the data provided by the protected resource | IETF | [RFC-ietf-oauth-resource-metadata-13, Section 2] |
resource_tos_uri | URL of a page containing human-readable information about the protected resource's terms of service | IETF | [RFC-ietf-oauth-resource-metadata-13, Section 2] |
tls_client_certificate_bound_access_tokens | Boolean value indicating protected resource support for mutual-TLS client certificate-bound access tokens | IETF | [RFC-ietf-oauth-resource-metadata-13, Section 2] |
authorization_details_types_supported | JSON array containing a list of the authorization details type values supported by the resource server when the authorization_details request parameter is used | IETF | [RFC-ietf-oauth-resource-metadata-13, Section 2] |
dpop_signing_alg_values_supported | JSON array containing a list of the JWS alg values supported by the resource server for validating DPoP proof JWTs | IETF | [RFC-ietf-oauth-resource-metadata-13, Section 2] |
dpop_bound_access_tokens_required | Boolean value specifying whether the protected resource always requires the use of DPoP-bound access tokens | IETF | [RFC-ietf-oauth-resource-metadata-13, Section 2] |
signed_metadata | Signed JWT containing metadata parameters about the protected resource as claims | IETF | [RFC-ietf-oauth-resource-metadata-13, Section 2.2] |
Contact Information
ID | Name | Contact URI | Last Updated |
---|---|---|---|
[ETSI] | ETSI | mailto:pnns&etsi.org | 2019-07-22 |
[IESG] | Internet Engineering Steering Group | mailto:iesg&ietf.org | |
[IETF] | Internet Engineering Task Force | mailto:ietf&ietf.org | |
[Kantara_UMA_WG] | Kantara Initiative User-Managed Access Work Group | mailto:staff&kantarainitiative.org | 2018-04-23 |
[OpenID_Foundation_Artifact_Binding_Working_Group] | OpenID Foundation Artifact Binding Working Group | mailto:openid-specs-ab&lists.openid.net | 2022-09-23 |
[OpenID_Foundation_MODRNA_Working_Group] | OpenID Foundation MODRNA Working Group | mailto:openid-specs-mobile-profile&lists.openid.net | 2022-12-01 |