Registries included below
Registration Procedure(s): Specification Required
Expert(s): Hannes Tschofenig
| Name | Additional Endpoint Response Parameters | HTTP Authentication Scheme(s) | Change Controller | Reference |
|---|---|---|---|---|
| Bearer | | Bearer | IETF | [RFC6750] |
Registration Procedure(s): Specification Required
Expert(s): Hannes Tschofenig
Registration Procedure(s): Specification Required
Expert(s): Hannes Tschofenig
| Name | Usage Location | Protocol Extension | Change Controller | Reference |
|---|---|---|---|---|
| invalid_request | resource access error response | bearer access token type | IETF | [RFC6750] |
| invalid_token | resource access error response | bearer access token type | IETF | [RFC6750] |
| insufficient_scope | resource access error response | bearer access token type | IETF | [RFC6750] |
| unsupported_token_type | revocation endpoint error response | token revocation endpoint | IETF | [RFC7009] |
| interaction_required | authorization endpoint | OpenID Connect | [OpenID_Foundation_Artifact_Binding_Working_Group] | [http://openid.net/specs/openid-connect-core-1_0.html] |
| login_required | authorization endpoint | OpenID Connect | [OpenID_Foundation_Artifact_Binding_Working_Group] | [http://openid.net/specs/openid-connect-core-1_0.html] |
| session_selection_required | authorization endpoint | OpenID Connect | [OpenID_Foundation_Artifact_Binding_Working_Group] | [http://openid.net/specs/openid-connect-core-1_0.html] |
| consent_required | authorization endpoint | OpenID Connect | [OpenID_Foundation_Artifact_Binding_Working_Group] | [http://openid.net/specs/openid-connect-core-1_0.html] |
| invalid_request_uri | authorization endpoint | OpenID Connect | [OpenID_Foundation_Artifact_Binding_Working_Group] | [http://openid.net/specs/openid-connect-core-1_0.html] |
| invalid_request_object | authorization endpoint | OpenID Connect | [OpenID_Foundation_Artifact_Binding_Working_Group] | [http://openid.net/specs/openid-connect-core-1_0.html] |
| request_not_supported | authorization endpoint | OpenID Connect | [OpenID_Foundation_Artifact_Binding_Working_Group] | [http://openid.net/specs/openid-connect-core-1_0.html] |
| request_uri_not_supported | authorization endpoint | OpenID Connect | [OpenID_Foundation_Artifact_Binding_Working_Group] | [http://openid.net/specs/openid-connect-core-1_0.html] |
| registration_not_supported | authorization endpoint | OpenID Connect | [OpenID_Foundation_Artifact_Binding_Working_Group] | [http://openid.net/specs/openid-connect-core-1_0.html] |
| need_info (and its subsidiary parameters) | authorization server response, token endpoint | Kantara UMA | [Kantara_UMA_WG] | [UMA 2.0 Grant for OAuth 2.0, Section 3.3.6] |
| request_denied | authorization server response, token endpoint | Kantara UMA | [Kantara_UMA_WG] | [UMA 2.0 Grant for OAuth 2.0, Section 3.3.6] |
| request_submitted (and its subsidiary parameters) | authorization server response, token endpoint | Kantara UMA | [Kantara_UMA_WG] | [UMA 2.0 Grant for OAuth 2.0, Section 3.3.6] |
Registration Procedure(s): Specification Required
Expert(s): Hannes Tschofenig
| Name | Parameter Usage Location | Change Controller | Reference |
|---|---|---|---|
| client_id | authorization request, token request | IETF | [RFC6749] |
| client_secret | token request | IETF | [RFC6749] |
| response_type | authorization request | IETF | [RFC6749] |
| redirect_uri | authorization request, token request | IETF | [RFC6749] |
| scope | authorization request, authorization response, token request, token response | IETF | [RFC6749] |
| state | authorization request, authorization response | IETF | [RFC6749] |
| code | authorization response, token request | IETF | [RFC6749] |
| error | authorization response, token response | IETF | [RFC6749] |
| error_description | authorization response, token response | IETF | [RFC6749] |
| error_uri | authorization response, token response | IETF | [RFC6749] |
| grant_type | token request | IETF | [RFC6749] |
| access_token | authorization response, token response | IETF | [RFC6749] |
| token_type | authorization response, token response | IETF | [RFC6749] |
| expires_in | authorization response, token response | IETF | [RFC6749] |
| username | token request | IETF | [RFC6749] |
| password | token request | IETF | [RFC6749] |
| refresh_token | token request, token response | IETF | [RFC6749] |
| nonce | authorization request | [OpenID_Foundation_Artifact_Binding_Working_Group] | [http://openid.net/specs/openid-connect-core-1_0.html] |
| display | authorization request | [OpenID_Foundation_Artifact_Binding_Working_Group] | [http://openid.net/specs/openid-connect-core-1_0.html] |
| prompt | authorization request | [OpenID_Foundation_Artifact_Binding_Working_Group] | [http://openid.net/specs/openid-connect-core-1_0.html] |
| max_age | authorization request | [OpenID_Foundation_Artifact_Binding_Working_Group] | [http://openid.net/specs/openid-connect-core-1_0.html] |
| ui_locales | authorization request | [OpenID_Foundation_Artifact_Binding_Working_Group] | [http://openid.net/specs/openid-connect-core-1_0.html] |
| claims_locales | authorization request | [OpenID_Foundation_Artifact_Binding_Working_Group] | [http://openid.net/specs/openid-connect-core-1_0.html] |
| id_token_hint | authorization request | [OpenID_Foundation_Artifact_Binding_Working_Group] | [http://openid.net/specs/openid-connect-core-1_0.html] |
| login_hint | authorization request | [OpenID_Foundation_Artifact_Binding_Working_Group] | [http://openid.net/specs/openid-connect-core-1_0.html] |
| acr_values | authorization request | [OpenID_Foundation_Artifact_Binding_Working_Group] | [http://openid.net/specs/openid-connect-core-1_0.html] |
| claims | authorization request | [OpenID_Foundation_Artifact_Binding_Working_Group] | [http://openid.net/specs/openid-connect-core-1_0.html] |
| registration | authorization request | [OpenID_Foundation_Artifact_Binding_Working_Group] | [http://openid.net/specs/openid-connect-core-1_0.html] |
| request | authorization request | [OpenID_Foundation_Artifact_Binding_Working_Group] | [http://openid.net/specs/openid-connect-core-1_0.html] |
| request_uri | authorization request | [OpenID_Foundation_Artifact_Binding_Working_Group] | [http://openid.net/specs/openid-connect-core-1_0.html] |
| id_token | authorization response, access token response | [OpenID_Foundation_Artifact_Binding_Working_Group] | [http://openid.net/specs/openid-connect-core-1_0.html] |
| session_state | authorization response, access token response | [OpenID_Foundation_Artifact_Binding_Working_Group] | [http://openid.net/specs/openid-connect-session-1_0.html] |
| assertion | token request | IESG | [RFC7521] |
| client_assertion | token request | IESG | [RFC7521] |
| client_assertion_type | token request | IESG | [RFC7521] |
| code_verifier | token request | IESG | [RFC7636] |
| code_challenge | authorization request | IESG | [RFC7636] |
| code_challenge_method | authorization request | IESG | [RFC7636] |
| claim_token | client request, token endpoint | [Kantara_UMA_WG] | [UMA 2.0 Grant for OAuth 2.0, Section 3.3.1] |
| pct | client request, token endpoint | [Kantara_UMA_WG] | [UMA 2.0 Grant for OAuth 2.0, Section 3.3.1] |
| pct | authorization server response, token endpoint | [Kantara_UMA_WG] | [UMA 2.0 Grant for OAuth 2.0, Section 3.3.5] |
| rpt | client request, token endpoint | [Kantara_UMA_WG] | [UMA 2.0 Grant for OAuth 2.0, Section 3.3.1] |
| ticket | client request, token endpoint | [Kantara_UMA_WG] | [UMA 2.0 Grant for OAuth 2.0, Section 3.3.1] |
| upgraded | authorization server response, token endpoint | [Kantara_UMA_WG] | [UMA 2.0 Grant for OAuth 2.0, Section 3.3.5] |
| vtr | authorization request, token request | IESG | [RFC8485] |
Registration Procedure(s): Specification Required with mandatory two-week mailing list review
Expert(s): Torsten Lodderstedt
| Hint Value | Change Controller | Reference |
|---|---|---|
| access_token | IETF | [RFC7009] |
| refresh_token | IETF | [RFC7009] |
| pct | [Kantara_UMA_WG] | [UMA 2.0 Grant for OAuth 2.0, Section 3.7] |
Registration Procedure(s): Specification Required
Expert(s): Hannes Tschofenig
Prefix: urn:ietf:params:oauth
| URN | Common Name | Change Controller | Reference |
|---|---|---|---|
| urn:ietf:params:oauth:grant-type:jwt-bearer | JWT Bearer Token Grant Type Profile for OAuth 2.0 | IESG | [RFC7523] |
| urn:ietf:params:oauth:client-assertion-type:jwt-bearer | JWT Bearer Token Profile for OAuth 2.0 Client Authentication | IESG | [RFC7523] |
| urn:ietf:params:oauth:grant-type:saml2-bearer | SAML 2.0 Bearer Assertion Grant Type Profile for OAuth 2.0 | IESG | [RFC7522] |
| urn:ietf:params:oauth:client-assertion-type:saml2-bearer | SAML 2.0 Bearer Assertion Profile for OAuth 2.0 Client Authentication | IESG | [RFC7522] |
| urn:ietf:params:oauth:token-type:jwt | JSON Web Token (JWT) Token Type | IESG | [RFC7519] |
Registration Procedure(s): Specification Required
Expert(s): Justin Richer
See [RFC7591] for mailing list information.
| Client Metadata Name | Client Metadata Description | Change Controller | Reference |
|---|---|---|---|
| redirect_uris | Array of redirection URIs for use in redirect-based flows | IESG | [RFC7591] |
| token_endpoint_auth_method | Requested authentication method for the token endpoint | IESG | [RFC7591] |
| grant_types | Array of OAuth 2.0 grant types that the client may use | IESG | [RFC7591] |
| response_types | Array of the OAuth 2.0 response types that the client may use | IESG | [RFC7591] |
| client_name | Human-readable name of the client to be presented to the user | IESG | [RFC7591] |
| client_uri | URL of a web page providing information about the client | IESG | [RFC7591] |
| logo_uri | URL that references a logo for the client | IESG | [RFC7591] |
| scope | Space-separated list of OAuth 2.0 scope values | IESG | [RFC7591] |
| contacts | Array of strings representing ways to contact people responsible for this client, typically email addresses | IESG | [RFC7591] |
| tos_uri | URL that points to a human-readable terms of service document for the client | IESG | [RFC7591] |
| policy_uri | URL that points to a human-readable policy document for the client | IESG | [RFC7591] |
| jwks_uri | URL referencing the client's JSON Web Key Set [RFC7517] document representing the client's public keys | IESG | [RFC7591] |
| jwks | Client's JSON Web Key Set [RFC7517] document representing the client's public keys | IESG | [RFC7591] |
| software_id | Identifier for the software that comprises a client | IESG | [RFC7591] |
| software_version | Version identifier for the software that comprises a client | IESG | [RFC7591] |
| client_id | Client identifier | IESG | [RFC7591] |
| client_secret | Client secret | IESG | [RFC7591] |
| client_id_issued_at | Time at which the client identifier was issued | IESG | [RFC7591] |
| client_secret_expires_at | Time at which the client secret will expire | IESG | [RFC7591] |
| registration_access_token | OAuth 2.0 Bearer Token used to access the client configuration endpoint | IESG | [RFC7592] |
| registration_client_uri | Fully qualified URI of the client registration endpoint | IESG | [RFC7592] |
| application_type | Kind of the application -- "native" or "web" | [OpenID_Foundation_Artifact_Binding_Working_Group] | [OpenID Connect Dynamic Client Registration 1.0 incorporating errata set 2] |
| sector_identifier_uri | URL using the https scheme to be used in calculating Pseudonymous Identifiers by the OP | [OpenID_Foundation_Artifact_Binding_Working_Group] | [OpenID Connect Dynamic Client Registration 1.0 incorporating errata set 2] |
| subject_type | subject_type requested for responses to this Client -- "pairwise" or "public" | [OpenID_Foundation_Artifact_Binding_Working_Group] | [OpenID Connect Dynamic Client Registration 1.0 incorporating errata set 2] |
| id_token_signed_response_alg | JWS alg algorithm REQUIRED for signing the ID Token issued to this Client | [OpenID_Foundation_Artifact_Binding_Working_Group] | [OpenID Connect Dynamic Client Registration 1.0 incorporating errata set 2] |
| id_token_encrypted_response_alg | JWE alg algorithm REQUIRED for encrypting the ID Token issued to this Client | [OpenID_Foundation_Artifact_Binding_Working_Group] | [OpenID Connect Dynamic Client Registration 1.0 incorporating errata set 2] |
| id_token_encrypted_response_enc | JWE enc algorithm REQUIRED for encrypting the ID Token issued to this Client | [OpenID_Foundation_Artifact_Binding_Working_Group] | [OpenID Connect Dynamic Client Registration 1.0 incorporating errata set 2] |
| userinfo_signed_response_alg | JWS alg algorithm REQUIRED for signing UserInfo Responses | [OpenID_Foundation_Artifact_Binding_Working_Group] | [OpenID Connect Dynamic Client Registration 1.0 incorporating errata set 2] |
| userinfo_encrypted_response_alg | JWE alg algorithm REQUIRED for encrypting UserInfo Responses | [OpenID_Foundation_Artifact_Binding_Working_Group] | [OpenID Connect Dynamic Client Registration 1.0 incorporating errata set 2] |
| userinfo_encrypted_response_enc | JWE enc algorithm REQUIRED for encrypting UserInfo Responses | [OpenID_Foundation_Artifact_Binding_Working_Group] | [OpenID Connect Dynamic Client Registration 1.0 incorporating errata set 2] |
| request_object_signing_alg | JWS alg algorithm that MUST be used for signing Request Objects sent to the OP | [OpenID_Foundation_Artifact_Binding_Working_Group] | [OpenID Connect Dynamic Client Registration 1.0 incorporating errata set 2] |
| request_object_encryption_alg | JWE alg algorithm the RP is declaring that it may use for encrypting Request Objects sent to the OP | [OpenID_Foundation_Artifact_Binding_Working_Group] | [OpenID Connect Dynamic Client Registration 1.0 incorporating errata set 2] |
| request_object_encryption_enc | JWE enc algorithm the RP is declaring that it may use for encrypting Request Objects sent to the OP | [OpenID_Foundation_Artifact_Binding_Working_Group] | [OpenID Connect Dynamic Client Registration 1.0 incorporating errata set 2] |
| token_endpoint_auth_signing_alg | JWS alg algorithm that MUST be used for signing the JWT used to authenticate the Client at the Token Endpoint for the private_key_jwt and client_secret_jwt authentication methods | [OpenID_Foundation_Artifact_Binding_Working_Group] | [OpenID Connect Dynamic Client Registration 1.0 incorporating errata set 2] |
| default_max_age | Default Maximum Authentication Age | [OpenID_Foundation_Artifact_Binding_Working_Group] | [OpenID Connect Dynamic Client Registration 1.0 incorporating errata set 2] |
| require_auth_time | Boolean value specifying whether the auth_time Claim in the ID Token is REQUIRED | [OpenID_Foundation_Artifact_Binding_Working_Group] | [OpenID Connect Dynamic Client Registration 1.0 incorporating errata set 2] |
| default_acr_values | Default requested Authentication Context Class Reference values | [OpenID_Foundation_Artifact_Binding_Working_Group] | [OpenID Connect Dynamic Client Registration 1.0 incorporating errata set 2] |
| initiate_login_uri | URI using the https scheme that a third party can use to initiate a login by the RP | [OpenID_Foundation_Artifact_Binding_Working_Group] | [OpenID Connect Dynamic Client Registration 1.0 incorporating errata set 2] |
| request_uris | Array of request_uri values that are pre-registered by the RP for use at the OP | [OpenID_Foundation_Artifact_Binding_Working_Group] | [OpenID Connect Dynamic Client Registration 1.0 incorporating errata set 2] |
| claims_redirect_uris | claims redirection endpoints | [Kantara_UMA_WG] | [UMA 2.0 Grant for OAuth 2.0, Section 2] |
Registration Procedure(s): Specification Required
Expert(s): Justin Richer
See [RFC7591] for mailing list information.
| Token Endpoint Authentication Method Name | Change Controller | Reference |
|---|---|---|
| none | IESG | [RFC7591] |
| client_secret_post | IESG | [RFC7591] |
| client_secret_basic | IESG | [RFC7591] |
| client_secret_jwt | [OpenID_Foundation_Artifact_Binding_Working_Group] | [OpenID Connect Core 1.0] |
| private_key_jwt | [OpenID_Foundation_Artifact_Binding_Working_Group] | [OpenID Connect Core 1.0] |
Registration Procedure(s): Specification Required
Expert(s): Unassigned
| Code Challenge Method Parameter Name | Change Controller | Reference |
|---|---|---|
| plain | IESG | [Section 4.2 of RFC7636] |
| S256 | IESG | [Section 4.2 of RFC7636] |
Registration Procedure(s): Specification Required
Expert(s): Justin Richer
| Name | Description | Change Controller | Reference |
|---|---|---|---|
| active | Token active status | IESG | [RFC7662, Section 2.2] |
| username | User identifier of the resource owner | IESG | [RFC7662, Section 2.2] |
| client_id | Client identifier of the client | IESG | [RFC7662, Section 2.2] |
| scope | Authorized scopes of the token | IESG | [RFC7662, Section 2.2] |
| token_type | Type of the token | IESG | [RFC7662, Section 2.2] |
| exp | Expiration timestamp of the token | IESG | [RFC7662, Section 2.2] |
| iat | Issuance timestamp of the token | IESG | [RFC7662, Section 2.2] |
| nbf | Timestamp which the token is not valid before | IESG | [RFC7662, Section 2.2] |
| sub | Subject of the token | IESG | [RFC7662, Section 2.2] |
| aud | Audience of the token | IESG | [RFC7662, Section 2.2] |
| iss | Issuer of the token | IESG | [RFC7662, Section 2.2] |
| jti | Unique identifier of the token | IESG | [RFC7662, Section 2.2] |
| permissions | array of objects, each describing a scoped, time-limitable permission for a resource | [Kantara_UMA_WG] | [Federated Authorization for UMA 2.0, Section 5.1.1] |
| vot | Vector of Trust value | IESG | [RFC8485] |
| vtm | Vector of Trust trustmark URL | IESG | [RFC8485] |
Registration Procedure(s): Specification Required
Expert(s): Michael Jones, Nat Sakimura, John Bradley
| Metadata Name | Metadata Description | Change Controller | Reference |
|---|---|---|---|
| issuer | Authorization server's issuer identifier URL | IESG | [RFC8414, Section 2] |
| authorization_endpoint | URL of the authorization server's authorization endpoint | IESG | [RFC8414, Section 2] |
| token_endpoint | URL of the authorization server's token endpoint | IESG | [RFC8414, Section 2] |
| jwks_uri | URL of the authorization server's JWK Set document | IESG | [RFC8414, Section 2] |
| registration_endpoint | URL of the authorization server's OAuth 2.0 Dynamic Client Registration Endpoint | IESG | [RFC8414, Section 2] |
| scopes_supported | JSON array containing a list of the OAuth 2.0 "scope" values that this authorization server supports | IESG | [RFC8414, Section 2] |
| response_types_supported | JSON array containing a list of the OAuth 2.0 "response_type" values that this authorization server supports | IESG | [RFC8414, Section 2] |
| response_modes_supported | JSON array containing a list of the OAuth 2.0 "response_mode" values that this authorization server supports | IESG | [RFC8414, Section 2] |
| grant_types_supported | JSON array containing a list of the OAuth 2.0 grant type values that this authorization server supports | IESG | [RFC8414, Section 2] |
| token_endpoint_auth_methods_supported | JSON array containing a list of client authentication methods supported by this token endpoint | IESG | [RFC8414, Section 2] |
| token_endpoint_auth_signing_alg_values_supported | JSON array containing a list of the JWS signing algorithms supported by the token endpoint for the signature on the JWT used to authenticate the client at the token endpoint | IESG | [RFC8414, Section 2] |
| service_documentation | URL of a page containing human-readable information that developers might want or need to know when using the authorization server | IESG | [RFC8414, Section 2] |
| ui_locales_supported | Languages and scripts supported for the user interface, represented as a JSON array of language tag values from [BCP47] | IESG | [RFC8414, Section 2] |
| op_policy_uri | URL that the authorization server provides to the person registering the client to read about the authorization server's requirements on how the client can use the data provided by the authorization server | IESG | [RFC8414, Section 2] |
| op_tos_uri | URL that the authorization server provides to the person registering the client to read about the authorization server's terms of service | IESG | [RFC8414, Section 2] |
| revocation_endpoint | URL of the authorization server's OAuth 2.0 revocation endpoint | IESG | [RFC8414, Section 2] |
| revocation_endpoint_auth_methods_supported | JSON array containing a list of client authentication methods supported by this revocation endpoint | IESG | [RFC8414, Section 2] |
| revocation_endpoint_auth_signing_alg_values_supported | JSON array containing a list of the JWS signing algorithms supported by the revocation endpoint for the signature on the JWT used to authenticate the client at the revocation endpoint | IESG | [RFC8414, Section 2] |
| introspection_endpoint | URL of the authorization server's OAuth 2.0 introspection endpoint | IESG | [RFC8414, Section 2] |
| introspection_endpoint_auth_methods_supported | JSON array containing a list of client authentication methods supported by this introspection endpoint | IESG | [RFC8414, Section 2] |
| introspection_endpoint_auth_signing_alg_values_supported | JSON array containing a list of the JWS signing algorithms supported by the introspection endpoint for the signature on the JWT used to authenticate the client at the introspection endpoint | IESG | [RFC8414, Section 2] |
| code_challenge_methods_supported | PKCE code challenge methods supported by this authorization server | IESG | [RFC8414, Section 2] |
| signed_metadata | Signed JWT containing metadata values about the authorization server as claims | IESG | [RFC8414, Section 2.1] |
| ID | Name | Contact URI | Last Updated |
|---|---|---|---|
| [Kantara_UMA_WG] | Kantara Initiative User-Managed Access Work Group | mailto:staff&kantarainitiative.org | 2018-04-23 |
| [OpenID_Foundation_Artifact_Binding_Working_Group] | OpenID Foundation Artifact Binding Working Group | mailto:openid-specs-ab&lists.openid.net | 2015-12-03 |