<meta charset="UTF-8">
<meta name="robots" content="noindex,nofollow" />
<link rel="shortcut icon" type="image/x-icon" href="/wiki/images/favicon.ico" />
<link rel="icon" type="image/x-icon" href="/wiki/images/favicon.ico" />

<pre>
!!! Overview
[{$pagename}] (OAuth Authorization Endpoint Response Types) defined in [Section 3.1.1|RFC 6749] the [{$pagename}] is used in the [Authorization Request]

The [OAuth Client] informs the [Authorization Server] of the desired [Grant Type] using the following parameter:
[response_type]  REQUIRED.  The value MUST be one of:
* &quot;[code|Authorization Code]&quot; for requesting an [Authorization Code Grant] as described by [Section 4.1.1|RFC 6749], 
* &quot;[token]&quot; for requesting an [Access Token] ([Implicit Grant]) as described by [Section 4.2.1|RFC 6749], 
* &quot;none&quot; the [Authorization Server] [SHOULD NOT] return an [OAuth 2.0] [Authorization Code], [Access Token], [token_type], or [Identity Token] in a successful response to the grant request. If a [redirect_uri] is supplied, the [User-agent] [SHOULD] be redirected there after granting or denying access.[1] 
* &quot;[id_token|Identity Token]&quot; -  The intended purpose of the [id_token|Identity Token] is that it __[MUST]__ provide an assertion of the identity of the [Resource Owner] as understood by the [Authorization Server]. The assertion [MUST] specify a targeted [audience|aud], e.g. the requesting Client. [1]
* or a registered extension value as described by Section 8.4.

Extension response types [MAY] contain a space-delimited (%x20) list of values, where the order of values does not matter (e.g., response type &quot;a b&quot; is the same as &quot;b a&quot;).  The meaning of such composite [{$pagename}] is defined by their respective specifications.

If an [Authorization Request] is missing the &quot;[response_type]&quot; parameter, or if the [response_type] is not understood, the [Authorization Server] [MUST] return an [OAuth Error] response as described in [Section 4.1.2.1.|RFC 6749]

!! Definitions of Multiple-Valued [{$pagename}] Combinations
This section defines combinations of the values code, token, and id_token, which are each individually registered Response Types:
* [code|Authorization Code] [token|access_token] - When supplied as the value for the [{$pagename}] parameter, a successful response [MUST] include an [Access Token], an [Access Token] [token_type], and an [Authorization Code]. The default [Response_mode] for this Response Type is the [Fragment Response Mode] encoding and the [query Response Mode] encoding [MUST NOT] be used. Both successful and [OAuth Error] responses [SHOULD] be returned using the supplied [Response_mode], or if none is supplied, using the default [Response_mode].
* [code|Authorization Code] [id_token] - When supplied as the value for the response_type parameter, a successful response [MUST] include both an:
** [Authorization Code] 
** [id_token]. \\The default Response Mode for this Response Type is the [Fragment Response Mode] encoding and the [query Response Mode] encoding [MUST NOT] be used. Both successful and [OAuth Error] responses [SHOULD] be returned using the supplied [Response_mode], or if none is supplied, using the default Response Mode.
* [id_token] [token|access_token] - When supplied as the value for the [{$pagename}] parameter, a successful response [MUST] include an:
** Access Token
** [Access Token Type]
** [id_token]. \\ The default Response Mode for this Response Type is the [Fragment Response Mode] encoding and the query encoding [MUST NOT] be used. Both successful and [OAuth Error] responses [SHOULD] be returned using the supplied Response Mode, or if none is supplied, using the default Response Mode.
* [code|Authorization Code] [id_token] [token|access_token] - When supplied as the value for the response_type [parameter], a successful response [MUST] include an 
** [Authorization Code]
** [id_token]
** [Access Token]
** [Access Token Type]. \\The __default__ [Response_mode] for this Response Type is the [Fragment Response Mode] encoding and the query encoding [MUST NOT] be used. Both successful and [OAuth Error] responses [SHOULD] be returned using the supplied Response Mode, or if none is supplied, using the default Response Mode.

For all these [{$pagename}], the request [MAY] include a state parameter, and if so, the [Authorization Server] [MUST] echo its value as a response parameter when issuing either a successful response or an error response

!! [OAuth Authorization Endpoint Response Types Registry]
[{$pagename}] values should be in the [OAuth Authorization Endpoint Response Types Registry]

!! More Information
There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }]
----
* [#1] - [OAuth 2.0 Multiple Response Type Encoding Practices|http://openid.net/specs/oauth-v2-multiple-response-types-1_0.html|target='_blank'] - based on information obtained 2015-08-02
</pre>