FWIW: There is no dedicated section for grant types, but several identifiers representing grant types are listed in the OAuth URI section ( https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml#uri ).
- urn:ietf:params:oauth:grant-type:device_code - urn:ietf:params:oauth:grant-type:jwt-bearer - urn:ietf:params:oauth:grant-type:saml2-bearer - urn:ietf:params:oauth:grant-type:token-exchange On Fri, Mar 6, 2026 at 4:16 AM Lombardo, Jeff <jeffsec= [email protected]> wrote: > I second your remark > > Jean-François “Jeff” Lombardo | Amazon Web Services > > Architecte Principal de Solutions, Spécialiste de Sécurité > Principal Solution Architect, Security Specialist > Montréal, Canada > > Commentaires à propos de notre échange? Exprimez-vous ici. > > Thoughts on our interaction? Provide feedback here. > > -----Original Message----- > From: Emelia S. <[email protected]> > Sent: March 5, 2026 2:12 PM > To: Lombardo, Jeff <[email protected]> > Cc: [email protected]; Lombardo, Jeff <[email protected]> > Subject: RE: [EXT] [OAUTH-WG] Is there an IANA Registry for Grant Types? > > CAUTION: This email originated from outside of the organization. Do not > click links or open attachments unless you can confirm the sender and know > the content is safe. > > > > AVERTISSEMENT: Ce courrier électronique provient d’un expéditeur externe. > Ne cliquez sur aucun lien et n’ouvrez aucune pièce jointe si vous ne pouvez > pas confirmer l’identité de l’expéditeur et si vous n’êtes pas certain que > le contenu ne présente aucun risque. > > > > This question actually isn't about CIMD here! I've been working with a > team on a low-level OAuth implementation for Swift, and I just happened to > notice that we'd hardcoded grant types whilst writing the client, and I > went to try to find information on a registry of grant types, because I > knew that was an extension point, but couldn't find one. > > Feels a bit odd not to have a well known registry of grant types and their > corresponding specifications. > > – Emelia > > > On 5 Mar 2026, at 20:02, Lombardo, Jeff <jeffsec= > [email protected]> wrote: > > > > That is what I tried to propose to OSW and former IETF meetings > > through: > > https://github.com/identitymonk/draft-lombardo-oauth-client-extension- > > claims > > > > it was for Claims in tokens but surely would applied to CIMD which I > > what I think you point at too on top of OAuth 2.1 > > > > > > > > Jean-François “Jeff” Lombardo | Amazon Web Services > > > > Architecte Principal de Solutions, Spécialiste de Sécurité Principal > > Solution Architect, Security Specialist Montréal, Canada > > > > Commentaires à propos de notre échange? Exprimez-vous ici. > > > > Thoughts on our interaction? Provide feedback here. > > > > -----Original Message----- > > From: Emelia S. <[email protected]> > > Sent: March 5, 2026 1:32 PM > > To: [email protected] > > Subject: [EXT] [OAUTH-WG] Is there an IANA Registry for Grant Types? > > > > CAUTION: This email originated from outside of the organization. Do not > click links or open attachments unless you can confirm the sender and know > the content is safe. > > > > > > > > AVERTISSEMENT: Ce courrier électronique provient d’un expéditeur > externe. Ne cliquez sur aucun lien et n’ouvrez aucune pièce jointe si vous > ne pouvez pas confirmer l’identité de l’expéditeur et si vous n’êtes pas > certain que le contenu ne présente aucun risque. > > > > > > > > Hi all, > > > > I just noticed that there doesn't seem to be an explicit registry of > OAuth Grant Types defined anywhere, should there be such a registry kept > with IANA for standardized grant types? > > > > https://datatracker.ietf.org/doc/html/rfc6749#section-8.3 > > > >> Defining New Authorization Grant Types New authorization grant types > >> can be defined by assigning them a unique absolute URI for use with the > "grant_type" parameter. If the extension grant type requires additional > token endpoint parameters, they MUST be registered in the OAuth Parameters > registry as described by Section 11.2. > > > > This just says the additional parameters must be registered, but nothing > about the grant type itself besides it must be an absolute URI (urn's are > often used). > > > > Would it be worth defining an explicit registry with IANA as part of > OAuth 2.1? > > > > Yours, > > Emelia Smith > > _______________________________________________ > > OAuth mailing list -- [email protected] > > To unsubscribe send an email to [email protected] > > _______________________________________________ > OAuth mailing list -- [email protected] > To unsubscribe send an email to [email protected] > -- *Takahiko Kawasaki* Co-Founder [email protected] [image: Authlete] authlete.com <https://www.authlete.com/> |Linkedin <https://www.linkedin.com/company/authlete/>
_______________________________________________ OAuth mailing list -- [email protected] To unsubscribe send an email to [email protected]
