I second your remark Jean-François “Jeff” Lombardo | Amazon Web Services
Architecte Principal de Solutions, Spécialiste de Sécurité Principal Solution Architect, Security Specialist Montréal, Canada Commentaires à propos de notre échange? Exprimez-vous ici. Thoughts on our interaction? Provide feedback here. -----Original Message----- From: Emelia S. <[email protected]> Sent: March 5, 2026 2:12 PM To: Lombardo, Jeff <[email protected]> Cc: [email protected]; Lombardo, Jeff <[email protected]> Subject: RE: [EXT] [OAUTH-WG] Is there an IANA Registry for Grant Types? CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you can confirm the sender and know the content is safe. AVERTISSEMENT: Ce courrier électronique provient d’un expéditeur externe. Ne cliquez sur aucun lien et n’ouvrez aucune pièce jointe si vous ne pouvez pas confirmer l’identité de l’expéditeur et si vous n’êtes pas certain que le contenu ne présente aucun risque. This question actually isn't about CIMD here! I've been working with a team on a low-level OAuth implementation for Swift, and I just happened to notice that we'd hardcoded grant types whilst writing the client, and I went to try to find information on a registry of grant types, because I knew that was an extension point, but couldn't find one. Feels a bit odd not to have a well known registry of grant types and their corresponding specifications. – Emelia > On 5 Mar 2026, at 20:02, Lombardo, Jeff <[email protected]> > wrote: > > That is what I tried to propose to OSW and former IETF meetings > through: > https://github.com/identitymonk/draft-lombardo-oauth-client-extension- > claims > > it was for Claims in tokens but surely would applied to CIMD which I > what I think you point at too on top of OAuth 2.1 > > > > Jean-François “Jeff” Lombardo | Amazon Web Services > > Architecte Principal de Solutions, Spécialiste de Sécurité Principal > Solution Architect, Security Specialist Montréal, Canada > > Commentaires à propos de notre échange? Exprimez-vous ici. > > Thoughts on our interaction? Provide feedback here. > > -----Original Message----- > From: Emelia S. <[email protected]> > Sent: March 5, 2026 1:32 PM > To: [email protected] > Subject: [EXT] [OAUTH-WG] Is there an IANA Registry for Grant Types? > > CAUTION: This email originated from outside of the organization. Do not click > links or open attachments unless you can confirm the sender and know the > content is safe. > > > > AVERTISSEMENT: Ce courrier électronique provient d’un expéditeur externe. Ne > cliquez sur aucun lien et n’ouvrez aucune pièce jointe si vous ne pouvez pas > confirmer l’identité de l’expéditeur et si vous n’êtes pas certain que le > contenu ne présente aucun risque. > > > > Hi all, > > I just noticed that there doesn't seem to be an explicit registry of OAuth > Grant Types defined anywhere, should there be such a registry kept with IANA > for standardized grant types? > > https://datatracker.ietf.org/doc/html/rfc6749#section-8.3 > >> Defining New Authorization Grant Types New authorization grant types >> can be defined by assigning them a unique absolute URI for use with the >> "grant_type" parameter. If the extension grant type requires additional >> token endpoint parameters, they MUST be registered in the OAuth Parameters >> registry as described by Section 11.2. > > This just says the additional parameters must be registered, but nothing > about the grant type itself besides it must be an absolute URI (urn's are > often used). > > Would it be worth defining an explicit registry with IANA as part of OAuth > 2.1? > > Yours, > Emelia Smith > _______________________________________________ > OAuth mailing list -- [email protected] > To unsubscribe send an email to [email protected] _______________________________________________ OAuth mailing list -- [email protected] To unsubscribe send an email to [email protected]
