This question actually isn't about CIMD here! I've been working with a team on a low-level OAuth implementation for Swift, and I just happened to notice that we'd hardcoded grant types whilst writing the client, and I went to try to find information on a registry of grant types, because I knew that was an extension point, but couldn't find one.
Feels a bit odd not to have a well known registry of grant types and their corresponding specifications. – Emelia > On 5 Mar 2026, at 20:02, Lombardo, Jeff <[email protected]> > wrote: > > That is what I tried to propose to OSW and former IETF meetings through: > https://github.com/identitymonk/draft-lombardo-oauth-client-extension-claims > > it was for Claims in tokens but surely would applied to CIMD which I what I > think you point at too on top of OAuth 2.1 > > > > Jean-François “Jeff” Lombardo | Amazon Web Services > > Architecte Principal de Solutions, Spécialiste de Sécurité > Principal Solution Architect, Security Specialist > Montréal, Canada > > Commentaires à propos de notre échange? Exprimez-vous ici. > > Thoughts on our interaction? Provide feedback here. > > -----Original Message----- > From: Emelia S. <[email protected]> > Sent: March 5, 2026 1:32 PM > To: [email protected] > Subject: [EXT] [OAUTH-WG] Is there an IANA Registry for Grant Types? > > CAUTION: This email originated from outside of the organization. Do not click > links or open attachments unless you can confirm the sender and know the > content is safe. > > > > AVERTISSEMENT: Ce courrier électronique provient d’un expéditeur externe. Ne > cliquez sur aucun lien et n’ouvrez aucune pièce jointe si vous ne pouvez pas > confirmer l’identité de l’expéditeur et si vous n’êtes pas certain que le > contenu ne présente aucun risque. > > > > Hi all, > > I just noticed that there doesn't seem to be an explicit registry of OAuth > Grant Types defined anywhere, should there be such a registry kept with IANA > for standardized grant types? > > https://datatracker.ietf.org/doc/html/rfc6749#section-8.3 > >> Defining New Authorization Grant Types New authorization grant types >> can be defined by assigning them a unique absolute URI for use with the >> "grant_type" parameter. If the extension grant type requires additional >> token endpoint parameters, they MUST be registered in the OAuth Parameters >> registry as described by Section 11.2. > > This just says the additional parameters must be registered, but nothing > about the grant type itself besides it must be an absolute URI (urn's are > often used). > > Would it be worth defining an explicit registry with IANA as part of OAuth > 2.1? > > Yours, > Emelia Smith > _______________________________________________ > OAuth mailing list -- [email protected] > To unsubscribe send an email to [email protected] _______________________________________________ OAuth mailing list -- [email protected] To unsubscribe send an email to [email protected]
