For better or worse, and for reasons I don't fully remember, the way things were defined for grant types was that the core ones in RFC6749 got to be plain string values and extensions had to be URIs. Trying to work with/in these constructs and have official(ish) looking URIs for extension grants gave rise to RFC6755, which established the registry Taka pointed to below. And to kinda encourage its use with the form urn:ietf:params:oauth:grant-type:<name> for extension grants, which has occurred in some cases. But it's not exhaustive, top of mind I can think of at least https://openid.net/specs/openid-client-initiated-backchannel-authentication-core-1_0.html that uses a different namespace with urn:openid:params:grant-type:ciba.
It is indeed a bit odd but that ship has sailed and a new registry via OAuth 2.1 might not help much or even be appropriate. On Fri, Mar 6, 2026 at 3:36 PM Takahiko Kawasaki <[email protected]> wrote: > FWIW: There is no dedicated section for grant types, but several > identifiers representing grant types are listed in the OAuth URI section ( > https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml#uri > ). > > > - urn:ietf:params:oauth:grant-type:device_code > - urn:ietf:params:oauth:grant-type:jwt-bearer > - urn:ietf:params:oauth:grant-type:saml2-bearer > - urn:ietf:params:oauth:grant-type:token-exchange > > > > On Fri, Mar 6, 2026 at 4:16 AM Lombardo, Jeff <jeffsec= > [email protected]> wrote: > >> I second your remark >> >> Jean-François “Jeff” Lombardo | Amazon Web Services >> >> Architecte Principal de Solutions, Spécialiste de Sécurité >> Principal Solution Architect, Security Specialist >> Montréal, Canada >> >> Commentaires à propos de notre échange? Exprimez-vous ici. >> >> Thoughts on our interaction? Provide feedback here. >> >> -----Original Message----- >> From: Emelia S. <[email protected]> >> Sent: March 5, 2026 2:12 PM >> To: Lombardo, Jeff <[email protected]> >> Cc: [email protected]; Lombardo, Jeff <[email protected]> >> Subject: RE: [EXT] [OAUTH-WG] Is there an IANA Registry for Grant Types? >> >> CAUTION: This email originated from outside of the organization. Do not >> click links or open attachments unless you can confirm the sender and know >> the content is safe. >> >> >> >> AVERTISSEMENT: Ce courrier électronique provient d’un expéditeur externe. >> Ne cliquez sur aucun lien et n’ouvrez aucune pièce jointe si vous ne pouvez >> pas confirmer l’identité de l’expéditeur et si vous n’êtes pas certain que >> le contenu ne présente aucun risque. >> >> >> >> This question actually isn't about CIMD here! I've been working with a >> team on a low-level OAuth implementation for Swift, and I just happened to >> notice that we'd hardcoded grant types whilst writing the client, and I >> went to try to find information on a registry of grant types, because I >> knew that was an extension point, but couldn't find one. >> >> Feels a bit odd not to have a well known registry of grant types and >> their corresponding specifications. >> >> – Emelia >> >> > On 5 Mar 2026, at 20:02, Lombardo, Jeff <jeffsec= >> [email protected]> wrote: >> > >> > That is what I tried to propose to OSW and former IETF meetings >> > through: >> > https://github.com/identitymonk/draft-lombardo-oauth-client-extension- >> > claims >> > >> > it was for Claims in tokens but surely would applied to CIMD which I >> > what I think you point at too on top of OAuth 2.1 >> > >> > >> > >> > Jean-François “Jeff” Lombardo | Amazon Web Services >> > >> > Architecte Principal de Solutions, Spécialiste de Sécurité Principal >> > Solution Architect, Security Specialist Montréal, Canada >> > >> > Commentaires à propos de notre échange? Exprimez-vous ici. >> > >> > Thoughts on our interaction? Provide feedback here. >> > >> > -----Original Message----- >> > From: Emelia S. <[email protected]> >> > Sent: March 5, 2026 1:32 PM >> > To: [email protected] >> > Subject: [EXT] [OAUTH-WG] Is there an IANA Registry for Grant Types? >> > >> > CAUTION: This email originated from outside of the organization. Do not >> click links or open attachments unless you can confirm the sender and know >> the content is safe. >> > >> > >> > >> > AVERTISSEMENT: Ce courrier électronique provient d’un expéditeur >> externe. Ne cliquez sur aucun lien et n’ouvrez aucune pièce jointe si vous >> ne pouvez pas confirmer l’identité de l’expéditeur et si vous n’êtes pas >> certain que le contenu ne présente aucun risque. >> > >> > >> > >> > Hi all, >> > >> > I just noticed that there doesn't seem to be an explicit registry of >> OAuth Grant Types defined anywhere, should there be such a registry kept >> with IANA for standardized grant types? >> > >> > https://datatracker.ietf.org/doc/html/rfc6749#section-8.3 >> > >> >> Defining New Authorization Grant Types New authorization grant types >> >> can be defined by assigning them a unique absolute URI for use with >> the "grant_type" parameter. If the extension grant type requires additional >> token endpoint parameters, they MUST be registered in the OAuth Parameters >> registry as described by Section 11.2. >> > >> > This just says the additional parameters must be registered, but >> nothing about the grant type itself besides it must be an absolute URI >> (urn's are often used). >> > >> > Would it be worth defining an explicit registry with IANA as part of >> OAuth 2.1? >> > >> > Yours, >> > Emelia Smith >> > _______________________________________________ >> > OAuth mailing list -- [email protected] >> > To unsubscribe send an email to [email protected] >> >> _______________________________________________ >> OAuth mailing list -- [email protected] >> To unsubscribe send an email to [email protected] >> > > > -- > *Takahiko Kawasaki* > Co-Founder > [email protected] > [image: Authlete] > authlete.com <https://www.authlete.com/> |Linkedin > <https://www.linkedin.com/company/authlete/> > _______________________________________________ > OAuth mailing list -- [email protected] > To unsubscribe send an email to [email protected] > -- _CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited. If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you._
_______________________________________________ OAuth mailing list -- [email protected] To unsubscribe send an email to [email protected]
