OAuth2ResponseType uses ConstantsTrait
Enumeration of standard OAuth 2.0 / OIDC `response_type` values.
Values used with the response_type parameter of an authorization
request (see OAuth2Parameter::RESPONSE_TYPE) to indicate the
flow to follow at the authorization endpoint.
The single values self::CODE and self::TOKEN come from RFC 6749. OIDC Core §3 adds self::ID_TOKEN (alone, or combined with `token` in self::ID_TOKEN_TOKEN) and the three hybrid combinations used by the OIDC Hybrid Flow; the response_type=none extension (self::NONE) is defined by "OAuth 2.0 Multiple Response Type Encoding Practices".
For combined values, the order of the space-separated tokens is not significant on the wire, but this enum uses the canonical ordering from OIDC Core §3.3.
Example:
    $authUrl = $authorizationEndpoint . '?' . http_build_query([
        OAuth2Parameter::CLIENT_ID     => $clientId,
        OAuth2Parameter::REDIRECT_URI  => $redirectUri,
        OAuth2Parameter::RESPONSE_TYPE => OAuth2ResponseType::CODE,
        OAuth2Parameter::SCOPE         => OidcScope::OPENID,
        OAuth2Parameter::STATE         => $state,
    ]);
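Server-side validation of an incoming response_type, as an added example that is not part of this library: it normalizes token order as described above, returns null for anything that is not one of the eight registered values, and then applies a policy that refuses the access-token-returning variants discouraged by RFC 9700. The TOKEN_ORDER constant and both function names are this example's own; $allowedForClient is assumed to come from the client's registration record.

```php
<?php
declare(strict_types=1);

// Added example, not part of the library. Canonical token ordering follows
// OIDC Core §3.3: 'code', then 'id_token', then 'token'; 'none' stands alone.
const TOKEN_ORDER = ['code' => 0, 'id_token' => 1, 'token' => 2];

/**
 * Normalize a raw response_type value to canonical form ("id_token code"
 * becomes "code id_token"), or return null for anything that is not one of
 * the eight registered values. Duplicate or unknown tokens are rejected.
 */
function normalizeResponseType(string $raw): ?string
{
    // The wire separator is a single space; tolerate repeated whitespace only.
    $parts = preg_split('/\s+/', trim($raw), -1, PREG_SPLIT_NO_EMPTY);
    if ($parts === false || $parts === []) {
        return null;
    }
    if ($parts === ['none']) {
        return 'none';
    }
    if (count($parts) !== count(array_unique($parts))) {
        return null; // e.g. "code code"
    }
    foreach ($parts as $p) {
        if (!isset(TOKEN_ORDER[$p])) {
            return null; // unknown token, or 'none' combined with others
        }
    }
    usort($parts, fn(string $a, string $b): int => TOKEN_ORDER[$a] <=> TOKEN_ORDER[$b]);
    return implode(' ', $parts);
}

/**
 * Authorization-server policy check. The value must normalize, must not
 * contain 'token' (an access token issued straight from the authorization
 * endpoint, which RFC 9700 discourages), and must be one the client is
 * registered for. $allowedForClient is assumed to come from the client record.
 */
function isAcceptableResponseType(string $raw, array $allowedForClient): bool
{
    $canonical = normalizeResponseType($raw);
    if ($canonical === null || in_array('token', explode(' ', $canonical), true)) {
        return false;
    }
    return in_array($canonical, $allowedForClient, true);
}
```

isAcceptableResponseType('id_token code', ['code id_token']) returns true because the value normalizes to the registered hybrid form, while isAcceptableResponseType('token id_token', ['id_token token']) returns false: it normalizes and is registered, but the policy rejects the 'token' component.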
References:
- RFC 6749 §3.1.1 (Response Type)
- OIDC Core 1.0 §3 (Authentication: Code / Implicit / Hybrid flows)
- OIDC Core 1.0 §3.1.2.1, §3.2.2.1, §3.3.2.1
- OAuth 2.0 Multiple Response Type Encoding Practices (none)
Constants

CODE
public string CODE = 'code'
`code` — Authorization Code flow (RFC 6749 §4.1).
The authorization endpoint returns an authorization code that the client subsequently exchanges for tokens at the token endpoint. Recommended flow for all client types when combined with PKCE.

CODE_ID_TOKEN
public string CODE_ID_TOKEN = 'code id_token'
`code id_token` — OIDC Hybrid flow: authorization endpoint returns both an authorization code and an ID Token.

CODE_ID_TOKEN_TOKEN
public string CODE_ID_TOKEN_TOKEN = 'code id_token token'
`code id_token token` — OIDC Hybrid flow: authorization endpoint returns an authorization code, an ID Token, and an access token.

CODE_TOKEN
public string CODE_TOKEN = 'code token'
`code token` — OIDC Hybrid flow: authorization endpoint returns both an authorization code and an access token.

ID_TOKEN
public string ID_TOKEN = 'id_token'
`id_token` — OIDC Implicit flow returning only an ID Token (OIDC Core §3.2).

ID_TOKEN_TOKEN
public string ID_TOKEN_TOKEN = 'id_token token'
`id_token token` — OIDC Implicit flow returning both an ID Token and an access token (OIDC Core §3.2).
Like self::TOKEN, the implicit flow is discouraged by RFC 9700.

NONE
public string NONE = 'none'
`none` — Indicates that no token should be returned from the authorization endpoint. Used in OIDC for clients that only need to confirm the user is logged in.
Defined by "OAuth 2.0 Multiple Response Type Encoding Practices".

TOKEN
public string TOKEN = 'token'
`token` — Implicit flow (RFC 6749 §4.2).
The authorization endpoint returns an access token directly in the URL fragment.
Disallowed by OAuth 2.1 and RFC 9700 (Security BCP). Use self::CODE with PKCE instead.