OAuth2TokenType uses ConstantsTrait
Enumeration of OAuth 2.0 / OIDC access token types and Token Exchange token type identifiers.
Two distinct registries are exposed here:
- HTTP token types — values returned in the `OAuth2TokenField::TOKEN_TYPE` field of a successful token response and used in the `Authorization` HTTP header scheme: `self::BEARER`, `self::DPOP`, `self::MAC`.
- Token Exchange URIs (RFC 8693 §3) — values used in the `subject_token_type`, `actor_token_type`, `requested_token_type`, and `issued_token_type` parameters of a Token Exchange request or response.
Example (Bearer):
$client = new Client
([
    'headers' =>
    [
        'Authorization' => OAuth2TokenType::BEARER . ' ' . $accessToken ,
    ]
]) ;
Example (Token Exchange):
$params =
[
    OAuth2Parameter::GRANT_TYPE    => OAuth2GrantType::TOKEN_EXCHANGE ,
    OAuth2Parameter::SUBJECT_TOKEN => $userToken ,
    'subject_token_type'           => OAuth2TokenType::URI_ACCESS_TOKEN ,
    'requested_token_type'         => OAuth2TokenType::URI_ACCESS_TOKEN ,
] ;
References:
- RFC 6749 §5.1 (token_type)
- RFC 6750 (Bearer)
- RFC 8693 §3 (Token Exchange token type identifiers)
- RFC 9449 (DPoP)
- draft-ietf-oauth-v2-http-mac (MAC, expired)
Table of Contents
Constants
- BEARER : string = 'Bearer'
- `Bearer` — Bearer token (RFC 6750).
- DPOP : string = 'DPoP'
- `DPoP` — Demonstrating Proof-of-Possession at the Application Layer (RFC 9449).
- MAC : string = 'MAC'
- `MAC` — Message Authentication Code token type.
- N_A : string = 'N_A'
- `N_A` — Returned by Token Exchange (RFC 8693) when the issued token is not directly usable as a bearer-style access token (e.g. a SAML assertion).
- URI_ACCESS_TOKEN : string = 'urn:ietf:params:oauth:token-type:access_token'
- `urn:ietf:params:oauth:token-type:access_token` — Indicates that the token is an OAuth 2.0 access token (RFC 8693 §3).
- URI_ID_TOKEN : string = 'urn:ietf:params:oauth:token-type:id_token'
- `urn:ietf:params:oauth:token-type:id_token` — Indicates that the token is an OIDC ID Token (RFC 8693 §3).
- URI_JWT : string = 'urn:ietf:params:oauth:token-type:jwt'
- `urn:ietf:params:oauth:token-type:jwt` — Indicates that the token is a JWT (RFC 7519). Often used as a generic JWT subject token in Token Exchange (RFC 8693 §3).
- URI_REFRESH_TOKEN : string = 'urn:ietf:params:oauth:token-type:refresh_token'
- `urn:ietf:params:oauth:token-type:refresh_token` — Indicates that the token is an OAuth 2.0 refresh token (RFC 8693 §3).
- URI_SAML1 : string = 'urn:ietf:params:oauth:token-type:saml1'
- `urn:ietf:params:oauth:token-type:saml1` — Indicates that the token is a base64url-encoded SAML 1.1 assertion (RFC 8693 §3).
- URI_SAML2 : string = 'urn:ietf:params:oauth:token-type:saml2'
- `urn:ietf:params:oauth:token-type:saml2` — Indicates that the token is a base64url-encoded SAML 2.0 assertion (RFC 8693 §3).
Constants
BEARER
`Bearer` — Bearer token (RFC 6750).
public string BEARER = 'Bearer'
Any party in possession of the token can use it. By far the most common token type. Sent in the `Authorization: Bearer <token>` HTTP header.
Value is case-insensitive on the wire (RFC 6749 §5.1) but the canonical form is `Bearer`.
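Added example, not part of the library: choosing the `Authorization` scheme from a decoded token response, matching `token_type` case-insensitively and refusing values that belong to the Token Exchange registry. The function name, the locally redefined constants, the decision to refuse `MAC`, and the strict `issued_token_type` check are assumptions of this example (the last is stricter than RFC 8693 requires).

```php
<?php
// Added example. Values are copied from this page so the block runs without the
// library; with the library, use the OAuth2TokenType constants instead.
const HTTP_SCHEMES     = ['bearer' => 'Bearer', 'dpop' => 'DPoP']; // lowercase => canonical
const N_A              = 'N_A';
const URI_ACCESS_TOKEN = 'urn:ietf:params:oauth:token-type:access_token';

/** Returns the canonical scheme, or throws if the token must not go in an Authorization header. */
function authorizationScheme(array $response): string
{
    $type = (string) ($response['token_type'] ?? '');

    // Token Exchange marks non-access tokens (for example a SAML assertion) with N_A.
    if (strcasecmp($type, N_A) === 0) {
        throw new DomainException('issued token is not an access token');
    }
    // Assumed local policy: when issued_token_type is present it must say access_token.
    $issued = $response['issued_token_type'] ?? URI_ACCESS_TOKEN;
    if ($issued !== URI_ACCESS_TOKEN) {
        throw new DomainException("issued_token_type is $issued");
    }
    // Case-insensitive lookup, canonical output. Anything else is refused,
    // including MAC (assumed policy) and URNs from the other registry.
    $scheme = HTTP_SCHEMES[strtolower($type)] ?? null;
    if ($scheme === null) {
        throw new DomainException('unsupported token_type');
    }
    return $scheme;
}

// Constructed sample token responses.
$samples = [
    ['token_type' => 'bearer'],
    ['token_type' => 'DPoP'],
    ['token_type' => 'N_A', 'issued_token_type' => 'urn:ietf:params:oauth:token-type:saml2'],
    ['token_type' => 'MAC'],
    ['token_type' => URI_ACCESS_TOKEN], // registry mix-up: a URN where a scheme belongs
];
foreach ($samples as $r) {
    try {
        echo $r['token_type'], ' => ', authorizationScheme($r), PHP_EOL;
    } catch (DomainException $e) {
        echo $r['token_type'], ' => refused: ', $e->getMessage(), PHP_EOL;
    }
}
```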
DPOP
`DPoP` — Demonstrating Proof-of-Possession at the Application Layer (RFC 9449).
public string DPOP = 'DPoP'
Sender-constrained access token tied to a client-held key. Each request must carry a fresh DPoP proof JWT in the `DPoP` header alongside `Authorization: DPoP <token>`.
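Added example, not part of the library: building the per-request DPoP proof (RFC 9449) that accompanies `Authorization: DPoP <token>`, using only PHP 8 and ext-openssl with an ES256 key. The helper names, the sample token and the `api.example.com` URL are assumptions made for illustration.

```php
<?php
// Added example (PHP 8+, ext-openssl). Key, token and URL are constructed sample values.
function b64url(string $bin): string
{
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}

// openssl_sign() emits a DER ECDSA signature; JWS ES256 needs raw R||S (2 x 32 bytes).
function derToRaw(string $der): string
{
    $pos = 2;                        // skip SEQUENCE tag and its 1-byte length
    $raw = '';
    for ($i = 0; $i < 2; $i++) {     // two INTEGERs: R, then S
        $len  = ord($der[$pos + 1]);
        $int  = ltrim(substr($der, $pos + 2, $len), "\x00");
        $raw .= str_pad($int, 32, "\x00", STR_PAD_LEFT);
        $pos += 2 + $len;
    }
    return $raw;
}

function dpopProof(OpenSSLAsymmetricKey $key, string $method, string $url, string $accessToken): string
{
    $ec  = openssl_pkey_get_details($key)['ec'];
    $pad = fn (string $c): string => b64url(str_pad($c, 32, "\x00", STR_PAD_LEFT));
    $header = [
        'typ' => 'dpop+jwt',
        'alg' => 'ES256',
        'jwk' => ['kty' => 'EC', 'crv' => 'P-256', 'x' => $pad($ec['x']), 'y' => $pad($ec['y'])],
    ];
    $claims = [
        'jti' => bin2hex(random_bytes(16)),   // unique per proof so the server can reject replays
        'htm' => $method,
        'htu' => $url,                        // target URI without query or fragment
        'iat' => time(),
        'ath' => b64url(hash('sha256', $accessToken, true)), // binds the proof to this token
    ];
    $enc   = fn (array $a): string => b64url(json_encode($a, JSON_UNESCAPED_SLASHES));
    $input = $enc($header) . '.' . $enc($claims);
    openssl_sign($input, $der, $key, OPENSSL_ALGO_SHA256) || throw new RuntimeException('signing failed');
    return $input . '.' . b64url(derToRaw($der));
}

$key     = openssl_pkey_new(['private_key_type' => OPENSSL_KEYTYPE_EC, 'curve_name' => 'prime256v1']);
$token   = 'sample-access-token';
$headers = [
    'Authorization' => 'DPoP ' . $token,   // scheme value is OAuth2TokenType::DPOP
    'DPoP'          => dpopProof($key, 'GET', 'https://api.example.com/resource', $token),
];
print_r($headers);
```

The proof is built again for every request: `jti` and `iat` change each time, and `htm`/`htu` must match the request actually sent.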
MAC
`MAC` — Message Authentication Code token type.
The MAC token type IETF draft has expired and is not a published RFC. Exposed only for completeness; prefer self::DPOP for sender-constrained tokens.
public string MAC = 'MAC'
N_A
`N_A` — Returned by Token Exchange (RFC 8693) when the issued token is not directly usable as a bearer-style access token (e.g. a SAML assertion).
public string N_A = 'N_A'
URI_ACCESS_TOKEN
`urn:ietf:params:oauth:token-type:access_token` — Indicates that the token is an OAuth 2.0 access token (RFC 8693 §3).
public string URI_ACCESS_TOKEN = 'urn:ietf:params:oauth:token-type:access_token'
URI_ID_TOKEN
`urn:ietf:params:oauth:token-type:id_token` — Indicates that the token is an OIDC ID Token (RFC 8693 §3).
public string URI_ID_TOKEN = 'urn:ietf:params:oauth:token-type:id_token'
URI_JWT
`urn:ietf:params:oauth:token-type:jwt` — Indicates that the token is a JWT (RFC 7519). Often used as a generic JWT subject token in Token Exchange (RFC 8693 §3).
public string URI_JWT = 'urn:ietf:params:oauth:token-type:jwt'
URI_REFRESH_TOKEN
`urn:ietf:params:oauth:token-type:refresh_token` — Indicates that the token is an OAuth 2.0 refresh token (RFC 8693 §3).
public string URI_REFRESH_TOKEN = 'urn:ietf:params:oauth:token-type:refresh_token'
URI_SAML1
`urn:ietf:params:oauth:token-type:saml1` — Indicates that the token is a base64url-encoded SAML 1.1 assertion (RFC 8693 §3).
public string URI_SAML1 = 'urn:ietf:params:oauth:token-type:saml1'
URI_SAML2
`urn:ietf:params:oauth:token-type:saml2` — Indicates that the token is a base64url-encoded SAML 2.0 assertion (RFC 8693 §3).
public string URI_SAML2 = 'urn:ietf:params:oauth:token-type:saml2'