RFC Errata
RFC 8414, "OAuth 2.0 Authorization Server Metadata", June 2018
Source of RFC: oauth (sec)
Errata ID: 7793
Status: Reported
Type: Technical
Publication Format(s): TEXT
Reported By: Kristina Yasuda
Date Reported: 2024-01-31
Section 2 says:
response_types_supported REQUIRED. JSON array containing a list of the OAuth 2.0 "response_type" values that this authorization server supports. The array values used are the same as those used with the "response_types" parameter defined by "OAuth 2.0 Dynamic Client Registration Protocol" [RFC7591].
It should say:
response_types_supported JSON array containing a list of the OAuth 2.0 "response_type" values that this authorization server supports. This is REQUIRED unless no grant types are supported that use the authorization endpoint. The array values used are the same as those used with the "response_types" parameter defined by "OAuth 2.0 Dynamic Client Registration Protocol" [RFC7591].
Notes:
For the authorization servers that only support grant types that do not use the authorization endpoint (like the client credentials grant), there is no value to put in the required `response_types_supported` parameter. At the same time, section 3.2 says that "Claims with zero elements MUST be omitted from the response." The `authorization_endpoint` parameter is already required for the ASs that support grant types that use the authorization endpoint, so it should be the same for the `response_types_supported` parameter.
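The conflict described in the notes, as an added example that is not part of the erratum or of RFC 8414: a Python check that validates a metadata document under the published rule and under the proposed one, looking only at the fields discussed here. It assumes `authorization_code` and `implicit` are the only grant types that use the authorization endpoint; `check_metadata`, its `erratum` flag and the sample document are hypothetical names and constructed data.

```python
# Assumption: these are the only grant types that use the authorization
# endpoint (RFC 6749); extension grants would need to be added here.
AUTHZ_ENDPOINT_GRANTS = {"authorization_code", "implicit"}
# RFC 8414 default when grant_types_supported is omitted.
DEFAULT_GRANTS = ["authorization_code", "implicit"]

# Constructed sample: an AS that only supports the client credentials grant.
CC_ONLY = {
    "issuer": "https://as.example.com",
    "token_endpoint": "https://as.example.com/token",
    "grant_types_supported": ["client_credentials"],
}


def check_metadata(meta, erratum=False):
    """Return a sorted list of problems found in a metadata dict.

    erratum=False applies Section 2 as published; erratum=True applies the
    conditional requirement proposed in this erratum.
    """
    problems = []
    # Section 3.2: claims with zero elements MUST be omitted.
    for name, value in meta.items():
        if isinstance(value, list) and not value:
            problems.append(f"{name}: zero-element array must be omitted")

    grants = meta.get("grant_types_supported") or DEFAULT_GRANTS
    uses_authz = bool(AUTHZ_ENDPOINT_GRANTS & set(grants))

    # authorization_endpoint is already conditional in RFC 8414.
    if uses_authz and "authorization_endpoint" not in meta:
        problems.append("authorization_endpoint: required for these grant types")

    rt = meta.get("response_types_supported")
    if rt is None:
        # Published text: always required. Erratum: only with authz grants.
        if uses_authz or not erratum:
            problems.append("response_types_supported: required but missing")
    elif not isinstance(rt, list) or not all(isinstance(v, str) for v in rt):
        problems.append("response_types_supported: must be an array of strings")
    return sorted(problems)


if __name__ == "__main__":
    print("published:", check_metadata(CC_ONLY))
    print("erratum:  ", check_metadata(CC_ONLY, erratum=True))
    print("empty [] :", check_metadata({**CC_ONLY, "response_types_supported": []}))
```

Under the published rule the client-credentials-only document fails whether the parameter is omitted or sent as an empty array; under the erratum it passes only when omitted.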