OAuth 2.1

datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1

OAuth 2.1 is an in-progress effort to consolidate and simplify the most commonly used features of OAuth 2.0.

Since the original publication of OAuth 2.0 (RFC 6749) in 2012, several new RFCs have been published that either add or remove functionality from the core spec, including OAuth 2.0 for Native Apps (RFC 8252), Proof Key for Code Exchange (RFC 7636), OAuth for Browser-Based Apps, and OAuth 2.0 Security Best Current Practice.

OAuth 2.1 consolidates the changes published in later specs to simplify the core document.

The major differences from OAuth 2.0 are listed below.

• PKCE is required for all OAuth clients using the authorization code flow
• Redirect URIs must be compared using exact string matching
• The Implicit grant (response_type=token) is omitted from this specification
• The Resource Owner Password Credentials grant is omitted from this specification
• Bearer token usage omits the use of bearer tokens in the query string of URIs
• Refresh tokens for public clients must either be sender-constrained or one-time use
• The definitions of public and confidential clients have been simplified to only refer to whether the client has credentials

More resources

• It's Time for OAuth 2.1 (by Aaron Parecki)
• What's new in OAuth 2.1? (Dan Moore, fusionauth.io)
• OAuth 2.1: How Many RFCs Does it Take to Change a Lightbulb? (by Lee McGovern)
• What's New with OAuth and OpenID Connect? - Oktane Live (Aaron Parecki)
• Differences between OAuth 2 and OAuth 2.1 (by Dan Moore)