What's New In OAuth 2.1?
See what's new in the OAuth 2.1 authorization framework. The OAuth 2.1 specification is intended to replace the OAuth 2.0 Authorization Framework (RFC 6749).
The OAuth 2.1 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf. The OAuth 2.1 specification replaces and obsoletes the OAuth 2.0 Authorization Framework described in RFC 6749.
The OAuth 2.1 specification consolidates the functionality of OAuth 2.0 (RFC 6749), OAuth 2.0 for Native Apps (RFC 8252), Proof Key for Code Exchange (RFC 7636), OAuth 2.0 for Browser-Based Apps and OAuth 2.0 Security Best Current Practice (both still Internet-Drafts at the time of writing), and Bearer Token Usage (RFC 6750).
The following list summarizes the changes OAuth 2.1 introduces on top of OAuth 2.0:
- The authorization code grant is extended with PKCE (RFC 7636), so that the default way of using the authorization code grant under this specification requires the PKCE parameters: code_challenge on the authorization request and code_verifier on the token request.
- Redirect URIs must be compared using exact string matching; the partial (prefix) matching that RFC 6749 tolerated is no longer permitted.
- The implicit grant (response_type=token), which delivered the access token in the URL fragment, is omitted.
- The Resource Owner Password Credentials grant (grant_type=password) is omitted.
- Bearer token usage no longer allows passing bearer tokens in the query string of URIs; the token is sent in the Authorization header (or the form-encoded body parameter).
- Refresh tokens should either be sender-constrained (bound to the client, for example with mutual TLS) or one-time use (rotated on every refresh).
- In addition to the confidential and public client types of OAuth 2.0, 2.1 introduces a third client type, credentialed: a client that has credentials but whose identity has not been confirmed by the authorization server, such as a dynamically registered client.
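Most of the changes above are checks an authorization or resource server makes at the request boundary, so they are easiest to see as code. The following Python is an added example written for this article, not code from the OAuth 2.1 draft, from yes.com or from any library: it generates and verifies PKCE values, rejects an authorization request that still uses the implicit grant, a non-exact redirect_uri or no code_challenge, refuses a password grant at the token endpoint, refuses a bearer token carried in the query string, and implements one-time-use refresh tokens with replay detection. The function and class names, the registered redirect URI and the sample request parameters are constructed for the illustration, and the example treats S256 as the only acceptable code_challenge_method, which is stricter than the draft's default.

```python
import base64
import hashlib
import re
import secrets
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

# ---- PKCE (RFC 7636): mandatory for the authorization code grant in OAuth 2.1 ----

def make_code_verifier() -> str:
    """Client side: 32 random bytes, base64url without padding -> 43 unreserved chars."""
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")

def code_challenge_s256(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier))), as in RFC 7636."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def pkce_verifies(stored_challenge: str, presented_verifier: str) -> bool:
    """Authorization server side, at the token endpoint: recompute and compare."""
    if not re.fullmatch(r"[A-Za-z0-9\-._~]{43,128}", presented_verifier):
        return False
    return secrets.compare_digest(code_challenge_s256(presented_verifier), stored_challenge)

# ---- Authorization request checks: no implicit grant, exact redirect_uri, PKCE required ----

def validate_authorization_request(params: Dict[str, str], registered_redirects: List[str]) -> List[str]:
    """Return the reasons an /authorize request would be rejected; an empty list means accepted."""
    errors = []
    if params.get("response_type") != "code":
        errors.append("unsupported_response_type: only the authorization code grant remains")
    # Exact string comparison against the registered list: no prefix, wildcard or host-only match.
    if params.get("redirect_uri") not in registered_redirects:
        errors.append("invalid_request: redirect_uri does not exactly match a registered URI")
    if "code_challenge" not in params:
        errors.append("invalid_request: code_challenge is required")
    elif params.get("code_challenge_method") != "S256":
        # Assumption of this example: accept S256 only (the draft still defines 'plain').
        errors.append("invalid_request: code_challenge_method must be S256")
    return errors

def validate_token_request_grant(grant_type: str) -> bool:
    """Token endpoint: the password grant is gone; the implicit grant never reached it."""
    return grant_type in ("authorization_code", "refresh_token", "client_credentials")

# ---- Bearer token presentation (RFC 6750 minus the query-string form) ----

def extract_bearer_token(headers: Dict[str, str], url: str) -> Optional[str]:
    """Resource server side: accept the token from the Authorization header only."""
    if "access_token" in parse_qs(urlsplit(url).query):
        raise ValueError("access_token in the query string is not allowed in OAuth 2.1")
    m = re.fullmatch(r"Bearer ([A-Za-z0-9\-._~+/]+=*)", headers.get("Authorization", ""))
    return m.group(1) if m else None

# ---- Refresh tokens: the one-time-use (rotation) option with replay detection ----

class RefreshTokenStore:
    """Each redemption retires the presented token and issues a new one for the same grant.
    Presenting a retired token again is treated as theft and revokes that grant entirely.
    (The other option the draft allows, sender-constraining via mTLS or DPoP, is not shown.)"""

    def __init__(self) -> None:
        self._active: Dict[str, str] = {}   # live refresh token -> grant id
        self._spent: Dict[str, str] = {}    # retired refresh token -> grant id
        self.revoked_grants = set()

    def issue(self, grant_id: str) -> str:
        token = secrets.token_urlsafe(32)
        self._active[token] = grant_id
        return token

    def redeem(self, token: str) -> Optional[str]:
        if token in self._active:
            grant_id = self._active.pop(token)
            self._spent[token] = grant_id
            return self.issue(grant_id)
        if token in self._spent:                     # replay of an already-used token
            grant_id = self._spent[token]
            self.revoked_grants.add(grant_id)
            for t in [t for t, g in self._active.items() if g == grant_id]:
                del self._active[t]
        return None

if __name__ == "__main__":
    # Constructed sample data for the walk-through.
    registered = ["https://app.example/cb"]
    verifier = make_code_verifier()
    request = {"response_type": "code", "client_id": "app", "redirect_uri": "https://app.example/cb",
               "code_challenge": code_challenge_s256(verifier), "code_challenge_method": "S256"}
    print(validate_authorization_request(request, registered))                                  # []
    print(validate_authorization_request({**request, "response_type": "token"}, registered))
    print(validate_authorization_request({**request, "redirect_uri": "https://app.example/cb/x"}, registered))
    print(pkce_verifies(request["code_challenge"], verifier))                                    # True
    store = RefreshTokenStore()
    first = store.issue("grant-1")
    second = store.redeem(first)
    print(second is not None, store.redeem(first), store.redeem(second))                        # True None None
```

The refresh token store shows why rotation matters: once the legitimate client has redeemed a token, an attacker who stole the earlier copy gets nothing, and the authorization server learns that the copy was stolen because a retired token came back. Replace the in-memory dictionaries with a shared, persistent store before using this pattern behind more than one server instance.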
At the 34th Silicon Valley IAM meetup, Torsten Lodderstedt, Chief Technology Officer (CTO) at yes.com, talked about what is new in OAuth 2.1. Torsten is a key contributor to many identity standards and a co-author of the OAuth 2.1 specification. Please find the recording below.