Aaron Parecki


    First Draft of OAuth 2.1

    March 11, 2020

    I'm happy to share that Dick and Torsten and I have published a first draft of OAuth 2.1. We've taken the feedback from the discussions on the list and incorporated that into the draft.

    tools.ietf.org/html/draft-parecki-oauth-v2-1-01

    A summary of the differences between this draft and OAuth 2.0 can be found in section 12, and I've copied them here below.

    This draft consolidates the functionality in OAuth 2.0 (RFC6749), OAuth 2.0 for Native Apps (RFC8252), Proof Key for Code Exchange (RFC7636), OAuth 2.0 for Browser-Based Apps (I-D.ietf-oauth-browser-based-apps), OAuth Security Best Current Practice (I-D.ietf-oauth-security-topics), and Bearer Token Usage (RFC6750).

    Where a later draft updates or obsoletes functionality found in the original [RFC6749], that functionality in this draft is updated with the normative changes described in a later draft, or removed entirely.

    A non-normative list of changes from OAuth 2.0 is listed below:

    • The authorization code grant is extended with the functionality from PKCE ([RFC7636]) such that the only method of using the authorization code grant according to this specification requires the addition of the PKCE mechanism
    • Redirect URIs must be compared using exact string matching as per Section 4.1.3 of [I-D.ietf-oauth-security-topics]
    • The Implicit grant ("response_type=token") is omitted from this specification as per Section 2.1.2 of [I-D.ietf-oauth-security-topics]
    • The Resource Owner Password Credentials grant is omitted from this specification as per Section 2.4 of [I-D.ietf-oauth-security-topics]
    • Bearer token usage omits the use of bearer tokens in the query string of URIs as per Section 4.3.2 of [I-D.ietf-oauth-security-topics]
    • Refresh tokens must either be sender-constrained or one-time use as per Section 4.12.2 of [I-D.ietf-oauth-security-topics]

    tools.ietf.org/html/draft-parecki-oauth-v2-1-01#section-12
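To make the list above concrete, here is an added example (my own illustration, not text or code from the draft or from its authors) of what those rules look like on the server side: an authorization endpoint that requires PKCE with S256 and compares redirect URIs by exact string match, a token endpoint that rejects the password grant, verifies the PKCE code_verifier and treats refresh tokens as one-time use, and a resource server that refuses bearer tokens passed in the query string. The client registration, URLs and the in-memory stores are constructed for the example; a real server would persist them and add expiry and client authentication.

```python
"""OAuth 2.1 server-side checks (added illustration; not the draft's own code)."""
import base64
import hashlib
import secrets
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Constructed client registration for this example (assumption, not from the draft).
REGISTERED_CLIENTS = {"example-client": {"redirect_uris": ["https://app.example/callback"]}}


def s256_challenge(verifier: str) -> str:
    """PKCE S256 transform from RFC 7636: BASE64URL(SHA256(ASCII(code_verifier))), no padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def check_authorization_request(params: Dict[str, str]) -> Tuple[bool, str]:
    """Apply the OAuth 2.1 rules to the parameters of an /authorize request."""
    if params.get("response_type") == "token":
        return False, "implicit grant (response_type=token) is not supported"
    if params.get("response_type") != "code":
        return False, "unsupported response_type"
    client = REGISTERED_CLIENTS.get(params.get("client_id", ""))
    if client is None:
        return False, "unknown client_id"
    # Exact string comparison only: no prefix, wildcard or normalisation tricks.
    if params.get("redirect_uri") not in client["redirect_uris"]:
        return False, "redirect_uri is not an exact match for a registered URI"
    # PKCE is mandatory for every authorization code request.
    if not params.get("code_challenge") or params.get("code_challenge_method") != "S256":
        return False, "PKCE code_challenge with code_challenge_method=S256 is required"
    return True, "ok"


class TokenEndpoint:
    """Minimal token endpoint: PKCE verification, no password grant, refresh token rotation."""

    def __init__(self) -> None:
        self.codes: Dict[str, Dict[str, str]] = {}  # authorization code -> issuance record
        self.refresh_tokens: Dict[str, str] = {}    # unused refresh token -> client_id

    def issue_code(self, client_id: str, redirect_uri: str, code_challenge: str) -> str:
        code = secrets.token_urlsafe(32)
        self.codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                            "code_challenge": code_challenge}
        return code

    def _issue_tokens(self, client_id: str) -> Dict[str, str]:
        refresh = secrets.token_urlsafe(32)
        self.refresh_tokens[refresh] = client_id
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                "refresh_token": refresh}

    def token(self, params: Dict[str, str]) -> Tuple[bool, object]:
        grant = params.get("grant_type")
        if grant == "password":
            return False, "resource owner password credentials grant is not supported"
        if grant == "authorization_code":
            record = self.codes.pop(params.get("code", ""), None)  # codes are single-use
            if record is None:
                return False, "invalid or already used authorization code"
            if (record["client_id"] != params.get("client_id")
                    or record["redirect_uri"] != params.get("redirect_uri")):
                return False, "client_id/redirect_uri differ from the authorization request"
            expected = s256_challenge(params.get("code_verifier", ""))
            if not secrets.compare_digest(expected, record["code_challenge"]):
                return False, "PKCE code_verifier does not match the stored code_challenge"
            return True, self._issue_tokens(record["client_id"])
        if grant == "refresh_token":
            # One-time use: the presented token is invalidated and a fresh one is issued.
            client_id = self.refresh_tokens.pop(params.get("refresh_token", ""), None)
            if client_id is None:
                return False, "refresh token invalid or already used"
            return True, self._issue_tokens(client_id)
        return False, "unsupported grant_type"


def extract_bearer_token(url: str, headers: Dict[str, str]) -> Tuple[Optional[str], str]:
    """Resource server side: accept the Authorization header, never the URI query string."""
    if "access_token" in parse_qs(urlsplit(url).query):
        return None, "bearer tokens in the URI query string are not accepted"
    auth = headers.get("Authorization", "")
    if auth.startswith("Bearer "):
        return auth[len("Bearer "):], "ok"
    return None, "no bearer token in the Authorization header"


def demo() -> Dict[str, bool]:
    """One happy path plus the rejected cases; returns which checks behaved as intended."""
    ep = TokenEndpoint()
    verifier = secrets.token_urlsafe(32)  # constructed client-side PKCE secret
    authz = {"response_type": "code", "client_id": "example-client",
             "redirect_uri": "https://app.example/callback",
             "code_challenge": s256_challenge(verifier), "code_challenge_method": "S256"}
    code = ep.issue_code("example-client", authz["redirect_uri"], authz["code_challenge"])
    ok_tok, tokens = ep.token({"grant_type": "authorization_code", "code": code,
                               "client_id": "example-client",
                               "redirect_uri": authz["redirect_uri"], "code_verifier": verifier})
    refresh = {"grant_type": "refresh_token", "refresh_token": tokens["refresh_token"]}
    return {
        "authorize_ok": check_authorization_request(authz)[0],
        "code_exchange_ok": ok_tok,
        "refresh_first_use_ok": ep.token(refresh)[0],
        "refresh_replay_rejected": not ep.token(refresh)[0],
        "implicit_rejected": not check_authorization_request({**authz, "response_type": "token"})[0],
        "loose_redirect_rejected": not check_authorization_request(
            {**authz, "redirect_uri": "https://app.example/callback/extra"})[0],
        "password_grant_rejected": not ep.token({"grant_type": "password"})[0],
        "query_token_rejected": extract_bearer_token("https://api.example/r?access_token=x", {})[0] is None,
    }
```

Running `demo()` exercises each rule once; every entry in the returned dict should be `True`. The two checks worth noting for reviewers are the exact-match redirect comparison (a trailing path segment on an otherwise registered URI is rejected) and the refresh token replay: the second use of the same refresh token fails because the first use removed it from the store.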

    I'm excited for the direction this is taking, and it has been a pleasure working with Dick and Torsten on this so far. My hope is that this first draft can serve as a good starting point for our future discussions!

    Wed, Mar 11, 2020 5:22pm -07:00 #oauth #oauth2 #ietf #oauth21
    • Amirsh twitter.com/A_sharif90
      Congratulations. So, happy to hear that the first Draft is coming out.
      Thu, Mar 12, 2020 5:36am +00:00 (via brid-gy.appspot.com)
    • Boomrang twitter.com/boomrang99
      Congratulations! What is the normal process where this becomes a standard?
      Thu, Mar 12, 2020 1:47am +00:00 (via brid-gy.appspot.com)

    Other Mentions

    • N (\dev\ice) twitter.com/XGRldlxpY2UK
      aaronparecki.com/2020/03/11/14/…
      Fri, Mar 20, 2020 5:29pm +00:00 (via brid-gy.appspot.com)
    • Marta Beltrán twitter.com/experiencia_T
      First Draft of OAuth 2.1 aaronparecki.com/2020/03/11/14/…
      Thu, Mar 12, 2020 8:19am +00:00 (via brid-gy.appspot.com)
    • Torsten Lodderstedt twitter.com/tlodderstedt
      The OAuth 2.1 draft aims at rolling up the Security and other BCPs into an up-to-date starting point for developers.
      Thu, Mar 12, 2020 7:10am +00:00 (via brid-gy.appspot.com)
    • Aaron Parecki aaronparecki.com
      The first draft of OAuth 2.1 is out! Thanks so much to @tlodderstedt and @DickHardt for their work on this!

      https://aaronparecki.com/2020/03/11/14/oauth-2-1
      Wed, Mar 11, 2020 5:32pm -07:00
Posted in /articles using quill.p3k.io

Hi, I'm Aaron Parecki, Director of Identity Standards at Okta, and co-founder of IndieWebCamp. I maintain oauth.net, write and consult about OAuth, and participate in the OAuth Working Group at the IETF. I also help people learn about video production and livestreaming. (detailed bio)

I've been tracking my location since 2008 and I wrote 100 songs in 100 days. I've spoken at conferences around the world about owning your data, OAuth, quantified self, and explained why R is a vowel. Read more.
