First Draft of OAuth 2.1

OAuth WG
First Draft of OAuth 2.1

March 11, 2020
I'm happy to share that Dick and Torsten and I have published a first draft of OAuth 2.1. We've taken the feedback from the discussions on the list and incorporated that into the draft.

tools.ietf.org/html/draft-parecki-oauth-v2-1-01

A summary of the differences between this draft and OAuth 2.0 can be found in section 12, and I've copied them here below.
This draft consolidates the functionality in OAuth 2.0 (RFC6749), OAuth 2.0 for Native Apps (RFC8252), Proof Key for Code Exchange (RFC7636), OAuth 2.0 for Browser-Based Apps (I-D.ietf-oauth-browser-based-apps), OAuth Security Best Current Practice (I-D.ietf-oauth-security-topics), and Bearer Token Usage (RFC6750).

Where a later draft updates or obsoletes functionality found in the original [RFC6749], that functionality in this draft is updated with the normative changes described in a later draft, or removed entirely.

A non-normative list of changes from OAuth 2.0 is listed below:

The authorization code grant is extended with the functionality from PKCE ([RFC7636]) such that the only method of using the authorization code grant according to this specification requires the addition of the PKCE mechanism

Redirect URIs must be compared using exact string matching as per Section 4.1.3 of [I-D.ietf-oauth-security-topics]

The Implicit grant ("response_type=token") is omitted from this specification as per Section 2.1.2 of [I-D.ietf-oauth-security-topics]

The Resource Owner Password Credentials grant is omitted from this specification as per Section 2.4 of [I-D.ietf-oauth-security-topics]

Bearer token usage omits the use of bearer tokens in the query string of URIs as per Section 4.3.2 of [I-D.ietf-oauth-security-topics] * Refresh tokens must either be sender-constrained or one-time use as per Section 4.12.2 of [I-D.ietf-oauth-security-topics]
tools.ietf.org/html/draft-parecki-oauth-v2-1-01#section-12

I'm excited for the direction this is taking, and it has been a pleasure working with Dick and Torsten on this so far. My hope is that this first draft can serve as a good starting point for our future discussions!
Wed, Mar 11, 2020 5:22pm -07:00 #oauth #oauth2 #ietf #oauth21

61 likes 27 reposts 2 replies 4 mentions
Have you written a response to this? Let me know the URL:
- Amirsh twitter.com/A_sharif90
  
  Congratulations. So, happy to hear that the first Draft is coming out.
  
  Thu, Mar 12, 2020 5:36am +00:00 (via brid-gy.appspot.com)
- Boomrang twitter.com/boomrang99
  
  Congratulations! What is the normal process where this becomes a standard?
  
  Thu, Mar 12, 2020 1:47am +00:00 (via brid-gy.appspot.com)
Other Mentions
- N (\dev\ice) twitter.com/XGRldlxpY2UK
  
  aaronparecki.com/2020/03/11/14/…
  
  Fri, Mar 20, 2020 5:29pm +00:00 (via brid-gy.appspot.com)
- Marta Beltrán twitter.com/experiencia_T
  
  First Draft of OAuth 2.1 aaronparecki.com/2020/03/11/14/…
  
  Thu, Mar 12, 2020 8:19am +00:00 (via brid-gy.appspot.com)
- Torsten Lodderstedt twitter.com/tlodderstedt
  
  The OAuth 2.1 draft aims at rolling up the Security and other BCPs into an up-to-date starting point for developers.
  
  Thu, Mar 12, 2020 7:10am +00:00 (via brid-gy.appspot.com)
- Aaron Parecki aaronparecki.com
  
  The first draft of OAuth 2.1 is out! Thanks so much to @tlodderstedt and @DickHardt for their work on this!
  
  https://aaronparecki.com/2020/03/11/14/oauth-2-1
  
  Wed, Mar 11, 2020 5:32pm -07:00

Posted in /articles using quill.p3k.io

Aaron Parecki

Other Mentions