OAuth 2.1
What it is
OAuth 2.1 is not a new protocol but a cleanup: it folds the OAuth 2.0 core (RFC 6749), bearer token usage (RFC 6750), PKCE (RFC 7636), the native-app guidance and the OAuth Security Best Current Practice into one document and removes the parts that proved unsafe in practice. The goal is that a developer who follows OAuth 2.1 gets a secure result by default, without having to read a dozen RFCs and errata to learn which options are still safe to use.
What changes from OAuth 2.0
- PKCE is required for all authorization code flows, not just public clients. The S256 challenge method is the default; confidential clients cannot opt out.
- The implicit grant (response_type=token) is removed. Access tokens are no longer returned in the authorization response, so nothing token-bearing travels over the front channel.
- The resource owner password credentials grant is removed.
- Exact string matching of the redirect URI is mandated; prefix, wildcard and host-only matching are out (the only carve-out is the loopback port for native apps).
- Refresh tokens issued to public clients must be either sender-constrained or one-time use with rotation, so a leaked refresh token cannot be replayed indefinitely.
- Bearer tokens may no longer be sent in the URI query string; the Authorization header (or, for the token endpoint, the form body) is the only place for them.
How it works
The model is the same as OAuth 2.0: clients obtain scoped access tokens from an authorization server and present them to resource servers. In practice OAuth 2.1 means: use the authorization code flow with PKCE for anything with a user in the loop (web apps, SPAs and native apps alike), the client credentials grant for machine-to-machine calls, and the device authorization grant for input-constrained devices. Everything else in OAuth 2.0 is either gone or exists only as an extension.
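As an added worked example (written for this page, not taken from the OAuth 2.1 draft or from any library or vendor SDK), the Python below simulates both sides of the authorization code flow with PKCE in one process. The client generates the verifier and challenge and builds the authorization request; the authorization server enforces the OAuth 2.1 rules from the list above: response_type=code only, S256 PKCE for every client, exact redirect URI matching, one-time codes, and a token returned only from the token endpoint. The endpoint URL, client_id, redirect URI and scope are made-up values.

```python
# Added example: OAuth 2.1 authorization code flow with PKCE, client and
# authorization server sides, simulated in-process. Illustrative code for this
# page only; the endpoint, client_id, redirect URI and scope are assumptions.
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

CLIENT_ID = "spa-demo"                             # assumed registration
REDIRECT_URI = "https://app.example/callback"      # assumed, registered exactly
AUTHORIZE_ENDPOINT = "https://as.example/authorize"  # assumed


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires for verifier and challenge."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_pkce_pair() -> tuple[str, str]:
    """Client side: random code_verifier (43 chars here) and its S256 code_challenge."""
    verifier = b64url(secrets.token_bytes(32))
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def build_authorization_url(challenge: str, state: str,
                            scope: str = "openid profile",
                            redirect_uri: str = REDIRECT_URI) -> str:
    """Client side: the authorization request the browser is sent to."""
    return AUTHORIZE_ENDPOINT + "?" + urlencode({
        "response_type": "code", "client_id": CLIENT_ID, "redirect_uri": redirect_uri,
        "scope": scope, "state": state,
        "code_challenge": challenge, "code_challenge_method": "S256",
    })


def query_params(url: str) -> dict:
    """First value of each query parameter of a URL."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


class AuthorizationServer:
    """Minimal AS applying the OAuth 2.1 rules: code + PKCE only, exact redirect match,
    one-time codes, token only from the token endpoint."""

    def __init__(self, registered: dict):
        self.registered = registered          # client_id -> set of exact redirect URIs
        self.pending = {}                     # code -> what was bound at authorization time

    def authorize(self, url: str) -> str:
        p = query_params(url)
        if p.get("response_type") != "code":  # implicit (response_type=token) is removed
            raise ValueError("unsupported_response_type")
        # Exact string comparison: no prefix, wildcard or host-only matching.
        if p.get("redirect_uri") not in self.registered.get(p.get("client_id"), set()):
            raise ValueError("invalid_request: redirect_uri not registered")
        if p.get("code_challenge_method") != "S256" or not p.get("code_challenge"):
            raise ValueError("invalid_request: PKCE with S256 is required for every client")
        code = b64url(secrets.token_bytes(32))
        self.pending[code] = {"client_id": p["client_id"], "redirect_uri": p["redirect_uri"],
                              "code_challenge": p["code_challenge"], "scope": p.get("scope", "")}
        # Only the code and state cross the front channel, never a token.
        return p["redirect_uri"] + "?" + urlencode({"code": code, "state": p.get("state", "")})

    def token(self, form: dict) -> dict:
        if form.get("grant_type") != "authorization_code":   # no password grant
            raise ValueError("unsupported_grant_type")
        entry = self.pending.pop(form.get("code", ""), None)  # codes are one-time use
        if entry is None or entry["client_id"] != form.get("client_id") \
                or entry["redirect_uri"] != form.get("redirect_uri"):
            raise ValueError("invalid_grant")
        expected = b64url(hashlib.sha256(form.get("code_verifier", "").encode("ascii")).digest())
        if not secrets.compare_digest(expected, entry["code_challenge"]):
            raise ValueError("invalid_grant: code_verifier does not match code_challenge")
        return {"access_token": b64url(secrets.token_bytes(32)), "token_type": "Bearer",
                "expires_in": 3600, "scope": entry["scope"]}


def new_server() -> AuthorizationServer:
    return AuthorizationServer({CLIENT_ID: {REDIRECT_URI}})


def run_flow(server: AuthorizationServer, verifier: str = "") -> dict:
    """Whole exchange from the client's point of view. Pass a wrong `verifier`
    to see the token endpoint refuse the code."""
    real_verifier, challenge = make_pkce_pair()
    state = b64url(secrets.token_bytes(16))
    callback = server.authorize(build_authorization_url(challenge, state))
    q = query_params(callback)
    if q.get("state") != state:                  # CSRF check on the callback
        raise ValueError("state mismatch")
    return server.token({"grant_type": "authorization_code", "code": q["code"],
                         "redirect_uri": REDIRECT_URI, "client_id": CLIENT_ID,
                         "code_verifier": verifier or real_verifier})


def rejected(thunk) -> bool:
    """True if the authorization server refuses the request (for the negative cases)."""
    try:
        thunk()
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    print(run_flow(new_server()))
```

The negative cases are the ones worth trying: a verifier that does not hash to the stored challenge, a redirect URI that differs by a trailing path segment, response_type=token, and a second exchange of the same code are all refused by the server above, which is the behaviour the OAuth 2.1 changes are meant to guarantee.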
Status
OAuth 2.1 is an active IETF draft, not yet a published RFC. Most modern identity platforms already implement its recommendations, so adopting it today is mostly a matter of avoiding the removed flows and enforcing PKCE and exact redirect matching rather than waiting for a final RFC.
Pitfalls
- Legacy apps using the implicit or password grants need migration (to the authorization code flow with PKCE, or to client credentials where no user is involved) before they can claim OAuth 2.1 compliance.
- "OAuth 2.1 support" from a vendor usually means PKCE-by-default and dropped legacy grants; confirm the specifics, in particular exact redirect URI matching and refresh-token rotation or sender-constraining for public clients.
Related
OAuth 2.0, OpenID Connect, and the guide OAuth vs OIDC.