OAuth 2.1

The modern auth-delegation flow: code + PKCE for everyone.


In plain terms

Removes the implicit and password grants. Adds mandatory PKCE, exact-match redirect URIs, and refresh token rotation.

Origin

Aaron Parecki and Dick Hardt began consolidating OAuth 2.0 plus ten years of security errata into OAuth 2.1 in 2020. It is still an IETF draft, but most modern OAuth libraries already implement its rules.

Where it shows up in production
  • PKCE everywhere: previously only mobile/public clients; now confidential clients use it too.
  • No implicit / no password grants: both grant types are deprecated. Only authorization-code-with-PKCE and client-credentials remain.
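To make those rules concrete, here is an added example (not code from the OAuth 2.1 draft, from Semicolony, or from any OAuth library): a toy in-memory authorization server that accepts only the authorization code grant with S256 PKCE, compares redirect URIs by exact string match, makes codes single-use, and rotates refresh tokens with reuse detection. The client id `app`, the redirect URI `https://app.example/cb`, and the `reason` field in error responses are constructed for the example; the S256 computation and the verifier/challenge character rules follow RFC 7636.

```python
import base64
import hashlib
import hmac
import re
import secrets

# RFC 7636 syntax: verifier is 43..128 unreserved chars; an S256 challenge is
# 43 base64url chars (32-byte SHA-256 digest, unpadded).
VERIFIER_RE = re.compile(r"[A-Za-z0-9\-._~]{43,128}")
CHALLENGE_RE = re.compile(r"[A-Za-z0-9_\-]{43}")


def b64url(data: bytes) -> str:
    """Base64url without padding, as used for the verifier and challenge."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    """Client side: 32 random octets -> 43 unreserved characters (the RFC 7636 minimum)."""
    return b64url(secrets.token_bytes(32))


def code_challenge_s256(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthorizationServer:
    """Toy in-memory AS (constructed for this example) applying the OAuth 2.1 rules:
    code grant only, PKCE S256 mandatory, exact-match redirect_uri, single-use
    codes, rotating refresh tokens with reuse detection."""

    def __init__(self, clients):
        self.clients = clients      # client_id -> list of registered redirect URIs
        self.codes = {}             # code -> (client_id, redirect_uri, code_challenge)
        self.refresh_tokens = {}    # refresh token -> (family id, still active?)
        self.revoked_families = set()

    def authorize(self, client_id, redirect_uri, code_challenge, method="S256"):
        # Exact string comparison of redirect_uri: no prefix, wildcard or path matching.
        if redirect_uri not in self.clients.get(client_id, []):
            return {"error": "invalid_request", "reason": "redirect_uri not registered"}
        # OAuth 2.1 drops the implicit grant and requires PKCE; only S256 is accepted here.
        if method != "S256" or not CHALLENGE_RE.fullmatch(code_challenge or ""):
            return {"error": "invalid_request", "reason": "PKCE with S256 is required"}
        code = secrets.token_urlsafe(32)
        self.codes[code] = (client_id, redirect_uri, code_challenge)
        return {"code": code}

    def token(self, code, client_id, redirect_uri, code_verifier):
        pending = self.codes.pop(code, None)  # single use: consumed even if the exchange fails
        if pending is None:
            return {"error": "invalid_grant", "reason": "unknown or already used code"}
        bound_client, bound_redirect, challenge = pending
        if bound_client != client_id or bound_redirect != redirect_uri:
            return {"error": "invalid_grant", "reason": "client_id/redirect_uri mismatch"}
        if not VERIFIER_RE.fullmatch(code_verifier or ""):
            return {"error": "invalid_grant", "reason": "malformed code_verifier"}
        if not hmac.compare_digest(code_challenge_s256(code_verifier), challenge):
            return {"error": "invalid_grant", "reason": "PKCE verification failed"}
        return self._issue(family=secrets.token_hex(8))

    def refresh(self, refresh_token):
        entry = self.refresh_tokens.get(refresh_token)
        if entry is None:
            return {"error": "invalid_grant", "reason": "unknown refresh token"}
        family, active = entry
        if family in self.revoked_families:
            return {"error": "invalid_grant", "reason": "token family revoked"}
        if not active:
            # A rotated-out token came back: treat the whole family as compromised.
            self.revoked_families.add(family)
            return {"error": "invalid_grant", "reason": "refresh token reuse detected"}
        self.refresh_tokens[refresh_token] = (family, False)  # rotate: old token is spent
        return self._issue(family)

    def _issue(self, family):
        refresh_token = secrets.token_urlsafe(32)
        self.refresh_tokens[refresh_token] = (family, True)
        return {"access_token": secrets.token_urlsafe(32),
                "token_type": "Bearer", "refresh_token": refresh_token}


if __name__ == "__main__":
    srv = AuthorizationServer({"app": ["https://app.example/cb"]})  # constructed registration
    verifier = make_code_verifier()
    code = srv.authorize("app", "https://app.example/cb", code_challenge_s256(verifier))["code"]
    tokens = srv.token(code, "app", "https://app.example/cb", verifier)
    print("first exchange:", "refresh_token" in tokens)
    print("code replay:", srv.token(code, "app", "https://app.example/cb", verifier)["error"])
    rotated = srv.refresh(tokens["refresh_token"])
    print("old token reuse:", srv.refresh(tokens["refresh_token"])["error"])
    print("family after reuse:", srv.refresh(rotated["refresh_token"])["error"])
```

The error responses mirror the token endpoint's `error` codes (`invalid_request`, `invalid_grant`); the `reason` field is only there to make the example readable. Note that a code is consumed on its first presentation even when the PKCE check fails, so a stolen code cannot be retried with guessed verifiers.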