OAuth 2.1: What Changed and Why It Matters
OAuth 2.1 consolidates security best practices from recent years. We break down key differences from OAuth 2.0 and what you need to update in your application.
What is OAuth 2.1
OAuth 2.1 is not a new protocol, but an updated specification that combines OAuth 2.0 and all the accumulated security best practices into a single document.
If you’re using OAuth 2.0 following modern recommendations, the transition will be minimal. If not, this article will show you where the issues are.
Key Changes
1. PKCE is mandatory for everyone
In OAuth 2.0, PKCE (Proof Key for Code Exchange) was an optional extension for mobile apps. In OAuth 2.1, it’s mandatory for all clients, including server-side ones.
PKCE protects against authorization code interception. Without it, an attacker who intercepts the code can obtain a token.
# Client generates:
code_verifier = random_string(43-128 chars)
code_challenge = BASE64URL(SHA256(code_verifier))
# In /authorize request:
?code_challenge=...&code_challenge_method=S256
# In /token request:
&code_verifier=...
2. Implicit flow removed
Implicit flow returned access_token directly in the redirect URI (in URL fragment). This created risks:
- Token ended up in browser history
- Token could leak through Referer header
- Cannot issue refresh token
Replacement: Authorization Code Flow + PKCE works in both SPAs and mobile apps.
3. Resource Owner Password Credentials removed
ROPC flow passed the user’s login and password directly to the client. This violates the main OAuth principle — the user should not trust their password to the application.
Replacement: Device Authorization Grant for devices without a browser.
4. Refresh token rotation
Every time a refresh token is used, the server issues a new one and invalidates the old one. If the old token is reused — it’s a sign of a leak, and all session tokens are revoked.
What to Update
If you maintain an OAuth 2.0 server:
- Add mandatory PKCE validation for Authorization Code Flow
- Disable Implicit and ROPC endpoints
- Implement refresh token rotation
- Verify that Bearer tokens are not accepted in URL query parameters
Versola and OAuth 2.1
Versola implements OAuth 2.1 and OpenID Connect from day one. PKCE is mandatory, Implicit flow is absent, refresh token rotation is enabled by default.