OAuth 2.1: What Changed and Why It Matters

OAuth 2.1 consolidates security best practices from recent years. We break down key differences from OAuth 2.0 and what you need to update in your application.

What is OAuth 2.1

OAuth 2.1 is not a new protocol, but an updated specification that combines OAuth 2.0 and all the accumulated security best practices into a single document.

If you’re using OAuth 2.0 following modern recommendations, the transition will be minimal. If not, this article will show you where the issues are.

Key Changes

1. PKCE is mandatory for everyone

In OAuth 2.0, PKCE (Proof Key for Code Exchange) was an optional extension for mobile apps. In OAuth 2.1, it’s mandatory for all clients, including server-side ones.

PKCE protects against authorization code interception. Without it, an attacker who intercepts the code can obtain a token.

# Client generates:
code_verifier = random_string(43-128 chars)
code_challenge = BASE64URL(SHA256(code_verifier))

# In /authorize request:
?code_challenge=...&code_challenge_method=S256

# In /token request:
&code_verifier=...

2. Implicit flow removed

Implicit flow returned access_token directly in the redirect URI (in URL fragment). This created risks:

Replacement: Authorization Code Flow + PKCE works in both SPAs and mobile apps.

3. Resource Owner Password Credentials removed

ROPC flow passed the user’s login and password directly to the client. This violates the main OAuth principle — the user should not trust their password to the application.

Replacement: Device Authorization Grant for devices without a browser.

4. Refresh token rotation

Every time a refresh token is used, the server issues a new one and invalidates the old one. If the old token is reused — it’s a sign of a leak, and all session tokens are revoked.

What to Update

If you maintain an OAuth 2.0 server:

  1. Add mandatory PKCE validation for Authorization Code Flow
  2. Disable Implicit and ROPC endpoints
  3. Implement refresh token rotation
  4. Verify that Bearer tokens are not accepted in URL query parameters

Versola and OAuth 2.1

Versola implements OAuth 2.1 and OpenID Connect from day one. PKCE is mandatory, Implicit flow is absent, refresh token rotation is enabled by default.

← All articles