OAuth 2.1 — one-pager · askmeidentity

askmeidentity · OAuth 2.1 · 2026-05-22

OAuth 2.1 — one-pager

A printable single-page reference for OAuth 2.1: the canonical flow, the parameters that matter, what got removed from 2.0, and the security baseline.

The canonical flow (Authorization Code + PKCE)

1. Client generates code_verifier (random ≥43 chars) + code_challenge = SHA-256(verifier).
2. Client → /authorize with response_type=code + client_id + redirect_uri + code_challenge + code_challenge_method=S256 + scope + state.
3. User authenticates + consents. Authorization server redirects → redirect_uri?code=...&state=...
4. Client → /token with grant_type=authorization_code + code + redirect_uri + client_id + code_verifier.
5. Authorization server returns access_token (+ refresh_token if rotated) + id_token (if OIDC).

Required parameters

response_type	code	Only value accepted in OAuth 2.1
client_id	string	Registered client identifier
redirect_uri	absolute URI	Must be exact-match to a registered URI
code_challenge	S256 hash	PKCE — required even for confidential clients
code_challenge_method	S256	plain is NOT allowed in 2.1
state	opaque	CSRF protection, validated on callback
scope	space-separated	Optional but recommended
nonce	opaque	Required for OIDC, prevents token replay

What OAuth 2.1 removed from 2.0

Implicit Flow (response_type=token) — replaced by Authorization Code + PKCE
Resource Owner Password Credentials grant (ROPC) — incompatible with MFA + passkeys
Bearer tokens in query strings — must use Authorization header
Redirect URI partial matching — exact match only
"plain" PKCE method — S256 only

Refresh token rules (2.1)

Rotate on every use (single-use refresh tokens)
Bind to client when issued to a public client
Revoke entire chain if reuse detected (refresh-token reuse attack)

When to use which grant

SPA / mobile app	Authorization Code + PKCE	Public client
Server-side web app	Authorization Code + PKCE	Confidential client
Service-to-service	Client Credentials	No user involved
IoT / CLI	Device Authorization Grant	User auths on a separate device

askmeidentity · OAuth 2.1 · 2026-05-22

OAuth 2.1 — one-pager

A printable single-page reference for OAuth 2.1: the canonical flow, the parameters that matter, what got removed from 2.0, and the security baseline.

The canonical flow (Authorization Code + PKCE)

1. Client generates code_verifier (random ≥43 chars) + code_challenge = SHA-256(verifier).
2. Client → /authorize with response_type=code + client_id + redirect_uri + code_challenge + code_challenge_method=S256 + scope + state.
3. User authenticates + consents. Authorization server redirects → redirect_uri?code=...&state=...
4. Client → /token with grant_type=authorization_code + code + redirect_uri + client_id + code_verifier.
5. Authorization server returns access_token (+ refresh_token if rotated) + id_token (if OIDC).

Required parameters

response_type	code	Only value accepted in OAuth 2.1
client_id	string	Registered client identifier
redirect_uri	absolute URI	Must be exact-match to a registered URI
code_challenge	S256 hash	PKCE — required even for confidential clients
code_challenge_method	S256	plain is NOT allowed in 2.1
state	opaque	CSRF protection, validated on callback
scope	space-separated	Optional but recommended
nonce	opaque	Required for OIDC, prevents token replay

What OAuth 2.1 removed from 2.0

Implicit Flow (response_type=token) — replaced by Authorization Code + PKCE
Resource Owner Password Credentials grant (ROPC) — incompatible with MFA + passkeys
Bearer tokens in query strings — must use Authorization header
Redirect URI partial matching — exact match only
"plain" PKCE method — S256 only

Refresh token rules (2.1)

Rotate on every use (single-use refresh tokens)
Bind to client when issued to a public client
Revoke entire chain if reuse detected (refresh-token reuse attack)

When to use which grant

SPA / mobile app	Authorization Code + PKCE	Public client
Server-side web app	Authorization Code + PKCE	Confidential client
Service-to-service	Client Credentials	No user involved
IoT / CLI	Device Authorization Grant	User auths on a separate device

OAuth 2.1 — one-pager

OAuth 2.1 — one-pager

The canonical flow (Authorization Code + PKCE)

Required parameters

What OAuth 2.1 removed from 2.0

Refresh token rules (2.1)

When to use which grant

All printable references in one place.

OAuth 2.1 — one-pager

OAuth 2.1 — one-pager

The canonical flow (Authorization Code + PKCE)

Required parameters

What OAuth 2.1 removed from 2.0

Refresh token rules (2.1)

When to use which grant

All printable references in one place.