Standard · reviewed 2026-05-22

OAuth 2.1 explained — what changed, what it replaces, when to use it

OAuth 2.1 is the consolidated best-practice version of OAuth 2.0 — Authorization Code with PKCE is the default for every client.

Read the spec

OAuth 2.1 authorization code flow diagram with PKCE — visual sequence from user authentication through token exchange

TL;DR

If you're writing new OAuth code in 2026, you write OAuth 2.1. It folds RFC 6749 + RFC 7636 (PKCE) + RFC 9700 (Security BCP) into a single spec, removes the Implicit Flow and Resource Owner Password Credentials grant, requires PKCE for every authorization-code flow, and tightens refresh-token handling.

Published by

IETF OAuth Working Group

Spec

draft-ietf-oauth-v2-1 (Active draft as of 2026)

Who uses it

Every modern OAuth implementation — Okta, Microsoft Entra, Auth0, Ping, Curity, Google, GitHub, every IdP shipping new code in the last 2 years. The draft is informally treated as the current best-practice profile of OAuth even though it has not formally completed the IETF process.

Reviewed

2026-05-22

When to use

Every new OAuth integration. Migrate existing OAuth 2.0 code to OAuth 2.1 profile incrementally — start by adding PKCE everywhere, then remove Implicit + ROPC, then enable refresh-token rotation.

When not to use

No real "when not to use" — even if your IdP only formally supports OAuth 2.0, you can implement against the OAuth 2.1 profile (PKCE-everywhere) without breaking interop. If the IdP requires the Implicit Flow specifically (some legacy on-prem SAML-bridge products), get off it.

What got removed

OAuth 2.1 removes two grants that produced more incidents than value:

Implicit Flow — Returned the access token directly in the URL fragment. Vulnerable to token leakage via browser history, referer headers, and analytics. Replaced by Authorization Code + PKCE, which is just as fast for SPAs and dramatically safer.
Resource Owner Password Credentials (ROPC) — Client asks the user for their username + password, then exchanges them for a token. Defeats the entire purpose of OAuth (third-party auth without sharing the password). Was originally allowed only as a migration aid for legacy systems.

What got mandated

OAuth 2.1 promotes several previously-optional protections to required:

PKCE on every authorization-code flow — not just public clients. Even confidential clients must use PKCE. This eliminates a class of code-interception attacks.
Exact-match redirect URIs — no wildcard matching, no path-suffix matching. The IdP compares the redirect_uri to the registered URI byte-for-byte.
Refresh-token rotation for public clients — each /token call with a refresh_token returns a *new* refresh_token; the old one is invalidated. Reuse of an old refresh token signals a possible compromise.
Sender-constrained access tokens (recommended, not required) — DPoP or mTLS binding so a stolen bearer token cannot be replayed from a different client.

The Authorization Code + PKCE flow, end to end

This is now the universal default. Every other flow is a specialization. The flow:

# 1. Generate PKCE pair (client-side)
  code_verifier  = high-entropy random string (43-128 chars)
  code_challenge = base64url(sha256(code_verifier))

# 2. Redirect to /authorize
GET /authorize
  ?response_type=code
  &client_id=<client>
  &redirect_uri=<callback>
  &scope=openid profile
  &state=<csrf>
  &code_challenge=<challenge>
  &code_challenge_method=S256

# 3. User authenticates + consents → /callback?code=<auth_code>&state=<csrf>

# 4. Exchange code for tokens
POST /token
  grant_type=authorization_code
  &code=<auth_code>
  &redirect_uri=<callback>
  &client_id=<client>
  &code_verifier=<verifier>

# 5. Tokens returned
{
  "access_token": "...",
  "id_token": "...",
  "refresh_token": "...",
  "token_type": "Bearer",
  "expires_in": 3600
}

What "OAuth 2.1 compliant" actually means in practice

Most IdP product teams use "OAuth 2.1 compliant" as a marketing label. What it means concretely:

The product accepts and validates PKCE on every authorization-code flow.
The product does not offer the Implicit Flow or ROPC as default options.
The product validates redirect_uri exactly against the registered URI.
The product enforces refresh-token rotation (for public clients) and detects replay.

Migration checklist for an existing OAuth 2.0 codebase

Sequence that minimizes risk for an in-place upgrade:

Audit existing flows. Find every place you call /authorize. List the grant type for each.
Add PKCE to every authorization-code flow. Backwards-compatible: an IdP that doesn't understand PKCE will ignore the parameters.
Eliminate the Implicit Flow. Replace every implicit-flow client with authorization-code + PKCE. SPA frameworks have supported this for years.
Eliminate ROPC. If you still have it for legacy integrations, those need a real upgrade path (federated SSO or a service-account migration).
Tighten redirect_uri registration. Move from wildcards to exact URIs.
Enable refresh-token rotation. Many IdPs now offer this as a per-application toggle.

FAQ

Questions we get on this standard.

What is OAuth?
OAuth is an open authorization framework that lets an application access a resource (an API, an account) on a user's behalf without ever handling the user's password. The user grants the app a scoped, revocable access token; the app uses that token to call the API. OAuth governs authorization (what an app may do) — not authentication (who the user is); that is added by OpenID Connect on top. OAuth 2.1 is the current best-practice consolidation of OAuth 2.0.
Is OAuth 2.1 an official IETF RFC yet?
Not yet. It's an active IETF Internet-Draft. The industry has informally adopted the practices in advance of formal publication because the changes are non-controversial — every major IdP already implements the profile.
Does OAuth 2.1 deprecate OAuth 2.0?
No, OAuth 2.0 (RFC 6749) remains in force. OAuth 2.1 is a "best current practices" consolidation. Code written to OAuth 2.0 + PKCE + the security BCP is OAuth-2.1-compliant by default.
How does OAuth 2.1 relate to OpenID Connect (OIDC)?
OIDC is an identity layer on top of OAuth 2.0 — it adds the ID Token concept + standard claims + a discovery endpoint. OIDC works on top of OAuth 2.1 the same way it worked on OAuth 2.0. Anywhere you used PKCE before, you still use it.
What about the Device Authorization Grant (RFC 8628)?
Still valid. RFC 8628 is referenced by OAuth 2.1 as the correct flow for devices with no browser (smart TVs, IoT, CLIs). The Implicit Flow was the wrong tool for that job; the Device Grant is the right one.

Use the tool

Understanding the spec is the easy part.

We implement OAuth 2.1 integrations across regulated enterprises — workforce SSO, B2B SaaS federation, customer identity. Same-day reply.

Talk to a practice leadMore explainers

What got removed

OAuth 2.1 removes two grants that produced more incidents than value:

Implicit Flow — Returned the access token directly in the URL fragment. Vulnerable to token leakage via browser history, referer headers, and analytics. Replaced by Authorization Code + PKCE, which is just as fast for SPAs and dramatically safer.

Resource Owner Password Credentials (ROPC) — Client asks the user for their username + password, then exchanges them for a token. Defeats the entire purpose of OAuth (third-party auth without sharing the password). Was originally allowed only as a migration aid for legacy systems.

What got mandated

OAuth 2.1 promotes several previously-optional protections to required:

PKCE on every authorization-code flow — not just public clients. Even confidential clients must use PKCE. This eliminates a class of code-interception attacks.

Exact-match redirect URIs — no wildcard matching, no path-suffix matching. The IdP compares the redirect_uri to the registered URI byte-for-byte.

Refresh-token rotation for public clients — each /token call with a refresh_token returns a *new* refresh_token; the old one is invalidated. Reuse of an old refresh token signals a possible compromise.

Sender-constrained access tokens (recommended, not required) — DPoP or mTLS binding so a stolen bearer token cannot be replayed from a different client.

The Authorization Code + PKCE flow, end to end

This is now the universal default. Every other flow is a specialization. The flow:

# 1. Generate PKCE pair (client-side) code_verifier = high-entropy random string (43-128 chars) code_challenge = base64url(sha256(code_verifier)) # 2. Redirect to /authorize GET /authorize ?response_type=code &client_id=<client> &redirect_uri=<callback> &scope=openid profile &state=<csrf> &code_challenge=<challenge> &code_challenge_method=S256 # 3. User authenticates + consents → /callback?code=<auth_code>&state=<csrf> # 4. Exchange code for tokens POST /token grant_type=authorization_code &code=<auth_code> &redirect_uri=<callback> &client_id=<client> &code_verifier=<verifier> # 5. Tokens returned { "access_token": "...", "id_token": "...", "refresh_token": "...", "token_type": "Bearer", "expires_in": 3600 }

What "OAuth 2.1 compliant" actually means in practice

Most IdP product teams use "OAuth 2.1 compliant" as a marketing label. What it means concretely:

The product accepts and validates PKCE on every authorization-code flow.

The product does not offer the Implicit Flow or ROPC as default options.

The product validates redirect_uri exactly against the registered URI.

The product enforces refresh-token rotation (for public clients) and detects replay.

Migration checklist for an existing OAuth 2.0 codebase

Sequence that minimizes risk for an in-place upgrade:

Audit existing flows. Find every place you call /authorize. List the grant type for each.

Add PKCE to every authorization-code flow. Backwards-compatible: an IdP that doesn't understand PKCE will ignore the parameters.

Eliminate the Implicit Flow. Replace every implicit-flow client with authorization-code + PKCE. SPA frameworks have supported this for years.

Eliminate ROPC. If you still have it for legacy integrations, those need a real upgrade path (federated SSO or a service-account migration).

Tighten redirect_uri registration. Move from wildcards to exact URIs.

Enable refresh-token rotation. Many IdPs now offer this as a per-application toggle.

Questions we get on this standard.

What is OAuth?

OAuth is an open authorization framework that lets an application access a resource (an API, an account) on a user's behalf without ever handling the user's password. The user grants the app a scoped, revocable access token; the app uses that token to call the API. OAuth governs authorization (what an app may do) — not authentication (who the user is); that is added by OpenID Connect on top. OAuth 2.1 is the current best-practice consolidation of OAuth 2.0.

Is OAuth 2.1 an official IETF RFC yet?

Not yet. It's an active IETF Internet-Draft. The industry has informally adopted the practices in advance of formal publication because the changes are non-controversial — every major IdP already implements the profile.

Does OAuth 2.1 deprecate OAuth 2.0?

No, OAuth 2.0 (RFC 6749) remains in force. OAuth 2.1 is a "best current practices" consolidation. Code written to OAuth 2.0 + PKCE + the security BCP is OAuth-2.1-compliant by default.

How does OAuth 2.1 relate to OpenID Connect (OIDC)?

OIDC is an identity layer on top of OAuth 2.0 — it adds the ID Token concept + standard claims + a discovery endpoint. OIDC works on top of OAuth 2.1 the same way it worked on OAuth 2.0. Anywhere you used PKCE before, you still use it.

What about the Device Authorization Grant (RFC 8628)?

Still valid. RFC 8628 is referenced by OAuth 2.1 as the correct flow for devices with no browser (smart TVs, IoT, CLIs). The Implicit Flow was the wrong tool for that job; the Device Grant is the right one.