OAuth 2.1

Authentication Security Notes Jan 6, 2025 JAVASCRIPT

Definition

OAuth 2.0 was released in 2012, and over a decade of real-world attacks and security research has taught us which optional features were actually essential. OAuth 2.1 is the “learned our lessons” version - it takes all those “you really should do this” recommendations and makes them mandatory. If OAuth 2.0 was a house with optional locks on some doors, OAuth 2.1 is the same house where every door is locked and you can’t even buy one without locks anymore.

The biggest change is that PKCE (Proof Key for Code Exchange) is now required for everyone, not just mobile apps. We learned the hard way that authorization codes can be intercepted by malicious apps, browser extensions, or man-in-the-middle attacks. PKCE prevents this by proving that the same client that started the authorization is the one completing it. OAuth 2.1 also completely removes the implicit flow, which was a convenient shortcut that turned out to be a security nightmare - it put access tokens directly in URLs where they could be leaked through browser history, referrer headers, or server logs.

Think of OAuth 2.1 as security-by-default rather than security-if-you-remember. It removes the dangerous options that seemed convenient but caused breaches. No more implicit flow. No more accepting passwords in the clear (the password grant is gone too). Refresh token rotation is strongly recommended. Exact redirect URI matching is required - no more wildcards that attackers could exploit. For developers, this actually simplifies things: fewer decisions to make, fewer ways to get it wrong, and automatic alignment with current security best practices.

Example

OAuth 2.1 reflects hard-learned lessons from security incidents across the industry:

Mobile App Authentication: Before OAuth 2.1, developers of mobile apps had to decide whether to implement PKCE - many didn’t because it seemed like extra work. This led to authorization code theft attacks where malicious apps could intercept codes. Now, a banking app implementing OAuth 2.1 uses PKCE automatically, protecting users even if they accidentally install a malicious app that tries to intercept login flows.

Single-Page Applications (SPAs): JavaScript apps used to commonly use the implicit flow because it was simpler - just get the token in the URL redirect. But those tokens ended up in browser history, got logged by analytics scripts, and leaked through referrer headers. A modern SPA following OAuth 2.1 uses authorization code flow with PKCE, keeping tokens out of URLs entirely and storing them securely.

Third-Party Integrations: When your HR system integrates with Slack or Salesforce, OAuth 2.1’s stricter redirect URI matching prevents a class of attacks where hackers register similar-looking domains. Instead of accepting https://yourcompany.com/*, OAuth 2.1 requires exact matching like https://yourcompany.com/oauth/callback - no wildcards, no path manipulation.

Enterprise Identity Providers: Companies like Okta, Auth0, and Azure AD have updated their services to support OAuth 2.1. When you configure a new application, they guide you toward OAuth 2.1 patterns and warn against (or block) deprecated flows. This means even developers unfamiliar with OAuth security get protected by default.

API Providers: Companies like Stripe and Twilio that offer OAuth-based integrations are adopting OAuth 2.1 to protect their customers. A partner building a Stripe integration automatically gets modern security without having to become an OAuth expert.

Analogy

The Updated Building Code: OAuth 2.0 was like a building code that said “you should probably install smoke detectors.” OAuth 2.1 is the updated code that says “smoke detectors are mandatory, and we’re not issuing permits without them.” The safety features that were optional recommendations are now legal requirements because too many buildings burned down.

The Car Safety Evolution: Early cars had optional seatbelts - many people didn’t use them. Modern cars require seatbelts, have airbags everywhere, and won’t stop beeping until you buckle up. OAuth 2.1 is like modern car safety: the features that save lives aren’t optional anymore because we have decades of crash data proving they work.

The Prescription Medication Update: Sometimes a medication that was available over-the-counter gets moved to prescription-only after we learn about side effects or abuse potential. OAuth 2.1 is similar - the “implicit flow” feature was freely available, but after years of security incidents, it’s been pulled from the shelves entirely.

The Restaurant Health Code: A restaurant might have said “you should wash your hands before handling food.” Then health inspectors made it mandatory after enough people got sick. OAuth 2.1 takes the security practices that were suggested and makes them inspectable requirements - you can’t pass the security audit without them.

Diagram

flowchart TB
    subgraph OAuth2["OAuth 2.0 (2012)"]
        direction TB
        AC1[Authorization Code Flow]
        IMP[Implicit Flow]
        PWD[Password Grant]
        CC1[Client Credentials]
        PKCE1[PKCE - Optional]
        RR1[Refresh Rotation - Optional]
        RU1[Redirect URI - Wildcards OK]
    end

    subgraph OAuth21["OAuth 2.1 (Current Best Practices)"]
        direction TB
        AC2[Authorization Code Flow]
        CC2[Client Credentials]
        PKCE2[PKCE - MANDATORY]
        RR2[Refresh Rotation - Recommended]
        RU2[Redirect URI - Exact Match Only]
    end

    OAuth2 -->|Evolution| OAuth21

    IMP -.->|REMOVED| X1[❌]
    PWD -.->|REMOVED| X2[❌]
    PKCE1 -->|Now Required| PKCE2
    RR1 -->|Strongly Recommended| RR2
    RU1 -->|Stricter| RU2

    style IMP fill:#ff6b6b,color:#fff
    style PWD fill:#ff6b6b,color:#fff
    style X1 fill:#ff6b6b,color:#fff
    style X2 fill:#ff6b6b,color:#fff
    style PKCE2 fill:#51cf66,color:#fff
    style RU2 fill:#51cf66,color:#fff

Code Example


// OAuth 2.1 - PKCE is mandatory for all flows
const crypto = require('crypto');

// Generate PKCE challenge
function generatePKCE() {
  const verifier = crypto.randomBytes(32).toString('base64url');
  const challenge = crypto
    .createHash('sha256')
    .update(verifier)
    .digest('base64url');

  return { verifier, challenge };
}

// 1. Start authorization with PKCE (required in OAuth 2.1)
const { verifier, challenge } = generatePKCE();
sessionStorage.setItem('pkce_verifier', verifier);

const authUrl = new URL('https://oauth.provider.com/authorize');
authUrl.searchParams.append('response_type', 'code');
authUrl.searchParams.append('client_id', 'your_client_id');
authUrl.searchParams.append('redirect_uri', 'https://yourapp.com/callback');
authUrl.searchParams.append('code_challenge', challenge);
authUrl.searchParams.append('code_challenge_method', 'S256');
authUrl.searchParams.append('scope', 'read:user');
authUrl.searchParams.append('state', generateRandomState());

window.location.href = authUrl.toString();

// 2. Exchange code with PKCE verifier
const tokenResponse = await fetch('https://oauth.provider.com/token', {
  method: 'POST',
  headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
  body: new URLSearchParams({
    grant_type: 'authorization_code',
    code: authorizationCode,
    client_id: 'your_client_id',
    redirect_uri: 'https://yourapp.com/callback',
    code_verifier: sessionStorage.getItem('pkce_verifier')
  })
});

Security Notes

SECURITY NOTES

CRITICAL: OAuth 2.1 is updated security best practices. Removes weak flows and makes PKCE mandatory.

Removed/Deprecated Flows:

  • No Implicit Flow: Removed due to security issues (tokens in URLs)
  • No Resource Owner Password: Removed due to password exposure
  • Authorization Code only: Primary recommended flow
  • PKCE required: Public clients must use PKCE
  • Refresh token rotation: Rotate on each use

PKCE Requirements:

  • Mandatory for public clients: Apps without backend must use PKCE
  • Code verifier: Random string, high entropy (43-128 characters)
  • Code challenge: SHA256 hash of code verifier
  • Validation: Server verifies challenge matches verifier

Token Security:

  • Bearer token attacks: Protect tokens from theft
  • Token expiration: Short-lived access tokens (minutes)
  • Refresh tokens: Longer-lived, more closely guarded
  • Token binding: Bind tokens to client credentials

Security Enhancements:

  • Proof Key: PKCE prevents authorization code interception
  • JAR (Request Objects): Signed request objects
  • Sender-Constrained Tokens: Tokens bound to client
  • Resource Indicators: Specify resource being accessed

Migration from OAuth 2.0:

  • Update clients: Implement PKCE for all clients
  • Remove implicit: Deprecate implicit flow
  • Token rotation: Implement refresh token rotation
  • Exact redirects: No wildcard redirect URIs
  • Security headers: Implement recommended headers

Standards & RFCs

Standards & RFCs
1)Draft- OAuth 2.1 Draft - IETF (Consolidates OAuth 2.0 best practices)
2)RFC 6749- [](https://reference.apios.info/terms/rfc-6749/) - OAuth 2.0 Authorization Framework (base specification)
3)RFC 7636- PKCE Extension (now mandatory)
4)RFC 9449- OAuth 2.0 DPoP