OAuth 2.1 is an in-progress effort to consolidate and simplify OAuth 2.0.
Since the original publication of OAuth 2.0 (RFC 6749) in 2012, several new RFCs have been published that either add or remove functionality from the core spec, including OAuth 2.0 for Native Apps (RFC 8252), Proof Key for Code Exchange (RFC 7636), OAuth for Browser-Based Apps, and OAuth 2.0 Security Best Current Practice.
OAuth 2.1 consolidates the changes published in later specs to simplify the core document.
The major differences from OAuth 2.0 are listed below.
- The authorization code grant is extended with PKCE, so that under this specification the authorization code grant can only be used together with the PKCE mechanism
- Redirect URIs must be compared using exact string matching
- The Implicit grant (`response_type=token`) is omitted from this specification
- The Resource Owner Password Credentials grant is omitted from this specification
- Bearer token usage omits the use of bearer tokens in the query string of URIs
- Refresh tokens must either be sender-constrained or one-time use