
[Announcement] OAuth2.1 and OAuth3 drafts

ybelenko opened this issue 4 years ago • 10 comments

OAuth2.1 and OAuth3 drafts have been announced.

OAuth 2.1:

  • RFC6749 - OAuth 2.0 Core
  • RFC6750 - Bearer token usage
  • RFC7636 - PKCE
  • Native App & Browser-Based App BCPs (best current practices)
  • Security BCP (best current practice):
    • MUST support PKCE for all client types
    • No password grant
    • No implicit flow
    • Exact string matching for redirect URIs
    • No access tokens in query string
    • Refresh tokens must be sender-constrained or one-time use

OAuth 3:

  • In development under a new IETF working group
  • Re-thinking OAuth from the ground up
  • Not backwards compatible
  • Consolidate all various use cases in OAuth into a new framework

It seems to me that these changes to the specification should be applied:

  • Deprecate implicit in OAuth Flows Object
  • Deprecate password in OAuth Flows Object
  • Deprecate in: query for the apiKey type of security scheme (not sure about this one; maybe apiKey isn't related to access tokens)

I don't know whether I should subscribe @aaronpk to this thread, but at least he can confirm that I retyped the text from his What's New With OAuth and OIDC? video presentation correctly.

ybelenko, May 31 '20 11:05
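As an added example (not code from the issue or from the OpenAPI project), a small Python lint that walks an OpenAPI 3.x document's securitySchemes and flags exactly the items the post proposes deprecating: the implicit and password flows, and apiKey schemes delivered in the query string. The sample document, scheme names and `auth.example` URLs are constructed.

```python
from typing import Any

# Constructed OpenAPI 3.x fragment (not from the project): it mixes the two flows
# the issue wants deprecated with an OAuth 2.1-compatible authorizationCode flow.
SAMPLE_SPEC: dict[str, Any] = {
    "openapi": "3.0.3",
    "components": {
        "securitySchemes": {
            "legacyOAuth": {
                "type": "oauth2",
                "flows": {
                    "implicit": {"authorizationUrl": "https://auth.example/authorize", "scopes": {}},
                    "password": {"tokenUrl": "https://auth.example/token", "scopes": {}},
                    "authorizationCode": {
                        "authorizationUrl": "https://auth.example/authorize",
                        "tokenUrl": "https://auth.example/token",
                        "scopes": {"read": "Read access"},
                    },
                },
            },
            "queryToken": {"type": "apiKey", "name": "access_token", "in": "query"},
            "headerKey": {"type": "apiKey", "name": "X-API-Key", "in": "header"},
        }
    },
}

# Flows removed by OAuth 2.1, keyed by their OAuth Flows Object field name.
DEPRECATED_FLOWS = {
    "implicit": "OAuth 2.1 removes the implicit grant",
    "password": "OAuth 2.1 removes the password grant",
}

def find_oauth21_findings(spec: dict[str, Any]) -> list[str]:
    """Return one human-readable finding per scheme/flow that conflicts with OAuth 2.1."""
    findings: list[str] = []
    schemes = spec.get("components", {}).get("securitySchemes", {})
    for name, scheme in schemes.items():
        kind = scheme.get("type")
        if kind == "oauth2":
            for flow, reason in DEPRECATED_FLOWS.items():
                if flow in scheme.get("flows", {}):
                    findings.append(f"{name}: flow '{flow}' ({reason})")
        elif kind == "apiKey" and scheme.get("in") == "query":
            # Only a real concern when the "key" is an access token, as the issue notes.
            findings.append(f"{name}: apiKey '{scheme.get('name')}' in query string (OAuth 2.1 forbids access tokens in the query string)")
    return findings

if __name__ == "__main__":
    for finding in find_oauth21_findings(SAMPLE_SPEC):
        print(finding)
```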