OpenAPI-Specification
[Announcement] OAuth2.1 and OAuth3 drafts
OAuth 2.1 and OAuth 3 drafts have been announced.
OAuth 2.1:
- RFC6749 - OAuth 2.0 Core
- RFC6750 - Bearer token usage
- RFC7636 - PKCE
- Native App & Browser-Based App BCPs (best current practices)
- Security BCP (best current practice):
  - MUST support PKCE for all client types
  - No password grant
  - No implicit flow
  - Exact string matching for redirect URIs
  - No access tokens in query string
  - Refresh tokens must be sender-constrained or one-time use
OAuth 3:
- In development under a new IETF working group
- Re-thinking OAuth from the ground up
- Not backwards compatible
- Consolidate all various use cases in OAuth into a new framework
It seems to me that these changes to the specification should be applied:
- Deprecate `implicit` in OAuth Flows Object
- Deprecate `password` in OAuth Flows Object
- Deprecate `in: query` for `apiKey` type of security scheme (this one not sure, maybe `apiKey` isn't related to access tokens)
Don't know whether I should subscribe @aaronpk to this thread, but at least he can confirm that I retyped text from his What's New With OAuth and OIDC? video presentation correctly.
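As an added illustration of what the proposed deprecations would catch (example code, not part of the OpenAPI-Specification project or the issue author's proposal): a small linter that walks `components.securitySchemes` of an OpenAPI 3.x document and reports `oauth2` schemes that still declare the `implicit` or `password` flow, and `apiKey` schemes that place the credential `in: query`. The sample document, the scheme names and the finding texts are constructed for this example.

```python
"""Lint an OpenAPI 3.x document for security schemes that conflict with the
OAuth 2.1 draft / Security BCP items listed above.

Added example, not part of the OpenAPI-Specification project. The document
below and the finding messages are constructed for illustration.
"""
from typing import Dict, List

# Constructed sample: one recommended scheme plus the patterns the issue
# proposes to deprecate (implicit flow, password flow, apiKey in query).
SAMPLE_OPENAPI: Dict = {
    "openapi": "3.0.3",
    "components": {
        "securitySchemes": {
            "OAuth2Good": {
                "type": "oauth2",
                "flows": {
                    "authorizationCode": {
                        "authorizationUrl": "https://auth.example/authorize",
                        "tokenUrl": "https://auth.example/token",
                        "scopes": {"read": "Read access"},
                    }
                },
            },
            "OAuth2Legacy": {
                "type": "oauth2",
                "flows": {
                    "implicit": {
                        "authorizationUrl": "https://auth.example/authorize",
                        "scopes": {"read": "Read access"},
                    },
                    "password": {
                        "tokenUrl": "https://auth.example/token",
                        "scopes": {"read": "Read access"},
                    },
                },
            },
            "TokenInQuery": {"type": "apiKey", "name": "access_token", "in": "query"},
            "TokenInHeader": {"type": "apiKey", "name": "X-API-Key", "in": "header"},
        }
    },
}

# Flows the OAuth 2.1 draft drops, keyed by their OAuth Flows Object names.
DISALLOWED_FLOWS = {
    "implicit": "OAuth 2.1 removes the implicit grant; use authorizationCode with PKCE",
    "password": "OAuth 2.1 removes the resource owner password grant",
}


def lint_security_schemes(doc: Dict) -> List[str]:
    """Return one finding per scheme/flow that conflicts with the Security BCP."""
    findings: List[str] = []
    schemes = doc.get("components", {}).get("securitySchemes", {})
    for name, scheme in schemes.items():
        scheme_type = scheme.get("type")
        if scheme_type == "oauth2":
            for flow in scheme.get("flows", {}):
                if flow in DISALLOWED_FLOWS:
                    findings.append(f"{name}: flow '{flow}': {DISALLOWED_FLOWS[flow]}")
        elif scheme_type == "apiKey" and scheme.get("in") == "query":
            # Security BCP: no access tokens in the query string. The same
            # concern applies to any credential in the URL (it lands in
            # server logs, browser history and Referer headers), so the
            # check flags every apiKey scheme that uses `in: query`.
            findings.append(
                f"{name}: apiKey in query: credentials must not be sent in the URL query string"
            )
    return findings


if __name__ == "__main__":
    for finding in lint_security_schemes(SAMPLE_OPENAPI):
        print(finding)
```

Run as a script it prints three findings for the sample: the two legacy flows on `OAuth2Legacy` and the query-string `apiKey`; `OAuth2Good` (authorization code) and `TokenInHeader` pass. Dropping the `apiKey` branch is a one-line change if the spec ends up deprecating only the OAuth-related items.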