Torsten Lodderstedt
• OAuth 2.1 is a consolidation of: OAuth 2.0 (RFC6749), Native Apps BCP (RFC8252), PKCE (RFC7636), Browser-Based Apps BCP (draft), Security BCP (draft), Bearer Tokens (RFC6750)
• Grant types defined: Authorization Code with PKCE, Client Credentials
• Exact redirect URI matching
• No Bearer tokens in query strings
• Refresh tokens for SPAs must be sender-constrained or one-time use
• Implicit and password grants are omitted
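The three server-side checks these points imply (PKCE S256 verification, exact redirect URI matching, rejecting bearer tokens in the query string), as an added illustration that is not code from the talk or from any OAuth library; the URLs are constructed sample values.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlsplit


def _b64url(data: bytes) -> str:
    # BASE64URL encoding without padding, as RFC 7636 specifies for PKCE.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_pkce_pair(nbytes: int = 32) -> tuple[str, str]:
    # Client side: a high-entropy code_verifier and its S256 code_challenge.
    verifier = _b64url(secrets.token_bytes(nbytes))
    challenge = _b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def verify_pkce(code_verifier: str, stored_challenge: str, method: str = "S256") -> bool:
    # Authorization server side at the token endpoint: recompute the challenge
    # from the presented verifier and compare in constant time. Only S256 is
    # accepted here; "plain" offers no protection against a leaked challenge.
    if method != "S256":
        return False
    expected = _b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())
    return secrets.compare_digest(expected, stored_challenge)


def redirect_uri_allowed(requested: str, registered: list[str]) -> bool:
    # OAuth 2.1: the redirect_uri must match a registered value exactly.
    # No prefix, wildcard or "same host" matching; query strings and
    # path tricks therefore fail by construction.
    return any(requested == r for r in registered)


def bearer_in_query_string(request_url: str) -> bool:
    # Resource server side: OAuth 2.1 forbids access_token as a query
    # parameter (it ends up in logs, referrers and browser history), so
    # such requests should be rejected rather than honoured.
    return "access_token" in parse_qs(urlsplit(request_url).query)
```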