OAuth 2.1: The Future of API Security

OAuth 2.1 The Future of API Security Rob Allen, October 2025

OAuth is the standard for securing access to APIs Rob Allen ~ akrabat.com

OAuth 2.0 A Refresher Rob Allen ~ akrabat.com

OAuth 2.0 Roles • • • • Resource Owner (The User) Resource Server (The API) Client (The application that uses the API) Authorization Server (OAuth server) Rob Allen ~ akrabat.com

OAuth 2.0 Protocol Flows • • • • Resource Owner Password Credentials Authorization Code Implict Client Credentials Rob Allen ~ akrabat.com

Password Credentials Flow For logging into 1st party apps Rob Allen ~ akrabat.com

Password Credentials Flow Rob Allen ~ akrabat.com

Authorization Code Flow For logging into 3rd party websites Rob Allen ~ akrabat.com

Authorization Code Flow Rob Allen ~ akrabat.com

Implicit Flow For logging into 3rd party apps and web SPAs Rob Allen ~ akrabat.com

Implict Flow Rob Allen ~ akrabat.com

Client Credentials Flow For jobs that don’t need user permission Rob Allen ~ akrabat.com

Client Credentials Flow Rob Allen ~ akrabat.com

OAuth 2.0 Refresh token • Allows the client to gain a new access token • Refresh tokens need to be kept secure • Authorization server can choose not to issue Rob Allen ~ akrabat.com

OAuth 2.0 Since 2012 Rob Allen ~ akrabat.com

The OAuth 2.0 Framework in 2012 Rob Allen ~ akrabat.com

The OAuth 2.0 Framework Today Rob Allen ~ akrabat.com

Key extensions since 2012 • • • • RFC 7009: OAuth 2.0 Token Revocation RFC 7519: JSON Web Tokens (JWT) RFC 7636: Authorization Code without a client secret (PKCE) RFC 8628: Device Authorization grant for devices Rob Allen ~ akrabat.com

PKCE • First created for mobile, but useful for all public clients • Protects the authorization code in the redirect • We know that the right client is converting the code to a token Rob Allen ~ akrabat.com

PKCE workflow Rob Allen ~ akrabat.com

Device Authorization Flow For apps with no browser (or keyboard) Rob Allen ~ akrabat.com

Device Authorization Flow Rob Allen ~ akrabat.com

Best Practices since 2012 • RFC 7900: Best Current Practice for OAuth 2.0 Security • RFC 8653: OAuth 2.0 for Native Apps • OAUTH-WG: OAuth 2.0 for Browser Apps Rob Allen ~ akrabat.com

OAuth 2.1 Rob Allen ~ akrabat.com

My main goal with OAuth 2.1 is to capture the current best practices in OAuth 2.0 as well as its well-established extensions under a single name. Aaron Parecki Rob Allen ~ akrabat.com

Key Objectives of OAuth 2.1 • Not a new protocol Rob Allen ~ akrabat.com

Key Objectives of OAuth 2.1 • Not a new protocol • Simplifies the specification Rob Allen ~ akrabat.com

Key Objectives of OAuth 2.1 • Not a new protocol • Simplifies the specification • Incorporation of Best Current Practices Rob Allen ~ akrabat.com

OAuth 2.1 Flows • Authorization Code must be used with PKCE • Device Authorization • Client Credentials Rob Allen ~ akrabat.com

Tokens • No access tokens in query strings Rob Allen ~ akrabat.com

Tokens • No access tokens in query strings • Refresh tokens must be sender constrained or one-time use Rob Allen ~ akrabat.com

Tokens • No access tokens in query strings • Refresh tokens must be sender constrained or one-time use • Refined token management (shorter lifetimes, rotation policies) Rob Allen ~ akrabat.com

Other things • Redirect URIs must be exact matches Rob Allen ~ akrabat.com

Other things • Redirect URIs must be exact matches • State parameter is now mandatory for CSRF protection Rob Allen ~ akrabat.com

Other things • Redirect URIs must be exact matches • State parameter is now mandatory for CSRF protection • Confidential client now means a client that has credentials, otherwise it’s Public Rob Allen ~ akrabat.com

Going forwards Rob Allen ~ akrabat.com

Migrating to 2.1 Rob Allen ~ akrabat.com

Migrating to 2.1 • Review current implementation Rob Allen ~ akrabat.com

Migrating to 2.1 • Review current implementation • Adopt Authorization Code flow with PKCE Rob Allen ~ akrabat.com

Migrating to 2.1 • Review current implementation • Adopt Authorization Code flow with PKCE • Remove deprecated flows Rob Allen ~ akrabat.com

Migrating to 2.1 • • • • Review current implementation Adopt Authorization Code flow with PKCE Remove deprecated flows Secure redirect Uris Rob Allen ~ akrabat.com

Migrating to 2.1 • • • • • Review current implementation Adopt Authorization Code flow with PKCE Remove deprecated flows Secure redirect Uris Review and implement the Best Current Practices Rob Allen ~ akrabat.com

Other relatively new OAuth features Rob Allen ~ akrabat.com

Other relatively new OAuth features • Demonstrating Proof of Possession (RFC 9449) • Mutual TLS (RFC 8705) Rob Allen ~ akrabat.com

Other relatively new OAuth features • • • • Demonstrating Proof of Possession (RFC 9449) Mutual TLS (RFC 8705) JWT Profile for Access Tokens (RFC 9068) JWT-Secured Authorization Requests (RFC 9101) Rob Allen ~ akrabat.com

Other relatively new OAuth features • • • • • • Demonstrating Proof of Possession (RFC 9449) Mutual TLS (RFC 8705) JWT Profile for Access Tokens (RFC 9068) JWT-Secured Authorization Requests (RFC 9101) Rich Authorization Requests (RFC 9396) Pushed Authorization Requests (RFC 9126) Rob Allen ~ akrabat.com

Rob Allen ~ akrabat.com

Thank you! slides: https://akrabat.com/7505 Rob Allen ~ akrabat.com