Specifications: RFC 6749 and RFC 6750 - Grants and access tokens | RFC 7519 - JSON Web Tokens (JWTs) - see also RFC 7515, RFC 7516, RFC 7517, RFC 7518 and RFC 7520 | RFC 7662 - introspection/access token verification | RFC 7636 - PKCE
- RFC 8252 discusses OAuth grants and mobile applications. Since mobile applications cannot maintain secrets and each application has a high level of control over the user input, there are certain additional steps you must take to ensure security. This is especially important if the client and the IdP are not controlled by the same organization.
- RFC 7591, dynamic client registration, allows clients to register themselves. In core OAuth, client registration occurs rarely and is typically done in a manual manner. With this RFC, clients can discover everything they need to register themselves. This is useful when you want to have many unique clients.
- RFC 8628 creates an additional grant, the device grant, designed specifically for clients that have limited user input options, such as televisions or other appliances. With this grant, people may log in using a secondary input device, such as a computer or phone, and still have the original client receive the access token.
- RFC 9068 covers how to specify JWT access tokens in a standard format, allowing different IdPs and resource servers to interoperate.
- DPoP/MTLS addresses an issue left unresolved with the core token RFC, 6750, because of implementation complexity. These documents (the former of which is a draft, not a full-fledged RFC) outline how to bind a token to a particular client. Each of these uses a different mechanism, but if the idea of a bearer token being stolen and used by a malicious actor is unacceptable to you or your security team, using these can help.
OAuth2 Security Best Practices
OAuth IETF Working Group
What is OAuth? A Breakdown for Beginners
OAuth 2.1 - This specification consolidates best practices around security and usability which have been added to OAuth over the years since it was released. The authors have explicitly ruled out any breaking changes or radical modifications.
GNAP - A reimagination of the OAuth protocol, in the same way that OAuth2 was a reimagining of earlier protocols. This early draft includes breaking changes such as introducing new software actors and changing the core communication format from form parameters to JSON.
Last modified 09 February 2023