OAuth 2.1 vs. OAuth 2.0: A Detailed Tutorial

OAuth 2.1 is an evolution of the OAuth 2.0 framework, bringing several security enhancements and simplifications to the table. This tutorial will walk you through the key differences between OAuth 2.0 and OAuth 2.1, using practical examples to illustrate the changes.
Key Differences Between OAuth 2.0 and OAuth 2.1
- PKCE by Default
- Removal of Implicit Grant
- Redirect URI Requirements
- Refresh Token Best Practices
- OAuth 2.0 Form Post Response Mode
- Security Improvements and Recommendations
1. PKCE by Default
OAuth 2.0: PKCE (Proof Key for Code Exchange) was optional and primarily recommended for public clients (such as mobile apps).
OAuth 2.1: PKCE is mandatory for all clients, including confidential clients, to protect against authorization code interception attacks.
Example:
OAuth 2.0 (PKCE Optional):
GET /authorize?response_type=code
&client_id=YOUR_CLIENT_ID
&redirect_uri=YOUR_REDIRECT_URI
&scope=YOUR_SCOPES
&state=RANDOM_STRING
OAuth 2.1 (PKCE Mandatory):
GET /authorize?response_type=code
&client_id=YOUR_CLIENT_ID
&redirect_uri=YOUR_REDIRECT_URI
&scope=YOUR_SCOPES
&state=RANDOM_STRING
&code_challenge=BASE64URL(sha256(CODE_VERIFIER))
&code_challenge_method=S256
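How the code_challenge in the request above is derived and later checked, as an added Python example that is not part of this tutorial: the client generates the verifier and challenge, and the authorization server recomputes the challenge at the token endpoint. The function names, the hypothetical demo() flow and the rule that only S256 is accepted are assumptions.

```python
import base64
import hashlib
import hmac
import re
import secrets

# code_verifier alphabet and length allowed by PKCE: 43..128 unreserved characters.
_VERIFIER_RE = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")


def b64url_nopad(data: bytes) -> str:
    """BASE64URL without '=' padding, the encoding code_challenge uses."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def new_code_verifier() -> str:
    """Client side: a high-entropy random verifier (32 bytes -> 43 characters)."""
    return b64url_nopad(secrets.token_bytes(32))


def code_challenge_s256(code_verifier: str) -> str:
    """Client side: code_challenge = BASE64URL(sha256(CODE_VERIFIER))."""
    return b64url_nopad(hashlib.sha256(code_verifier.encode("ascii")).digest())


def verify_pkce(stored_challenge: str, stored_method: str, presented_verifier: str) -> bool:
    """Authorization server side, at /token: recompute the challenge from the
    code_verifier that accompanies the authorization code and compare it with the
    challenge stored when the code was issued at /authorize.
    Assumption: only S256 is enabled; 'plain' or a malformed verifier is rejected
    before any hashing happens."""
    if stored_method != "S256":
        return False
    if not _VERIFIER_RE.fullmatch(presented_verifier):
        return False
    expected = code_challenge_s256(presented_verifier)
    # Constant-time comparison so the check leaks nothing about the stored value.
    return hmac.compare_digest(expected.encode("ascii"), stored_challenge.encode("ascii"))


def demo() -> bool:
    """Hypothetical end-to-end run: the right verifier passes, any other fails."""
    verifier = new_code_verifier()
    challenge = code_challenge_s256(verifier)  # sent in the /authorize request
    accepted = verify_pkce(challenge, "S256", verifier)  # sent in the /token request
    stolen_code_only = verify_pkce(challenge, "S256", new_code_verifier())
    return accepted and not stolen_code_only
```

The constructed vector in the test is the one published with the PKCE specification, so the encoding can be checked against a known answer.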
2. Removal of Implicit Grant
OAuth 2.0: The Implicit Grant flow was used for single-page applications to obtain tokens directly from the authorization endpoint without an intermediate authorization code.
OAuth 2.1: The Implicit Grant flow has been removed due to security vulnerabilities. Single-page applications should now use the Authorization Code flow with PKCE.
Example:
OAuth 2.0 Implicit Grant (Deprecated in OAuth 2.1):
GET /authorize?response_type=token
&client_id=YOUR_CLIENT_ID
&redirect_uri=YOUR_REDIRECT_URI
&scope=YOUR_SCOPES
&state=RANDOM_STRING
OAuth 2.1 Authorization Code with PKCE:
GET /authorize?response_type=code
&client_id=YOUR_CLIENT_ID
&redirect_uri=YOUR_REDIRECT_URI
&scope=YOUR_SCOPES
&state=RANDOM_STRING
&code_challenge=BASE64URL(sha256(CODE_VERIFIER))
&code_challenge_method=S256
3. Redirect URI Requirements
OAuth 2.0: Allowed the use of wildcard patterns in redirect URIs, which could introduce security risks.
OAuth 2.1: Requires exact matches for redirect URIs, enhancing security by preventing open redirect attacks.
Example:
OAuth 2.0 Wildcard Redirect URI:
redirect_uri=https://example.com/*
OAuth 2.1 Exact Redirect URI:
redirect_uri=https://example.com/callback
4. Refresh Token Best Practices
OAuth 2.0: Did not specify best practices for refresh token usage.
OAuth 2.1: Recommends refresh token rotation, where each refresh token use results in a new refresh token being issued, invalidating the previous one. This reduces the impact of a compromised refresh token.
Example:
OAuth 2.0 Refresh Token Request:
POST /token
Content-Type: application/x-www-form-urlencoded
grant_type=refresh_token
&refresh_token=YOUR_REFRESH_TOKEN
&client_id=YOUR_CLIENT_ID
OAuth 2.1 Refresh Token Rotation:
Each use of the refresh token sends the same request:
POST /token
Content-Type: application/x-www-form-urlencoded
grant_type=refresh_token
&refresh_token=YOUR_REFRESH_TOKEN
&client_id=YOUR_CLIENT_ID
The response issues a new refresh token, and the one just presented is invalidated:
{
"access_token": "NEW_ACCESS_TOKEN",
"refresh_token": "NEW_REFRESH_TOKEN",
"expires_in": 3600,
"token_type": "Bearer"
}
5. OAuth 2.0 Form Post Response Mode
OAuth 2.1: Recommends the Form Post response mode for returning the authorization response, so that the code and state travel in a POST body rather than in the callback URL, where they are exposed to URL-based attacks.
Example:
OAuth 2.0 Query Response Mode:
GET /callback?code=AUTHORIZATION_CODE&state=RANDOM_STRING
OAuth 2.1 Form Post Response Mode:
<form method="post" action="YOUR_REDIRECT_URI">
  <input type="hidden" name="code" value="AUTHORIZATION_CODE">
  <input type="hidden" name="state" value="RANDOM_STRING">
</form>
6. Security Improvements and Recommendations
OAuth 2.1: Incorporates various security best practices, including mandatory state parameters to prevent CSRF attacks and recommendations for secure token storage and handling.
Conclusion
OAuth 2.1 builds upon OAuth 2.0 by enhancing security, simplifying the framework, and incorporating best practices into the core specification. By adopting OAuth 2.1, developers can create more secure and robust applications.
For further assistance with OAuth implementation, troubleshooting, or detailed guidance, feel free to reach out to your OAuth Expert.