OAuth 2.1 vs. OAuth 2.0: A Detailed Tutorial

Master Spring Ter
3 min read · Jun 21, 2024

OAuth 2.1 is an evolution of the OAuth 2.0 framework, bringing several security enhancements and simplifications to the table. This tutorial will walk you through the key differences between OAuth 2.0 and OAuth 2.1, using practical examples to illustrate the changes.

Key Differences Between OAuth 2.0 and OAuth 2.1

  1. PKCE by Default
  2. Removal of Implicit Grant
  3. Redirect URI Requirements
  4. Refresh Token Best Practices
  5. OAuth 2.0 Form Post Response Mode
  6. Security Improvements and Recommendations

1. PKCE by Default

OAuth 2.0: PKCE (Proof Key for Code Exchange) was optional and primarily recommended for public clients (such as mobile apps).

OAuth 2.1: PKCE is mandatory for all clients, including confidential clients, to protect against authorization code interception attacks.

Example:

OAuth 2.0 (PKCE Optional):

GET /authorize?response_type=code
&client_id=YOUR_CLIENT_ID
&redirect_uri=YOUR_REDIRECT_URI
&scope=YOUR_SCOPES
&state=RANDOM_STRING

OAuth 2.1 (PKCE Mandatory):

GET /authorize?response_type=code
&client_id=YOUR_CLIENT_ID
&redirect_uri=YOUR_REDIRECT_URI
&scope=YOUR_SCOPES
&state=RANDOM_STRING
&code_challenge=BASE64URL(sha256(CODE_VERIFIER))
&code_challenge_method=S256

2. Removal of Implicit Grant

OAuth 2.0: The Implicit Grant flow was used for single-page applications to obtain tokens directly from the authorization endpoint without an intermediate authorization code.

OAuth 2.1: The Implicit Grant flow has been removed due to security vulnerabilities. Single-page applications should now use the Authorization Code flow with PKCE.

Example:

OAuth 2.0 Implicit Grant (Deprecated in OAuth 2.1):

GET /authorize?response_type=token
&client_id=YOUR_CLIENT_ID
&redirect_uri=YOUR_REDIRECT_URI
&scope=YOUR_SCOPES
&state=RANDOM_STRING

OAuth 2.1 Authorization Code with PKCE:

GET /authorize?response_type=code
&client_id=YOUR_CLIENT_ID
&redirect_uri=YOUR_REDIRECT_URI
&scope=YOUR_SCOPES
&state=RANDOM_STRING
&code_challenge=BASE64URL(sha256(CODE_VERIFIER))
&code_challenge_method=S256
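To make the PKCE exchange from sections 1 and 2 concrete, here is an added example (not code from the original post) that derives code_verifier and code_challenge as the request above shows, builds that query string, and models the server-side check at the token endpoint. The AuthorizationServer class is a hypothetical in-memory model, not a real authorization server.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import urlencode


def make_code_verifier(nbytes: int = 32) -> str:
    # RFC 7636 wants 43..128 characters from [A-Za-z0-9-._~]; 32 random bytes
    # base64url-encoded without padding yields exactly 43 such characters.
    return base64.urlsafe_b64encode(secrets.token_bytes(nbytes)).rstrip(b"=").decode("ascii")


def make_code_challenge(verifier: str) -> str:
    # code_challenge = BASE64URL(SHA256(ASCII(code_verifier))), padding stripped
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def authorize_query(client_id: str, redirect_uri: str, scope: str, state: str, challenge: str) -> str:
    # The query string of the OAuth 2.1 authorization request shown above.
    return urlencode({
        "response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri,
        "scope": scope, "state": state,
        "code_challenge": challenge, "code_challenge_method": "S256",
    })


class AuthorizationServer:
    """Hypothetical in-memory model of the server side of PKCE."""

    def __init__(self):
        self._pending = {}  # authorization code -> stored code_challenge

    def issue_code(self, code_challenge: str, method: str) -> str:
        # This model accepts only S256, the method the request above uses.
        if method != "S256":
            raise ValueError("unsupported code_challenge_method")
        code = secrets.token_urlsafe(24)
        self._pending[code] = code_challenge
        return code

    def redeem_code(self, code: str, code_verifier: str) -> bool:
        # Codes are single use: pop, so a replayed code fails even with the right verifier.
        stored = self._pending.pop(code, None)
        if stored is None:
            return False
        # Recompute the challenge from the presented verifier and compare in constant time.
        return hmac.compare_digest(make_code_challenge(code_verifier), stored)
```

The RFC 7636 Appendix B test vector (verifier dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk) is a handy fixed input for checking make_code_challenge.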

3. Redirect URI Requirements

OAuth 2.0: Allowed the use of wildcard patterns in redirect URIs, which could introduce security risks.

OAuth 2.1: Requires exact matches for redirect URIs, enhancing security by preventing open redirect attacks.

Example:

OAuth 2.0 Wildcard Redirect URI:

redirect_uri=https://example.com/*

OAuth 2.1 Exact Redirect URI:

redirect_uri=https://example.com/callback
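An added example (not from the original post) contrasting the two matching rules above: a naive wildcard/prefix comparison that would accept any path on the host, including an open-redirect endpoint, versus exact string comparison. The one relaxation kept in exact_match, letting a loopback-IP redirect URI use any port, follows the native-app rule in OAuth 2.1; the helper names and the sample URIs are assumptions made for the example.

```python
from urllib.parse import urlsplit

LOOPBACK_HOSTS = ("127.0.0.1", "::1")


def naive_prefix_match(registered_pattern: str, requested: str) -> bool:
    # OAuth 2.0-era behaviour the page warns about: "https://example.com/*"
    # accepts every URI under that origin, not just the real callback.
    if registered_pattern.endswith("/*"):
        return requested.startswith(registered_pattern[:-1])
    return registered_pattern == requested


def exact_match(registered: list, requested: str) -> bool:
    # OAuth 2.1 behaviour: the requested redirect_uri must equal a registered
    # one character for character. Trailing slashes, extra query parameters
    # and different paths all fail.
    for reg in registered:
        if reg == requested:
            return True
        r, q = urlsplit(reg), urlsplit(requested)
        # Loopback exception: a native app binds an ephemeral port at runtime,
        # so the port may differ, but scheme, host, path and query may not.
        if (r.scheme == q.scheme
                and r.hostname in LOOPBACK_HOSTS
                and r.hostname == q.hostname
                and (r.path, r.query) == (q.path, q.query)):
            return True
    return False
```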

4. Refresh Token Best Practices

OAuth 2.0: Did not specify best practices for refresh token usage.

OAuth 2.1: Recommends refresh token rotation, where each refresh token use results in a new refresh token being issued, invalidating the previous one. This reduces the impact of a compromised refresh token.

Example:

OAuth 2.0 Refresh Token Request:

POST /token
Content-Type: application/x-www-form-urlencoded

grant_type=refresh_token
&refresh_token=YOUR_REFRESH_TOKEN
&client_id=YOUR_CLIENT_ID

OAuth 2.1 Refresh Token Rotation:

Each refresh token use:

POST /token
Content-Type: application/x-www-form-urlencoded

grant_type=refresh_token
&refresh_token=YOUR_REFRESH_TOKEN
&client_id=YOUR_CLIENT_ID

The response includes a new refresh token:

{
"access_token": "NEW_ACCESS_TOKEN",
"refresh_token": "NEW_REFRESH_TOKEN",
"expires_in": 3600,
"token_type": "Bearer"
}
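An added example (not from the original post) of the rotation described above, implemented as a hypothetical in-memory store: each use retires the presented refresh token and issues a successor in the same token family, and presenting a retired token again is treated as a replay that revokes the whole family, so a copied token cannot be used quietly alongside the legitimate one. The class and field names are assumptions for the example.

```python
import secrets
from typing import Optional


class RefreshTokenStore:
    """Hypothetical refresh-token store with rotation and reuse detection."""

    def __init__(self):
        self._tokens = {}           # token -> {"family": str, "active": bool}
        self._revoked_families = set()

    def issue_initial(self) -> str:
        # First refresh token of a grant starts a new family.
        token = secrets.token_urlsafe(32)
        self._tokens[token] = {"family": secrets.token_hex(8), "active": True}
        return token

    def rotate(self, presented: str) -> Optional[dict]:
        # Returns the token response shown above on success, None on rejection.
        rec = self._tokens.get(presented)
        if rec is None or rec["family"] in self._revoked_families:
            return None
        if not rec["active"]:
            # A retired token came back: someone holds a copy. Revoke the
            # family so neither holder can refresh again.
            self._revoked_families.add(rec["family"])
            return None
        rec["active"] = False  # the presented token is now invalid
        new_token = secrets.token_urlsafe(32)
        self._tokens[new_token] = {"family": rec["family"], "active": True}
        return {
            "access_token": secrets.token_urlsafe(32),
            "refresh_token": new_token,
            "expires_in": 3600,
            "token_type": "Bearer",
        }

    def is_family_revoked(self, token: str) -> bool:
        rec = self._tokens.get(token)
        return rec is not None and rec["family"] in self._revoked_families
```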

5. OAuth 2.0 Form Post Response Mode

OAuth 2.1: Recommends using the Form Post response mode for returning authorization responses, so that the code and state travel in a POST body rather than in the URL, where they are exposed to URL-based attacks.

Example:

OAuth 2.0 Query Response Mode:

GET /callback?code=AUTHORIZATION_CODE&state=RANDOM_STRING

OAuth 2.1 Form Post Response Mode:

<form method="post" action="YOUR_REDIRECT_URI">
<input type="hidden" name="code" value="AUTHORIZATION_CODE">
<input type="hidden" name="state" value="RANDOM_STRING">
</form>

6. Security Improvements and Recommendations

OAuth 2.1: Incorporates various security best practices, including mandatory state parameters to prevent CSRF attacks and recommendations for secure token storage and handling.
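An added example (not from the original post) tying sections 5 and 6 together: a hypothetical client-side callback handler that accepts the authorization response either as a query string (GET) or as a form_post body (POST), and binds it to the state value the client stored in the user's session before redirecting, rejecting missing, mismatched or replayed state. The class, method and session names are assumptions for the example.

```python
import hmac
import secrets
from typing import Optional
from urllib.parse import parse_qs


class CallbackHandler:
    """Hypothetical /callback endpoint on the OAuth client."""

    def __init__(self):
        self._pending = {}  # session_id -> state issued for the in-flight request

    def begin(self, session_id: str) -> str:
        # Called before redirecting the browser to /authorize.
        state = secrets.token_urlsafe(32)
        self._pending[session_id] = state
        return state

    def handle(self, session_id: str, method: str, query: str = "", body: str = "") -> Optional[str]:
        # Returns the authorization code to exchange, or None if the response is rejected.
        if method == "GET":
            params = parse_qs(query)       # query response mode
        elif method == "POST":
            params = parse_qs(body)        # form_post response mode (urlencoded body)
        else:
            return None
        state = params.get("state", [None])[0]
        code = params.get("code", [None])[0]
        # State is single use: pop so a replayed response cannot be accepted.
        expected = self._pending.pop(session_id, None)
        if not state or not code or expected is None:
            return None
        if not hmac.compare_digest(state, expected):
            return None  # CSRF: response does not belong to this session
        return code
```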

Conclusion

OAuth 2.1 builds upon OAuth 2.0 by enhancing security, simplifying the framework, and incorporating best practices into the core specification. By adopting OAuth 2.1, developers can create more secure and robust applications.

For further assistance with OAuth implementation, troubleshooting, or detailed guidance, feel free to reach out to your OAuth Expert.


Written by Master Spring Ter

https://chatgpt.com/g/g-dHq8Bxx92-master-spring-ter Specialized ChatGPT expert in Spring Boot, offering insights and guidance for developers.
