Stuck on an issue?
Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.
And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.
[Announcement] OAuth2.1 and OAuth3 drafts
See original GitHub issueOAuth2.1 and OAuth3 drafts has been announced.
OAuth 2.1:
- RFC6749 - OAuth 2.0 Core
- RFC6750 - Bearer token usage
- RFC7636 - PKCE
- Native App & Browser-Based App BCPs(best current practices)
- Security BCP(best current practice):
- MUST support PKCE for all client types
- No password grant
- No implicit flow
- Exact string matching for redirect URIs
- No access tokens in query string
- Refresh tokens must be sender-constrained or one-time use
OAuth 3:
- In development under a new IETF working group
- Re-thinking OAuth from the ground up
- Not backwards compatible
- Consolidate all various use cases in OAuth into a new framework
It seems to me that changes to specification should be applied:
- Deprecate
implicitin OAuth Flows Object - Deprecate
passwordin OAuth Flows Object - Deprecate
in: queryforapiKeytype of security scheme(this one not sure, maybeapiKeyisn’t related to access tokens)
Don’t know whether I should subscribe @aaronpk to this thread, but at least he can confirm that I retyped text from his What’s New With OAuth and OIDC? video presentation correctly.
Issue Analytics
- State:
- Created 3 years ago
- Comments:5 (3 by maintainers)
Top Results From Across the Web
The OAuth 2.1 Authorization Framework draft-ietf-oauth-v2-1-07
The OAuth 2.1 Authorization Framework draft-ietf-oauth-v2-1-07 · Abstract · Hardt, et al. Expires 27 April 2023 [Page 1] · Copyright Notice · Hardt,...
Read more >What's new in OAuth 2.1? - FusionAuth
The OAuth 2.1 draft specification provides two options for refresh tokens: they can be one-time use or tied to the sender with a...
Read more >OAuth - Wikipedia
OAuth (short for "Open Authorization") is an open standard for access delegation, commonly used as a way for internet users to grant websites...
Read more >OAuth 2.1
datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-07. OAuth 2.1 is an in-progress effort to consolidate and simplify the most commonly used features of ...
Read more >OAuth 3 - Hacker News
And OAuth2 is very good of triggering each one of them. ... I'm personally more excited about this year's OAuth 2.1 draft[1], since...
Read more >
Top Related Medium Post
No results found
Top Related StackOverflow Question
No results found
Troubleshoot Live Code
Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start Free
Top Related Reddit Thread
No results found
Top Related Hackernoon Post
No results found
Top Related Tweet
No results found
Top Related Dev.to Post
No results found
Top Related Hashnode Post
No results found
Can we consider adding a flag to indicate that PKCE is used for Authorization flows? We’re currently doing this out-of-band for some tooll, ie: https://github.com/swagger-api/swagger-ui/pull/7438.
Yep, OpenAPI is not here to tell people how to build an API, its just a language for letting them describe any piece of junk they might need to describe. I often take the approach of
If you take away stuff people need to do 1, you don’t get to 2 or 3.