Konubinix' opinionated web of thoughts

Forget About OAuth 2.0. Here Comes OAuth 2.1 - Philippe De Ryck - NDC Oslo 2022


  • External reference:

OAuth 2.0, OAuth 2.1


Refresh tokens make sense when the client secret can be kept secret.

Therefore, in public clients, because the secret is not very secret, the refresh token is a simple bearer token.

Therefore, the authorization code grant did not make sense there, and the implicit grant was suggested as the alternative, not as a less secure option.

It is still very insecure though.

Now, in public clients one should perform the authorization code grant with PKCE and refresh token rotation.
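As an added illustration, not part of the original notes or the talk, the two mechanisms from the last line in Python: the S256 PKCE check (RFC 7636) that the authorization server performs at the token endpoint, and single-use refresh tokens with reuse detection, where presenting an already-rotated token revokes the whole token family. The class name `RefreshTokenStore` and the family ids are assumptions of this example.

```python
import base64
import hashlib
import secrets


def _b64url(data: bytes) -> str:
    # RFC 7636 uses base64url without padding
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def pkce_challenge(verifier: str) -> str:
    """S256: code_challenge = BASE64URL(SHA256(code_verifier))."""
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def make_pkce_pair() -> tuple:
    """Client side: fresh high-entropy verifier and the challenge sent with the authorization request."""
    verifier = _b64url(secrets.token_bytes(32))
    return verifier, pkce_challenge(verifier)


def verify_pkce(stored_challenge: str, presented_verifier: str) -> bool:
    """Authorization server side: whoever redeems the code must hold the verifier
    behind the challenge stored with that code (a stolen code alone is useless)."""
    return secrets.compare_digest(pkce_challenge(presented_verifier), stored_challenge)


class RefreshTokenStore:
    """Refresh token rotation: every refresh token is single-use and belongs to a
    family (one per login session). Reuse of a spent token means someone else
    holds a copy, so the whole family is revoked. (Hypothetical in-memory store.)"""

    def __init__(self):
        self._tokens = {}    # token -> [family_id, already_used]
        self._revoked = set()  # revoked family ids

    def issue(self, family_id: str) -> str:
        token = secrets.token_urlsafe(32)
        self._tokens[token] = [family_id, False]
        return token

    def refresh(self, token: str):
        """Return a new refresh token, or None if the presented one is unknown, spent, or revoked."""
        entry = self._tokens.get(token)
        if entry is None or entry[0] in self._revoked:
            return None
        family_id, used = entry
        if used:
            self._revoked.add(family_id)  # reuse detected: kill the family
            return None
        entry[1] = True
        return self.issue(family_id)
```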
