Well, kinda. People can still theoretically use OAuth 1 too, but the world has moved on - software has dropped support for it, websites don’t support it, and so on.
I’m a bit confused about what OAuth 2.1 is intended to be. If it’s not a new version of OAuth (“obsoletes” the old RFC), then is it not just another BCP? If it is a new version and it removes grant types (OAuth 3.0?) then that effectively has the same impact as removing them from OAuth 2.0, unless we’re envisioning some way for a client to negotiate version 2.0 support from an AS?

— Neil

> On 22 Feb 2020, at 01:41, Dick Hardt <dick.ha...@gmail.com> wrote:
>
> I'm a little confused on where this thread is going. If we take ROPC out of
> OAuth 2.1 then:
>
> 1) Existing deployments can keep using ROPC - why break it if it is working.
>
> 2) New deployments can use ROPC and be OAuth 2.0 compliant.
>
> 3) New deployments that don't need ROPC can be OAuth 2.1 compliant

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth