Would love to hear more about your interop experience with version numbers — are there a couple gotchas that come to mind?
code_challenge is only one of the new requirements, and a server is either 2.1 compliant or not. We have yet to go through all the features that have been tightened up; redirect_uris is another one top of mind.

On Mon, Sep 15, 2025 at 7:55 PM Michael Sweet <[email protected]> wrote:

> Dick,
>
> I have no problems with adding supported OAuth protocol versions, however from experience managing the Internet Printing Protocol I also know that version numbers are a poor interoperability solution.
>
> In the case of things like code_challenge, it is probably better to make the code_challenge_methods_supported metadata required so that OAuth 2.0 and 2.1 clients are able to detect when code_challenge is required. Obviously 2.1 clients and servers MUST support code_challenge, but a client discovers whether the AS supports it via the metadata.
>
> > On Sep 15, 2025, at 1:58 PM, Dick Hardt <[email protected]> wrote:
> >
> > Hey everyone,
> >
> > A key decision in adopting the OAuth 2.1 work was that there would be no new normative text. As it turns out, we do need to add the ability for the AS and client to discover if the other party supports OAuth 2.1.
> >
> > There are a number of protocol features that are valid in OAuth 2.0 that are not valid in OAuth 2.1. For example, the code_challenge is REQUIRED in OAuth 2.1.
> >
> > We are proposing the following normative additions to support version support discovery between the AS and the client.
> >
> > For a client to know if an AS supports 2.1, the AS metadata contains a new "oauth_versions_supported" property that is an array of version strings.
> >
> > example:
> >
> > "oauth_versions_supported": ["2.0","2.1"]
> >
> > This indicates the AS supports both OAuth 2.0 and OAuth 2.1.
> >
> > For an AS to learn that a client supports 2.1, the client would include in its metadata the "oauth_version" property, which would contain the string "2.1".
> >
> > example:
> >
> > "oauth_version": "2.1"
> >
> > Note that there is no explicit signal from the client or server at runtime if a given request or response is conforming with OAuth 2.0 vs OAuth 2.1.
> >
> > https://github.com/oauth-wg/oauth-v2-1/issues/120
> >
> > _______________________________________________
> > OAuth mailing list -- [email protected]
> > To unsubscribe send an email to [email protected]
>
> ________________________
> Michael Sweet
_______________________________________________
OAuth mailing list -- [email protected]
To unsubscribe send an email to [email protected]
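As an added illustration of the two discovery signals discussed in this thread (the proposed `oauth_versions_supported` / `oauth_version` properties and the existing RFC 8414 `code_challenge_methods_supported` field that Michael points to), the following client-side check is example code written for this page, not code from the OAuth working group or from any of the posters; the metadata documents, issuer names and function names are constructed for illustration.

```python
import json

# Constructed AS metadata documents for illustration; these are not real servers.
AS_METADATA_21 = json.loads("""{
  "issuer": "https://as.example",
  "authorization_endpoint": "https://as.example/authorize",
  "token_endpoint": "https://as.example/token",
  "oauth_versions_supported": ["2.0", "2.1"],
  "code_challenge_methods_supported": ["S256"]
}""")
AS_METADATA_LEGACY = json.loads("""{
  "issuer": "https://legacy.example",
  "authorization_endpoint": "https://legacy.example/authorize",
  "token_endpoint": "https://legacy.example/token"
}""")
# Constructed client metadata carrying the proposed "oauth_version" property.
CLIENT_METADATA_21 = {"client_name": "demo-client", "oauth_version": "2.1"}

def supports_oauth_21(as_metadata: dict) -> bool:
    """Client side: does the proposed oauth_versions_supported array list "2.1"?"""
    versions = as_metadata.get("oauth_versions_supported", [])
    return isinstance(versions, list) and "2.1" in versions

def pkce_s256_supported(as_metadata: dict) -> bool:
    """Does the AS advertise S256 in code_challenge_methods_supported (RFC 8414)?"""
    methods = as_metadata.get("code_challenge_methods_supported", [])
    return isinstance(methods, list) and "S256" in methods

def client_declares_21(client_metadata: dict) -> bool:
    """AS side: is the proposed oauth_version property set to "2.1"?"""
    return client_metadata.get("oauth_version") == "2.1"

def assess_as(as_metadata: dict) -> dict:
    """What a 2.1 client can conclude from AS metadata before authorizing.
    It always sends code_challenge; metadata only tells it whether enforcement is confirmed."""
    v21 = supports_oauth_21(as_metadata)
    s256 = pkce_s256_supported(as_metadata)
    return {
        "advertises_2_1": v21,
        "pkce_s256_confirmed": s256,
        "send_code_challenge": True,            # 2.1 client behaviour regardless of AS
        "enforcement_confirmed": v21 and s256,  # both signals agree
        "metadata_inconsistent": v21 and not s256,  # claims 2.1 but lists no method
    }
```

The `metadata_inconsistent` flag is the case the thread is about: a version number alone does not tell the client that `code_challenge` is enforced, whereas the method list does.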
