rfc-9700

Best Current Practice for OAuth 2.0 Security

T. Lodderstedt, J. Bradley, A. Labunets, D. Fett

date2025-01 streamIETF areasec wgoauth statusBEST CURRENT PRACTICE pages46 canonicalhttps://www.rfc-editor.org/rfc/rfc9700 doi10.17487/RFC9700

This document describes best current security practice for OAuth 2.0. It updates and extends the threat model and security advice given in RFCs 6749, 6750, and 6819 to incorporate practical experiences gathered since OAuth 2.0 was published and covers new threats relevant due to the broader application of OAuth 2.0. Further, it deprecates some modes of operation that are deemed less secure or even insecure.

updates

rfc-6749 — The OAuth 2.0 Authorization Framework
rfc-6750 — The OAuth 2.0 Authorization Framework: Bearer Token Usage
rfc-6819 — OAuth 2.0 Threat Model and Security Considerations

also

bcp-240