Available Flows
Specs & references
Authoritative reading list for OAuth 2.0 — core specs, security considerations, and companion standards.
Core specs
· The specifications that define this protocol.Security & privacy
· Dedicated security and privacy considerations.Companion specs
· Extensions, hardenings, and supporting RFCs.- RFC 7636 — Proof Key for Code Exchange (PKCE)
- RFC 7662 — Token Introspection
- RFC 7009 — Token Revocation
- RFC 8414 — Authorization Server Metadata
- RFC 8693 — Token Exchange
- RFC 8707 — Resource Indicators
- RFC 9207 — Authorization Server Issuer Identification
AS Mix-Up defence.
- RFC 9449 — DPoP (Demonstrating Proof of Possession)
- RFC 9101 — JWT-Secured Authorization Request (JAR)
- RFC 9126 — Pushed Authorization Requests (PAR)
OAuth 2.0 Features
Authorization Code Flow
Standard flow for server-side applications
PKCE for Public Clients
Enhanced security for SPAs and mobile apps (RFC 7636)
Client Credentials
Machine-to-machine authentication