OAuth 2.0 Security Best Current Practice
The original RFC 6749 allowed patterns now known to be insecure. RFC 9700 is the current security baseline — follow it, not just the base OAuth spec.
What It Defines
Current security guidance for OAuth 2.0 deployments. Deprecates implicit flow, mandates PKCE, restricts redirect URI matching, and addresses token leakage, CSRF, and mix-up attacks.
Canonical (Normative)
Convenient (Practical)
The canonical publication point for finalized RFCs. If a protocol is standardized as an RFC, the RFC Editor text is the normative final reference. RFCs reach it through the IETF, IRTF, IAB, and Independent Submission streams.
Related Specs
The foundation of modern app auth: third-party login, API authorization, SSO, and machine-to-machine access all use OAuth 2.0.
Required for all public clients (SPAs, mobile apps, desktop apps). If you're building a non-confidential OAuth client, PKCE is mandatory per current best practice.