Best Current Practice for OAuth 2.0 Security
RFC 9700, “Best Current Practice for OAuth 2.0 Security”, is a Best Current Practice document published in January 2025 by T. Lodderstedt, J. Bradley, A. Labunets and D. Fett. It updates RFC 6749 (the OAuth 2.0 Authorization Framework), RFC 6750 (Bearer Token Usage) and RFC 6819 (OAuth 2.0 Threat Model and Security Considerations). The canonical text is published by the RFC Editor.
Abstract
This document describes best current security practice for OAuth 2.0. It updates and extends the threat model and security advice given in RFCs 6749, 6750, and 6819 to incorporate practical experiences gathered since OAuth 2.0 was published and covers new threats relevant due to the broader application of OAuth 2.0. Further, it deprecates some modes of operation that are deemed less secure or even insecure.
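Two of the practices the RFC recommends, and which the abstract only alludes to, are PKCE (RFC 7636, which RFC 9700 requires for public clients and recommends for all authorization-code flows) and exact string matching of redirect URIs instead of prefix or wildcard matching. The following is an added example, not code from the RFC or from this page, showing a minimal authorization server that enforces both and a client that drives the flow; the client ID, the callback URL and the attacker URL are constructed for the example, and the server is an in-memory stand-in for a real token endpoint.

```python
import base64
import hashlib
import hmac
import secrets


def make_verifier() -> str:
    """PKCE code_verifier: 43 base64url chars from 32 random bytes (RFC 7636 allows 43-128)."""
    return secrets.token_urlsafe(32)


def s256_challenge(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier))) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def redirect_uri_allowed(registered: list, requested: str) -> bool:
    """Exact string comparison against the registered URIs; no prefix or wildcard matching."""
    return any(r == requested for r in registered)


class AuthorizationServer:
    """In-memory authorization + token endpoint (constructed stand-in, not a real AS)."""

    def __init__(self, clients: dict):
        self._clients = clients  # client_id -> list of registered redirect URIs
        self._codes = {}         # authorization code -> what it was bound to

    def authorize(self, client_id, redirect_uri, code_challenge, code_challenge_method):
        if client_id not in self._clients:
            raise ValueError("unknown client")
        if not redirect_uri_allowed(self._clients[client_id], redirect_uri):
            raise ValueError("redirect_uri does not exactly match a registered URI")
        if code_challenge_method != "S256" or not code_challenge:
            raise ValueError("PKCE with S256 is required")
        code = secrets.token_urlsafe(32)
        # Bind the code to the client, the redirect URI and the challenge it was issued with.
        self._codes[code] = {
            "client_id": client_id,
            "redirect_uri": redirect_uri,
            "code_challenge": code_challenge,
        }
        return code

    def token(self, client_id, code, redirect_uri, code_verifier):
        entry = self._codes.pop(code, None)  # single use: a replay finds nothing
        if entry is None:
            raise ValueError("invalid, expired or already used code")
        if entry["client_id"] != client_id or entry["redirect_uri"] != redirect_uri:
            raise ValueError("code was issued to a different client or redirect_uri")
        if not hmac.compare_digest(s256_challenge(code_verifier), entry["code_challenge"]):
            raise ValueError("code_verifier does not match code_challenge")
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}


def _fails(fn) -> bool:
    try:
        fn()
        return False
    except ValueError:
        return True


def run_demo() -> dict:
    """Honest flow succeeds; replay, stolen code, sloppy redirect_uri and 'plain' PKCE fail."""
    client_id = "s6BhdRkqt3"                    # constructed client identifier
    cb = "https://client.example.org/cb"        # constructed registered redirect URI
    srv = AuthorizationServer({client_id: [cb]})
    results = {}

    verifier = make_verifier()
    code = srv.authorize(client_id, cb, s256_challenge(verifier), "S256")
    results["honest_flow"] = "access_token" in srv.token(client_id, code, cb, verifier)
    results["replay_rejected"] = _fails(lambda: srv.token(client_id, code, cb, verifier))

    # Attacker who captured the code (e.g. via a leaked redirect) but not the verifier.
    v2 = make_verifier()
    code2 = srv.authorize(client_id, cb, s256_challenge(v2), "S256")
    results["stolen_code_rejected"] = _fails(
        lambda: srv.token(client_id, code2, cb, make_verifier()))

    # A redirect_uri that a prefix match would accept but exact matching rejects.
    evil = cb + "/../redirect?to=https://attacker.example"   # constructed
    results["redirect_rejected"] = _fails(
        lambda: srv.authorize(client_id, evil, s256_challenge(v2), "S256"))

    # The 'plain' challenge method offers no protection against a leaked challenge.
    results["plain_rejected"] = _fails(lambda: srv.authorize(client_id, cb, v2, "plain"))
    return results


if __name__ == "__main__":
    print(run_demo())
```

The `s256_challenge` function reproduces the RFC 7636 Appendix B test vector, so it can be checked against the specification directly; a real server would additionally expire codes after a short lifetime and revoke tokens already issued for a code that is presented twice.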
What “Best Current Practice” means
A Best Current Practice (BCP) documents the IETF community's recommended operational or procedural practice rather than specifying a protocol. RFC 9700 accordingly defines no new grant types or message formats; it tells implementers and deployers which existing OAuth 2.0 options to use, which to avoid, and which additional checks to perform.
The canonical text of RFC 9700 is hosted at rfc-editor.org and is available in HTML, TXT, PDF and XML.