Dick, I have no problems with adding supported OAuth protocol versions, however from experience managing the Internet Printing Protocol I also know that version numbers are a poor interoperability solution.
In the case of things like code_challenge, it is probably better to make the code_challenge_methods_supported metadata required so that OAuth 2.0 and 2.1 clients are able to detect when code_challenge is required. Obviously 2.1 clients and servers MUST support code_challenge, but a client discovers whether the AS supports it via the metadata.

> On Sep 15, 2025, at 1:58 PM, Dick Hardt <dick.ha...@gmail.com> wrote:
>
> Hey everyone,
>
> A key decision in adopting the OAuth 2.1 work was that there would be no new normative text. As it turns out, we do need to add the ability for the AS and client to discover if the other party supports OAuth 2.1.
>
> There are a number of protocol features that are valid in OAuth 2.0 that are not valid in OAuth 2.1. For example, the code_challenge is REQUIRED in OAuth 2.1.
>
> We are proposing the following normative additions to support version support discovery between the AS and the client.
>
> For a client to know if an AS supports 2.1, the AS metadata contains a new "oauth_versions_supported" property that is an array of version strings.
>
> example:
>
> "oauth_versions_supported": ["2.0","2.1"]
>
> This indicates the AS supports both OAuth 2.0 and OAuth 2.1.
>
> For an AS to learn that a client supports 2.1, the client would include in its metadata the "oauth_version" property which would contain the string "2.1".
>
> example:
>
> "oauth_version": "2.1"
>
> Note that there is no explicit signal from the client or server at runtime if a given request or response is conforming with OAuth 2.0 vs OAuth 2.1.
>
> https://github.com/oauth-wg/oauth-v2-1/issues/120
>
> _______________________________________________
> OAuth mailing list -- oauth@ietf.org
> To unsubscribe send an email to oauth-le...@ietf.org

________________________
Michael Sweet
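The discovery logic the two messages argue about, as an added example that is not code from either author or from the OAuth working group: a client reads AS metadata, treats `code_challenge_methods_supported` (RFC 8414) as the authoritative PKCE signal, falls back to the proposed `oauth_versions_supported` array, and builds an authorization request with an S256 `code_challenge` (RFC 7636). The metadata dicts and the policy/return shapes are this example's own assumptions.

```python
import base64
import hashlib
import secrets
from typing import Optional
from urllib.parse import urlencode


def pkce_pair(verifier: Optional[str] = None) -> tuple:
    """Return (code_verifier, code_challenge) using the S256 method of RFC 7636."""
    if verifier is None:
        verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return verifier, base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def pkce_policy(metadata: dict) -> dict:
    """Decide from AS metadata whether to send code_challenge and with which method.

    code_challenge_methods_supported is authoritative when present; the proposed
    oauth_versions_supported only tells us the AS claims 2.1, where PKCE is REQUIRED.
    """
    methods = metadata.get("code_challenge_methods_supported")
    claims_21 = "2.1" in metadata.get("oauth_versions_supported", [])
    if methods is not None:
        if "S256" in methods:
            return {"send": True, "method": "S256", "required": claims_21,
                    "reason": "AS advertises S256"}
        # Only S256 is acceptable here; a 2.1 AS without S256 is inconsistent metadata.
        return {"send": False, "method": None, "required": claims_21,
                "reason": "AS does not advertise S256"}
    if claims_21:
        return {"send": True, "method": "S256", "required": True,
                "reason": "AS claims 2.1, which REQUIRES code_challenge"}
    # No signal at all: a 2.0 AS ignores unknown parameters, so sending S256 is safe.
    return {"send": True, "method": "S256", "required": False,
            "reason": "no metadata signal; sending S256 optimistically"}


def build_authorization_query(metadata: dict, client_id: str, redirect_uri: str,
                              state: str, verifier: Optional[str] = None) -> tuple:
    """Return (query_string, code_verifier) for the authorization request.

    The verifier must be kept by the client for the token request; it is None
    when no code_challenge was sent.
    """
    policy = pkce_policy(metadata)
    if policy["required"] and not policy["send"]:
        raise ValueError("refusing request: " + policy["reason"])
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "state": state}
    if not policy["send"]:
        return urlencode(params), None
    verifier, challenge = pkce_pair(verifier)
    params.update(code_challenge=challenge, code_challenge_method=policy["method"])
    return urlencode(params), verifier
```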