OAuth 2.1 isn't a finished RFC. Auth0, Okta, and Keycloak are enforcing it anyway.
OAuth 2.1 has no RFC number yet. It's still draft-ietf-oauth-v2-1-15. Major identity providers are already enforcing its core rules anyway — here's what actually breaks, and why.
By FlowVerify Editorial Team