OAuth Security Best Current Practice
RFC 9700 is the IETF Best Current Practice that tightens OAuth 2.0 security around redirects, PKCE, token replay, refresh tokens, client authentication, and dynamic deployments.
Definition
OAuth Security Best Current Practice is the guidance standardized as RFC 9700, Best Current Practice for OAuth 2.0 Security. It was published by the IETF in January 2025 as BCP 240 and was authored by Torsten Lodderstedt, John Bradley, Andrii Labunets, and Daniel Fett. The RFC updates RFC 6749, RFC 6750, and RFC 6819.
RFC 9700 does not replace OAuth 2.0. It consolidates newer operational lessons, adds stricter requirements, updates the attacker model, and deprecates modes of operation the authors judge less secure or insecure. It is the reference page a security review should open when an OAuth deployment claims to be "modern."
For AI agents, the value is practical. Agent connectors, tool brokers, browser-based automations, and multi-tenant integrations often depend on OAuth, but a token-bearing agent is only as safe as the flow that created and constrained its tokens.
The page is about authorization security, not model capability. RFC 9700 does not prove that an AI agent, MCP server, connector, or browser automation is safe. It describes controls for reducing OAuth-specific failures such as code interception, redirect abuse, token replay, token overbreadth, mix-up attacks, and unsafe legacy grants.
Snapshot
- Standard: RFC 9700, BCP 240, published by the IETF in January 2025.
- Updates: RFC 6749, RFC 6750, and RFC 6819.
- Core controls: exact redirect URI matching, PKCE, implicit-grant deprecation, token replay prevention, audience restriction, refresh-token protection, and stronger client authentication.
- Adjacent standards: PKCE, authorization-server metadata, issuer identification, resource indicators, sender-constrained tokens, token revocation, and protected-resource metadata.
- Agent relevance: agent connectors turn OAuth tokens into operational authority over tools, files, calendars, repositories, tickets, payments, and internal APIs.
- Boundary: OAuth secures an authorization flow; it does not replace least privilege, sandboxing, prompt-injection defenses, human approval, or incident response.
Current Context
As of June 25, 2026, RFC 9700 is the stable IETF Best Current Practice for OAuth 2.0 security. OAuth 2.1 is still an Internet-Draft, not a final RFC; draft-ietf-oauth-v2-1-15, published in March 2026, says it consolidates OAuth 2.0 with later updates including RFC 9700 and OAuth 2.0 for Native Apps. That means production governance should cite RFC 9700 and the relevant companion RFCs directly rather than treating "OAuth 2.1" as a completed standard.
The IETF OAuth working group is also considering updates to the security topics guidance. The current update draft, draft-ietf-oauth-security-topics-update-02, describes itself as extending RFC 6749, RFC 6750, and RFC 9700 to cover new threats discovered after those documents. Because it remains a draft, it is useful current context but should not be cited as if it superseded RFC 9700.
Agent infrastructure has made the topic more immediate. The Model Context Protocol 2025-11-25 authorization specification frames protected MCP servers as OAuth 2.1 resource servers and MCP clients as OAuth clients, requires MCP servers to implement OAuth 2.0 Protected Resource Metadata, requires MCP clients to use that metadata for authorization-server discovery, and requires resource indicators for token requests. MCP's security guidance also forbids token passthrough. Those rules make RFC 9700-style controls part of the agent tool boundary, not only web-login hygiene.
How It Works
The RFC begins with redirect-based flows. Authorization servers must compare client redirect URIs by exact string matching, except for variable localhost ports used by native apps. Clients and authorization servers must not expose open redirectors that forward a browser to an arbitrary URI from a query parameter.
For authorization-code flows, public clients must use PKCE, and confidential clients are recommended to use it. Authorization servers must support PKCE, enforce the correct code_verifier when a challenge was sent, mitigate PKCE downgrade attacks, and provide a way to detect PKCE support. The RFC recommends publishing code_challenge_methods_supported in Authorization Server Metadata.
RFC 9700 says clients should not use the implicit grant or other response types that issue access tokens in the authorization response unless access-token injection and leakage vectors are mitigated. It says clients should instead use the authorization-code response type or another response type that returns access tokens from the token endpoint.
The token guidance is direct: access-token privileges should be restricted to the minimum required, access tokens should be audience-restricted to a specific resource server or small set of resource servers, and resource servers must refuse a token intended for another audience. Public-client refresh tokens must be sender-constrained or use refresh-token rotation.
Sender constraint can be implemented by mechanisms such as mutual TLS certificate-bound tokens under RFC 8705 or DPoP under RFC 9449. Audience restriction can be supported by OAuth Resource Indicators under RFC 8707. Authorization-server and protected-resource metadata under RFC 8414 and RFC 9728 make feature discovery and endpoint identity less ad hoc.
RFC 9700 also keeps old failure modes in scope: credential leakage through browser surfaces, insufficient redirection URI validation, mix-up attacks, authorization-code injection, access-token injection, cross-site request forgery, token replay, refresh-token compromise, client impersonation of the resource owner, clickjacking, and in-browser communication flaws.
Agent Context
Agent deployments make the RFC more important, not less. A human-facing app may fail at a redirect URI once; an agent connector can repeat the same unsafe pattern across calendars, drives, repositories, help desks, payment systems, and internal APIs. OAuth flaws become workflow flaws when a model-driven system can trigger them at scale.
Multi-provider agents also resemble the dynamic scenarios RFC 9700 names: the same client may interact with different authorization servers or tenants, and endpoint configuration may be discovered through metadata. In those settings, mix-up defenses matter. When a client can interact with more than one authorization server, the RFC requires a defense against mix-up attacks, preferably using issuer identification or a comparable issuer value.
MCP makes this concrete. A remote tool server can advertise protected-resource metadata, an agent host can discover authorization-server metadata, and the client can request a token for a specific MCP server by using a resource indicator. If those records are missing, an agent may hold a broadly useful token while model-visible context decides where to send it.
The lesson is not that OAuth makes agent action safe. The lesson is that agent authority should pass through flows with exact redirects, PKCE, issuer-aware configuration, protected-resource metadata, audience checks, sender constraints where appropriate, refresh-token protection, revocation paths, and agent-level audit trails.
Governance and Safety
RFC 9700 says the resource owner password credentials grant must not be used, because it exposes the resource owner's credentials to the client and trains users to enter credentials outside the authorization server. It also recommends client authentication where feasible and recommends asymmetric client authentication such as mutual TLS or signed JWTs.
For governance, the useful artifact is a control matrix. Each OAuth connector should record whether it uses exact redirect matching, PKCE, issuer mix-up defense, sender-constrained access tokens, audience restriction, refresh-token rotation or sender constraint, asymmetric client authentication, authorization-server metadata, protected-resource metadata, token revocation, and resource-server audience validation.
Audit trails should preserve the authorization server, issuer, client ID, redirect URI, PKCE method, granted scopes, resource indicators or audience values, token class, refresh-token protection, client authentication method, resource server, and agent run. Logs should not store authorization codes, access tokens, refresh tokens, client secrets, private keys, or full signed assertions.
For AI governance, OAuth review belongs with AI Agent Identity, AI Agent Sandboxing, AI Agent Observability, and AI Vulnerability Disclosure. OAuth answers who can obtain and present a token; those adjacent controls answer what the agent can touch, what it actually did, and how failures are reported.
Procurement should treat OAuth posture as deployment evidence. A vendor saying "uses OAuth" is not enough. The relevant question is whether the deployed connector follows RFC 9700 controls, whether the resource server validates audience, whether refresh tokens are protected, whether scopes are narrow, and whether the organization can revoke, audit, and rotate the grant after an incident.
Minimum Evidence Record
A governance-grade OAuth record for an agent connector should make the authorization boundary reviewable without leaking the credentials themselves.
- System identity: agent, product, connector, tenant, owner, client ID, client type, and link to the AI System Inventory.
- Authorization server: issuer, metadata URL, token endpoint, authorization endpoint, PKCE support signal, supported client-authentication methods, and discovery source.
- Protected resource: resource identifier, protected-resource metadata URL, scopes supported, audience value, and resource-server audience validation behavior.
- Flow controls: grant type, redirect URI, exact-match policy, PKCE method, state or CSRF control, issuer mix-up defense, PAR or JAR use where relevant, and error handling.
- Token controls: token class, lifetime, scope, audience, sender-constraint method, refresh-token rotation or sender constraint, revocation endpoint, and introspection or validation process.
- Agent controls: approval prompt, tool or MCP server receiving the token, sandbox boundary, human reviewer if any, run identifier, and audit-trail location.
- Change controls: who can add redirect URIs, scopes, resources, clients, MCP servers, or token lifetimes, and which changes trigger AI Change Management.
- Incident controls: revocation procedure, key rotation procedure, suspicious refresh-token reuse alert, replay detection, disclosure contact, and post-incident retention rule.
Defense Pattern
- Prefer code plus PKCE. Treat PKCE support and enforcement as a baseline for authorization-code flows.
- Ban open redirectors. Review clients and authorization servers for arbitrary browser forwarding.
- Constrain tokens. Use audience restriction, narrow scope, short lifetimes, and sender-constrained tokens for sensitive connectors.
- Protect refresh tokens. Require public-client rotation or sender constraint and alert on reuse signals.
- Use metadata deliberately. Fetch issuer, endpoint configuration, and resource-server authorization relationships from trusted metadata where available.
- Validate at the resource server. Reject tokens issued for a different resource, audience, tenant, or sender.
- Keep credentials out of traces. Redact codes, tokens, client secrets, private keys, signed assertions, and DPoP or mTLS key material from model context and agent telemetry.
- Plan revocation. A connector should have a documented way to revoke grants, rotate credentials, disable the agent, and invalidate refresh tokens after a compromise.
- Retire password grants. Do not use resource owner password credentials for agent connectors.
Source Discipline
Claims about OAuth security posture should identify the RFC 9700 control being discussed and the deployment role it applies to: client, authorization server, resource server, or reverse proxy. Do not collapse RFC 9700 into PKCE alone, sender-constrained tokens alone, generic "zero trust," or a promise that agent behavior is safe.
Use exact source labels. RFC 9700 is a Best Current Practice. OAuth 2.1 is still an Internet-Draft as of this review date. MCP authorization is a protocol specification that uses OAuth concepts for MCP clients and servers. A vendor connector page describes one implementation. These sources are related but not interchangeable.
For security claims, name the artifact and date: RFC number or draft version, authorization-server metadata, protected-resource metadata, client registration, redirect URI, token policy, resource indicator, sender-constraint method, and test date. A vague statement that a connector is "OAuth-secured" is not evidence.
Spiralist Reading
Spiralism reads RFC 9700 as institutional memory hardened into procedure. The standard is not glamorous. It says: stop accepting vague doors, stop leaking tokens through browser surfaces, stop letting old grants carry new power, and make each credential answer where, who, and for what.
For agents, that discipline is a spiritual technology of limits. It does not make the machine wise. It makes authority harder to smuggle.
Open Questions
- Which agent connectors should be blocked until they meet an RFC 9700 control checklist?
- How should users see audience, scope, and refresh-token risk during agent approval?
- What evidence should prove that a deployed connector enforces PKCE and mix-up defenses?
Related Pages
- AI Agent Identity
- Capability-Based Security
- Confused Deputy Problem
- OAuth Authorization Server Issuer Identification
- OAuth Authorization Server Metadata
- OAuth Protected Resource Metadata
- OAuth Dynamic Client Registration
- OAuth Device Authorization Grant
- OAuth JWT Bearer Grant
- OAuth for Native Apps
- Proof Key for Code Exchange
- OAuth Token Exchange
- OAuth Client Credentials Grant
- OAuth Resource Indicators
- OAuth Token Introspection
- OAuth Token Revocation
- OAuth Step-Up Authentication
- Pushed Authorization Requests
- JWT-Secured Authorization Requests
- Rich Authorization Requests
- Sender-Constrained Tokens
- Model Context Protocol
- AI Agent Sandboxing
- AI Agent Observability
- Secure AI System Development
- AI Audit Trails
- AI Vulnerability Disclosure
- AI Procurement
- Data Minimization
- Prompt Injection
Sources
- D. Hardt, IETF, RFC 6749: The OAuth 2.0 Authorization Framework, October 2012.
- M. Jones and D. Hardt, IETF, RFC 6750: The OAuth 2.0 Authorization Framework: Bearer Token Usage, October 2012.
- T. Lodderstedt, M. McGloin, and P. Hunt, IETF, RFC 6819: OAuth 2.0 Threat Model and Security Considerations, January 2013.
- N. Sakimura, J. Bradley, and N. Agarwal, IETF, RFC 7636: Proof Key for Code Exchange by OAuth Public Clients, September 2015.
- M. Jones, N. Sakimura, and J. Bradley, IETF, RFC 8414: OAuth 2.0 Authorization Server Metadata, June 2018.
- B. Campbell, J. Bradley, and H. Tschofenig, IETF, RFC 8707: Resource Indicators for OAuth 2.0, February 2020.
- B. Campbell, J. Bradley, N. Sakimura, and T. Lodderstedt, IETF, RFC 8705: OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens, February 2020.
- K. Meyer zu Selhausen and D. Fett, IETF, RFC 9207: OAuth 2.0 Authorization Server Issuer Identification, March 2022.
- D. Fett, B. Campbell, J. Bradley, T. Lodderstedt, M. Jones, and D. Waite, IETF, RFC 9449: OAuth 2.0 Demonstrating Proof of Possession, September 2023.
- T. Lodderstedt, J. Bradley, A. Labunets, and D. Fett, IETF, RFC 9700: Best Current Practice for OAuth 2.0 Security, BCP 240, January 2025; reviewed June 25, 2026.
- M. Jones, P. Hunt, and A. Parecki, IETF, RFC 9728: OAuth 2.0 Protected Resource Metadata, April 2025.
- IETF OAuth Working Group, draft-ietf-oauth-v2-1-15: The OAuth 2.1 Authorization Framework, Internet-Draft, March 2026; reviewed June 25, 2026.
- IETF OAuth Working Group, draft-ietf-oauth-security-topics-update-02: Updates to OAuth 2.0 Security Best Current Practice, Internet-Draft, June 2026; reviewed June 25, 2026.
- Model Context Protocol, Authorization specification, version 2025-11-25; reviewed June 25, 2026.
- Model Context Protocol, Security Best Practices, reviewed June 25, 2026.