There is a new IETF draft for the OAuth 2.1 Authorization Framework. It is not radically different from OAuth 2.0; rather, it folds the security best practices published since 2.0 (in particular the OAuth 2.0 Security Best Current Practice) into the core specification, so the secure configuration is the default rather than an add-on. Aaron Parecki has a great blog post explaining the rationale behind the update.
The main changes for your dev teams to be aware of are:
- Proof Key for Code Exchange (PKCE) is now required for all clients using the authorization code grant, confidential as well as public.
- Redirect URIs must be compared using exact string matching; prefix and wildcard matching are not allowed.
- Refresh tokens issued to public clients must be either sender-constrained or one-time use (refresh token rotation).
- The Implicit grant (`response_type=token`) and the Resource Owner Password Credentials grant have been removed.
- Bearer tokens in the query string of a URI are no longer allowed; send them in the `Authorization` header (or, for form-encoded requests, in the request body).
Image by Aaron Parecki.
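The four enforceable points above (PKCE, exact redirect URI matching, one-time-use refresh tokens, and no bearer tokens in the query string) as an added, self-contained example in Python. This is illustration code written for this post, not code from the OAuth 2.1 draft or from Aaron Parecki; the function names, the `RefreshTokenStore` class, and the sample URLs are assumptions. The PKCE part follows RFC 7636 (S256 method); the rest shows the checks an authorization server or resource server would make.

```python
import base64
import hashlib
import secrets
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

# --- PKCE (RFC 7636), mandatory in OAuth 2.1 for the authorization code grant ---

def make_code_verifier(nbytes: int = 32) -> str:
    # Client side: high-entropy verifier, 43..128 chars from [A-Za-z0-9-._~].
    # 32 random bytes base64url-encode to exactly 43 chars, the RFC minimum.
    return base64.urlsafe_b64encode(secrets.token_bytes(nbytes)).rstrip(b"=").decode("ascii")

def make_code_challenge(verifier: str) -> str:
    # Client side, S256: BASE64URL(SHA256(ASCII(verifier))) with padding removed.
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def pkce_verify(stored_challenge: str, presented_verifier: str) -> bool:
    # Server side, at the token endpoint: recompute the challenge from the
    # verifier sent with the code and compare in constant time.
    if not 43 <= len(presented_verifier) <= 128:
        return False
    return secrets.compare_digest(make_code_challenge(presented_verifier), stored_challenge)

# --- Exact redirect URI matching ---

def redirect_uri_allowed(registered: List[str], requested: str) -> bool:
    # Plain string equality: no prefix match, no wildcard, no normalisation.
    # A trailing slash, a query string or a different host case all fail.
    return requested in registered

# --- Bearer tokens: Authorization header only, never the query string ---

def token_from_request(headers: Dict[str, str], url: str) -> Optional[str]:
    # Resource server: refuse access_token in the URL outright so it never
    # ends up in server logs, Referer headers or browser history.
    if "access_token" in parse_qs(urlsplit(url).query):
        raise ValueError("access_token in query string is not allowed in OAuth 2.1")
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token:
        return None
    return token

# --- Refresh token rotation for public clients ---

class RefreshTokenStore:
    # Each refresh token is single-use. Presenting a token that has already
    # been rotated is treated as theft: the whole family is revoked.
    def __init__(self) -> None:
        self._active: Dict[str, str] = {}   # token -> family id
        self._used: Dict[str, str] = {}     # already-rotated token -> family id
        self._revoked = set()               # family ids

    def issue(self, family: str) -> str:
        tok = secrets.token_urlsafe(32)
        self._active[tok] = family
        return tok

    def rotate(self, presented: str) -> Optional[str]:
        if presented in self._active:
            family = self._active.pop(presented)
            self._used[presented] = family
            return self.issue(family)
        if presented in self._used:
            # Replay of a rotated token: revoke every live token in the family.
            family = self._used[presented]
            self._revoked.add(family)
            for tok in [t for t, f in self._active.items() if f == family]:
                del self._active[tok]
        return None

if __name__ == "__main__":
    verifier = make_code_verifier()
    challenge = make_code_challenge(verifier)
    print("PKCE ok:", pkce_verify(challenge, verifier))
    print("redirect ok:", redirect_uri_allowed(["https://app.example/cb"], "https://app.example/cb/"))
    store = RefreshTokenStore()
    first = store.issue("session-1")
    second = store.rotate(first)
    print("replay detected:", store.rotate(first) is None and store.rotate(second) is None)
```

The PKCE vector from RFC 7636 Appendix B (`dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk` hashes to `E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM`) is a convenient check that your encoding drops the `=` padding and uses the URL-safe alphabet; both are common mistakes that make a server reject every verifier.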