Bearer of Good News
OAuth 2.0 shipped in 2012 with good intentions and glaring gaps. Public clients leaked secrets. Bearer tokens could be stolen and replayed. Authorization required users glued to their screens. Metadata lived in developer documentation rather than in discoverable endpoints. Token delegation meant copying credentials. Developers worked around these gaps with custom solutions and best practices until the spec formalized them.
OAuth 2.1 isn't a revolution; it's a consolidation. PKCE moves from optional to mandatory. DPoP adds cryptographic proof of possession to bearer tokens and guards against replay attacks. CIBA decouples authorization from your browser session. Client ID Metadata Documents and Authorization Server Metadata turn configuration from copy-paste into discovery. Token Exchange lets services act on behalf of users without copying credentials, so secrets never have to leave the authorization server. Cross-App Access extends this further with identity assertion grants. Each piece solves a real problem; together they form modern OAuth.
In this talk, we’ll illustrate why these extensions exist and when to reach for each one. Build systems that are secure by default, not by accident. Know which parts of the spec matter for your use case, from traditional apps to AI agents to B2B integrations.
We’ll assume some basic OAuth and OIDC knowledge and build on that, explaining each new concept from scratch.
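As an added illustration of the first point in the abstract (PKCE becoming mandatory in OAuth 2.1), the example below is not from the talk or from Auth0; it is a self-contained sketch of the RFC 7636 S256 flow. A public client derives a `code_challenge` from a random `code_verifier`, the authorization server stores the challenge beside the issued code, and the token endpoint only honours the code when the caller presents the matching verifier. The `AuthorizationServer` class, the `demo` function and the client id `spa-client` are assumed names for this example; the in-memory store stands in for real server state.

```python
import base64
import hashlib
import hmac
import secrets


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes: int = 32) -> str:
    """High-entropy verifier; 32 random bytes encode to 43 characters (RFC 7636 minimum)."""
    return b64url(secrets.token_bytes(nbytes))


def make_code_challenge(verifier: str) -> str:
    """S256 transform: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthorizationServer:
    """Minimal stand-in for the authorization and token endpoints (example only)."""

    def __init__(self) -> None:
        self._pending: dict[str, tuple[str, str]] = {}  # code -> (client_id, challenge)

    def authorize(self, client_id: str, code_challenge: str, method: str = "S256") -> str:
        # OAuth 2.1 drops the "plain" method: refuse anything but S256.
        if method != "S256":
            raise ValueError("only the S256 code_challenge_method is accepted")
        code = b64url(secrets.token_bytes(24))
        self._pending[code] = (client_id, code_challenge)
        return code

    def token(self, client_id: str, code: str, code_verifier: str):
        # pop() makes the code single-use; a replay of a consumed code fails here.
        entry = self._pending.pop(code, None)
        if entry is None:
            return None
        stored_client, challenge = entry
        if stored_client != client_id:
            return None
        if not 43 <= len(code_verifier) <= 128:
            return None
        # Constant-time comparison of the recomputed challenge against the stored one.
        if not hmac.compare_digest(make_code_challenge(code_verifier), challenge):
            return None
        return {"access_token": b64url(secrets.token_bytes(32)), "token_type": "Bearer"}


def demo() -> dict:
    """Legitimate redemption succeeds; a stolen code without the verifier, and a replay, do not."""
    server = AuthorizationServer()

    # Scenario 1: someone holding only an intercepted code (constructed scenario) guesses a verifier.
    verifier = make_code_verifier()
    code = server.authorize("spa-client", make_code_challenge(verifier))
    wrong_verifier_ok = server.token("spa-client", code, make_code_verifier()) is not None

    # Scenario 2: the client that created the verifier redeems its own code, then a replay is tried.
    verifier = make_code_verifier()
    code = server.authorize("spa-client", make_code_challenge(verifier))
    legit = server.token("spa-client", code, verifier)
    replay_ok = server.token("spa-client", code, verifier) is not None

    return {
        "wrong_verifier_accepted": wrong_verifier_ok,
        "legit_token_issued": legit is not None and legit["token_type"] == "Bearer",
        "replay_accepted": replay_ok,
    }


if __name__ == "__main__":
    print(demo())
```

The S256 transform is what lets a browser or mobile app use PKCE without holding a client secret: the challenge is sent over the front channel, but only the party that generated the verifier can redeem the code. The constant-time compare and the single-use `pop()` are the two server-side checks the abstract's "secure by default" framing depends on.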
Sam Bellen
Principal Developer Advocate at Auth0
Hasselt, Belgium