RFC 6749 — OAuth 2.0 Authorization Framework

Spec: datatracker.ietf.org/doc/html/rfc6749
Status: Partial

RFC 6749 defines the core OAuth 2.0 framework: the /authorize and /token endpoints, the four canonical grant types, and the rules for client authentication and redirect URI handling.

Implemented

  • Authorization Code Grant — /authorize + /oauth/token with grant_type=authorization_code.
  • Client Credentials Grant — /oauth/token with grant_type=client_credentials.
  • Refresh Token Grant — /oauth/token with grant_type=refresh_token, including rotation and revocation.
  • Client authentication — client_secret_basic (HTTP Basic) and client_secret_post (form body).
  • Redirect URI validation — exact-match against the registered allowlist.
  • State parameter — round-tripped through the authorization request for CSRF protection.
  • Scope handling — scopes validated against the client's configured scopes.
  • Error responses — standard error / error_description JSON and redirect forms.
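The three items above that most often go wrong in practice are redirect URI validation, the state round-trip, and the choice between the two error-response forms. The following is an added illustration written for this page, not this project's code: it shows the RFC 6749 section 4.1.2.1 rule that an unknown client or a redirect_uri that is not an exact match must produce a direct error and never a redirect, while any later error (bad response_type, disallowed scope, missing state) travels back to the registered redirect_uri with state echoed verbatim. The client registry, redirect URIs and request values are constructed; the server's real storage and routing are assumed to differ.

```python
"""Authorization-request validation for an RFC 6749 /authorize endpoint.

Added example for this page, not the project's own implementation.
The client registry and every URI and parameter value below are constructed.
"""
from urllib.parse import urlencode, urlsplit, urlunsplit, parse_qsl

# Constructed client registration: one client, an exact-match redirect allowlist
# and the scopes it is allowed to request.
CLIENTS = {
    "client-1": {
        "redirect_uris": {"https://app.example.com/callback", "http://localhost:3000/cb"},
        "scopes": {"openid", "profile", "email"},
    }
}


def redirect_uri_allowed(candidate: str, registered: set) -> bool:
    """RFC 6749 3.1.2: compare against the registered value by simple string
    comparison, never by prefix, suffix or host pattern. A fragment is rejected
    outright because a redirection URI must not contain one."""
    parts = urlsplit(candidate)
    if not parts.scheme or not parts.netloc or parts.fragment:
        return False  # relative, malformed, or carries a fragment
    return candidate in registered


def _append_query(url: str, extra: dict) -> str:
    """Append error parameters to a redirect URI, preserving any existing query."""
    parts = urlsplit(url)
    query = parse_qsl(parts.query, keep_blank_values=True) + list(extra.items())
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(query), ""))


def validate_authorization_request(params: dict) -> tuple:
    """Classify an authorization request.

    Returns ("direct_error", body)   when the user agent must NOT be redirected,
            ("redirect_error", url)  when the error is delivered to the client,
            ("ok", cleaned_params)   when the request may proceed to consent.
    """
    client = CLIENTS.get(params.get("client_id", ""))
    redirect_uri = params.get("redirect_uri", "")

    # 4.1.2.1: unknown client or unregistered redirect_uri -> inform the resource
    # owner directly; redirecting here would hand the error (and later, a code)
    # to an attacker-chosen location.
    if client is None:
        return ("direct_error", {"error": "invalid_request",
                                 "error_description": "unknown client_id"})
    if not redirect_uri_allowed(redirect_uri, client["redirect_uris"]):
        return ("direct_error", {"error": "invalid_request",
                                 "error_description": "redirect_uri not registered"})

    # From here on the redirect target is trusted. Errors go back via redirect,
    # and state (if supplied) is echoed unchanged so the client can bind the
    # response to the request it issued (its CSRF defence).
    state = params.get("state")

    def redirect_error(code: str, description: str) -> tuple:
        err = {"error": code, "error_description": description}
        if state is not None:
            err["state"] = state
        return ("redirect_error", _append_query(redirect_uri, err))

    if params.get("response_type") != "code":
        return redirect_error("unsupported_response_type",
                              "only response_type=code is handled here")
    if state is None:
        # RFC 6749 only RECOMMENDS state; this example makes it mandatory.
        return redirect_error("invalid_request", "state parameter is required")
    requested = set(params.get("scope", "").split())
    if not requested or not requested <= client["scopes"]:
        return redirect_error("invalid_scope", "scope not permitted for this client")

    return ("ok", {"client_id": params["client_id"], "redirect_uri": redirect_uri,
                   "scope": sorted(requested), "state": state})


if __name__ == "__main__":
    # Constructed requests: one valid, one with a near-miss redirect_uri, one bad scope.
    base = {"client_id": "client-1", "redirect_uri": "https://app.example.com/callback",
            "response_type": "code", "scope": "openid profile", "state": "abc123"}
    for variant in (base,
                    {**base, "redirect_uri": "https://app.example.com/callback?x=1"},
                    {**base, "scope": "admin"}):
        print(validate_authorization_request(variant))
```

The distinction between the two error forms is the point: a string mismatch in redirect_uri, including a trailing query string, a different scheme, a look-alike host or a fragment, is a direct error with no Location header, whereas a disallowed scope is reported to the client with the original state attached.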

Partial / not yet implemented

  • Implicit Grant — response types token and id_token are advertised via OIDC discovery and work for hybrid flows, but the legacy Implicit Grant is not recommended and not a primary supported path.
  • Resource Owner Password Credentials Grant — not exposed as the RFC 6749 grant; the Auth0-compatible passwordless OTP grant (http://auth0.com/oauth/grant-type/passwordless/otp) is used instead.
  • Token introspection (RFC 7662) — not implemented.
  • Token revocation (RFC 7009) — revocation_endpoint is advertised in discovery metadata but not yet routed.

Released under the MIT License.