Ensure the other parts of the oauth2 server library conform to the OAuth 2.1 spec, which is largely a compilation of best practices and lessons learned from OAuth 2.0.
The major differences from OAuth 2.0 are listed below.
- PKCE is required for all OAuth clients using the authorization code flow
- Redirect URIs must be compared using exact string matching
- The Implicit grant (response_type=token) is omitted from this specification
- The Resource Owner Password Credentials grant is omitted from this specification
- Bearer token usage omits the use of bearer tokens in the query string of URIs
- Refresh tokens for public clients must either be sender-constrained or one-time use
PKCE is #36 because I think it may be possible to do so without forking the oauth2 library.
All other bullets above are this issue.
Separate issue for upgrading to the latest version of the oauth2 library: #37
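For reference, here is an added example (written for this issue, not code from the oauth2 server library or from the OAuth 2.1 draft) of what enforcing the non-PKCE bullets above looks like in a minimal authorization server and resource server. The client registry, the in-memory code and refresh-token stores, and all function names are assumptions for illustration; the PKCE check is included only so the authorization code flow is complete. Note the one-time-use refresh token rotation, the exact redirect_uri comparison, and the rejection of `response_type=token`, `grant_type=password` and `access_token` in the query string.

```python
"""Added example, not the project's code: OAuth 2.1 request checks."""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlsplit

# Constructed client registration (hypothetical public SPA client).
CLIENTS = {
    "spa-client": {"public": True, "redirect_uris": ["https://app.example/cb"]},
}
CODES: dict = {}    # authorization code -> authorization record (single use)
REFRESH: dict = {}  # refresh token -> client_id (one-time use, rotated)


class AuthError(Exception):
    """Raised with the OAuth error code the server would return."""


def pkce_s256(verifier: str) -> str:
    """S256 code_challenge per RFC 7636: BASE64URL(SHA256(verifier)) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def check_authorize(params: dict) -> dict:
    """Validate an /authorize request; params is the parsed query string."""
    rt = params.get("response_type")
    if rt == "token":
        raise AuthError("unsupported_response_type: implicit grant is removed in OAuth 2.1")
    if rt != "code":
        raise AuthError("unsupported_response_type")
    client = CLIENTS.get(params.get("client_id"))
    if client is None:
        raise AuthError("invalid_client")
    # Exact string match against the registered URIs: no prefix, wildcard or normalisation.
    if params.get("redirect_uri") not in client["redirect_uris"]:
        raise AuthError("invalid_request: redirect_uri does not exactly match a registered URI")
    # PKCE is mandatory for every client; only S256 is accepted here.
    if params.get("code_challenge_method") != "S256" or not params.get("code_challenge"):
        raise AuthError("invalid_request: code_challenge with S256 is required")
    return {"client_id": params["client_id"], "redirect_uri": params["redirect_uri"],
            "code_challenge": params["code_challenge"]}


def issue_code(auth: dict) -> str:
    code = secrets.token_urlsafe(32)
    CODES[code] = auth
    return code


def _issue_tokens(client_id: str) -> dict:
    refresh = secrets.token_urlsafe(32)
    REFRESH[refresh] = client_id  # a fresh refresh token on every issuance
    return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
            "refresh_token": refresh}


def check_token(form: dict) -> dict:
    """Validate a /token request; form is the parsed POST body."""
    gt = form.get("grant_type")
    if gt == "password":
        raise AuthError("unsupported_grant_type: ROPC grant is removed in OAuth 2.1")
    if gt == "authorization_code":
        auth = CODES.pop(form.get("code"), None)  # pop: a code is redeemable once
        if auth is None or auth["client_id"] != form.get("client_id") \
                or auth["redirect_uri"] != form.get("redirect_uri"):
            raise AuthError("invalid_grant")
        verifier = form.get("code_verifier", "")
        if not 43 <= len(verifier) <= 128 or \
                not secrets.compare_digest(pkce_s256(verifier), auth["code_challenge"]):
            raise AuthError("invalid_grant: PKCE verification failed")
        return _issue_tokens(auth["client_id"])
    if gt == "refresh_token":
        client_id = REFRESH.pop(form.get("refresh_token"), None)  # pop: one-time use
        if client_id is None or client_id != form.get("client_id"):
            raise AuthError("invalid_grant")
        return _issue_tokens(client_id)
    raise AuthError("unsupported_grant_type")


def extract_bearer(url: str, headers: dict) -> str:
    """Resource server side: accept the bearer token from the Authorization header only."""
    if "access_token" in parse_qs(urlsplit(url).query):
        raise AuthError("invalid_request: access_token in the query string is not accepted")
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token:
        raise AuthError("invalid_token")
    return token


def is_rejected(fn, *args) -> bool:
    """Helper for exercising the checks: True if fn raises AuthError."""
    try:
        fn(*args)
    except AuthError:
        return True
    return False
```

The resource-server check (`extract_bearer`) is separate from the authorization-server checks because the "no bearer tokens in the query string" rule is enforced wherever tokens are accepted, not where they are issued.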