OAuth 2.1

[cjslep]

Ensure other parts of the oauth2 server library conform to the OAuth 2.1 spec, which is more of a compilation of best practices and learnings from OAuth2.

The major differences from OAuth 2.0 are listed below.

• PKCE is required for all OAuth clients using the authorization code flow
• Redirect URIs must be compared using exact string matching
• The Implicit grant (response_type=token) is omitted from this specification
• The Resource Owner Password Credentials grant is omitted from this specification
• Bearer token usage omits the use of bearer tokens in the query string of URIs
• Refresh tokens for public clients must either be sender-constrained or one-time use

• PKCE is #36 because I think it may be possible to do so w/o forking the oauth2 library
• All other above bullets are this issue
• Separate issue for upgrading to the latest version of the oauth2 library #37

[cjslep]

Turning the above into a checklist:

• [ ] PKCE is required for all OAuth clients using the authorization code flow (see: #36)
• [ ] Redirect URIs must be compared using exact string matching
• [ ] The Implicit grant (response_type=token) is omitted from this specification
• [ ] The Resource Owner Password Credentials grant is omitted from this specification
• [ ] Bearer token usage omits the use of bearer tokens in the query string of URIs
• [ ] Refresh tokens for public clients must either be sender-constrained or one-time use