Beyond 2.0: Securing Decoupled Drupal with Simple OAuth 2.1
Date Published: March 12, 2026
As the web moves toward more decentralized and decoupled architectures, the way we handle authentication is evolving. For years, the Simple OAuth module has been the gold standard for turning Drupal into an OAuth 2.0 Authorization Server.
However, the IETF (Internet Engineering Task Force) is finalizing OAuth 2.1, a consolidated specification that captures a decade of security best practices. To meet these new standards, the Drupal community has introduced the Simple OAuth 2.1 module.
In this post, we’ll explore why OAuth 2.1 matters and how this new module helps you build more secure Drupal-powered APIs.
Why OAuth 2.1?
OAuth 2.1 isn't a "new protocol" but rather a "best-of" collection of OAuth 2.0 extensions. It removes outdated "footguns" and makes security features mandatory. Key changes include:
Mandatory PKCE: Proof Key for Code Exchange (PKCE) is now required for all clients, preventing authorization code interception attacks.
Removal of Implicit Grant: The insecure implicit flow (often used in SPAs) is gone. Developers must now use the Authorization Code flow with PKCE.
Removal of Password Grant: The Resource Owner Password Credentials grant is deprecated to discourage users from sharing their passwords with third-party apps.
Exact Redirect URIs: Redirect URIs must now use exact string matching to prevent open redirector vulnerabilities.
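To make the "exact string matching" rule concrete, here is an added example (not code from the module or this post) of a redirect URI check as OAuth 2.1 expects it, next to the host-only matching it replaces. The registered URIs are constructed sample data; the loopback-port exception for native apps follows RFC 8252 §7.3, which OAuth 2.1 retains.

```python
from urllib.parse import urlsplit

# Constructed sample data: redirect URIs registered for one hypothetical client.
REGISTERED_REDIRECT_URIS = {
    "https://app.example.com/oauth/callback",
    "http://127.0.0.1/cb",  # loopback URI for a native app (port may vary)
}


def is_loopback(uri: str) -> bool:
    """True for the RFC 8252 loopback hosts, which are allowed any port."""
    return urlsplit(uri).hostname in ("127.0.0.1", "::1")


def redirect_uri_allowed(requested: str, registered=REGISTERED_REDIRECT_URIS) -> bool:
    """OAuth 2.1 rule: the requested URI must equal a registered one byte for byte.
    The only permitted relaxation is that a loopback URI may change its port."""
    if requested in registered:
        return True
    if is_loopback(requested):
        req = urlsplit(requested)
        for uri in registered:
            reg = urlsplit(uri)
            if (is_loopback(uri) and req.scheme == reg.scheme == "http"
                    and req.hostname == reg.hostname
                    and req.path == reg.path and req.query == reg.query):
                return True
    return False


def redirect_uri_loosely_allowed(requested: str, registered=REGISTERED_REDIRECT_URIS) -> bool:
    """Pre-2.1 anti-pattern: accept any URI on a registered scheme+host.
    Kept only to show what exact matching closes: any open redirector on the
    registered host would pass this check and receive the authorization code."""
    req = urlsplit(requested)
    return any(req.scheme == urlsplit(u).scheme and req.hostname == urlsplit(u).hostname
               for u in registered)
```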
Introducing the Simple OAuth 2.1 Module
The Simple OAuth 2.1 module for Drupal acts as an "umbrella" coordination module. Instead of one massive codebase, it provides a dashboard and a suite of specialized sub-modules:
simple_oauth_pkce: Enforces PKCE requirements across all flows.
simple_oauth_device_flow: Implements RFC 8628 for IoT devices, smart TVs, and CLI applications.
simple_oauth_server_metadata: Provides an automatic discovery endpoint (/.well-known/oauth-authorization-server) so clients can auto-configure themselves.
simple_oauth_native_apps: Adds security specifically for mobile and desktop apps, including WebView detection.
How to Get Started
Installation
You can install the module via Composer. Note that it depends on the original simple_oauth module as its foundation.
composer require 'drupal/simple_oauth_21:^1.0'
Configuration
Here is how you can configure your environment for maximum security and compliance.
The Command Center: Compliance Overview (Dashboard)
Your first stop is the central dashboard. This page acts as your "North Star," showing you exactly where your server stands in terms of the latest security protocols.
Path: /admin/config/people/simple_oauth/oauth-21
Goal: Audit your current compliance status and get a bird's-eye view of your configuration options.
Branding Your Server: Metadata and Discovery (Server Metadata)
For remote HTTP access, your authorization server needs to "introduce" itself to clients. This is handled via RFC 8414 Authorization Server Metadata and OpenID Connect (OIDC) Discovery.
Server Metadata: Navigate to /admin/config/people/simple_oauth/oauth-21/server-metadata to fill in specific fields that describe your server's capabilities.
Discovery: Your server automatically exposes an endpoint at /.well-known/openid-configuration. This tells clients which response types, modes, and claims your system supports.
Refining Endpoints and Claims
A modern auth server does more than just issue tokens; it manages their entire lifecycle. You can enable optional endpoints to provide a full suite of services:
Token Revocation: Allows clients to "log out" or invalidate a token.
Token Introspection: Allows protected resources to check if a token is still valid.
Device Authorization: Essential for "headless" devices (like Smart TVs) that don't have a standard browser.
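Because the discovery document advertises exactly the capabilities this section configures, it can be audited against OAuth 2.1 directly. The following is an added example, not part of the module, that checks an RFC 8414 metadata document for the 2.1 requirements covered in this post; the metadata values are constructed and the endpoint paths are placeholders, not the module's real routes.

```python
# Constructed sample of a metadata document as json.loads() would return it from
# /.well-known/oauth-authorization-server. Field names are RFC 8414 / RFC 8628;
# the issuer and endpoint URLs are placeholders, not Simple OAuth's real paths.
SAMPLE_METADATA = {
    "issuer": "https://drupal.example.com",
    "authorization_endpoint": "https://drupal.example.com/oauth/authorize",
    "token_endpoint": "https://drupal.example.com/oauth/token",
    "revocation_endpoint": "https://drupal.example.com/oauth/revoke",
    "device_authorization_endpoint": "https://drupal.example.com/oauth/device",
    "response_types_supported": ["code", "token"],
    "grant_types_supported": ["authorization_code", "refresh_token", "password",
                              "urn:ietf:params:oauth:grant-type:device_code"],
    "code_challenge_methods_supported": ["S256", "plain"],
}


def audit_oauth21(md: dict) -> list:
    """Return OAuth 2.1 compliance findings for an RFC 8414 metadata document.
    An empty list means nothing advertised contradicts OAuth 2.1."""
    findings = []
    for field in ("issuer", "authorization_endpoint", "token_endpoint"):
        if not str(md.get(field, "")).startswith("https://"):
            findings.append(f"{field} missing or not https")
    # OAuth 2.1 removes the implicit grant (response_type=token) and the
    # resource owner password grant entirely.
    if "token" in md.get("response_types_supported", []):
        findings.append("implicit flow advertised (response_type=token)")
    for grant in ("implicit", "password"):
        if grant in md.get("grant_types_supported", []):
            findings.append(f"removed grant type advertised: {grant}")
    # PKCE is mandatory and S256 is the only method that should remain.
    methods = md.get("code_challenge_methods_supported", [])
    if "S256" not in methods:
        findings.append("PKCE S256 not advertised")
    if "plain" in methods:
        findings.append("PKCE plain method still enabled (downgrade risk)")
    # Lifecycle endpoints the post describes as optional; flag their absence.
    for ep in ("revocation_endpoint", "introspection_endpoint"):
        if ep not in md:
            findings.append(f"optional endpoint not published: {ep}")
    return findings
```

Running `audit_oauth21(SAMPLE_METADATA)` on the constructed document reports the implicit flow, the password grant, the plain PKCE method and the missing introspection endpoint.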
Conclusion
The move to OAuth 2.1 is about making the "secure way" the "only way." By using the Simple OAuth 2.1 module ecosystem, you aren't just following a trend—you’re future-proofing your Drupal API against the common vulnerabilities of the past decade.
Whether you're building a headless commerce site, a mobile app, or an AI-driven agent integration, Simple OAuth 2.1 provides the framework you need to stay compliant and secure.
Simple OAuth 2.1 for Drupal highlights the shift toward more secure, modern authentication standards. The module isn't just a minor update—it's a comprehensive ecosystem designed to bring Drupal up to the latest IETF standards.
In OAuth 2.1, PKCE (Proof Key for Code Exchange) is no longer optional—it’s a requirement. This prevents authorization code injection attacks, which is especially vital for "public clients" like mobile or desktop apps.
Global Policies: Set security guardrails for mobile environments at /admin/config/people/simple_oauth/oauth-21/native-apps.
Enforcement (PKCE)
Go to /admin/config/people/simple_oauth/oauth-21/pkce and ensure the following settings are toggled:
Mandatory Enforcement: Check this to reject any request without a code challenge.
Method S256: Enable this for secure hashing.
Disable Plain Method: Always disable plain in production to prevent "downgrade" attacks.
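The three settings above correspond to three decisions a token endpoint makes when it verifies PKCE. This added example (not the module's code) shows the client-side verifier and S256 challenge from RFC 7636 beside a server-side check whose policy flags are hypothetical names standing in for the module's "Mandatory Enforcement", "Method S256" and "Disable Plain Method" toggles.

```python
import base64
import hashlib
import hmac
import secrets
from dataclasses import dataclass


def make_code_verifier(nbytes: int = 32) -> str:
    """Client side: high-entropy verifier, 43..128 chars of the RFC 7636 unreserved set."""
    return base64.urlsafe_b64encode(secrets.token_bytes(nbytes)).rstrip(b"=").decode("ascii")


def make_code_challenge(verifier: str, method: str = "S256") -> str:
    """Client side: S256 is BASE64URL(SHA256(ASCII(verifier))) without padding."""
    if method == "S256":
        digest = hashlib.sha256(verifier.encode("ascii")).digest()
        return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    if method == "plain":
        return verifier
    raise ValueError(f"unsupported code_challenge_method: {method}")


@dataclass(frozen=True)
class PkcePolicy:
    """Hypothetical names mirroring the module's PKCE settings page."""
    mandatory: bool = True      # reject codes that were issued without a code_challenge
    allow_s256: bool = True     # accept code_challenge_method=S256
    allow_plain: bool = False   # keep off in production: plain allows a downgrade


def verify_pkce(policy: PkcePolicy, stored_challenge, stored_method, code_verifier) -> bool:
    """Server side, at the token endpoint: recompute the challenge from the presented
    code_verifier and compare it in constant time with the one stored alongside the code."""
    if stored_challenge is None:
        return not policy.mandatory  # with PKCE mandatory, such a code must never be redeemed
    if code_verifier is None or not (43 <= len(code_verifier) <= 128):
        return False
    method = stored_method or "plain"  # RFC 7636 default when the method was omitted
    if method == "S256" and not policy.allow_s256:
        return False
    if method == "plain" and not policy.allow_plain:
        return False
    if method not in ("S256", "plain"):
        return False
    expected = make_code_challenge(code_verifier, method)
    return hmac.compare_digest(expected, stored_challenge)
```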
If you allow clients to register dynamically, you must define which "Grant Types" they are allowed to use by default. This ensures that a new client doesn't gain more power than intended.