Cover image for OAuth 2.1 implicit flow article

The End of the Implicit Flow: Why OAuth 2.1 Matters for Modern Apps

• by Opendata Consult Ltd

In the world of web security, it's not often that deprecating a feature is cause for celebration. But with OAuth 2.1, that's exactly what's happening. The removal of the implicit flow is one of the most significant and welcome changes in the evolution of OAuth - especially for those building modern, secure fintech apps.

What Was the Implicit Flow?

Introduced in OAuth 2.0, the implicit flow was designed for browser-based apps (like SPAs) that couldn't safely store a client secret. Instead of using the authorisation code flow (which exchanges a short-lived code for an access token), the implicit flow returned the access token directly in the URL fragment.

At the time, this approach made sense - but it came with serious drawbacks:

  • Access tokens were exposed to the browser and stored in-memory.
  • Tokens were often cached in browser history or accessible via malicious scripts.
  • There was no way to securely refresh the token - leading to poor UX or repeated logins.

Enter OAuth 2.1: A Clean Slate

OAuth 2.1 is a consolidation of best practices from years of security research, real-world implementation feedback, and lessons learned from breaches and misuse. And at the heart of it: the implicit flow is gone.

Instead, all clients - including SPAs - are expected to use the authorisation code flow with PKCE (Proof Key for Code Exchange). This approach:

  • Keeps tokens out of the browser address bar and history.
  • Enables token refresh without re-authentication.
  • Protects against interception and replay attacks.

Why This Matters for Fintech

In regulated environments like Open Banking, implicit flow has long been forbidden. Specifications like FAPI 1.0 and FAPI 2.0 mandate the use of secure flows like code+PKCE with signed JWT requests, mTLS, and JARM.

But even for non-regulated apps, OAuth 2.1 provides clarity and confidence. Developers no longer need to decide "which flow is right" - the spec gives a clear, secure path forward.

If you're building:

  • A single-page app using React or Vue
  • A native mobile app
  • A B2B platform with delegated access

...then using code+PKCE is your best bet - and OAuth 2.1 makes that official.

Other Improvements in OAuth 2.1

Besides dropping the implicit flow, OAuth 2.1 also:

  • Mandates PKCE for all public clients (like SPAs and mobile apps)
  • Removes the password grant type
  • Encourages use of state and nonce parameters
  • Promotes OpenID Connect for identity use cases

This makes the spec easier to read, easier to implement, and more secure by default.

What Developers Need to Do

If you're still using implicit flow - it's time to migrate. All modern OAuth libraries support code+PKCE, and identity providers (like Auth0, Okta, Cloudentity, etc.) recommend it by default.

For older apps, the migration path may involve:

  • Updating your OAuth client settings in your IDP
  • Implementing token exchange using /token endpoints
  • Using a secure redirect handler for code parsing

Conclusion

The removal of implicit flow is more than a technical change - it's a statement. The OAuth community is prioritising security, simplicity, and clarity. OAuth 2.1 represents a mature, modern approach to delegated authorisation - and it's here to stay.

👋 Enjoyed the article?

Book a Call with Us