...
Support PKCE in the authorization code flow
Add a field to label OAuth 2 clients as either “public” or “confidential”, and backfill existing clients as “confidential”
Public clients should not be issued secrets
Note: Refresh tokens become single-use bearer tokens.
Public clients should be required to use PKCE
Revoke the current iteration of a refresh token when an old (expired or already-used) refresh token is presented
Don’t save consent records for public OAuth clients
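The items above, as an added illustration rather than code from the project: an S256 PKCE check, a /token rule that refuses secrets from public clients and requires PKCE from them, and single-use refresh tokens whose family is revoked when a spent token is replayed. The client registry, client ids and secret are constructed for the example.

```python
import base64
import hashlib
import secrets

def s256_challenge(verifier):
    # code_challenge = BASE64URL(SHA256(ASCII(code_verifier))) without padding (RFC 7636).
    return base64.urlsafe_b64encode(hashlib.sha256(verifier.encode("ascii")).digest()).rstrip(b"=").decode()

def verify_pkce(stored_challenge, verifier):
    # Only S256 is accepted; constant-time comparison of the recomputed challenge.
    return secrets.compare_digest(s256_challenge(verifier), stored_challenge)

# Constructed client registry; the "type" field is the public/confidential label.
CLIENTS = {"spa": {"type": "public", "secret": None},
           "backend": {"type": "confidential", "secret": "constructed-secret"}}

def check_token_request(client_id, client_secret, stored_challenge, code_verifier):
    """True when the /token request meets the rules for the client's type."""
    client = CLIENTS.get(client_id)
    if client is None:
        return False
    if client["type"] == "public":   # no secret is ever issued; PKCE is mandatory
        return client_secret is None and code_verifier is not None \
            and verify_pkce(stored_challenge, code_verifier)
    return client_secret is not None and secrets.compare_digest(client_secret, client["secret"])

class RefreshTokens:
    """Single-use refresh tokens; replaying a spent one revokes the whole family."""
    def __init__(self):
        self.records = {}   # token -> {"family": id, "spent": bool}
        self.current = {}   # family id -> live token, or None once revoked
    def issue(self, family=None):
        token, family = secrets.token_urlsafe(32), family or secrets.token_hex(8)
        self.records[token] = {"family": family, "spent": False}
        self.current[family] = token
        return token
    def rotate(self, presented):
        rec = self.records.get(presented)
        if rec is None:
            return None
        if rec["spent"] or self.current[rec["family"]] is None:
            self.current[rec["family"]] = None   # old token replayed: revoke the current iteration too
            return None
        rec["spent"] = True
        return self.issue(rec["family"])
    def is_live(self, token):
        rec = self.records.get(token)
        return rec is not None and self.current.get(rec["family"]) == token
```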
...