OAuth 2.0 client authentication over TLS with X.509 certificates
To address the requirements of fintech and open banking applications, where certificate-based client authentication over TLS is mandated by regulation, the OAuth working group is putting together a new spec, draft-ietf-oauth-mtls (OAuth 2.0 Mutual TLS Client Authentication and Certificate Bound Access Tokens).
The spec also defines a useful security enhancement, certificate-bound access tokens: the issued access token carries a SHA-256 thumbprint of the client's certificate (the x5t#S256 member of the cnf claim), which binds the token to that certificate. A resource server checks that the certificate presented on the TLS connection matches the thumbprint before honouring the token, so a token that leaks or is stolen cannot be used by anyone who does not also hold the client's private key.
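The binding check described above, as an added example that is not code from the original page or from the project it describes. The thumbprint is computed exactly as the spec defines it (base64url, no padding, of the SHA-256 of the DER-encoded certificate); the certificate bytes, issuer URL, expiry and the claim values are constructed stand-ins, and the example builds the token payload only, leaving JWT signing to the authorisation server.

```python
import base64
import hashlib
import hmac
from typing import Optional

# Constructed stand-ins for DER-encoded X.509 client certificates. In a real
# deployment the resource server obtains the presented certificate from the
# TLS layer, e.g. ssl.SSLSocket.getpeercert(binary_form=True).
CLIENT_CERT_DER = b"\x30\x82\x01\x0a" + b"constructed-legitimate-client-certificate"
ATTACKER_CERT_DER = b"\x30\x82\x01\x0a" + b"constructed-attacker-certificate"


def x5t_s256(cert_der: bytes) -> str:
    """Thumbprint for the x5t#S256 member of the cnf claim: base64url without
    padding of the SHA-256 hash over the DER encoding of the certificate."""
    digest = hashlib.sha256(cert_der).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def issue_bound_access_token(client_id: str, scope: str, cert_der: bytes) -> dict:
    """Authorisation-server side: claims of an access token bound to the
    certificate that authenticated the client at the token endpoint.
    Returns the JWT payload only; signing is out of scope here (assumption)."""
    return {
        "iss": "https://as.example.com",  # assumed issuer URL
        "sub": client_id,
        "client_id": client_id,
        "scope": scope,
        "exp": 1700000000,               # constructed expiry
        "cnf": {"x5t#S256": x5t_s256(cert_der)},
    }


def check_certificate_binding(claims: dict, presented_cert_der: Optional[bytes]) -> bool:
    """Resource-server side: accept the (already signature-verified) token only
    if the certificate presented on this TLS connection matches the one the
    token was bound to. A token with no cnf claim is rejected, on the policy
    assumption that this resource requires certificate-bound tokens."""
    cnf = claims.get("cnf")
    if not isinstance(cnf, dict) or "x5t#S256" not in cnf:
        return False
    if presented_cert_der is None:
        return False  # bearer-style use over a connection with no client certificate
    expected = cnf["x5t#S256"]
    actual = x5t_s256(presented_cert_der)
    return hmac.compare_digest(expected, actual)


def demo() -> dict:
    """Legitimate use, replay of a stolen token with another certificate,
    and replay with no client certificate at all."""
    token = issue_bound_access_token("fintech-app-1", "accounts:read", CLIENT_CERT_DER)
    return {
        "legitimate": check_certificate_binding(token, CLIENT_CERT_DER),
        "stolen_with_other_cert": check_certificate_binding(token, ATTACKER_CERT_DER),
        "stolen_without_cert": check_certificate_binding(token, None),
    }


if __name__ == "__main__":
    print(demo())
```

The comparison uses a constant-time compare, and the check is deliberately placed after signature verification: the cnf claim is only trustworthy once the token's integrity has been established.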
JWT-secured authorisation requests
OAuth 2.0 Token Exchange
The OAuth 2.0 Token Exchange spec defines a Security Token Service (STS) API at the token endpoint for exchanging one security token for another, and for expressing impersonation (the issued token acts as the subject) and delegation (the issued token also records the acting party in an act claim) use cases.
Token exchange will be implemented once the spec becomes final or sufficiently stable.
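The impersonation and delegation cases of the STS API, as an added example that is not code from the original page or from the project it describes. The grant type and token type URNs and the act and may_act claims are those of the Token Exchange spec; the issuer URL, the table of pre-verified tokens and the response's stand-in for a signed JWT are constructed assumptions, so that the example runs offline.

```python
import json
from typing import Dict

TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"
ISSUER = "https://as.example.com"  # assumed issuer URL

# Constructed, already-verified tokens keyed by their opaque string. A real STS
# would parse and verify the JWT, or introspect an opaque token, at this point.
VERIFIED_TOKENS: Dict[str, dict] = {
    "subject-token-1": {"iss": ISSUER, "sub": "alice", "scope": "accounts:read payments:read"},
    "actor-token-1": {"iss": ISSUER, "sub": "https://service-b.example.com"},
    "actor-token-2": {"iss": ISSUER, "sub": "https://service-c.example.com"},
    # bob's token restricts who may act on his behalf
    "restricted-subject-token": {"iss": ISSUER, "sub": "bob", "scope": "accounts:read",
                                 "may_act": {"sub": "https://service-c.example.com"}},
}


class ExchangeError(Exception):
    """Carries the OAuth error code for the HTTP 400 token error response."""


def resolve(token: str) -> dict:
    """Look up a pre-verified token (stand-in for JWT validation / introspection)."""
    try:
        return VERIFIED_TOKENS[token]
    except KeyError:
        raise ExchangeError("invalid_request") from None


def exchange_claims(params: dict) -> dict:
    """Claims of the token the STS issues for a token exchange request.
    No actor_token: impersonation, the new token simply carries the subject.
    With actor_token: delegation, the actor is recorded in the act claim and
    any earlier delegation chain from the subject token is nested beneath it."""
    if params.get("grant_type") != TOKEN_EXCHANGE_GRANT:
        raise ExchangeError("unsupported_grant_type")
    if "subject_token" not in params or params.get("subject_token_type") != ACCESS_TOKEN_TYPE:
        raise ExchangeError("invalid_request")
    subject = resolve(params["subject_token"])

    # The issued token may narrow but never widen the subject token's scope.
    subject_scopes = set(subject.get("scope", "").split())
    requested = set(params["scope"].split()) if "scope" in params else subject_scopes
    if not requested <= subject_scopes:
        raise ExchangeError("invalid_scope")

    claims = {"iss": ISSUER, "sub": subject["sub"], "scope": " ".join(sorted(requested))}
    if "audience" in params:
        claims["aud"] = params["audience"]

    actor_token = params.get("actor_token")
    if actor_token is None:
        return claims  # impersonation

    if params.get("actor_token_type") != ACCESS_TOKEN_TYPE:
        raise ExchangeError("invalid_request")
    actor = resolve(actor_token)

    # Honour a may_act restriction on the subject token.
    may_act = subject.get("may_act")
    if may_act is not None and may_act.get("sub") != actor["sub"]:
        raise ExchangeError("invalid_request")

    act = {"sub": actor["sub"]}
    if "act" in subject:
        act["act"] = subject["act"]  # preserve the existing delegation chain
    claims["act"] = act
    return claims


def token_exchange(params: dict) -> dict:
    """Successful token endpoint response for the exchange."""
    claims = exchange_claims(params)
    return {
        "access_token": json.dumps(claims),  # stand-in for a signed JWT (assumption)
        "issued_token_type": ACCESS_TOKEN_TYPE,
        "token_type": "Bearer",
        "expires_in": 300,
    }
```

A chained delegation (a delegated token exchanged again with a new actor) yields an act claim whose outermost sub is the current actor and whose nested act holds the previous one, which is what a downstream service audits when it needs the full chain.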
OAuth 2.0 Device Flow
The OAuth 2.0 Device Authorization Grant is intended for browser-less and input-constrained devices, such as smart TVs, media consoles and printers: the device shows the user a short code to enter on a phone or computer and polls the token endpoint until the user has authorised it there. The spec is still in development.