Reference
OAuth 2.0 is the industry-standard protocol for authorization. OAuth 2.0 supersedes the work done on the original OAuth protocol created in 2006. OAuth 2.0 focuses on client developer simplicity while providing specific authorization flows for web applications, desktop applications, mobile phones, and living room devices. This specification and its extensions are being developed within the IETF OAuth Working Group.
Specifications
- OpenID Connect Core 1.0 incorporating errata set 1 - The identity layer on top of OAuth 2.0: defines the ID Token (a signed JWT describing the authenticated user) and the UserInfo endpoint.
- OAuth 2.0 Multiple Response Type Encoding Practices - Defines how several response_type values (for example `code id_token`) are combined in one request and how the resulting parameters are encoded in the redirect.
- OAuth 2.0 Form Post Response Mode - response_mode=form_post: the authorization response is returned as an auto-submitted HTML form POST instead of in the URL query or fragment, keeping codes and tokens out of browser history and Referer headers.
- OAuth 2.0 Threat Model and Security Considerations - RFC 6819: the threat model for OAuth 2.0 and the countermeasures an authorization server, client and resource server are expected to implement.
- JSON Web Key (JWK) - RFC 7517: the JSON format for representing cryptographic keys. Publishing an authorization server's signing keys as a JWK Set lets resource servers and the other provider instances of a federated cluster verify the JWTs it issues.
- OAuth 2.0 Token Introspection - RFC 7662: the endpoint a resource server calls to learn whether an opaque token is active and what it authorizes; used as the reference for de-referencing an opaque token into a JWT.
- OAuth 2.0 Token Revocation - RFC 7009: the endpoint a client calls to revoke an access token or refresh token, for example after a compromise; revoking a refresh token should also invalidate the access tokens issued from it.
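As an added example (not part of this reference list or of any of the specifications it points to), the following Python sketches the server-side logic behind the last two RFCs: an RFC 7662 introspection endpoint that answers `{"active": false}` for anything not currently valid, an RFC 7009 revocation that also invalidates the access tokens derived from a revoked refresh token, and the "de-reference an opaque token to a JWT" step that mints a self-contained token from an introspection result. The token records, client ids, the fixed clock `NOW` and the HS256 shared key are constructed assumptions, not data from any real server.

```python
import base64
import hashlib
import hmac
import json
from typing import Dict, Optional

# Constructed sample data standing in for the authorization server's token
# database, keyed by the opaque token string handed to clients. NOW is a fixed
# clock so that the example is deterministic.
NOW = 1_700_000_000
TOKEN_DB: Dict[str, dict] = {
    "acc_live":    {"type": "access_token", "client_id": "app1", "sub": "alice",
                    "scope": "read write", "exp": NOW + 3600, "refresh": "ref_live", "revoked": False},
    "acc_expired": {"type": "access_token", "client_id": "app1", "sub": "alice",
                    "scope": "read", "exp": NOW - 60, "refresh": None, "revoked": False},
    "ref_live":    {"type": "refresh_token", "client_id": "app1", "sub": "alice",
                    "scope": "read write", "exp": NOW + 86400, "refresh": None, "revoked": False},
}

def introspect(token: str, now: int = NOW) -> dict:
    """RFC 7662 introspection response for an opaque token.

    Anything that is not a currently valid token yields exactly {"active": False}.
    The spec lets the server withhold the reason, so a caller cannot probe whether
    a token is unknown, expired or revoked.
    """
    rec = TOKEN_DB.get(token)
    if rec is None or rec["revoked"] or rec["exp"] <= now:
        return {"active": False}
    resp = {"active": True, "client_id": rec["client_id"], "sub": rec["sub"],
            "scope": rec["scope"], "exp": rec["exp"]}
    if rec["type"] == "access_token":
        resp["token_type"] = "Bearer"
    return resp

def revoke(token: str, client_id: str) -> None:
    """RFC 7009 revocation.

    The endpoint answers HTTP 200 whether or not the token exists, so it cannot be
    used as an oracle for valid tokens. A token issued to another client is treated
    like an unknown one here (a design choice; the RFC also allows an error).
    Revoking a refresh token also invalidates the access tokens issued from it.
    """
    rec = TOKEN_DB.get(token)
    if rec is None or rec["client_id"] != client_id:
        return
    rec["revoked"] = True
    if rec["type"] == "refresh_token":
        for other in TOKEN_DB.values():
            if other["refresh"] == token:
                other["revoked"] = True

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def opaque_to_jwt(token: str, key: bytes, issuer: str, audience: str,
                  now: int = NOW) -> Optional[str]:
    """De-reference an opaque access token into a self-contained JWT built from
    its introspection result, as a gateway might do before forwarding a request
    to services that only understand JWTs. Returns None if the token is inactive.

    HS256 with a shared secret is used only to stay within the standard library;
    a deployment would sign with a private key and publish the public key as a JWK.
    """
    info = introspect(token, now)
    if not info.get("active"):
        return None
    dump = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": issuer, "aud": audience, "sub": info["sub"], "client_id": info["client_id"],
              "scope": info["scope"], "iat": now, "exp": info["exp"]}
    signing_input = dump(header) + "." + dump(claims)
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def verify_jwt(jwt: str, key: bytes, now: int = NOW) -> Optional[dict]:
    """Check the HS256 signature (constant-time) and exp of a JWT from opaque_to_jwt.
    The alg header is deliberately ignored: this verifier only ever does HS256, so
    an attacker-supplied "alg": "none" has no effect."""
    parts = jwt.split(".")
    if len(parts) != 3:
        return None
    head, payload, sig = parts
    expected = hmac.new(key, f"{head}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url(expected), sig):
        return None
    claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    if claims.get("exp", 0) <= now:
        return None
    return claims

if __name__ == "__main__":
    key = b"shared-secret-for-illustration"
    jwt = opaque_to_jwt("acc_live", key, "https://as.example", "orders-api")
    print(verify_jwt(jwt, key))
    revoke("ref_live", "app1")      # cascades to acc_live
    print(introspect("acc_live"))   # {'active': False}
```

The point to take from `introspect` is the single negative answer: a resource server that receives `{"active": false}` must treat the request as unauthenticated and not try to guess why, and the server must not leak the distinction.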
Articles and Blogs
- OAuth 2 and Fragment encoding - Some browsers changed how they encode the URL fragment, which affects OAuth 2.0 responses that return parameters in the fragment (response_type=token and the other fragment response modes).
- Open Redirect Vulnerability - Why the authorization server must validate redirect_uri against the pre-registered value with an exact string comparison: prefix or wildcard matching lets an attacker supply a URI that sends the authorization code or token to a server they control.
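As an added example (not taken from the article above or from any particular authorization server), the following Python puts the weak prefix check next to the exact comparison and shows the attacker-controlled redirect URIs that only the former accepts. It also includes the second comparison the token endpoint has to make when the code is redeemed. The client registry, the attacker URLs and the loopback relaxation for the native client are constructed for illustration; the loopback rule follows RFC 8252 section 7.3, and the rest follows the exact-matching recommendation of RFC 6819 and the OAuth 2.0 Security Best Current Practice.

```python
from typing import Dict, List, Set, Tuple
from urllib.parse import urlsplit

# Constructed client registry: the redirect URIs each client registered out of band.
REGISTERED_REDIRECTS: Dict[str, Set[str]] = {
    "web-app":    {"https://client.example.com/cb"},
    "legacy-app": {"https://legacy.example.com"},   # origin-only registration, common in old setups
    "cli-tool":   {"http://127.0.0.1/cb"},          # native app, loopback listener on a random port
}

def prefix_match(client_id: str, redirect_uri: str) -> bool:
    """The weak check: accept any URI that merely starts with a registered value."""
    return any(redirect_uri.startswith(reg) for reg in REGISTERED_REDIRECTS.get(client_id, ()))

def _is_loopback(u) -> bool:
    return u.scheme == "http" and u.hostname in ("127.0.0.1", "::1")

def exact_match(client_id: str, redirect_uri: str) -> bool:
    """The recommended check: simple string equality with a registered URI.

    The only relaxation is the RFC 8252 loopback rule for native clients: the port
    is chosen when the app starts its local listener, so it is ignored, while scheme,
    host, path and query must still be identical and no fragment is allowed.
    """
    for reg in REGISTERED_REDIRECTS.get(client_id, ()):
        if redirect_uri == reg:
            return True
        r, u = urlsplit(reg), urlsplit(redirect_uri)
        if (_is_loopback(r) and _is_loopback(u) and u.hostname == r.hostname
                and u.path == r.path and u.query == r.query and not u.fragment):
            return True
    return False

def token_request_ok(issued: dict, presented_redirect_uri: str) -> bool:
    """Second check, at the token endpoint (RFC 6749 section 4.1.3): the redirect_uri
    sent with the authorization code must be identical to the one the code was issued
    for, so a code captured elsewhere cannot be redeemed with a different URI."""
    return issued.get("redirect_uri") == presented_redirect_uri

# Constructed attack inputs. Each one passes prefix_match and fails exact_match.
ATTACKS: List[Tuple[str, str]] = [
    # Origin-only registration: the host is extended, or pushed into the userinfo
    # part of the URL, so the browser actually connects to attacker.net.
    ("legacy-app", "https://legacy.example.com.attacker.net/cb"),
    ("legacy-app", "https://legacy.example.com@attacker.net/cb"),
    # Full-path registration: a traversal segment or query string is appended. The
    # browser normalises "/cb/../redirect" to "/redirect", so the code lands on a
    # different endpoint of the client, which may itself be an open redirector.
    ("web-app", "https://client.example.com/cb/../redirect?to=https://attacker.net/"),
    ("web-app", "https://client.example.com/cb?next=https://attacker.net/"),
]

def evaluate_attacks() -> Dict[str, Tuple[bool, bool]]:
    """Map each attack URI to (accepted by prefix_match, accepted by exact_match)."""
    return {uri: (prefix_match(cid, uri), exact_match(cid, uri)) for cid, uri in ATTACKS}

if __name__ == "__main__":
    for uri, (weak, strict) in evaluate_attacks().items():
        print(f"prefix={weak!s:5} exact={strict!s:5} {uri}")
    print(exact_match("cli-tool", "http://127.0.0.1:49152/cb"))   # True: loopback port varies
```

Note what exact matching implies for registration: the client has to register the complete callback URL it will actually use, including the path, and a client that needs several callbacks registers each one rather than a common prefix.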