In-depth: OAuth implementation RFCs and BCPs

Client implementations

RFC 6749 (OAuth 2.0 Core)

RFC 6750 (Bearer Tokens)

RFC 6819 (Threat Model and Security Considerations)

RFC 8252 (OAuth for Native Apps)

RFC 8628 (Device Grant)

OAuth for Browser-Based Apps

OAuth 2.0 Security Best Current Practice

RFC 7009 (Token Revocation)

RFC 8414 (Authorization Server Metadata)

Server implementations

RFC 7519 (JWT)

JWT Best Current Practice

A Look at the Draft for JWT BCP

JWT Profile for Access Tokens

Hard Parts of JWT Security