In-depth: OAuth implementation RFCs and BCPs

Client implementations

RFC 6749 (OAuth 2.0 Core)

RFC 6750 (Bearer Tokens)

RFC 6819 (Threat Model and Security Considerations)

RFC 8252 (OAuth for Native Apps)

RFC 8628 (Device Grant)

OAuth for Browser-Based Apps

OAuth 2.0 Security Best Current Practice

RFC 7009 (Token Revocation)

RFC 8414 (Authorization Server Metadata)

Server implementations

JWT Best Current Practice

A Look at the Draft for JWT BCP

JWT Profile for Access Tokens

Hard Parts of JWT Security