OAuth 2.0 is a deceptively simple protocol. Many of us create a client ID and client secret, set a few environment variables, and watch the black magic take effect. It turns auth into a Boolean on/off switch. Great! But what are the best practices for configuring and using it when we work a bit more behind the scenes? Read on!
First, let's understand some of the threats and security considerations for OAuth 2.0. These are covered in much more detail in "OAuth 2.0 Threat Model and Security Considerations".
You can find many more details in the IETF draft "OAuth 2.0 Security Best Current Practice".