# Standards and References - OAuth 2.0 Authorization Flow

## Core OAuth Standards

- **RFC 6749**: The OAuth 2.0 Authorization Framework - https://datatracker.ietf.org/doc/html/rfc6749
- **RFC 6750**: The OAuth 2.0 Authorization Framework: Bearer Token Usage - https://datatracker.ietf.org/doc/html/rfc6750
- **RFC 7636**: Proof Key for Code Exchange (PKCE) by OAuth Public Clients - https://datatracker.ietf.org/doc/html/rfc7636
- **RFC 9700**: Best Current Practice for OAuth 2.0 Security - https://datatracker.ietf.org/doc/html/rfc9700
- **OAuth 2.1 Draft**: Consolidation of OAuth 2.0 and its security best practices; PKCE is mandatory for the authorization code grant - https://oauth.net/2.1/

## Token Standards

- **RFC 7519**: JSON Web Token (JWT) - https://datatracker.ietf.org/doc/html/rfc7519
- **RFC 7515**: JSON Web Signature (JWS) - https://datatracker.ietf.org/doc/html/rfc7515
- **RFC 9449**: OAuth 2.0 Demonstrating Proof of Possession (DPoP) - https://datatracker.ietf.org/doc/html/rfc9449
- **RFC 7009**: OAuth 2.0 Token Revocation - https://datatracker.ietf.org/doc/html/rfc7009

## OpenID Connect

- **OpenID Connect Core 1.0**: Authentication layer on top of OAuth 2.0 - https://openid.net/specs/openid-connect-core-1_0.html
- **OpenID Connect Discovery 1.0**: Provider metadata discovery - https://openid.net/specs/openid-connect-discovery-1_0.html

## Additional Grant Types

- **RFC 8628**: OAuth 2.0 Device Authorization Grant - https://datatracker.ietf.org/doc/html/rfc8628

## NIST Standards

- **NIST SP 800-63B**: Digital Identity Guidelines - Authentication
- **NIST SP 800-53 Rev 5**:
  - AC-3: Access Enforcement
  - IA-5: Authenticator Management
  - SC-13: Cryptographic Protection
  - SC-23: Session Authenticity
  - AU-3: Content of Audit Records

## Implementation Guides

- **Auth0 PKCE Guide**: https://auth0.com/docs/get-started/authentication-and-authorization-flow/authorization-code-flow-with-pkce
- **Microsoft OIDC Flow**: https://learn.microsoft.com/en-us/entra/identity-platform/v2-oauth2-auth-code-flow
- **Okta OAuth Express**: https://developer.okta.com/blog/2025/07/28/express-oauth-pkce
- **PKCE Explained**: https://oauth.net/2/pkce/

## Security References

- **OWASP OAuth 2.0 Security**: Common vulnerabilities and mitigations
- **OAuth Security Workshop**: Annual research on OAuth attack vectors
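Since PKCE (RFC 7636) is the one mechanism every implementation guide above is built around, here is a worked example of the two halves of it: the client-side `code_verifier` / `code_challenge` derivation and the check an authorization server performs at the token endpoint. This is an added illustration written for this reference page; it is not code from any of the linked guides or from the RFCs. The endpoint URLs, client id, redirect URI and the in-process "authorization server" dictionary are constructed placeholders. The S256 transform is exactly BASE64URL(SHA256(ASCII(code_verifier))) as RFC 7636 section 4.2 specifies; the `plain` method is deliberately rejected because the RFC requires clients to use S256 whenever they can.

```python
"""PKCE (RFC 7636) worked example: verifier/challenge generation, the
authorization request that carries the challenge, and the token-endpoint
verification step. Added example for this page; not code from the linked guides."""
import base64
import hashlib
import hmac
import secrets
import urllib.parse

# RFC 7636 section 4.1: code_verifier uses only unreserved characters.
UNRESERVED = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~"
)


def b64url(data: bytes) -> str:
    """Base64url with the '=' padding stripped (RFC 7636 Appendix A)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(n_bytes: int = 32) -> str:
    """High-entropy verifier, 43..128 characters long (RFC 7636 section 4.1).
    32 random octets base64url-encode to exactly 43 characters; 96 to 128."""
    if not 32 <= n_bytes <= 96:
        raise ValueError("32..96 octets keeps the verifier within 43..128 chars")
    return b64url(secrets.token_bytes(n_bytes))


def make_code_challenge(verifier: str) -> str:
    """S256 method (RFC 7636 section 4.2): BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorization_url(authz_endpoint: str, client_id: str, redirect_uri: str,
                            scope: str, state: str, challenge: str) -> str:
    """Authorization request carrying the challenge (RFC 7636 section 4.3)
    plus a CSRF-binding state value (RFC 6749 section 10.12)."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return authz_endpoint + "?" + urllib.parse.urlencode(params)


def verify_code_verifier(stored_challenge: str, stored_method: str,
                         presented_verifier: str) -> bool:
    """Token-endpoint check (RFC 7636 section 4.6). Returns False instead of
    raising so the caller can answer with invalid_grant. Only S256 is
    accepted here; 'plain' offers no protection against a code interceptor."""
    if not 43 <= len(presented_verifier) <= 128:
        return False
    if not set(presented_verifier) <= UNRESERVED:
        return False
    if stored_method != "S256":
        return False
    expected = make_code_challenge(presented_verifier)
    # Constant-time compare; both sides are fixed-length base64url strings.
    return hmac.compare_digest(expected.encode("ascii"), stored_challenge.encode("ascii"))


def simulate_flow() -> dict:
    """Walk the flow in-process against a constructed, fake authorization server
    (a dict keyed by issued code). Placeholder URLs and client id throughout."""
    verifier = make_code_verifier()
    challenge = make_code_challenge(verifier)
    state = b64url(secrets.token_bytes(16))
    url = build_authorization_url("https://as.example/authorize", "web-app",
                                  "https://app.example/cb", "openid profile",
                                  state, challenge)
    # The AS binds the challenge and method to the code it issues.
    code = b64url(secrets.token_bytes(24))
    issued = {code: {"challenge": challenge, "method": "S256"}}
    # The legitimate client redeems the code together with its verifier.
    legit = verify_code_verifier(issued[code]["challenge"], issued[code]["method"], verifier)
    # An attacker who captured the redirect holds the code but not the verifier.
    stolen = verify_code_verifier(issued[code]["challenge"], issued[code]["method"],
                                  make_code_verifier())
    return {"url": url, "legit": legit, "stolen": stolen}


if __name__ == "__main__":
    result = simulate_flow()
    print(result["url"])
    print("legitimate redemption:", result["legit"])
    print("intercepted-code redemption:", result["stolen"])
```

The verifier is generated once per authorization request and never leaves the client until the token request; the challenge travels in the front channel, so a captured redirect (the attack PKCE was written against) yields a code that cannot be redeemed. The known-answer vector from RFC 7636 Appendix B (`dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk` maps to `E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM`) is a quick way to confirm an implementation's base64url handling before wiring it to a real authorization server.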