Standards and References - OAuth 2.0 Authorization Flow

Core OAuth Standards

RFC 6749: The OAuth 2.0 Authorization Framework
- https://datatracker.ietf.org/doc/html/rfc6749
RFC 6750: The OAuth 2.0 Authorization Framework: Bearer Token Usage
- https://datatracker.ietf.org/doc/html/rfc6750
RFC 7636: Proof Key for Code Exchange (PKCE)
- https://datatracker.ietf.org/doc/html/rfc7636
RFC 9700: OAuth 2.0 Security Best Current Practice
- https://datatracker.ietf.org/doc/html/rfc9700
OAuth 2.1 Draft: Consolidation of OAuth 2.0 with PKCE mandatory
- https://oauth.net/2.1/

RFC 7519: JSON Web Token (JWT)
- https://datatracker.ietf.org/doc/html/rfc7519
RFC 7515: JSON Web Signature (JWS)
- https://datatracker.ietf.org/doc/html/rfc7515
RFC 9449: OAuth 2.0 Demonstrating Proof of Possession (DPoP)
- https://datatracker.ietf.org/doc/html/rfc9449
RFC 7009: OAuth 2.0 Token Revocation
- https://datatracker.ietf.org/doc/html/rfc7009

OpenID Connect Core 1.0: Authentication layer on OAuth 2.0
- https://openid.net/specs/openid-connect-core-1_0.html
OpenID Connect Discovery: Provider metadata discovery
- https://openid.net/specs/openid-connect-discovery-1_0.html

RFC 8628: OAuth 2.0 Device Authorization Grant
- https://datatracker.ietf.org/doc/html/rfc8628

NIST SP 800-63B: Digital Identity Guidelines - Authentication
NIST SP 800-53 Rev 5:
- AC-3: Access Enforcement
- IA-5: Authenticator Management
- SC-13: Cryptographic Protection
- SC-23: Session Authenticity
- AU-3: Content of Audit Records

Auth0 PKCE Guide: https://auth0.com/docs/get-started/authentication-and-authorization-flow/authorization-code-flow-with-pkce
Microsoft OIDC Flow: https://learn.microsoft.com/en-us/entra/identity-platform/v2-oauth2-auth-code-flow
Okta OAuth Express: https://developer.okta.com/blog/2025/07/28/express-oauth-pkce
PKCE Explained: https://oauth.net/2/pkce/