At long last, the OAuth working group has finished the Best Current Practice for OAuth 2.0 Security and it was just published as RFC9700! This has been a long time in the works, and I'm very thankful to everyone who has helped out with it over the years! https://www.rfc-editor.org/rfc/rfc9700.html

aaronparecki.com