“OAuth can be anything you want it to be, the standards are lax and give you plenty of room for getting the right implementation for your system”

And this is why people dislike working with OAuth: they see a statement like that and go and implement insecure crap on the backend, then cry because every implementer has created something different and we have hundreds of different libraries to work with specific providers.

OAuth 2.0 is actually quite a well-defined standard with explicit (and very readable) instructions on how implementations should function. As an OAuth advocate I strongly recommend and urge anyone reading this to ignore the article featured here and to look for and make use of an implementation that follows the standard to the letter – Brent Shaffer has created an excellent implementation (https://github.com/bshaffer/oauth2-server-php) and I have my own implementation as well (https://github.com/php-loep/oauth2-server).