Source of truth for OAuth 2.0 is, of course, the RFC 6749. The language and explanation in RFC is very much comprehensible.
+--------+ +---------------+ | |--(A)- Authorization Request ->| Resource | | | | Owner | | |<-(B)-- Authorization Grant ---| | | | +---------------+ | | | | +---------------+ | |--(C)-- Authorization Grant -->| Authorization | | Client | | Server | | |<-(D)----- Access Token -------| | | | +---------------+ | | | | +---------------+ | |--(E)----- Access Token ------>| Resource | | | | Server | | |<-(F)--- Protected Resource ---| | +--------+ +---------------+OAuth 2.0 defines quite a few API endpoints. The RFC provides examples for the request and expected responses for these APIs. One of the good ways to understand the RFC is build the OAuth endpoints and try out the samples mentioned in it. Apigee Edge support of OAuth 2.0 is a quick help here. This github project oauth20_apigee contains the proxy and the postman client requests. Apart from the RFC,following are two good resources about OAuth 2.0
- Good Explanation of OAuth 2.0 By Aaron - OAuth 2 Simplified
- If you wondered (like me) why Authorization Code is required in OAuth 2.0 - Stack Overflow Question