---
> **Series:** OAuth 2.0 / OIDC Deep Dive
> **Status:** Living Document | **Last Updated:** June 2026
> **Author:** phn0me
---

## The Context

[RFC 6749](https://www.rfc-editor.org/info/rfc6749/) (OAuth 2.0) and [RFC 6750](https://www.rfc-editor.org/info/rfc6750/) (Bearer Token Usage) were published in **October 2012**. While newer specifications like OpenID Connect (OIDC) and JWT-based flows have built upon these standards, **RFC 6749 and RFC 6750 remain the architectural blueprint** for how authorization works today. Every "Login with Google," every API token exchange, and every SSO flow relies on the core mechanics defined there.

My goal isn't to rewrite the standards, but to get a deeper understanding of where things go wrong at this fundamental level. I want to demystify the core flows and see how they hold up against modern attack techniques. Ultimately, I want to build on the foundation laid by **Frans Rosén's [Dirty Dancing](https://labs.detectify.com/writeups/account-hijacking-using-dirty-dancing-in-sign-in-oauth-flows/)** to sharpen my own bug hunting skills and help "unhack the world" by finding these flaws before the bad guys do.

## What to Expect From This Series

I won't be providing copy-paste code snippets or "how to integrate Twitter login" tutorials. You can find those anywhere. Instead, this series will focus on **Operational Security & Attack Surfaces**, bridging the gap between developer implementation and sysadmin hardening.

I'll be reading the RFC section by section, comparing its 2012 promises against the reality of today's identity landscape. Some conclusions might hold up; others might need re-evaluation as I learn more. The goal is transparency: showing my thought process as I try to reconcile theory with practice.

## Disclaimer

*All technical examples and attack simulations discussed here are for **educational purposes only**. Testing these techniques against systems you do not own or have explicit permission to test is illegal.*

— phn0me