Try Brian Mulloy's posting at
API Design: Deciphering Security
https://blog.apigee.com/detail/api_design_deciphering_security
It also links to Greg Brail's OAuth implementation overview at
OAuth: Implementing OAuth 2.0
https://blog.apigee.com/detail/oauth_implementing_oauth_2.0