Yeah start with https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-... Deprecating the unsecure&outdated/it's easy to shoot yourself and summarizing so you don't need to go through the rabbit hole of specs...

Also follow the BCP that will remain in a draft state forever(at least for the near future): https://datatracker.ietf.org/doc/html/draft-ietf-oauth-secur...