OAuth2 is indeed a powerful tool; however, like any other tool, using it without a proper understanding will cause you more trouble than you can imagine. The first mistake I made was starting to use OAuth2 without much understanding. To understand OAuth2, you need to understand the following concepts, and you should be able to map them onto your business requirements.
- What is an authentication server and what's its purpose.
- What is a resource server and what's its purpose.
- Who is a client or what is a client application?
- What is a resource?
- Who is a resource owner?
- What are authentication flows or what are grant types?
If you are able to gain a good knowledge of these concepts, and you can map them clearly onto your business requirements, then it is safe to assume that you understand the concept of OAuth2.
Then comes the implementation. In my case, I used Spring OAuth2, which is a solid implementation, and with just some configuration I could make it work. However, Spring OAuth2 does not allow CORS requests to be sent to the authentication URLs. With some hacks and some more digging you will be able to get it working, but from what I understand we don't need to allow that. With the correct authentication workflow for the given business use, it should work perfectly fine.
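To make the roles listed above concrete, here is a small in-memory model of the authorization-code grant. It is added as an example and is not code from the original post, nor Spring OAuth2's API; every class and function name is hypothetical. It also shows why the authentication URL never needs CORS: the resource owner reaches it through a browser redirect, and the client exchanges the code from its own backend.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class AuthServer:
    """The page's "authentication server" (the spec's authorization server)."""
    clients: dict                                  # client_id -> (secret, redirect_uri)
    codes: dict = field(default_factory=dict)      # code -> (client_id, owner, scope)
    tokens: dict = field(default_factory=dict)     # token -> (owner, scope)

    def authorize(self, client_id, redirect_uri, scope, resource_owner):
        # Front channel: the resource owner's browser is *redirected* here (a
        # top-level navigation, so the browser never makes a CORS request).
        _secret, registered_uri = self.clients[client_id]
        if redirect_uri != registered_uri:
            raise ValueError("redirect_uri does not match the registered one")
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, resource_owner, scope)
        return f"{redirect_uri}?code={code}"      # browser is sent back to the client

    def token(self, client_id, client_secret, code):
        # Back channel: the client's *server* exchanges the code, authenticating
        # with its secret; no browser is involved, hence no CORS on this URL.
        secret, _uri = self.clients[client_id]
        if not secrets.compare_digest(secret, client_secret):
            raise PermissionError("bad client credentials")
        issued_to, owner, scope = self.codes.pop(code)   # single use: pop, not get
        if issued_to != client_id:
            raise PermissionError("code was issued to a different client")
        access_token = secrets.token_urlsafe(24)
        self.tokens[access_token] = (owner, scope)
        return access_token


@dataclass
class ResourceServer:
    auth: AuthServer  # trusts tokens minted by this AuthServer

    def get_profile(self, access_token, required_scope="profile"):
        owner, scope = self.auth.tokens.get(access_token, (None, frozenset()))
        if required_scope not in scope:
            raise PermissionError("token missing or lacks scope")
        return {"owner": owner, "profile": f"profile of {owner}"}


def authorization_code_flow(auth, client_id, client_secret, owner):
    """Client application driving the authorization-code grant end to end."""
    _secret, redirect_uri = auth.clients[client_id]
    callback = auth.authorize(client_id, redirect_uri, {"profile"}, owner)  # step 1
    code = callback.split("code=", 1)[1]                                    # step 2
    return auth.token(client_id, client_secret, code)                       # step 3
```

The sample client registration and user names used when running it are constructed values.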
The following are some links I used.