I have written a tutorial on implementing the most secure OAuth flow possible, aptly named, well…
This was originally a reply, but because of it’s comical length I have split it into a separate post as to not pollute this one.