First of all: OAuth 2.0 is not an authentication protocol, it is a delegated access protocol. It is clearly stated here: https://oauth.net/articles/authentication/
Although widely adopted, the OAuth 2.0 "authentication framework" left many details open for interpretations - which commonly leads to security flaws of the implementation.
Check here for the 10 most common implementation vulnerabilities in OAuth 2.0: http://blog.intothesymmetry.com/2015/12/top-10-oauth-2-implementation.html
Therefore, the actual best practice is to use OpenID Connect, a similar protocol (built on top of OAuth 2.0), well defined, that mitigate most of the shortcomings of OAuth 2.0.
OpenID Connect is the best practice to authenticate end-users (mostly web).
If you want to authenticate within the datacenter, the variety of used solutions is somewhat wider - but overall I think the most common best practices are:
- "Leaner" implementation: clear HTTP when you appropriate network security (e.g. well-configured VPC, so access from the internet to any of these servers is very unlikely)
- "Safter" implementation: Server to Server Basic Authentication (or similar) over HTTPS, while rotating the key every now and then. The keys should be stored in a secure storage, such as Vault
In any case, it is best the service will delegate the request for the user (i.e. by providing user_id as part of the request) - and permissions will be enforced for this user:
- You probably don't want to allow a bug allowing one user to access the data of another user.
- In any case, it is much better logs / audit will be done with link to user originating the request, and not some generic "system user".
