@J12t yes. I think the most that the spec does is to say (and provide a little support) that OAuth2 should be used.
Gregory's Server