Some security experts think OAuth2 is not a secure mechanism for use in browsers, JavaScript applications, web servers, or web applications. However, you can use OAuth2 to reduce security vulnerabilities if you follow best practices. The basic best practices are:
Securing Authorization and Resource Server implementations by using code-reviewed and scanned implementations
Ensuring that every HTTP message travels via TLS network connections
Ensuring that cryptographic keys are securely stored and shared between Authorization and Resource Servers
Fully validating an access token (according to its specifications) before it is used to access data