This is covered in the oAuth Specification
(I’ve probably not linked the right section I’m still skimming)