When implementing an identity solution for my former employer, I ended up reading basically every RFC in this space. I found them really confusing the first time through, but the second time I sat by a whiteboard and drew out the sequences and it all started to click.
That being said, there are a bunch of RFCs and it's not always totally clear how they fit together, or, in the case of implementing your own IdP, which ones you really need to care about.
The OAuth2 RFC and almost every associated guide on the Internet were way too vague for me to understand, but reading the OIDC spec was amazing; it makes things very clear.