A has an account at B and another account at C, and A wants to allow C to access data at B (or to send data to B on A's behalf).
How can B be sure that C is acting on A's behalf? Can A only allow C to access certain data (or send only certain data) in order to reduce risk?
A protocol that allows for that three-way negotiation is OAuth.
As with most specs, a lot of the complexity gets added in the later years by companies that have thousands of users and complex edge cases and necessities; they are the ones dominating the council, and their needs are the ones that push forward newer versions.
So with most specs, the best way to start learning is by going from the oldest specs to the newest ones. If you start by reading or using OAuth2, you will be bombarded with a lot of extra complexities; not even the current experts started like that.
If you need to catch up, always start with the oldest specs/versions.
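As an added illustration of the three-way delegation the answer points to (example code, not from either poster), here is a minimal in-process stand-in for the OAuth2 roles: the user alice (A), resource server B and client-C (C) are constructed names, and the token registry replaces a real authorization server endpoint. It shows how B learns both whose data is involved and who is acting, and how scope and expiry bound what C can do.

```python
import secrets

# Constructed stand-in for the OAuth2 roles: an authorization server trusted
# by B issues an opaque token only after A consents, binding A, C and a scope.
# Introspection is done in-process here instead of over an RFC 7662 endpoint.
class AuthorizationServer:
    def __init__(self):
        self._tokens = {}

    def issue(self, user, client_id, scope, ttl_s, now):
        token = secrets.token_urlsafe(32)  # opaque and unguessable
        self._tokens[token] = {"sub": user, "client_id": client_id,
                               "scope": set(scope.split()), "exp": now + ttl_s}
        return token

    def introspect(self, token, now):
        meta = self._tokens.get(token)
        if meta is None or now >= meta["exp"]:
            return {"active": False}  # unknown or expired: reveal nothing else
        return dict(meta, active=True)


class ResourceServer:
    """B: serves data only to the token's subject, within the granted scope."""
    def __init__(self, auth_server, data):
        self._as, self._data = auth_server, data

    def read(self, token, owner, key, now):
        meta = self._as.introspect(token, now)
        if not meta.get("active"):
            return ("invalid_token", None, None)
        if meta["sub"] != owner:  # A's token cannot unlock another user's data
            return ("forbidden", None, None)
        if f"read:{key}" not in meta["scope"]:  # least privilege per resource
            return ("insufficient_scope", None, None)
        # B now knows whose data this is (sub) and who is acting (client_id)
        return ("ok", self._data.get((owner, key)), meta["client_id"])


def demo(now=1_700_000_000.0):
    auth = AuthorizationServer()
    b = ResourceServer(auth, {("alice", "calendar"): "dentist 10:00",
                              ("alice", "contacts"): ["bob"],
                              ("bob", "calendar"): "gym 18:00"})
    # alice consents at the AS: client C may read only her calendar, for 10 min
    tok = auth.issue("alice", "client-C", "read:calendar", ttl_s=600, now=now)
    return {"granted": b.read(tok, "alice", "calendar", now),
            "scope_denied": b.read(tok, "alice", "contacts", now),
            "other_user": b.read(tok, "bob", "calendar", now),
            "expired": b.read(tok, "alice", "calendar", now + 600),
            "forged": b.read("not-a-real-token", "alice", "calendar", now)}
```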
Wow, that was a really valuable lesson. I wish I'd had this one at university. But the next best time to have it is now.
So thanks!
I'll start reading the oldest HTTP spec for funzies.