I think the reason a lot of people struggle is because they start with OAuth from a consumer perspective, that is, they are the third party requesting data, and their OAuth implementation is imposed by the resource holder, so they have to jump through a lot of hoops that don't have a clear reason for being.

If you start with OAuth from the perspective of a Service Provider/resource holder, it will all come clear.

Web security is often like that as well, most people facing stuff like CORS or HTTPS, is usually not because they are trying to solve a security issue, but it's because an upstream provider is forcing them to increase their security standards in order to be trusted with their user's data.