I've read the RFCs several years back and they did not feel clearly written, not like a protocol spec. Maybe it was just me. The reality is each OAuth implementation is unique. Almost no two are the same.

All the problems mentioned in the blog post are due to the providers not following what the spec clearly said.

If you have an example of where that's not the case, I would also love to hear as I work in this area (perhaps you're thinking about how OAuth does not specify at all how authentication happen? But that was a good call, OAuth 1 did and it was too limiting... also OpenID Connect is pretty widely adopted now, and it fills that gap well).

"Clearly" is relative. If all these providers are having problems with the spec... what does that tell you?

What that tells me is that people who cannot read and understand a specification (or willingly ignore what the spec says) are implementing it anyway. I claim the spec is completely clear on all the points raised in the blog post. You can't just handwave that away without specifically telling what point was unclear.

Just imagine if we had these problems with TCP!

It's how people follow something that says what it is.

The RFC is not what people actually implement.