Never, ever use access tokens as proof of identity the way you are doing it. It makes you vulnerable to token substitution attacks. OAuth2 is not an authentication protocol.
I've been recently learning my way around web dev. Most of it is straightforward enough, but security is my sticking point. Everything on the web is contradictory, half explained, and rapidly changing. Seems like you know your way around best practices. Can you point to a decent trustworthy tutorial/book on how to handle logins and identity? Seems like lesson one is "don't implement it yourself" and lesson two is never quite spelled out.
Agreed. The token should be used only after the user is authenticated through another channel (e.g., username+password).
Otherwise, an attacker could obtain the target's OAuth token by getting the target to provide the token to a malicious application. The attacker can then easily authenticate through your library.
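The substitution attack described in the comments above, as an added example that is not code from the thread or from any library mentioned in it. It models a provider, a relying party that treats any genuine access token as a login (the pattern the top comment objects to), and a hardened relying party that only accepts tokens issued to its own client id (the audience check an OpenID Connect id_token gives you). The HMAC-signed token format, the provider key, the client ids and the user are all constructed for the demo; real access tokens are often opaque and carry no such claims, which is exactly why they are not proof of identity.

```python
"""Toy model of an OAuth token substitution attack (added example, not from the thread).

Assumptions: the provider signs tokens with a shared HMAC key (stand-in for
a real signature), tokens carry `sub` and `aud` claims (stand-in for what an
OIDC id_token carries; plain access tokens often carry nothing usable), and
client ids / users are constructed for the demo.
"""
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed signing key standing in for the provider's private key.
PROVIDER_KEY = b"constructed-provider-signing-key"

# The relying party's own client id at the provider (constructed).
MY_CLIENT_ID = "good-app"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def provider_issue_token(sub: str, client_id: str, scope: str) -> str:
    """Provider issues a token for user `sub` to application `client_id`."""
    payload = json.dumps(
        {"sub": sub, "aud": client_id, "scope": scope}, sort_keys=True
    ).encode()
    sig = hmac.new(PROVIDER_KEY, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)


def provider_verify(token: str) -> Optional[dict]:
    """Check the provider signature and return the claims, or None.

    This is all a userinfo-style lookup tells you: the token is genuine and
    resolves to some user. It says nothing about who presented it to you.
    """
    try:
        p, s = token.split(".")
        payload, sig = _unb64(p), _unb64(s)
    except (ValueError, TypeError):
        return None
    expected = hmac.new(PROVIDER_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    return json.loads(payload)


def vulnerable_login(token: str) -> Optional[str]:
    """Vulnerable: any genuine token that resolves to a user logs that user in.

    The audience is never checked, so a token the user handed to a malicious
    app works here just as well as one the user handed to us.
    """
    claims = provider_verify(token)
    return claims.get("sub") if claims else None


def hardened_login(token: str) -> Optional[str]:
    """Hardened: only accept tokens the provider issued to THIS client.

    A token obtained through another application has a different `aud`
    and is rejected, which closes the substitution attack.
    """
    claims = provider_verify(token)
    if not claims or claims.get("aud") != MY_CLIENT_ID:
        return None
    return claims.get("sub")


def demo() -> dict:
    """Alice authorised 'evil-app'; the attacker replays her token at our login."""
    stolen = provider_issue_token("alice", "evil-app", "read:photos")
    return {
        "vulnerable": vulnerable_login(stolen),  # 'alice': attacker is logged in as her
        "hardened": hardened_login(stolen),      # None: wrong audience, rejected
    }


if __name__ == "__main__":
    print(demo())
```

The audience check is the minimum; in a real deployment you use the OpenID Connect id_token (signed by the provider, with `aud`, `iss`, `exp` and `nonce` all verified) rather than teaching a plain access token to carry identity claims, and the access token goes only to the resource server it was issued for.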
Given that OAuth is all about delegated authorization, meaning the entity that uses the access token may not be the user but some third-party service using the token on behalf of the user, using it as proof of identity makes no sense.
This point becomes clearer with limited permissions. If the access token is proof of identity, why limit what the user can do when you know it's the user?
In one way or another. Most are vulnerable to bugs in the standard (see sakurity.com/oauth), but every single one depends on a central authority, which is just stupid for auth.
https://oauth.net/articles/authentication/
DO NOT USE THIS in its current state. Stop upvoting this.