From what I understand, oauth2 does not sign requests and relies on the security of the transport layer (over https). This seems to be vulnerable to both replay attacks and ssl proxy attacks where the certificate is not validated (which seems to be common amongst client apps).
In this sense it doesn’t seem to be as secure as HMAC-SHA256 or something along those lines. This may be fine for some apps, but for apps which move large amounts of money this doesn’t seem like sufficient security. Am I understanding it correctly?
I would have to agree with you. For the most part, if you have a user doing activities that require a higher level of scrutiny (i.e. making payments), then you’d like to have a little more security and even some additional confirmation that it is indeed the correct user who is doing the activity. OAuth doesn’t really provide that extra layer of security and I really wouldn’t recommend it for payment activities.
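To make the distinction in the thread concrete, here is an added example (not from the thread or any particular OAuth library) of HMAC-SHA256 request signing with a timestamp and nonce, next to a plain bearer-token check; the shared secret, endpoint and request bodies are constructed for illustration.

```python
import hashlib
import hmac
import time

# Constructed shared secret for the example only; real deployments load it from a secret store.
SECRET = b"example-shared-secret"
REPLAY_WINDOW_SECONDS = 300


def bearer_accepts(presented_token, expected_token):
    # A bearer check only asks "is this the token?"; nothing binds it to the body,
    # the time, or a particular request, so a captured request verifies again.
    return hmac.compare_digest(presented_token, expected_token)


def canonical_string(method, path, body, timestamp, nonce):
    # Bind method, path, body digest, timestamp and nonce into the string that gets signed.
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, body_hash, str(timestamp), nonce]).encode()


def sign_request(secret, method, path, body, timestamp, nonce):
    return hmac.new(secret, canonical_string(method, path, body, timestamp, nonce),
                    hashlib.sha256).hexdigest()


class Verifier:
    """Server-side check: freshness window, one-time nonce, then signature."""

    def __init__(self, secret, window=REPLAY_WINDOW_SECONDS):
        self.secret = secret
        self.window = window
        self.seen_nonces = set()  # in production, prune entries older than the window

    def verify(self, method, path, body, timestamp, nonce, signature, now=None):
        now = time.time() if now is None else now
        if abs(now - timestamp) > self.window:
            return False  # stale or future-dated request
        if nonce in self.seen_nonces:
            return False  # replay: this nonce was already accepted
        expected = sign_request(self.secret, method, path, body, timestamp, nonce)
        if not hmac.compare_digest(expected, signature):
            return False  # body/path tampered with, or wrong key
        self.seen_nonces.add(nonce)
        return True
```

A signed request that is captured (for example through a proxy the client failed to validate) still fails on replay and cannot have its amount altered, whereas the bearer check accepts the same token every time.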