OAuth is a system for confirming that a given user has authenticated with a given OAuth provider. If Oculus aren't an OAuth provider, then OAuth does nothing for you here. When you see that GameSparks offers various "social authentication" options, probably some of those are already using OAuth - but it is done on their server via hard-coded URLs.

If the Oculus SDK provides a way of authenticating a user then you can hypothetically use that method, providing your backend provider (e.g. Gamesparks) allows for you to use an arbitrary token, which in this case I don't think it does.

I was planning to have my own server to do some things like keeping list of who is logged in and do matchmaking and possibly running a Raknet service to enable NAT punch for cross platform matchmaking, calculating ping maybe.

I think at this point you guys have given me enough hints on how this stuff works and I now need to get someone involved who knows more about backend/networking design and programming to look into the actual API's/SDK's to see what is possible to do. Which wires can be plugged where.

I also have to consider if I need these Backend services like Gamesparks or Playfab etc, at all. They do seem to have some useful features even for the free indy accounts and probably would speed development up compared to setting up your own database and other things.

Having browsed the different documentations a bit more I have found some promising bits, but I still can't tell for certain what will work which is why I need a more experienced programmer to join the effort.  Here's some tidbits that might help for someone else interested though I'm not sure this is the correct info  !

Thanks everyone for all the advice. I'm very grateful!

Cheers

Fredrik

Oculus:

"The User Access Token is user-specific string that identifies a user and allows your back-end server to act on their behalf.

The User Access Token is retrieved by sending a request to ovr_AccessToken_Get(). The token will be returned as a response. This token can be passed from the client to your backend."

---

Part of the scheme to confirm the identity of a particular user in your backend. You can pass the result of ovr_User_GetUserProof() and a user ID from ovr_User_Get() to your your backend. Your server can then use our api to verify identity. 'https://graph.oculus.com/user_nonce_validate?nonce=USER_PROOF&user_id=USER_ID&access_token=ACCESS_TOKEN'

OAuth:

The steps below outline how to use the Resource Owner Client Credentials Grant Type flow to obtain an access token.

1. Obtain credentials from your OAuth provider. At minimum you will need a client_id and client_secret.

2. Fetch an access token from the provider.

3. etc

Playfab: (I started with Gamesparks but Playfab seems maybe a bit more open)

"Correct - all the PlayFab core services are Web API based, so they work perfectly well from any device that can make an SSL call. "

LoginWithCustomID:  Signs the user in using a custom unique identifier generated by the title, returning a session identifier that can subsequently be used for API calls which require an authenticated user
 

POST https://{{TitleID}}.playfabapi.com/Client/LoginWithCustomID Content-Type: application/json X-Authentication: <user_session_ticket_value>

{ "CustomId": "67AB-5397-CC54-EA31", "CreateAccount": false, "TitleId": "1" }

EDIT: Gamesparks supports something called QQ/Catalyst which seems like it might be OAuth based/compatible.