Abstract: OAuth is a protocol used to identify the client and to control access to resources. Because it concerns the privacy of the owner of the private resource, the security of the OAuth protocol is fairly important. This paper studies the text of the OAuth 2.0 protocol, makes an abstraction of it, builds a model of it in AVISPA, a formal verification tool for security protocols, and then verifies the model in AVISPA. Finally, we find an attack mode that may result in the private resource being leaked to attackers. We suggest modelling the message to be authenticated as a symmetric key, which is innovative. The modelling and verification method we used to analyse OAuth 2.0 can also be used in the verification of other security protocols, such as online payment protocols.