Hacker News
by welder 3676 days ago
OAuth is super simple, you only need two endpoints for an OAuth provider. It only took a few hours to write the WakaTime OAuth provider implementation[1]. No offense and serious question: why would you need a library for this? Isn't it more trouble to integrate an external OAuth provider with an existing api than to just write two api endpoints yourself?

[1] https://wakatime.com/api

2 comments

The libraries (SDKs) I used for my first project had security flaws. OAuth2 is super simple to implement, but hard to get right. It's not just two endpoints, it's multiple specs with ~200 written pages. Some people, for example, don't even know that [rfc6819](https://tools.ietf.org/html/rfc6819) exists. Most SDKs are also very limited or hard to extend (e.g. adding OpenID Connect).

I believe that adding a docker container to your deployment and creating a consent token (JWT) is even less work than integrating with an SDK and implementing the missing parts every time you hit that new edge case. On top of that, you can be sure that it is backed by an open source community.

OAuth is a framework, not a protocol. The security it provides can vary greatly between implementations.

Fosite (which is what this is based on) is a very good implementation from a security perspective: https://github.com/ory-am/fosite#a-word-on-security
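As an added illustration of the "two endpoints, but hard to get right" disagreement above (example code written for this page; it is not WakaTime's, Hydra's or Fosite's implementation), here is the authorization-code exchange reduced to exactly the two endpoints welder mentions, with the checks that a bare two-endpoint implementation most often forgets and that RFC 6819 lists as countermeasures: exact matching of the redirect_uri against the pre-registered list, single-use short-lived codes bound to both client_id and redirect_uri, and constant-time comparison of the client secret. The in-memory stores, the client named `app` and the one-minute code lifetime are assumptions for the example; state/CSRF handling, refresh tokens and token audience are deliberately out of scope.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"sync"
	"time"
)

// Client is a pre-registered OAuth2 client (constructed sample type, not Fosite's).
type Client struct {
	ID           string
	Secret       string
	RedirectURIs []string
}

// authCode records what a code was issued for, so /token can verify it.
type authCode struct {
	clientID, redirectURI string
	expiresAt             time.Time
	used                  bool
}

// Server is the state behind the two endpoints. In-memory maps stand in for
// whatever store a real provider uses; now is injectable for expiry tests.
type Server struct {
	mu      sync.Mutex
	clients map[string]*Client
	codes   map[string]*authCode
	now     func() time.Time
}

var (
	ErrInvalidClient  = errors.New("invalid_client")
	ErrInvalidGrant   = errors.New("invalid_grant")
	ErrInvalidRequest = errors.New("invalid_request")
)

func NewServer(clients ...*Client) *Server {
	s := &Server{clients: map[string]*Client{}, codes: map[string]*authCode{}, now: time.Now}
	for _, c := range clients {
		s.clients[c.ID] = c
	}
	return s
}

func randomToken() (string, error) {
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(buf), nil
}

// Authorize is the /authorize step after the user has consented. The
// redirect_uri must equal a registered one exactly (no prefix or substring
// matching, which is how codes leak to attacker-controlled paths). The code
// is bound to client_id and redirect_uri and expires after one minute.
func (s *Server) Authorize(clientID, redirectURI string) (string, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	c, ok := s.clients[clientID]
	if !ok {
		return "", ErrInvalidClient
	}
	if !exactMatch(c.RedirectURIs, redirectURI) {
		return "", ErrInvalidRequest
	}
	code, err := randomToken()
	if err != nil {
		return "", err
	}
	s.codes[code] = &authCode{clientID: clientID, redirectURI: redirectURI, expiresAt: s.now().Add(time.Minute)}
	return code, nil
}

// Token is the /token step for grant_type=authorization_code. It rejects a
// wrong secret in constant time, an expired or already-used code, and a code
// presented by a different client or with a different redirect_uri than it
// was issued for. A mismatch burns the code so nobody can redeem it afterwards.
func (s *Server) Token(clientID, clientSecret, code, redirectURI string) (string, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	c, ok := s.clients[clientID]
	if !ok || subtle.ConstantTimeCompare([]byte(c.Secret), []byte(clientSecret)) != 1 {
		return "", ErrInvalidClient
	}
	ac, ok := s.codes[code]
	if !ok || ac.used || s.now().After(ac.expiresAt) {
		return "", ErrInvalidGrant
	}
	ac.used = true // one-time use, whether or not the remaining checks pass
	if ac.clientID != clientID || ac.redirectURI != redirectURI {
		return "", ErrInvalidGrant
	}
	return randomToken()
}

func exactMatch(registered []string, uri string) bool {
	for _, r := range registered {
		if r == uri {
			return true
		}
	}
	return false
}

func main() {
	s := NewServer(&Client{ID: "app", Secret: "s3cret", RedirectURIs: []string{"https://app.example/cb"}})
	code, _ := s.Authorize("app", "https://app.example/cb")
	tok, err := s.Token("app", "s3cret", code, "https://app.example/cb")
	fmt.Println("first exchange:", err, tok != "")
	_, err = s.Token("app", "s3cret", code, "https://app.example/cb")
	fmt.Println("replayed code:", err)
}
```

Each `return` in `Token` maps to a threat in RFC 6819 (code replay, code theft via an unvalidated redirect, a stolen code redeemed by another client, a guessed client secret); the endpoints really are two small functions, which is the point both commenters are making from opposite sides. What the example leaves out is the part that makes the full spec ~200 pages: the `state` parameter, refresh-token rotation, token audience, and the consent screen itself.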