If your sole purpose is authentication without authorization, you should use securelogin.pw, which does not depend on an identity provider. And btw, the OAuth2 spec is insecure by design; it's a known fact.
> btw OAuth2 spec is insecure by design, it's a known fact.
OAuth2 is only "insecure" in that it relies on TLS for its security: the same as HTTP, IMAP or SMTP. You should never run OAuth2 over a non-HTTPS (i.e. HTTP) connection. The same is true for any other login system.
That is a really bad specification with no examples, no formalization, and zero references.
However, all server-side attack scenarios listed there are not possible with Hydra. Some of them also boil down to misusing OAuth2 for authentication, which is why we have OpenID Connect.
This is covered in RFC 6819: https://tools.ietf.org/html/rfc6819
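As an added example (not code from this thread, from Hydra, or from RFC 6819), here are the two client-side checks the replies above boil down to: refuse provider endpoints that are not served over HTTPS, and authenticate a user only from OpenID Connect ID token claims bound to your client, never from a bare OAuth2 access token. The discovery metadata, issuer, client id and claim values are constructed samples, and the claim checks assume the token's signature has already been verified by a JOSE library.

```python
"""Transport and ID-token claim checks for an OAuth2/OIDC relying party.
All URLs, identifiers and claims here are constructed sample values."""
from urllib.parse import urlparse

# Discovery fields a client contacts; every one must be https:// because
# OAuth2 has no security of its own beyond the TLS channel.
TLS_ENDPOINTS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")


def transport_problems(metadata: dict) -> list:
    """Return the discovery fields that are missing or not served over HTTPS."""
    problems = []
    for field in TLS_ENDPOINTS:
        url = metadata.get(field)
        if not url or urlparse(url).scheme != "https":
            problems.append(field)
    return problems


def id_token_problems(claims: dict, issuer: str, client_id: str,
                      nonce: str, now: int) -> list:
    """Return the ID token claims that fail the relying-party checks.

    An access token carries none of these bindings (aud/nonce to *this* client),
    which is why using it as proof of identity is the misuse the thread mentions.
    Signature verification is assumed to have happened before this is called.
    """
    problems = []
    if claims.get("iss") != issuer:
        problems.append("iss")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if client_id not in aud:
        problems.append("aud")
    if len(aud) > 1 and claims.get("azp") != client_id:  # multi-audience tokens need azp
        problems.append("azp")
    if int(claims.get("exp", 0)) <= now:
        problems.append("exp")
    if claims.get("nonce") != nonce:  # ties the token to our own auth request
        problems.append("nonce")
    return problems


# Constructed sample discovery documents: one clean, one with a plaintext token endpoint.
GOOD_METADATA = {
    "issuer": "https://idp.example", "authorization_endpoint": "https://idp.example/auth",
    "token_endpoint": "https://idp.example/token", "jwks_uri": "https://idp.example/jwks",
}
BAD_METADATA = dict(GOOD_METADATA, token_endpoint="http://idp.example/token")
```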