by homakov 3217 days ago
Not just that, a couple of other bad decisions that made many websites inherently insecure https://sakurity.com/oauth
2 comments

That is a really bad specification with no examples, no formalization, and zero references.

However, all server-side attack scenarios listed there are not possible with Hydra. Some of them also boil down to misusing OAuth2 for authentication, which is why we have OpenID Connect.

No, ignore the spec (it's just a list of traits I'd like to suggest); design issues are outlined after it.
At a glance, this looks like a proprietary re-invention of https://tools.ietf.org/html/draft-hammer-oauth-v2-mac-token-...