[cookiecaper]

I was just researching OAuth servers last week and came across Hydra several times. Congrats all on a big release!

Ran across some unexpected drama while poking around: apparently, one of the main authors of OAuth2 spec withdrew his name from the publication and has repeatedly publicly derided the standard. https://vimeo.com/52882780. Parts I heard were good.

I'd just like to make a small request that developers on tiny internal-only APIs not make a big ordeal out of OAuth and require a big honking session store anchored against the "user's" OAuth creds on every internal, service-to-service request, thanks.

[vwpolo3]

The blog posts and discussion was long ago (the video is 6 years old). Since then, that particular author acknowledged that (iirc) OpenID Connect solves many of the things he criticized. I have to look up the source, it’s been a while.

However, OIDC and OAuth2 are complex protocols which is also why we encourage most greenfield and small projects to avoid it unless explicitly required.

It’s also important to note that that particular person voiced criticism, but most of the biggest names in tech (GCP, AWS, ...) heavily rely on those protocols (+ extensions). His proposed alternative protocol Oz never got to real world adoption (to my knowledge) and has recently been archived. The prediction that we would see major OAuth2 security wholes within 3 years (so 2015j never came true. It doesn’t mean that he was wrong, but that there are opinions that contradict him, and that those opinions and voices have established themselves in the industry.

[webhamster]

Also, we now have formal proofs for the security of the OAuth and OIDC protocols.