[floatingatoll]

That introduces a problem where certain browsers ask the user to confirm the cross-domain interaction before proceeding (which I suppose mitigates various silent credentials theft and tracking problems) unless you do whole-page SSO, in which case you end up with cookie, anti-tracking, and container-routing problems.

[sblom]

What browser prompts for permission to follow a redirect? OAuth flows don't require cross-domain interaction in any of the ways that browsers have fought to reduce.

[floatingatoll]

Redirects are fine as long as no container-type things are in play (since those don't necessarily carry the origin's cookies across the boundary), it's embedded cross-domain auth forms in an iframe that can cause a dialog.