by tisc 1138 days ago
> […] and is an issue with OAUTH

This issue is not caused by OAuth, but by offering authentication via a third party. If you allow visitors to authenticate via a third party, you implicitly trust that third party. If that third party decides to revoke your account, then the logical consequence is that you can no longer authenticate. There’s no solution for this problem imo, other than not allowing authentication via a third party.

It is the same as with airlines: they want you to identify yourself using a passport. If your country decides to revoke your passport, you cannot check in. That’s not an issue, but a logical consequence of choices made.

1 comments

The trouble is that you can, apparently, have only one trusted third party. You can't have a backup authentication service in case the trusted third party fails. That's what's needed.

I'd like to have a regulated entity such as a bank, or even the California DMV, as a backup authentication provider. They have legal obligations that Google does not.
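Whether a relying party can accept a backup identity provider is a data-model choice on the relying party's side, not something OAuth forbids. The sketch below is an added example, not code from anyone in this thread: a local account linked to several federated identities, each keyed by a constructed (issuer, subject) pair, so that losing access at one provider does not lock the user out.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class FederatedIdentity:
    issuer: str   # the IdP (OIDC "iss"); all values in this file are constructed
    subject: str  # IdP-scoped stable user id (OIDC "sub"), never an email address

@dataclass
class Account:
    account_id: str
    identities: set = field(default_factory=set)

class AccountStore:
    # Relying-party side: one local account, many federated identities.
    def __init__(self):
        self._accounts = {}     # account_id -> Account
        self._by_identity = {}  # FederatedIdentity -> account_id

    def create(self, account_id, identity):
        if identity in self._by_identity:
            raise ValueError("identity already linked to an account")
        self._accounts[account_id] = Account(account_id, {identity})
        self._by_identity[identity] = account_id
        return account_id

    def link(self, account_id, identity):
        # Caller must already hold an authenticated session for account_id,
        # and an identity may belong to at most one local account.
        if identity in self._by_identity:
            raise ValueError("identity already linked to an account")
        self._accounts[account_id].identities.add(identity)
        self._by_identity[identity] = account_id

    def unlink(self, account_id, identity):
        acct = self._accounts[account_id]
        if len(acct.identities) == 1:
            raise ValueError("refusing to remove the last login method")
        acct.identities.discard(identity)
        self._by_identity.pop(identity, None)

    def login(self, identity):
        # Match only on (issuer, subject); unknown identities get None, not a new account.
        return self._by_identity.get(identity)

def backup_login_scenario():
    store = AccountStore()
    primary = FederatedIdentity("https://idp-a.example", "user-123")
    backup = FederatedIdentity("https://idp-b.example", "user-abc")
    store.create("acct-1", primary)
    store.link("acct-1", backup)
    # idp-a revokes the user: no token from it will arrive again, but the
    # linked backup identity still resolves to the same local account.
    return store.login(backup)
```

Matching on the subject claim rather than on email matters because an email address can be reissued or asserted by a different provider, which would let an unrelated identity land on an existing account.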

You'd need a law saying that the California DMV or whoever must run an OAuth service, and then you'd see people integrate it. As it stands, this isn't a thing because the California DMV and even banks aren't interested in being the populace's IDP.

Banks are into this. JP Morgan Chase uses OAuth2 for some services. It's more of an enterprise thing right now.[1]

[1] https://www.jpmorgan.com/technology/technology-blog/protecti...