[brabel]

All the problems mentioned in the blog post are due to the providers not following what the spec clearly said.

If you have an example of where that's not the case, I would also love to hear as I work in this area (perhaps you're thinking about how OAuth does not specify at all how authentication happen? But that was a good call, OAuth 1 did and it was too limiting... also OpenID Connect is pretty widely adopted now, and it fills that gap well).

[icedchai]

"Clearly" is relative. If all these providers are having problems with the spec... what does that tell you?

[brabel]

What that tells me is that people who cannot read and understand a specification (or willingly ignore what the spec says) are implementing it anyway. I claim the spec is completely clear on all the points raised in the blog post. You can't just handwave that away without specifically telling what point was unclear.

[icedchai]

Just imagine if we had these problems with TCP!