Since OIDC is a layer on top of OAuth 2, it inherits its complexity. OAuth 2.1 (currently draft) will help bring some sanity. GNAP - https://oauth.net/gnap/ - will, one day, tie everything.
GNAP was just codified to be an RFC: https://www.rfc-editor.org/rfc/rfc9635.html
When I looked at it a few years ago[0] it seemed like a modernization of OAuth (which still uses form posts(?!?)). But I'm worried about uptake, myself. Haven't had a single client request it or bring it up.
0: https://fusionauth.io/blog/gnap-next-gen-oauth
I see that the GNAP WG has been closed [0]. I don't know how this works with IETF, but is anyone caring for the spec and its adoption atm?
[0] https://mailarchive.ietf.org/arch/msg/txauth/uEXUsdk43TbPlls...
PS. I submitted GNAP RFC separately: https://news.ycombinator.com/item?id=42105487