Comment by matja
9 hours ago
OAuth is designed so that an end-user never needs to see an API key (OAuth refresh/access token) or even know what one is. When it is implemented to the spec, that happens well.
I think that most of the "just give me an API key" comments are from the <1% of end-users (developers) that know what an API key is, and are facing a broken OAuth implementation.
> and are facing a broken OAuth implementation.
Or didn't bother to read the spec to understand why it's non-trivial. Things like this are complex because attacks will force it to be.
Also, the broken implementation might be an OIDC implementation that doesn't support client_credentials for example. Seen that many times and that does make it rather awkward to implement a server to server flow...
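A server-to-server client_credentials exchange of the kind the last comment refers to, as an added example that is not part of either commenter's post: the client builds the RFC 6749 section 4.4 token request with client_secret_basic authentication, a minimal authorization server authenticates the client and issues a bearer access token (with no refresh token, which the spec says should not be issued for this grant), and a resource server checks scope and expiry. The client names, secrets, scopes and the in-memory token store are constructed for the example and are not from any real deployment.

```python
"""Minimal OAuth 2.0 client_credentials exchange (RFC 6749 section 4.4), both sides."""
import base64
import hmac
import secrets
import time
from urllib.parse import parse_qs, quote, unquote, urlencode

# Constructed client registry for the example (hypothetical names and secrets).
CLIENTS = {
    "svc-billing": {"secret": "s3cr3t-billing", "scopes": {"invoices:read", "invoices:write"}},
}
TOKEN_TTL = 3600
ISSUED = {}  # access_token -> {"client_id", "scope", "exp"}; stands in for the AS token store


def build_token_request(client_id, client_secret, scope=None):
    """Client side: headers and form body for a client_secret_basic token request.
    RFC 6749 2.3.1 form-encodes id and secret before base64-encoding "id:secret"."""
    creds = base64.b64encode(f"{quote(client_id)}:{quote(client_secret)}".encode()).decode()
    form = {"grant_type": "client_credentials"}
    if scope:
        form["scope"] = scope
    headers = {"Authorization": f"Basic {creds}",
               "Content-Type": "application/x-www-form-urlencoded"}
    return headers, urlencode(form)


def token_endpoint(headers, body):
    """Authorization server side: authenticate the client, then issue a bearer token.
    Returns (http_status, json_body)."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return 401, {"error": "invalid_client"}
    try:
        raw_id, _, raw_secret = base64.b64decode(auth[6:], validate=True).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return 401, {"error": "invalid_client"}
    client_id, client_secret = unquote(raw_id), unquote(raw_secret)
    client = CLIENTS.get(client_id)
    # Compare in constant time; an unknown client is compared against a dummy so the
    # "no such client" and "wrong secret" paths take similar time.
    expected = client["secret"] if client else secrets.token_hex(16)
    secret_ok = hmac.compare_digest(client_secret.encode(), expected.encode())
    if client is None or not secret_ok:
        return 401, {"error": "invalid_client"}
    try:
        params = parse_qs(body, strict_parsing=True)
    except ValueError:
        return 400, {"error": "invalid_request"}
    if params.get("grant_type") != ["client_credentials"]:
        return 400, {"error": "unsupported_grant_type"}
    # Scope defaults to everything the client is registered for, never more.
    requested = set(params["scope"][0].split()) if "scope" in params else set(client["scopes"])
    if not requested or not requested <= client["scopes"]:
        return 400, {"error": "invalid_scope"}
    token = secrets.token_urlsafe(32)
    ISSUED[token] = {"client_id": client_id, "scope": requested, "exp": time.time() + TOKEN_TTL}
    # No refresh_token: RFC 6749 4.4.3 says one SHOULD NOT be issued for this grant;
    # the client simply re-authenticates with its own credentials when the token expires.
    return 200, {"access_token": token, "token_type": "Bearer",
                 "expires_in": TOKEN_TTL, "scope": " ".join(sorted(requested))}


def authorize(access_token, required_scope, now=None):
    """Resource server side: accept the bearer token only if it is live and carries the scope."""
    rec = ISSUED.get(access_token)
    if rec is None:
        return False
    if (now if now is not None else time.time()) >= rec["exp"]:
        return False
    return required_scope in rec["scope"]


if __name__ == "__main__":
    hdrs, form = build_token_request("svc-billing", "s3cr3t-billing", "invoices:read")
    status, resp = token_endpoint(hdrs, form)
    print(status, resp)
    print("read allowed:", authorize(resp["access_token"], "invoices:read"))
    print("write allowed:", authorize(resp["access_token"], "invoices:write"))
```

The token store is an in-memory dict here; a real authorization server would persist or sign tokens and a real resource server would introspect or verify them, but the checks are the same: client authentication before any grant handling, requested scope bounded by registered scope, and expiry enforced on every use.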