
I think they tried to make OAuth(2) too flexible, and to me the lesson -- and I wonder if this is commonly understood this way or not -- is that it's preferable to make very simple clear limited-scope standards for clear use cases, even if that means they won't be able to meet all use cases. And then add on (even possibly in additional separate standards) for other use cases, after the first has been successful.

With what we actually have, my impression (curious if others with more experience can confirm) is that you have to get lucky for different OAuth2 implementations to even be interoperable?


