I implemented more than a dozen OAuth integrations last year with multiple American and Chinese companies and oh boy it was painful.

I do not know why so many engineers end up reading a clear specification document like RFC-6749 [1] and then ignore 80% of the instructions. I had to deal with so many weird bugs and bad OAuth server implementations; I lost count of how many emails went back and forth trying to make sense of unexpected behavior.

Even Apple engineers got it wrong. They decided to create their own thing based on OpenID Connect for “Sign In With Apple” [2]. OpenID had to write an open letter [3] explaining the repercussions of their changes and fortunately were able to convince Apple to fix the implementation [4].

OpenID was lucky though, they had some leverage, but a no-one like me couldn’t possibly convince a gigantic conglomerate like Tencent to fix their web API. Talking with Tencent engineers has been one of the worst experiences in my career. The company apparently has a culture of constant job rotations: engineers are assigned projects for short periods of time, with bonuses for early completion that encourage them to deploy half-finished code before moving on to something else.

[1] https://tools.ietf.org/html/rfc6749

[2] https://developer.apple.com/sign-in-with-apple/

[3] https://openid.net/2019/06/27/open-letter-from-the-openid-fo...

[4] https://openid.net/2019/09/30/apple-successfully-implements-...

I can only give my perspective, which is likely to be unique. I'm in the process of implementing an OAuth2 server for the first time. I feel like I have a handle on it now, but it was definitely overwhelming at first. If I were confident that RFC6749 had everything in it that I needed, I would read through and implement it. But it quickly became apparent that there is a dizzying array of RFCs with extensions, deletions, and best practices. So I just skipped the specs, and have been using resources like this, OAuth2 Simplified, and of course YouTube.

So I guess the upshot is I find resources like this and the upcoming 2.1 to be valuable.

Don't implement your own; there's tons of open source that can do that, for example https://github.com/ory/hydra