Comments
-
If you want simple, use session, if you want something robust, use OAuth2.
JWT has a lot of cons, and therefore very limited use case. Not fun to change authentication system after app is complete and running.
-
@frogstair Security is not the problem. The problem is access management. The problem is that it is just too basic. For example: Want to log out a specific user? There is no way.
// I am not saying that it sucks, but for any project larger than small use something else.
-
i can't speak for oauth, but oauth2 is great. it seems complicated when you first see it, but then you realize it's still the minimum complexity to get the job done
-
olback: @calmyourtities The whole redirect thing is so retarded. I don't have a server, just a client. What do I do? Make my own server just to be able to use an API that requires Oauth2?
-
@olback what do you mean you don't have a server? like you're implementing it for an app? in that case i'd register a domain and have a web view in the app for the user to sign in with. the user would finish the sign in process, and the webview would redirect to mydomain.com/callback?token=xyz.
you can listen for the url of the webview to change to the callback url, and then extract the token from there.
i agree it's designed for websites and should be improved for non-website applications.
also, it'd probably be better to open the web browser and register your app to handle mydomain.com urls, but that's harder.
-
olback: @calmyourtities yeah, I'm making a native desktop app and using an Oauth2 api. So hard without a server and/or WebView.
-
@olback
What are you doing with OAuth on a desktop app that's not connecting to APIs?
-
@olback make the callback open your app if possible (with xdg-open for linux if that's possible) i think that's the only way.
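
The desktop-app case discussed in this thread, as an added example that is not part of any commenter's post: instead of a webview and a token in the callback URL, it uses the authorization-code flow with PKCE and a one-shot loopback listener (the native-app pattern from RFC 8252), and it rejects callbacks whose `state` does not match. The endpoint, client id, port and function names are placeholders chosen for illustration.

```python
import base64, hashlib, secrets
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlencode, urlsplit, parse_qs

def pkce_pair():
    """Return (code_verifier, code_challenge) for the S256 method (RFC 7636)."""
    verifier = secrets.token_urlsafe(32)  # 43 URL-safe characters
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return verifier, base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def authorization_url(auth_endpoint, client_id, redirect_uri):
    """Build the URL to open in the system browser, plus the values to remember."""
    state = secrets.token_urlsafe(16)
    verifier, challenge = pkce_pair()
    query = urlencode({
        "response_type": "code", "client_id": client_id,
        "redirect_uri": redirect_uri, "state": state,
        "code_challenge": challenge, "code_challenge_method": "S256",
    })
    return f"{auth_endpoint}?{query}", state, verifier

def parse_callback(callback_url, expected_state):
    """Extract the authorization code; reject errors and mismatched state."""
    params = parse_qs(urlsplit(callback_url).query)
    if "error" in params:
        raise ValueError("authorization failed: " + params["error"][0])
    state = params.get("state", [""])[0]
    if not secrets.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch, ignoring callback")
    if "code" not in params:
        raise ValueError("callback carries no authorization code")
    return params["code"][0]

def wait_for_callback(port, expected_state):
    """Serve exactly one request on 127.0.0.1:port and return the code."""
    result = {}
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            result["url"] = self.path
            self.send_response(200)
            self.end_headers()
            self.wfile.write(b"You can close this window.")
        def log_message(self, *args):  # keep the code out of console logs
            pass
    with HTTPServer(("127.0.0.1", port), Handler) as server:
        server.handle_request()
    return parse_callback(result["url"], expected_state)
```

The app opens the returned URL in the system browser, calls `wait_for_callback`, then sends the code together with the stored verifier to the provider's token endpoint.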
Oauth is unnecessarily complicated. No wonder so many implementations are vulnerable...
rant
oauth sucks
oauth