What's OAuth2, anyway?
Commented on Hacker News
Excellent writing and diagrams!
If you want to expand your knowledge beyond OAuth2 (and most probably you should if you want to design systems used by big guys from 0 to 1), I highly recommend jumping straight into OpenID Connect (OIDC), which is an identity layer built on top of OAuth 2.0.
Besides reading the specs, Sascha Preibisch's videos on both OIDC and OAuth2 were the most useful for solidifying the bigger picture for me:
https://www.youtube.com/@saschazegerman/playlists
The specs are actually well written despite all the jargon and the train of buzzwords used inside. The most annoying on my list are OP (OpenID Provider) and RP (Relying Party)...
https://openid.net/specs/openid-connect-core-1_0.html
https://datatracker.ietf.org/doc/draft-ietf-oauth-v2-1/
The most useful knowledge, however, I personally gained from studying ORY Hydra (mentioned in the article) and Zitadel.
The problem with the OIDC and OAuth2 space: IDP providers are too "creative" in their interpretation of the specs, starting from the userinfo and token exchange endpoints.
Without allocating a significant amount of time, getting all the flows and related cyberops into your brain might never happen.
Good news: it's a lifetime investment...
An OIDC search on GitHub gives good results: libraries, open source IDPs, all kinds of proxies, etc.