
Why you probably do not need OAuth2 / OpenID Connect

Blog post from Ory

Post Details
Company: Ory
Author: Aeneas Rekkas
Word Count: 5,852
Language: English
Summary

OAuth2 and OpenID Connect are powerful protocols when applied to the problem they were designed for, but they are frequently adopted where they are not needed and implemented incorrectly, and each misapplication adds attack surface. The post, written by an author with significant contributions to the OAuth2 and OpenID Connect ecosystem, argues that these protocols are not always required, especially for small and medium-sized teams or for first-party applications, where a simpler authentication scheme (for example, server-side sessions) suffices until a genuine need for delegation arises. The article walks through the intricacies and pitfalls of implementing OAuth2 and OpenID Connect incorrectly and stresses the importance of recognising when they are actually required: chiefly when third parties need delegated access to user data, or when users must authenticate to third-party applications with your identity provider. The author also introduces Ory Kratos as an alternative approach to identity and authentication, described as scalable, secure and straightforward, which can later be extended with OAuth2 and OpenID Connect if the need arises.