Hi all,

Following up on our discussion about the Auth Manager v2 proposal and the pending SDK decision, I wanted to share the results of the investigation I did today. I also updated the design doc [1] with my findings.

We initially considered two options: Nimbus and Google. My investigation showed that the Google library only supports RFC 6749. Therefore, it lacks out-of-the-box support for the token exchange grant (RFC 8693) and the device code grant (RFC 8628), which are both essential for us. While the missing features could be implemented manually, doing so seems a waste of time when Nimbus provides all of them. Furthermore, the Google library is currently in maintenance mode, and consequently, it has not received any significant updates for a considerable period.

On the other hand, Dan rightly raised concerns about Nimbus's limited number of committers. That's true. We can however observe that the project appears "reasonably" active, judging by its recent PRs [2].

I would love to have more options on the table. But given how few candidates we have [3], I've concluded that my initial choice of Nimbus is indeed the most viable choice – or the "least worst" option, if you will.

I'm keen to hear what others think about this, or if I missed anything in my investigation.

Thanks,
Alex

[1]: https://docs.google.com/document/d/1Hxw-t8Maa7wZFmrlSujm7LRawKsFP3Q31tET_3aRnQU/edit
[2]: https://bitbucket.org/connect2id/oauth-2.0-sdk-with-openid-connect-extensions/pull-requests/?state=ALL
[3]: https://oauth.net/code/java/
