This email thread is a duplicate. Please see the other thread.
On Sat, Oct 25, 2025 at 2:04 PM Kalivaradhan Aadharsh <[email protected]>
wrote:
> Hi everyone,
>
> I’m a developer building a multi-provider authentication system and I’ve
> run into a consistent pain point when integrating different OAuth 2.0
> providers.
>
> While the OAuth 2.0 spec defines the overall flow, it leaves the token
> response structure fairly open. This has led to each provider returning the
> access token in different formats for example:
>
> - Slack: { "authed_user": { "access_token": "..." } }
> - Google, Discord: { "access_token": "..." }
> - Apple: { "id_token": "..." } (signed JWT)
> - Reddit: requires Basic Auth, different schema
>
> From a developer’s perspective, this inconsistency makes it difficult to
> build generic OAuth integrations or SDKs that can handle multiple providers
> without writing provider-specific adapters. While technically all of these
> are “compliant,” it results in unnecessary complexity for implementers.
>
> Proposal:
> As OAuth 2.1 is being discussed, would it be possible to define a minimal
> universal response schema that all providers should adhere to at least
> ensuring that `access_token`, `refresh_token`, `token_type`, and
> `expires_in` are always top-level and consistently named?
>
> This would help developers build interoperable tooling and SDKs while
> still allowing providers flexibility for additional metadata.
>
> I’d love to know if this topic has been discussed before or if there’s an
> open draft related to improving response consistency.
>
> Thank you for your time and for maintaining such a critical protocol for
> the web!
>
> Best regards,
> Kalivaradhan Aadharsh
> Student Developer | Orion Auth Project
> _______________________________________________
> OAuth mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
>
_______________________________________________
OAuth mailing list -- [email protected]
To unsubscribe send an email to [email protected]
