We’ll never know what would have happened had we created the functionality of 
OpenID Connect as a new protocol not using OAuth 2.0.  I’ve sometimes wondered 
about that.

Could it have been simpler with fewer corner cases?  Yes.

Would developers who were already using OAuth 2.0 have *also* implemented the 
new authentication protocol alongside it?  Or would it have failed to be 
adopted?  We’ll never know.

It was certainly a tactical choice to build on top of OAuth 2.0, since 
developers were already there and going there.  Adoption of OpenID Connect 
followed.  Original sin or no. 😉

Here’s Vittorio’s New Year’s 2013 post “OAuth 2.0 and Sign-In” 
<https://web.archive.org/web/20130105031040/http:/blogs.msdn.com/b/vbertocci/archive/2013/01/02/oauth-2-0-and-sign-in.aspx>. 
Still a great read!

                                                                -- Mike

From: Brian Campbell <[email protected]>
Sent: Thursday, March 5, 2026 3:31 PM
To: Michael Jones <[email protected]>
Cc: oauth <[email protected]>; Blaine Cook ([email protected]) <[email protected]>
Subject: Re: [OAUTH-WG] What is OAuth?

Thanks for sharing that Mike.

Blaine certainly has a relevant and important perspective. I was struck by this 
bit, though: "OIDC itself is an interesting thing –immediately after creating 
OAuth, we realized that we could compose OpenID's behaviour out of OAuth." It 
reminded me of a conversation I had with Vittorio, whose perspective I also 
consider relevant and important, where he referred to that composition, only 
partly in jest, as the "original sin." The layering of OIDC on top of OAuth has 
had benefits but has also been the source of seemingly endless confusion and 
downstream problems. It's worth noting, in the ol' email archives, that it 
hasn't been all puppies and rainbows.



On Sat, Feb 21, 2026, 10:31 AM Michael Jones <[email protected]> wrote:
Read this insightful description of the core of what OAuth is by Blaine Cook, 
former lead developer for Twitter and one of the inventors of OAuth. Blaine was 
an OAuth working group chair when I first started working with the IETF in 2011 
(when OAuth was still in the IETF Applications Area).

Here’s his post “What is OAuth?” 
<https://leaflet.pub/p/did:plc:3vdrgzr2zybocs45yfhcr6ur/3mfd2oxx5v22b> 
and his LinkedIn article referencing it 
<https://www.linkedin.com/posts/blainecook_what-is-oauth-activity-7430814106888134656-eaeH/>.

                                                                -- Mike

_______________________________________________
OAuth mailing list -- [email protected]
To unsubscribe send an email to [email protected]
