Hacker News

Awesome, thanks for this. I think I've read the Road to Hell article 3/4 times at this point. It makes a little more sense each time as I learn more.

I totally agree there are so many resources about implementation, and honestly it's pretty straightforward. My guess is that because of this people don't think to question it and simply assume it's all necessary. And maybe it is, but in my experience necessity is often tied to specific assumptions that may not be true for a specific use case.

With OAuth in particular I suspect a lot of the details are tied to the assumption that you have to do a full redirect in order to authenticate. But my emauth.io service uses email over a back-channel to authenticate, so the user can stay on the app page while they verify their identity. So at the very least you don't have to worry about redirect hijacking.
