I’m reading the Android AppAuth readme because I’m playing with Android development.
So since I use Keycloak and OpenID-Connect I’d like to utilize it for authentication and authorization.
What I find hypocritical and actually really funny, also considering this Ian McGin guy is a total dick, is the fat warning about utilizing client secrets.
Really, if you have the freaking implicit flow, which allows your client to access your freaking userbase without a secret, and then complain about not utilizing a client secret because it would make your OIDC less secure, then you are an idiot and were not able to comprehend anything at all.
The only thing that OIDC even has going for it is expiring tokens. But since they are so freely available, who cares if your token lasts 10 minutes or 365 days.
OpenID-Connect is tech done wrong. It’s a way to make some people richer without actually improving the safety of your endpoints.