Auth
Started 5 hours ago
Last edited 5 hours ago
Over the last few days, I’ve plunged into finally trying to understand how all of this Auth stuff works.
(The landscape of acronyms is almost as bad as the one around CORS.)
These are the videos/sites I wish I had found right at the beginning:
- The Auth Wiki from Logto, but only as a reference whenever some word is unclear (though that has duplicate pages for some reason)
- Illustrated Guide to OAuth and OIDC (Youtube)
- Everything you ever wanted to know about OAuth and OIDC (though the OAuth playground it mentions currently seems to be broken)
- OAuth 2 Simplified (Blog Post), which has been expanded into OAuth 2 Simplified (Book)
§ Not super-intuitive stuff
- A normal (browser-based) web client shouldn’t have a client secret (makes sense if you think about it: anything shipped to the browser is public), and needs to use PKCE instead.
- OAuth is only about Authorization (read: authorizing the service you’re currently logging in to, so it can access some resources on another service). OpenID Connect (OIDC) adds Authentication (read: telling the service you’re currently logging in to who you are) on top of it.
- In my head, every service supporting OAuth (or OIDC, at least) also supported something called “Public Sign Up”. But that’s not the case; most of them actually don’t (which makes sense, because Authorization and Registration don’t even belong to the same area).