> you are showing bad faith

No, I'm not. You haven't proven it.

> just like AD, oauth is used for authentication and authorization

In a sort of roundabout way, but in those cases what the relying party is accessing are the user's identifying details.

> of course, we do not use "web" inside internal enterprise networks

That's not really what I mean. I would never expose an AD domain to the internet, that's not what it's for.

> can you execute any kind of code on AWS' IAM servers

That's not what I was saying, I was saying it in the context of a self-hosted identity provider. If all you've meant by this entire exchange is that OAuth means you don't have to worry about security because you've outsourced it to someone else, then I've really wasted my time.