jurgenaut23 5 hours ago
I am tempted to agree with you because I could never quite wrap my head around it, but I never had to implement OAuth beyond a brief skim through the doc for my own understanding. I always thought this complexity was there for some good reason (security?).
fmbb an hour ago
> I always thought this complexity was there for some good reason (security?).

It's just design by committee.
messe 5 hours ago
> was there for some good reason (security?).

To cover the myriad of (sometimes downright stupid) requirements that large enterprises have.
iririririr 4 hours ago
Far from it! It was just designed by committee, who both future-proofed it and made sure it worked on low-powered devices from 1971. I make a point to implement OAuth from scratch, because using the overly complex libraries exposes you to bugs such as an attacker sending a token whose metadata just says "no encryption or signature, trust me bro", which is actually part of the spec if you combine some options. While in the real world, if Google or Apple sends you a token that is not always the same signature cipher (one of a dozen by the spec), you are better off treating it as malicious, because it pretty much is. A manual implementation of a token consumer is about 20 lines... including downloading the provider keys and checking it (which most startups never do! allowing anyone to just sign a token as anyone).