If your sole purpose is authentication w/o authorization, one should use securelogin.pw which does not depend on identity provider. And btw OAuth2 spec is insecure by design, it's a known fact.
> btw OAuth2 spec is insecure by design, it's a known fact.
OAuth2 is only "insecure" in that it relies on TLS for its security: the same as HTTP, IMAP or SMTP. You should never run OAuth2 over a non-HTTPS (i.e. HTTP) connection. The same is true for any other login system.
That is a really bad specification with no examples, no formalization, and zero references.
However, all server-side attack scenarios listed there are not possible with Hydra. Some of them also boil down to misusing OAuth2 for authentication, which is why we have OpenID Connect.