# general
Hello! I have a question for @high-optician-2097 regarding his awesome "Why you probably do not need OAuth2 / OpenID Connect" article. The article perfectly states the case against the complexity of OAuth / OIDC for simple situations. If I understood it correctly, the article summary is "OAuth / OIDC is too complex, use simpler services like Ory Kratos if you can". However, OAuth / OIDC is a set of protocols, while Kratos is an implementation. What are the alternative protocols for a first-party-only auth system? In other words, do you have specifications for the protocols Kratos implements? Thank you.
Hello @fresh-oxygen-22993, happy to help you navigate this. You are right that Ory Kratos is not a protocol - it is an implementation of several core web technologies to solve first-party authN. These are the core technologies that Kratos uses:
• HTTP Redirects
• HTTP POST (application/x-www-urlencoded) and REST GET requests
• HTTP Cookies to prevent CSRF and Session Hijacking attack vectors
So rather than "inventing" a new protocol or standard, Ory Kratos implements existing protocols that have been around for decades.
You can read more about the flows that Ory Kratos implements here: https://www.ory.sh/docs/kratos/self-service
You can read more about the design philosophy behind the project here: https://www.ory.sh/docs/ecosystem/software-architecture-philosophy