so much this. tried to implement oauth recently.

all providers only document their bloat-spyware-buggy javascript that creates a button and handles all in the client.

then using libraries you are open to attacks in one hundred ways because those implement all the unrealistic things in the spec (including overriding issuer and setting crypto to nothing, via attacker controlled fields). after two days of evaluating i just gave up and wrote my own, server side and handling the singular case everyone uses. 20 lines, which was less then adopting the libraries.