That's just the way OAuth works. I agree it's a messy protocol. Classic design by committee stuff. Exactly what you get when mutually incompatible security product vendors try to create a standard that covers what all of them do.
Unfortunately, there are no good alternatives that don't have this problem. Basically people use all sorts of commercial products in the hopes that they will act like magic security pixie dust. Most of them are super complicated to work with. Or expensive. Or both.
There's just no way around the fact that you need to know what you are doing and how stuff sticks together.