> Yeah it’s not difficult if you know all the specs.
I don't think this is a valid point. Specs only cover a single responsibility: interoperability. This is not a critical requirement of auth services, unless you have a hard requirement on federated auth.
But given that BetterAuth is an open source project with a large following, and also given that they just got funding so they can hire more help, now we can evaluate BetterAuth's competency in terms of their ability to coordinate help.
The issue is 99% don’t know them and are not very good at following them. And the cost of error is very high.
I’ve seen a lot of startups that failed to implement even google oauth securely.
So yeah it’s a far cry from fud and you really should not do it unless you are actually good.