>OAuth is a Authorization protocol, not an Authentication protocol however people do mix in the authentication into the flows.
This is what I don't get. Using OAuth2 for authentication is so complex, whereas Ory has a simple authentication system based o cookies: https://www.ory.sh/docs/security-model
With OAuth2 it seems to me to be the same just with extra steps keeping track of tokens and expiration.
Why use OAuth2 for authentication, it was never designed for that.
My understanding is that this is usually done by companies that need to implement delegated authorization which is the bread and butter of OAuth 2.0. By starting and implementing their authentication flows with OAuth2, you can support both delegated authorization and native authentication where your own apps are simply OAuth clients with some special casing. That isn’t absolutely necessary since you could build authentication separately from OAuth but then you would still need those OAuth2 flows for delegated authz eventually if you do.
This is what I don't get. Using OAuth2 for authentication is so complex, whereas Ory has a simple authentication system based o cookies: https://www.ory.sh/docs/security-model
With OAuth2 it seems to me to be the same just with extra steps keeping track of tokens and expiration. Why use OAuth2 for authentication, it was never designed for that.