Intermission: What Industry Ships and Who Gets Paid

Sun, 21 Jun 2026 00:00:00 +0000

A deliberate pause #

v07 is in the repo. It consists of OpenID Connect on top of the v06 split; i.e. id_token, discovery, UserInfo, nonce, and the openid scope; while keeping v06’s opaque-or-JWT access-token modes. The runnable snapshot is versions/v07-openid-connect/. In my opinion, that is a lot of ground for seven incremental snapshots.

I started drafting this market-research post earlier, then paused the write-up to implement OIDC first. Almost every commercial IdP ships OAuth and OIDC together; reading vendor pricing without knowing what an id_token would not be correct. With v07 done, the OAuth+OIDC spine is complete enough to read the landscape.

Splitting the Auth Server from the Resource Server

Mon, 15 Jun 2026 00:00:00 +0000

Why v05’s single process is not the finish line #

v05 closed the refresh loop: short-lived access tokens, silent renewal via grant_type=refresh_token, and a protected GET /api/me. One convenience hid an architectural lie.

In v05, the authorization server and resource server share one Flask process on :25000. The client calls the same host for POST /token and GET /api/me. Token minting and token validation both read memory.access_tokens in the same Python dict. That works in a toy lab; it is not how production OAuth is deployed.

Mcp on Sauvik Biswas

Intermission: What Industry Ships and Who Gets Paid

A deliberate pause #

Splitting the Auth Server from the Resource Server

Why v05’s single process is not the finish line #