Kind of tangential, but one thing I realized recently I didn't get about oauth2 (or openid), social logins for that matter: when you click on the login button, you're sent to whatever site the site you're logging in to wants to send you. It could be a phishing page or whatever. Is that not a significant issue?

I've never seen any warnings about this - I feel like generally it's touted as a better (practical, secure) alternative to having your own per-site email address and password, and most identity providers are careful to say "are you sure this is the site you want to log into" (mostly because people are abusing oauth2 for logins), but nobody says "hey, triple check before clicking an off-site login link!"

I feel like there needs to be browser-side integration that keeps track of which identity providers you have, and which ones you've previously used on which sites. Somehow facebook pushed passkeys through, so it's not like browser-site cooperation can't happen in the login space.

IIRC there were some oauth2 alternatives years back but I don't think they went anywhere. It'd be nice to get rid of all the cruft in the standard about http logins, maybe support flows that don't rely so heavily on DNS, etc etc too.
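A sketch of the browser-side check the comment above asks for, added here as an illustration and not code from the original post. It assumes a hypothetical per-user store of which identity-provider origins have completed a login with which site, and classifies a login redirect by whether the authorization request's `redirect_uri` returns to the initiating site and whether the provider host is known, unknown, or a lookalike of a known one (all origins and URLs are constructed sample values).

```python
from urllib.parse import urlparse, parse_qs

# Constructed sample store (hypothetical): for each site the user logs in to,
# the identity-provider origins a login has previously completed with.
KNOWN_IDPS = {
    "https://example-forum.test": {"https://idp.example.test"},
}


def origin(url):
    """Scheme and host of a URL, e.g. https://idp.example.test."""
    u = urlparse(url)
    return f"{u.scheme}://{u.netloc}"


def classify_login_redirect(initiating_origin, authorize_url, known=KNOWN_IDPS):
    """Verdict for a login click on initiating_origin that redirects to authorize_url.

    Returns a string starting with 'ok', 'confirm', 'warn' or 'block'.
    """
    u = urlparse(authorize_url)
    if u.scheme != "https":
        return "block: authorization endpoint is not https"
    # The redirect_uri in an authorization request should send the browser back
    # to the site that started the login; anything else deserves a warning.
    redirect_uri = parse_qs(u.query).get("redirect_uri", [None])[0]
    if redirect_uri is None:
        return "warn: authorization request carries no redirect_uri"
    if origin(redirect_uri) != initiating_origin:
        return "warn: redirect_uri does not return to the site that started the login"
    idp = origin(authorize_url)
    if idp in known.get(initiating_origin, set()):
        return "ok: provider previously used with this site"
    all_idps = set().union(*known.values())
    # Crude lookalike check: a known provider's host embedded in a longer host.
    host = u.hostname or ""
    for known_idp in all_idps:
        kh = urlparse(known_idp).hostname
        if kh and kh != host and kh in host:
            return f"warn: host {host} resembles known provider {kh}"
    if idp in all_idps:
        return "confirm: provider known, but first use with this site"
    return "confirm: first login through this provider"
```

The verdicts map onto the prompts the comment wishes browsers would show: silent for a provider already paired with this site, a confirmation for a new pairing, and an explicit warning when the provider host or the return address does not line up.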