All specs - Questioning the complexity of the Connect design

Yaron Goland writes the following. Again, whether we change the specs or not, these are questions that will also arise from others that we need good answers to.

====

Ohh goody... security holes and a byzantine design. I strongly predict OpenID Connect will fail to be useful. Does anyone have the intestinal fortitude to point out the emperor has no clothes and ask for a radically simpler design? I really need to write that blog article "OpenID Connect - Watching a standard commit complexity suicide" I'm serious. This one has jumped the shark. Throw in the complexity of JWTs and their various derived standards and you have a complexity orgy. It's just nuts. Congrats, you have reached WS- levels of impenetrable complexity in record time. I thought it would take more years before we got there. In fact, that's a better title for my blog entry! "OpenID Connect - The new WS-"

OpenID Connect is out of control. It's too big. It's too complex. It isn't going to work in the real world.

I suppose I should start now writing an alternative spec. Sigh... OAuth 2.0 all over again.

(and then Yaron wrote in a later exchange about this...)

I find it hard to believe we could make the level of changes I think are necessary to make something that isn't going to just be DOA. It would have to be giving up on identity tokens all together. It would be about treating identity as an attribute service that one gets permissions to just like any other permission. So all of OpenID connect just boils down to a single trivial JSON endpoint with a few arguments.