
LWN's unreliable predictions for 2022

Posted Jan 11, 2022 1:23 UTC (Tue) by mathstuf (subscriber, #69389)
In reply to: LWN's unreliable predictions for 2022 by flussence
Parent article: LWN's unreliable predictions for 2022

Ah, OAuth2. Basically, service providers got unhappy that users were using Any Client instead of the Blessed Client™ (which has ads, tracking, and other "fun" enterprise-y things embedded). So OAuth2 has the idea of authenticating a *client* to the service. Users then allow that client to access the service on their behalf. I agree that this does indeed have security benefits including:

- scraping account auth isn't useful as the other client also needs the client secret (though this is a DRM-ish thing in that "fat" clients have the secret embedded somewhere anyways)
- limiting access to the account through specific services (instead of "app passwords" which generally are full account access)
- generally better permission lockdowns (though this isn't exclusive, "no one" implements app password-based limited access)

However, it means that FOSS apps are SOL and users must instead register their copy as a separate client because…the client secret has to come from somewhere and it's not very secret in a public repo (GitHub or F-Droid). FWIW, this has worked for me with Google's enterprise account, but I couldn't find how to register an app with my free account (e.g., for use with `offlineimap` or `rclone`).

Now I have no idea how the Gitea federation stuff is in practice, but if that's any indication, expect pain and suffering when you have to register as a "new app" at each service manually.



Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds