Designing an Authentication System: A Dialogue in Four Scenes (1988) (web.mit.edu)
47 points by Tomte on Aug 24, 2018 | 4 comments


OpenID, OAuth, et al. are similar to Kerberos: using a central authentication server to issue tokens that are trusted for authentication to a third party. OAuth seems a little bit weaker compared to Kerberos since there is no mutual authentication; instead we tend to rely on HTTPS for this.


Last time I checked, we had TLS client certificates and TLS certificate pinning. So yes, we do have mutual auth. Additionally, OAuth2 is not an authentication flow.


> Additionally, OAuth2 is not an authentication flow.

I've heard this before, but tbh I'm not familiar enough with auth systems to see why it's true. I've certainly used "login with Facebook", etc. as an alternative to email/password login for sites I've created in the past, and I've seen others do so.

Do you mind elaborating?


FYI, this is Kerberos 4; most Kerberos uses preauthentication now, so the whole "try to decrypt the ticket and see if it works" isn't a thing now.
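The two designs contrasted in this thread, as an added example that is not code from the MIT dialogue, from any Kerberos implementation, or from any commenter: a toy Python KDC playing the role of the central server the first comment describes, issuing an AS reply Kerberos 4 style to anyone who merely names a principal, beside one that first demands a PA-ENC-TIMESTAMP preauthenticator. The authenticated encryption (HMAC-derived keystream plus HMAC tag), the PBKDF2 string-to-key, the realm salt, the principal, the passwords and the wordlist are all constructed stand-ins; real Kerberos uses its own encryption types and message formats.

```python
import hashlib
import hmac
import os
import struct
import time
from typing import Optional

# ---- Toy primitives (constructed for illustration, not Kerberos enctypes) ----

def derive_key(password: str, salt: bytes) -> bytes:
    """Password -> long-term key, standing in for Kerberos string2key."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 1000)

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Toy authenticated encryption. The tag lets a decryptor tell a wrong key from
    the right one, which is exactly what "decrypt and see if it works" relies on."""
    nonce = os.urandom(16)
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def decrypt(key: bytes, blob: bytes) -> Optional[bytes]:
    if blob is None or len(blob) < 48:
        return None
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return None                      # wrong key (or tampering)
    return bytes(c ^ s for c, s in zip(ct, _keystream(key, nonce, len(ct))))

# ---- The central authentication server ----

class KDC:
    SKEW = 300                           # accepted clock skew for preauth, seconds

    def __init__(self):
        self.salt = b"EXAMPLE.REALM"     # constructed realm salt
        self.db = {}                     # principal -> long-term key
        self.tgs_key = os.urandom(32)    # key the ticket-granting service holds
        self.failed = {}                 # principal -> preauth failures seen

    def add_principal(self, name: str, password: str) -> None:
        self.db[name] = derive_key(password, self.salt)

    def _issue(self, name: str) -> bytes:
        """Build a TGT (sealed under the TGS key) and wrap it, with the session key,
        in a reply sealed under the principal's long-term key."""
        session_key = os.urandom(32)
        tgt = encrypt(self.tgs_key, name.encode() + b"|" + session_key)
        return encrypt(self.db[name], session_key + tgt)

    def as_request_v4(self, name: str) -> Optional[bytes]:
        """Kerberos 4 style: no proof of identity required. Whoever asks gets a blob
        encrypted under the named principal's key and can attack it offline."""
        return self._issue(name) if name in self.db else None

    def as_request_preauth(self, name: str, pa_enc_timestamp: bytes) -> Optional[bytes]:
        """Kerberos 5 style with PA-ENC-TIMESTAMP: the client must first prove it holds
        the long-term key by encrypting the current time under it."""
        if name not in self.db:
            return None
        ts = decrypt(self.db[name], pa_enc_timestamp)
        if ts is None or abs(struct.unpack(">d", ts)[0] - time.time()) > self.SKEW:
            self.failed[name] = self.failed.get(name, 0) + 1   # visible, countable failure
            return None
        return self._issue(name)

# ---- Clients and attacker ----

def client_login_v4(kdc: KDC, name: str, password: str) -> bool:
    """'Try to decrypt the reply and see if it works.'"""
    return decrypt(derive_key(password, kdc.salt), kdc.as_request_v4(name)) is not None

def client_login_preauth(kdc: KDC, name: str, password: str) -> bool:
    key = derive_key(password, kdc.salt)
    pa = encrypt(key, struct.pack(">d", time.time()))
    return decrypt(key, kdc.as_request_preauth(name, pa)) is not None

def offline_guess(kdc: KDC, name: str, wordlist) -> Optional[str]:
    """Against v4: one request, then every guess is tested locally; the KDC sees nothing."""
    blob = kdc.as_request_v4(name)
    for w in wordlist:
        if decrypt(derive_key(w, kdc.salt), blob) is not None:
            return w
    return None

def online_guess_preauth(kdc: KDC, name: str, wordlist):
    """Against preauth: the KDC hands out nothing until a guess is right, so each
    guess costs a request the KDC can count, throttle or lock out."""
    for attempts, w in enumerate(wordlist, 1):
        pa = encrypt(derive_key(w, kdc.salt), struct.pack(">d", time.time()))
        if kdc.as_request_preauth(name, pa) is not None:
            return w, attempts
    return None, len(wordlist)

if __name__ == "__main__":
    kdc = KDC()
    kdc.add_principal("alice", "hunter2")              # constructed principal/password
    words = ["123456", "password", "hunter2"]           # constructed wordlist
    print("v4 offline guess:", offline_guess(kdc, "alice", words), "KDC saw", kdc.failed)
    print("preauth online guess:", online_guess_preauth(kdc, "alice", words), "KDC saw", kdc.failed)
```

The preauthenticator closes the "ask for anyone's reply and crack it at leisure" path, which is why the decrypt-and-see check is no longer the normal flow. It is not a cure for weak passwords: an attacker who captures a legitimate PA-ENC-TIMESTAMP on the wire can still test guesses against it offline, so rate limiting at the KDC and strong keys remain necessary.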



