
Standards are Standards until they are not


In my junior developer days, literally last century, a senior developer enlightened me: "An open standard is only complete once its wording allows all participants to faithfully implement it and still be absolutely incompatible with each other."

Ambiguity is king

Our modern software is built on a few standards which made progress at an unprecedented scale possible:

There are plenty more. Each of them has rock-solid parts (nobody questions a <h1>) and parts of, let's call them, disagreement. I'll pick on JWT as an example:

  • agreed upon are the three parts: header, payload & signature
  • agreed upon is that the payload is JSON

The actual content of the payload is already subject to interpretation.

  • Keycloak stands out for its flexibility and its steep learning curve
  • Refresh tokens are handled quite differently:
      • Keycloak issues refresh tokens as JWT, others as opaque strings
      • Okta doesn't issue refresh tokens for PKCE
  • EntraID returns the Application ID in the aud field instead of an array of target servers, and the iss value doesn't match the .well-known info
  • PING Identity sends scopes not as a space-separated list but as a JSON array

And all of them implement "the standard".
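As an added illustration (this is not code from the post or from any of the providers named), here is a small Node.js helper that absorbs exactly the variations listed above on the relying-party side: aud as a single string or an array, scope as a space-separated string or a JSON array, refresh tokens as JWT or opaque string, and an issuer taken from explicit configuration rather than from the discovery document. The sample tokens, issuer URL, audience and claim values are constructed for the example, and the signature segment is a placeholder: the token's signature must already have been verified by a JWT library before any of this runs, since decoding is not verification.

```javascript
// Added example: normalising provider-specific JWT claim shapes before strict checks.
// Assumes the signature was verified by a JWT library beforehand; this only decodes
// the payload and validates claims. All sample data below is constructed.

const b64url = (s) => Buffer.from(s).toString('base64url');
const fromB64url = (s) => Buffer.from(s, 'base64url').toString('utf8');

// Build a constructed sample token; the third segment is a placeholder, not a signature.
function makeSampleJwt(payload) {
  const header = { alg: 'RS256', typ: 'JWT' };
  return `${b64url(JSON.stringify(header))}.${b64url(JSON.stringify(payload))}.placeholder-sig`;
}

// Is this a compact-serialised JWT (three base64url parts, JSON header with alg)
// or an opaque string, as some providers issue for refresh tokens?
function classifyToken(token) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return 'opaque';
  try {
    const header = JSON.parse(fromB64url(parts[0]));
    return header && typeof header.alg === 'string' ? 'jwt' : 'opaque';
  } catch {
    return 'opaque';
  }
}

function decodePayload(token) {
  if (classifyToken(token) !== 'jwt') return null;
  return JSON.parse(fromB64url(token.split('.')[1]));
}

// aud may be a string or an array (EntraID sends a single string, others an array).
function normalizeAud(aud) {
  if (typeof aud === 'string') return [aud];
  if (Array.isArray(aud)) return aud.filter((a) => typeof a === 'string');
  return [];
}

// scope is usually a space-separated string; PING sends a JSON array.
function normalizeScope(scope) {
  if (typeof scope === 'string') return scope.split(/\s+/).filter(Boolean);
  if (Array.isArray(scope)) return scope.filter((s) => typeof s === 'string');
  return [];
}

// Strict checks on the normalised claims. The expected issuer comes from explicit
// configuration, not from .well-known discovery, because the post notes a provider
// whose iss value does not match its discovery document.
function validateClaims(payload, { expectedAudience, expectedIssuer, now = Math.floor(Date.now() / 1000) }) {
  if (!payload || typeof payload !== 'object') return ['payload is not a JSON object'];
  const problems = [];
  if (payload.iss !== expectedIssuer) problems.push(`iss mismatch: ${payload.iss}`);
  if (!normalizeAud(payload.aud).includes(expectedAudience)) problems.push('aud does not include this service');
  if (typeof payload.exp !== 'number' || payload.exp <= now) problems.push('token expired or exp missing');
  return problems;
}

// Constructed relying-party configuration and sample tokens (hypothetical values).
const EXPECTED = { expectedAudience: 'api://my-service', expectedIssuer: 'https://idp.example/realms/demo', now: 1700000000 };
const arrayStyle = makeSampleJwt({ iss: 'https://idp.example/realms/demo', aud: ['api://my-service', 'api://other'], scope: 'openid profile', exp: 1700003600 });
const stringStyle = makeSampleJwt({ iss: 'https://idp.example/realms/demo', aud: 'api://my-service', scope: ['openid', 'profile'], exp: 1700003600 });
const expired = makeSampleJwt({ iss: 'https://idp.example/realms/demo', aud: 'api://my-service', scope: 'openid', exp: 1699000000 });
const opaqueRefresh = 'rt_9f3c2a1b7e';

function demo() {
  return {
    arrayStyle: validateClaims(decodePayload(arrayStyle), EXPECTED),
    stringStyle: validateClaims(decodePayload(stringStyle), EXPECTED),
    expired: validateClaims(decodePayload(expired), EXPECTED),
    scopes: normalizeScope(decodePayload(stringStyle).scope),
    refreshKinds: [classifyToken(arrayStyle), classifyToken(opaqueRefresh)],
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The point of normalising first and checking second is that the checks stay strict: an aud that is a string is still required to equal the configured audience, and an iss that does not match the configured issuer is rejected regardless of what the discovery document says.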


Posted by on 13 April 2026 | Comments (0) | categories: Development Identity Management JWT WebDevelopment
