Thank you for the question! There are not many licenses to choose from that people accept. For example GPL and AGPL are generally frowned upon. I think Apache 2.0 offers the greatest freedom, while being more nuanced than MIT. It helps with borad community contribution and adoption which was the initial goal (never intended for this to become a business, it just so happened).

> Also I have to say that about a year ago I wanted to teach myself about OAuth and I find almost every online guide and book to be terrible (and usually trying to sell me something). Two things finally put it all together for me: reading the OIDC spec and reading the Hydra & Kratos code and docs.

Awesome! I was in the exact same boat. Usually OAuth2 is a marketing thing for companies that are closed source, because it is the only "open" thing they can offer. Then they bend the protocol to fit the actual use case - which is sign in, registration, and so on. OAuth2 was never intended to be a protocol for "login". It's a protocol for Developer X to get access to your Facebook Fotos.

My personal goal with Ory is to educate people around security (good security is easy, not hard) and clean up the misconceptions. I hope this helps the developer ecosystem become more secure and better educated as a whole!