by NewEntryHN 2144 days ago
If I'm not mistaken, OAuth 2 does not support multiple clients, but in this case the token authorized by a user ends up being known by 2 clients: Xkit, and Xkit's customer. What exactly is being shown in the consent screen the user accepts? Are users aware that they grant scopes to 2 distinct parties? Couldn't this be considered abuse by the SaaS Apps themselves?
1 comment

Xkit acts purely as an agent for our customers; we don't make use of the access granted ourselves (and, as mentioned in another comment, we're happy to sign contracts to that effect). As a result, what the consent screen shows, and what users are aware of, is the identity of the party they're granting access to: the Xkit customer, not Xkit itself.

As a side note, OAuth2 explicitly supports multiple clients and in fact recommends it if you are using the clients in different contexts. Google implements this pretty effectively imo.
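To make the consent-screen point concrete, here is a toy model of an OAuth 2 authorization server (added example, not code from the thread, from Xkit, or from any real provider). The client registry, client name "Acme CRM", client_id, secret, redirect URI and scope names are all constructed for illustration. It shows that the name on the consent screen and the client_id bound to the issued token both come from the registered client, so an agent that holds the customer's client credentials is indistinguishable from the customer at the protocol level. That is the reason the agent relationship has to be governed by contract and audit rather than by anything the user sees.

```python
"""Toy OAuth 2 authorization-code flow showing what the consent screen
names and whom the token is bound to. Constructed example; not the code
of any real authorization server or of Xkit."""
from dataclasses import dataclass, field
import hmac
import secrets


@dataclass(frozen=True)
class RegisteredClient:
    client_id: str
    client_secret: str
    display_name: str          # the name the consent screen shows
    redirect_uris: tuple       # registered callbacks, checked on authorize


# Constructed registry: the SaaS app knows only this client, not any agent.
CLIENTS = {
    "acme-crm-prod": RegisteredClient(
        "acme-crm-prod", "s3cret-acme", "Acme CRM",
        ("https://acme.example/oauth/cb",)),
}


def consent_screen(client_id, scopes):
    """Text the resource owner sees; derived purely from the registration."""
    client = CLIENTS[client_id]
    return f"{client.display_name} wants to: " + ", ".join(scopes)


@dataclass
class AuthServer:
    codes: dict = field(default_factory=dict)   # code -> (client_id, redirect, scopes)
    tokens: dict = field(default_factory=dict)  # token -> {client_id, scopes}

    def authorize(self, client_id, redirect_uri, scopes, user_approved):
        client = CLIENTS[client_id]
        # Redirect URI must match the registration; this is the server's
        # only binding between the code and the party that registered.
        if redirect_uri not in client.redirect_uris:
            raise ValueError("redirect_uri not registered for this client")
        if not user_approved:
            return None
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, redirect_uri, tuple(scopes))
        return code

    def token(self, client_id, client_secret, code, redirect_uri):
        client = CLIENTS.get(client_id)
        if client is None or not hmac.compare_digest(client.client_secret, client_secret):
            raise PermissionError("invalid client credentials")
        entry = self.codes.pop(code, None)   # single use
        if entry is None or entry[0] != client_id or entry[1] != redirect_uri:
            raise PermissionError("code was not issued to this client/redirect")
        token = secrets.token_urlsafe(24)
        self.tokens[token] = {"client_id": client_id, "scopes": entry[2]}
        return token


def agent_flow(server, agent_holds, scopes, user_approved=True):
    """An agent (the role Xkit describes) runs the flow with credentials the
    customer registered. Returns (consent text shown, token record or None).
    The server never learns that an agent, rather than the customer, asked."""
    client_id, client_secret, redirect_uri = agent_holds
    shown = consent_screen(client_id, scopes)
    code = server.authorize(client_id, redirect_uri, scopes, user_approved)
    if code is None:
        return shown, None
    tok = server.token(client_id, client_secret, code, redirect_uri)
    return shown, server.tokens[tok]


if __name__ == "__main__":
    srv = AuthServer()
    creds = ("acme-crm-prod", "s3cret-acme", "https://acme.example/oauth/cb")
    shown, record = agent_flow(srv, creds, ["contacts.read"])
    print(shown)      # Acme CRM wants to: contacts.read
    print(record)     # {'client_id': 'acme-crm-prod', 'scopes': ('contacts.read',)}
```

The token record carries only the customer's client_id, so audit logs on the SaaS side attribute every call to the customer; if the customer wants to see which calls an agent made on its behalf, that visibility has to come from the agent (or from separate client registrations per context, which is the multiple-clients arrangement the reply mentions).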