[magicalhippo]

But there's nothing in the spec that requires you to disclose that data to begin with.

And there's nothing they could write in the spec to deny that besides a perfunctory "please don't do that" which companies could ignore without consequence.

[fuzzy2]

Sure they could. What you allow or deny would be enforced by the identity provider. The relying party simple would not receive the data and could not access it.

However, that’s really about OpenID, not about OAuth.

[freeone3000]

These are treated as permissions in the AAD OAuth model. Your issue seems to be with the Google and Facebook implementations, not the spec.

[qwerty456127]

The spec could say something like "a client may ask for extended information but can't demand it unconditionally and must gracefully handle situations when access to particular fields is denied".

[BHSPitMonkey]

But that's already possible, right?

The problem is that you can't make _everything_ optional, or else the user can deny everything and the application then has to tell the user "You denied X, but we really need it to proceed. Try again...", which is a definitively worse experience than having the grant request say "here's what this app is asking for".

[freeone3000]

This is anticipated by scope requested by the client being able to be ignored by the authorization server. This appears in the AAD flow for the user as a list of toggles. The application has to handle the case where the scope is less than what is listed - this is all in section 3.2. Actually defining what data or permissions is bound to what scope is rightfully beyond the goals of the specification.