[namanaggarwal]

Yes it is really provider issue. Apple implemented it and so can any other provider.

I also don't think people want an IDP that provides fake data when you deny a scope. That's a bad implementation IMHO. When you say no that means you don't authorize access for that scope, not that send fake data. Applications should deal with it.

[jrockway]

You are fighting conflicting constraints, though, and that's the underlying problem. Application developers won't use an IDP that protects user data. They want that data, that's why they wrote their app! Because nobody would use such an IDP (at least not without being forced to in order to be on a large platform), nobody will write such an IDP.

I'm actually working on an open-source IDP in my spare time, and to me this sounds like something to seriously consider doing right. I appreciate the idea and the discussion. I doubt anyone in the real world will care, though. (Sometimes you need to get the early adopters that do care about these things, though :)