by ushakov 1683 days ago
understandable!

however, the Matrix protocol does not support auth scopes; therefore it's not possible to control what can or cannot be accessed with the token, although it's possible to revoke each token

your encrypted chats still can't be accessed


So you're not verifying identity with Matrix, you're taking wholesale access to people's accounts? If I wanted to host a phishing page, would I need to modify your code at all?

one big reason there are things like “Sign in with X” is so that the application can do things on the user’s behalf

Yes, with controlled permissions the user can clearly decide about. Nothing gives you full access over an account.

This is like disabling MFA and giving you my Google username and password. Actually it's worse than that, because Google would probably ask me for an email verification code. Try adding this to a phishing/social engineering framework; they will be impressed.