Hacker News
by LogonType10 1683 days ago
So you're not verifying identity with Matrix, you're taking wholesale access to people's accounts? If I wanted to host a phishing page would I need to modify your code at all?

one big reason there are things like “Sign in with x” is so that the application can do things on user’s behalf
Yes, with controlled permissions the user can clearly decide about. Nothing gives you full access over an account.
This is like disabling MFA and giving you my Google username and password. Actually it's worse than that because Google would probably ask me for an email verification code. Try adding this to a phishing/social engineering framework, they will be impressed.