by mcintyre1994 1683 days ago
It's not, log in with Facebook takes you to a facebook.com URL to enter your details. It tells you which website you're logging into. If you have multi-factor auth etc. on your Facebook account then it'll be applied there. Your password never goes to any website that isn't facebook.com and nobody else ever sees it in any form. The login token returned from Facebook to the website can be time limited (in addition to the limited scopes as you highlighted). Facebook should have a UI that allows you to view and revoke any sites you've authorised in this way. OAuth solves all of these problems, but it requires the provider (Facebook or Matrix) to implement it on their side.
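The redirect-based OAuth login the comment above describes, as an added Python sketch that is not code from the thread; the provider URL, client id and redirect URI are constructed placeholders, and the token dict stands in for what a provider would return.

```python
"""Relying-party side of an OAuth 2.0 authorization-code login.
The user types their password only on the provider's own domain; the site
receives a scoped, expiring token, never the password."""
import secrets
import time
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed placeholder values, not real endpoints or a real registration.
PROVIDER_AUTHORIZE = "https://provider.example/oauth/authorize"
CLIENT_ID = "example-client-id"
REDIRECT_URI = "https://relying-party.example/callback"


def build_login_redirect(scopes):
    """Return (url, state). The URL is on the provider's domain, so the
    credentials are entered there; `scope` limits what the token may do and
    `state` ties the later callback to this browser session."""
    state = secrets.token_urlsafe(32)
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": " ".join(scopes),
        "state": state,
    }
    return f"{PROVIDER_AUTHORIZE}?{urlencode(params)}", state


def parse_callback(callback_url, expected_state):
    """Validate the provider's redirect back to the site. A state mismatch
    means this callback was not started by us (CSRF or replay), so reject it.
    Returns the short-lived authorization code."""
    query = parse_qs(urlparse(callback_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback not initiated by this session")
    code = query.get("code", [None])[0]
    if not code:
        raise ValueError("no authorization code in callback")
    return code


def token_is_usable(token, required_scope, now=None):
    """Enforce the two limits the comment mentions: the access token expires
    (issued_at + expires_in) and only covers the scopes the user granted."""
    now = time.time() if now is None else now
    if now >= token["issued_at"] + token["expires_in"]:
        return False
    return required_scope in token["scope"].split()
```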

Yeah, that's what I was referring to. Facebook calls the token an access token, FWIW.

Are passwords entered into a Matrix form sent to servers other than the one specified? If so that's crazy.

Well the form is embedded on your website, not one controlled by the Matrix server. I assume this open source code sends the request directly to the Matrix server. But it'd be impossible for a user to know where it's being sent when they enter their details on the random website that's embedding this. You could watch network requests but obviously when you notice it going somewhere else it's too late and your account is stolen.