by oldgun 979 days ago
I'd like to hear a security expert's take on this. Something about this makes me feel real nervous.
5 comments

It’s better than what people are currently doing. You can cut and paste your auth token into 3rd party services that will give you stats and remote control over your car.

As of 6 months ago there was no way to manually revoke an auth token

I mean, oauth2 is pretty much the standard/best practice for third party access to user-controlled identity and/or resource permissions. I'd like to know more about scopes and how they do authz, but as far as access goes, this has the makings of a best practices implementation like you'd see from Google, reddit, etc. Fine grained access control via scopes, user-facing "you want this app to get access to <list> permissions?" and the ability to later revoke that access.

I'm sure you can find people who'd disagree, but it's far better to build on a standard than something homegrown.

oauth2 was the best practice way to do that back in 2014.

Now, companies like Facebook have discovered the hard way that most users don't think carefully before giving away access to their data. All it takes is one app that says "I'd like access to everything you can see on Facebook please", and that's how Cambridge Analytica happened.

Ever since then, the vast majority of companies have locked down APIs - because the company doesn't want to get in legal hot water for the actions of a third party app granted full access by the user.

That doesn't mean oauth2 isn't still the best practice. I'd go as far as saying OIDC is best practice for oauth2 as well.

What you're saying is orthogonal and more about figuring out how to effectively manage users and the accesses they can grant, how easily they can grant certain permissions, how often they should review access, all that.

Facebook has had issues there, and I'd say Android has also had issues with similarly vague/permissive grants (local-only, completely outside OAuth2), and has learned ways to proactively manage those for users and keep sets of permissions minimized to apps you actively use/want. But none of those really has much to do with whether or not oauth2 is a great way to allow third party access to user resources. That remains a really solid control mechanism.

If anything this is making it safe for the owners because pretty much all the third party apps have full access to the vehicle because some owners shared their password to some random third party company so that they can have some additional features on their app.

Probably not a huge risk. Currently third party apps just take your username and password, and log in pretending to be you.

This is a more official and more secure way to do the same - the user/tesla is in full control of which apps have access, what data each app can see, and can revoke access anytime.

I'll take it over the existing situation and over the situation of fully undocumented APIs that others seem to use. I'm afraid there is likely a lot of security by obscurity left in the auto industry.
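As an added illustration of the model the commenters above are endorsing (per-app scopes granted at consent time, enforcement on every request, and user-driven revocation that actually takes effect), here is a toy resource-server token store. This is example code, not Tesla's API or any commenter's code; the scope names, app names and the `vehicle:*` naming are made up.

```python
"""Toy OAuth2-style resource server: scoped tokens, consent, revocation.
Added example; not Tesla's API. Scope and app names are constructed."""
import hashlib
import secrets
import time


class TokenStore:
    def __init__(self):
        # sha256(token) -> {"app", "user", "scopes", "exp"}
        self._grants = {}

    def issue(self, app, user, scopes, ttl=3600):
        """User consented to give `app` exactly `scopes`; return a bearer token.
        Only a hash is stored, so a leaked table does not yield usable tokens."""
        token = secrets.token_urlsafe(32)
        self._grants[self._h(token)] = {
            "app": app, "user": user,
            "scopes": frozenset(scopes), "exp": time.time() + ttl,
        }
        return token

    def revoke_app(self, user, app):
        """User-facing 'remove this app': drop every grant that app holds.
        Returns how many grants were removed."""
        before = len(self._grants)
        self._grants = {k: g for k, g in self._grants.items()
                        if not (g["user"] == user and g["app"] == app)}
        return before - len(self._grants)

    def authorize(self, token, required_scope):
        """Return (ok, detail). Unknown/revoked, expired or under-scoped
        tokens all fail; a read-only grant cannot issue commands."""
        g = self._grants.get(self._h(token))
        if g is None:
            return False, "unknown_or_revoked"
        if time.time() > g["exp"]:
            return False, "expired"
        if required_scope not in g["scopes"]:
            return False, "insufficient_scope"
        return True, g["app"]

    @staticmethod
    def _h(token):
        return hashlib.sha256(token.encode()).hexdigest()


def demo():
    """Read-only app: read allowed, command denied, nothing works after revoke."""
    store = TokenStore()
    t = store.issue("stats-app", "alice", ["vehicle:read"])
    results = [store.authorize(t, "vehicle:read")[0],
               store.authorize(t, "vehicle:command")[0]]
    store.revoke_app("alice", "stats-app")
    results.append(store.authorize(t, "vehicle:read")[0])
    return results  # [True, False, False]
```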