[andrewstuart2]

I mean, oauth2 is pretty much the standard/best practice for third party access to user-controlled identity and/or resource permissions. I'd like to know more about scopes and how they do authz, but as far as access goes, this has the makings of a best practices implementation like you'd see from Google, reddit, etc. Fine grained access control via scopes, user-facing "you want this app to get access to <list> permissions?" and the ability to later revoke that access.

I'm sure you can find people who'd disagree, but it's far better to build on a standard than something homegrown.

[londons_explore]

oauth2 was the best practice way to do that back in 2014.

Now, companies like Facebook have discovered the hard way that most users don't think carefully before giving away access to their data. All it takes is one app that says "I'd like access to everything you can see on facebook please", and that's how cambridge analytica happened.

Ever since then, the vast majority of companies have locked down API's - because the company doesn't want to get in legal hot water for the actions of a third party app granted full access by the user.

[andrewstuart2]

That doesn't mean oauth2 isn't still the best practice. I'd go as far as saying OIDC is best practice for oauth2 as well.

What you're saying is orthogonal and more about figuring out how to effectively manage users and the accesses they can grant, how easily they can grant certain permisisons, how often they should review access, all that.

Facebook has had issues there, and I'd say Android has also had issues with similarly vague/permissive grants (local-only, completely outside OAuth2), and has learned ways to proactively manage those for users and keep sets of permissions minimized to apps you actively use/want. But none of those really has much to do with whether or not oauth2 is a great way to allow third party access to user resources. That remains a really solid control mechanism.