[jjluoma]

How does the course-swapping site work? Is there some part that requires users to enter their credentials (email, password) on a web site that is not operated by the university? Is there some part that saves an access token or a refresh token in other place than the web browser?

Is some OAuth2 authentication flow involved so that the university has registered the application and assigned a client id and return URI?

I think the university might have valid security concerns if the application somehow accesses student accounts without valid OAuth2 authorization flow (or equivalent).

Entering login credentials for university on a third-party site is probably forbidden by terms of service for the university site.