by noonat 4859 days ago
The fact that the user was logged into Facebook after giving Facebook credentials to Spotify is not the problem. The login screen communicates that this will occur. Maybe it doesn't communicate it as well as it could, but it does communicate it.

The problem is that Spotify added itself to the user's list of apps and granted itself access to the user's data without any communication that this would occur. I guess you could say that permission for Spotify to do that is implicitly granted by giving them your Facebook credentials. But these days, federated authentication and authorization are two different things for end users -- especially so for Facebook apps. Spotify should at least prompt the user before making these changes on their behalf. Very underhanded behavior.

1 comments

Here's the tricky part: they do ask for permission to post on your behalf when you open the app. It's pretty muted, at the bottom of a popup, and dwarfed by a larger, more colorful call to action.

Here's a screenshot: http://i.imgur.com/oWDstiC.png

It's also not entirely obvious to me what happens in every case. If I close the popup, does it still count as my giving consent? If I close the app? My guess is that most people skim over the copy and click the big blue button, totally disregarding the checkbox down there.

Well spotted. But a user who'd disabled/cancelled/deactivated their FB account would assume that action was moot rather than that Spotify were going to illegally access a secondary service posing as you in order to enable that activity.