@andypiper Well, but the last larger paragraph is absolutely junk.
Old tokens cannot be used for signing in with Twitter because a) the application doesn't know WHO wants to sign in, and b) the application cannot check whether that person is properly signed into Twitter, which are the 2 important things of Twitter sign-in. Twitter sign-in can only be used with tokens where you know that they are fresh and come from that specific client you are trying to sign in.
Long story short, the small step of letting the user bounce through Twitter is the SOLE THING making OAuth for social sign-in secure.
But I'd rather want to know why there was a need to keep authorize and authenticate separate in the first place, especially since EVERY service I played OAuth with is not gonna ask again (except for GitHub, which kills permissions from apps that haven't been used for a long time, or Steam, although it doesn't have any authentication on their OpenID at all).
And in the other thread I also asked why it isn't possible to create a simple "Authentication only" permission which doesn't need this stupid interstitial all the time but instead grants less data (essentially just one pairwise ID which is unique to both the application and user (Microsoft does that as well, by the way), and it's pretty awesome since an application can recognize you but not identify you).
And if you just need this most basic permission there should IMO be no more interstitials beyond the first one.
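As an added illustration of the two points the comment makes (it is not code from the thread or from any provider): a relying party's sign-in is only trustworthy when the callback carries a state that was minted fresh for this browser session, is unexpired, and is consumed on first use, so a stored old token proves nothing about who is at the keyboard now; and a pairwise ID can be derived as an HMAC over (application, user) so an application recognises a returning user without learning an identity it could correlate with other applications. The in-memory `PENDING` store, the 300-second TTL, and the HMAC construction are assumptions of this example, not any provider's documented behaviour.

```python
import hashlib
import hmac
import secrets
import time

# Constructed stand-in for a server-side store of pending sign-in attempts:
# state -> (session id the state was issued to, issue time)
PENDING = {}
STATE_TTL = 300  # seconds a pending sign-in stays valid (assumption)


def start_sign_in(session_id, now=None):
    """Step 1: before redirecting the user through the identity provider,
    mint a fresh single-use state bound to this browser session."""
    now = time.time() if now is None else now
    state = secrets.token_urlsafe(24)
    PENDING[state] = (session_id, now)
    return state


def complete_sign_in(session_id, state, idp_user_id, now=None):
    """Step 2: on the callback, accept only a state that was issued to this
    session, has not expired, and has never been used; returns the user id
    the provider asserted. Anything else is rejected."""
    now = time.time() if now is None else now
    entry = PENDING.pop(state, None)  # single use: consumed pass or fail
    if entry is None:
        raise PermissionError("unknown or already-used state")
    bound_session, issued_at = entry
    if not hmac.compare_digest(bound_session, session_id):
        raise PermissionError("state was issued to a different client")
    if now - issued_at > STATE_TTL:
        raise PermissionError("sign-in attempt expired")
    return idp_user_id


def pairwise_id(app_id, idp_user_id, idp_secret):
    """Per-application pseudonym: stable for one (app, user) pair so the app
    can recognise a returning user, but different for every app, so two apps
    cannot join their records on it. Keyed with a provider-side secret."""
    msg = f"{app_id}:{idp_user_id}".encode()
    return hmac.new(idp_secret, msg, hashlib.sha256).hexdigest()


def demo():
    """Exercises the fresh, replayed, cross-client and expired cases."""
    results = {}
    s = start_sign_in("browser-A", now=1000)
    results["fresh"] = complete_sign_in("browser-A", s, "user42", now=1010) == "user42"
    try:  # the same state presented again is a replay
        complete_sign_in("browser-A", s, "user42", now=1020)
        results["replay_rejected"] = False
    except PermissionError:
        results["replay_rejected"] = True
    s2 = start_sign_in("browser-A", now=2000)
    try:  # a state minted for one browser cannot sign in another
        complete_sign_in("browser-B", s2, "user42", now=2005)
        results["cross_client_rejected"] = False
    except PermissionError:
        results["cross_client_rejected"] = True
    s3 = start_sign_in("browser-A", now=3000)
    try:  # a stale attempt is rejected even from the right browser
        complete_sign_in("browser-A", s3, "user42", now=3000 + STATE_TTL + 1)
        results["expired_rejected"] = False
    except PermissionError:
        results["expired_rejected"] = True
    return results


if __name__ == "__main__":
    print(demo())
    k = b"provider-secret-constructed"
    print(pairwise_id("app-1", "user42", k) != pairwise_id("app-2", "user42", k))
```

The state check is what the comment calls the bounce through the provider: the relying party learns nothing from an old token because it cannot tie it to the session in front of it, whereas a state it just minted for that session and consumes once does tie the provider's assertion to this client and this moment.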