Matthias,

> On Dec 23, 2025, at 9:14 AM, Matthias Fulz <[email protected]> wrote:
> 
> The problem is again you miss the main point:
> 
> 
> it's not about issues with trust handling. It's all about MISSING TRUST 
> GRANTING of the Identity owner (USER) itself.
> 
> Again think about the following:
> 
> I've an account at service-cool-stuff with my mail [email protected] + pw -> ok
> service-cool-stuff enables login via Facebook -> oauth, etc. ok
> I DO NOT HAVE ANY FACEBOOK RELATION!!!!!!
> 
> Facebook says ok here is the login for [email protected] signed by us -> 
> service-cool-stuff trusts -> login valid POINT.
> 
> Where is the part that I BY MYSELF have ever said that Facebook is allowed to 
> identify FOR ME ?????

Facebook validates that you have access to your email account.  They even make 
you set up a FB account to use the login via Facebook and authorize using a 
password, passkey, etc.

Moreover, the RS had to be configured to provide login via Facebook, and you 
(the user) had to click on it to start the authorization process.  If you don't 
want to authorize via FB, then don't click that button.

________________________
Michael Sweet
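
The scenario debated in this thread, seen from the relying service's side, as an added example that is not from either poster or from any real service: a login decision that accepts an IdP assertion for an existing account only after the account owner linked that IdP from a session authenticated with an existing credential. All names (`Account`, `federated_login`, `link_identity`, the issuer URL and subject values) are hypothetical, the sample data is constructed, and signature validation of the assertion is assumed to have happened already.

```python
from dataclasses import dataclass, field

@dataclass
class Account:
    email: str
    # (issuer, subject) pairs the owner linked while signed in with an existing credential
    linked: set = field(default_factory=set)

def find_by_identity(accounts, issuer, subject):
    for acct in accounts:
        if (issuer, subject) in acct.linked:
            return acct
    return None

def find_by_email(accounts, email):
    wanted = email.strip().lower()
    for acct in accounts:
        if acct.email.lower() == wanted:
            return acct
    return None

def federated_login(accounts, issuer, subject, email, email_verified):
    """Decide what to do with an already-validated IdP assertion."""
    acct = find_by_identity(accounts, issuer, subject)
    if acct is not None:
        return ("login", acct.email)  # the owner linked this IdP earlier
    existing = find_by_email(accounts, email)
    if existing is not None:
        # An email match alone is not treated as the owner's grant:
        # the user must sign in with the existing credential and link first.
        return ("link_required", existing.email)
    if not email_verified:
        return ("reject", None)
    accounts.append(Account(email=email, linked={(issuer, subject)}))
    return ("created", email)

def link_identity(account, issuer, subject, signed_in_with_existing_credential):
    """Record the owner's grant for one IdP identity."""
    if not signed_in_with_existing_credential:
        raise PermissionError("linking requires an authenticated session")
    account.linked.add((issuer, subject))

# Constructed sample data: one password-only account with no IdP linked.
IDP = "https://idp.example"
accounts = [Account(email="user@example.org")]
```

Accounts are matched on the (issuer, subject) pair rather than on the email claim, so a later change of email at the IdP does not move the link to a different account.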
