The security considerations for using OAuth state the following:
"This means that every token has full access to the complete account including read and write permission to the stored files."
and
"Without scopes and restrictable access it is not recommended to use a Nextcloud instance as a user authentication service."
I understand that it's risky giving any service access to the tokens themselves.
But in case we use something like pusher/oauth2_proxy, do these security considerations still apply? The underlying app shouldn't get access to those tokens, would it?