The Good and the Bad of OAuth 2.0 Authorization Implementations — John Sheehan

**Bad:** When requesting an Access Token the request will fail if you include any parameters that it is not expecting. Google does not require a `state` or `type` parameter when getting the token like some other APIs do and will give you a 400 Bad Request with an `invalid_request` error if they are included. … ### 37signals **Bad:** When you create the app you select which services you want your app to have access to but during the auth flow only one of the services is displayed. **Bad:** There’s no support for limiting access to read-only via scopes. The only option is full read/write for all of the apps selected. … ### Box **Bad:** The redirect URL settings requires HTTPS which can be difficult if you’re trying to test locally (for instance my test app runs on http://localhost:5001 which is accepted every where else). Box has informed me this will be resolved soon. **Bad:** Does not use scopes for read-only or read/write access (is configured with the application). Box has also told me they will be changing this once they have more than one scope.