OAuth is about delegated authorization: the entity presenting the access token may not be the user at all, but a third-party service acting on the user's behalf. Treating the token as proof of identity therefore makes no sense.
The point becomes clearer once you consider limited permissions (scopes). If the access token were proof of identity, why would you restrict what its holder can do when you supposedly know it is the user? The restrictions exist precisely because the holder is a delegate that was granted only a subset of the user's rights.
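The following toy resource server is an added illustration, not code from the original article. Its token structure, client names, audience string and scope names are all constructed. It contrasts the mistake described above (treating any valid token carrying the user's subject as proof that the user is present) with a delegated-authorization check that asks which client was granted which scope for which resource:

```python
from dataclasses import dataclass, field

# Constructed: the audience identifier this resource server expects in tokens.
RESOURCE_ID = "photos-api"


@dataclass(frozen=True)
class AccessToken:
    """Minimal model of the claims a resource server cares about (constructed)."""
    sub: str                      # the user on whose behalf the token was issued
    client_id: str                # the party that holds and presents the token
    aud: str                      # the resource server the token was issued for
    scope: frozenset = field(default_factory=frozenset)


# Constructed example tokens, all issued for the same user, Alice.
# Alice's own browser session with the photo app: full access.
USER_SESSION_TOKEN = AccessToken(
    "alice", "photos-web", "photos-api", frozenset({"photos:read", "photos:delete"})
)
# A third-party printing service that Alice delegated read-only access to.
THIRD_PARTY_TOKEN = AccessToken(
    "alice", "print-shop", "photos-api", frozenset({"photos:read"})
)
# A token Alice's calendar app obtained for a different resource entirely.
OTHER_AUDIENCE_TOKEN = AccessToken(
    "alice", "calendar-app", "calendar-api", frozenset({"events:read"})
)


def naive_identity_login(token: AccessToken) -> str:
    """The mistake the article warns about: 'valid token with sub=alice' is
    read as 'Alice is here'. Any client holding any of Alice's tokens, for any
    resource, is logged in as Alice."""
    return token.sub


def authorize(token: AccessToken, required_scope: str) -> tuple[bool, str]:
    """Delegated-authorization check. The question is not 'who is the user?'
    but 'was THIS client granted THIS permission, for THIS resource?'."""
    if token.aud != RESOURCE_ID:
        return False, f"token was issued for {token.aud}, not {RESOURCE_ID}"
    if required_scope not in token.scope:
        return False, f"client {token.client_id} was not granted {required_scope}"
    return True, f"client {token.client_id} acting for {token.sub}"


if __name__ == "__main__":
    for name, tok in [("session", USER_SESSION_TOKEN),
                      ("print-shop", THIRD_PARTY_TOKEN),
                      ("calendar", OTHER_AUDIENCE_TOKEN)]:
        print(f"{name:10} naive login as: {naive_identity_login(tok)}")
        for scope in ("photos:read", "photos:delete"):
            ok, why = authorize(tok, scope)
            print(f"{name:10} {scope:14} {'ALLOW' if ok else 'DENY '} ({why})")
```

Run stand-alone, the naive check reports "alice" for all three tokens, including the one the calendar app obtained for an unrelated API. The scope-based check lets the print shop read but not delete photos, and rejects the calendar token outright because it was never issued for this resource. Nothing in the second check depends on whether Alice is sitting at a keyboard; it only establishes what the presenting client was delegated.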