willtemperley 5 hours ago

What I don't understand is why OAuth is rarely talked about in a privacy context, however your OAuth provider knows all the sites you log into and when.

It's a privacy nightmare.

vintermann 4 hours ago | parent | next [-]

Your OAuth provider can also vouch for anyone who pretends to be you, if they so desire. They can give access to anyone, including themselves.

spaghettifythis 5 hours ago | parent | prev | next [-]

Though given most people use Gmail or Outlook, the two main OAuth providers (Google and Microsoft) will know anyway.

v5v3 38 minutes ago | parent | next [-]

Three main providers

(Apple login is in nearly every iOS app and most websites)

willtemperley 5 hours ago | parent | prev [-]

True, they'd know which sites you've signed up to, but not the login times, unless the service emails you every time you log in.

userbinator 4 hours ago | parent | prev | next [-]

Centralised identity is basically the government... and having some other entity behave the same way is not good.

niyikiza an hour ago | parent | prev [-]

There are some emerging mechanisms for offline verification that don't require an AS in the OAuth WG. (I'm working on one of them.)