I think we'll get there eventually, like how on iPhone/Android you can deny individual "scopes" these days. It took a long time and there were some growing pains, but now I have little worry about some sketchy app slurping all my photos from my phone.
Platforms can implement that and some already have, e.g. Facebook’s auth works like this.
That being said, this approach requires monitoring and enforcement; otherwise nothing prevents the developer from not allowing the user to proceed without granting some specific permissions. Facebook again seems relatively strict here, at least post-Cambridge Analytica.
Yeah, the granted scopes are part of the ID tokens, so they're visible from the requesting application.
They could theoretically be hidden by encrypting the bearer_token itself (that's part of the standard already, though few seem to actually do it atm) and omitting them in the id_token, but omitting it would to my knowledge be in violation of the standard.
The scope mechanic would have to be reworked altogether if this feature has any chance of actually achieving the desired effect, so a scope can only be granted for n minutes or something. But that would make a lot of good use cases borderline impossible (i.e. the previously mentioned alternative frontends for popular pages).
It's really hard without revamping the OIDC standard altogether, but that's unlikely to happen as well.
Good authentication/authorization is just super hard and continues to be unsolved, especially if untrusted entities are involved.
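The point raised above, that an app should keep working when the user declines optional scopes rather than refusing to proceed, is what a relying party has to implement on its side. The following is an added example, not code from the thread or from any named platform: it reads the `scope` claim out of a constructed, unsigned token payload, compares it with what the app requested, and reports which features to disable instead of blocking the user. The claim name `scope`, the scope names, the issuer/audience values and the `alg=none` token builder are all assumptions for the demo; a real relying party verifies the token signature with a JOSE library first, and may instead read the granted scopes from the `scope` field of the token response, where the check is identical.

```python
import base64
import json

# Constructed demo values (assumptions, not from the thread or any real IdP).
REQUESTED_SCOPES = {"openid", "profile", "email", "photos.read"}
REQUIRED_SCOPES = {"openid"}  # the app genuinely cannot function without these


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_sample_token(scope: str) -> str:
    """Build an unsigned (alg=none) token purely as constructed test input.

    Real tokens are signed; verify the signature before trusting any claim.
    """
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    claims = {
        "iss": "https://idp.example",   # hypothetical issuer
        "sub": "user-123",              # hypothetical subject
        "aud": "app-abc",               # hypothetical client id
        "scope": scope,                 # space-separated granted scopes
    }
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def granted_scopes(token: str) -> set[str]:
    """Extract the granted scopes from the (already verified) token payload."""
    payload = json.loads(_b64url_decode(token.split(".")[1]))
    return set(payload.get("scope", "").split())


def evaluate_consent(token: str) -> dict:
    """Decide whether to proceed and which optional features to switch off."""
    granted = granted_scopes(token)
    missing_required = REQUIRED_SCOPES - granted
    denied_optional = (REQUESTED_SCOPES - REQUIRED_SCOPES) - granted
    return {
        "proceed": not missing_required,
        "missing_required": sorted(missing_required),
        "disabled_features": sorted(denied_optional),
    }


if __name__ == "__main__":
    token = make_sample_token("openid email")
    print(evaluate_consent(token))
```

The app only refuses to continue when a scope in `REQUIRED_SCOPES` is absent; everything else degrades to a disabled feature, which is the behaviour an enforcing platform would be checking for.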
It would be a PITA for developers, but if it was the norm, you wouldn't think about it twice.
The minimum scope should be a random identifier that's unique to the service provider you are logging in to.
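A per-service random identifier of the kind described above is what OpenID Connect Core calls a pairwise subject identifier (section 8.1): the provider derives `sub` from the relying party's sector identifier, the local account id and a secret salt, so two unrelated services cannot correlate the same user. The block below is an added example, not code from the thread or any provider; the sector derivation from the redirect URI host, the separator byte and the hex output format are the author's assumptions, and the salt is generated per run so the values are not stable across processes.

```python
import hashlib
import secrets
from urllib.parse import urlparse

# Provider-side secret; in practice stored persistently so `sub` stays stable.
# Generated here per run, so this demo's values are not stable across runs.
PROVIDER_SALT = secrets.token_bytes(32)


def sector_identifier(redirect_uri: str) -> str:
    """Derive the sector from the redirect URI host (assumed simplification;
    providers with a registered sector_identifier_uri use that instead)."""
    host = urlparse(redirect_uri).hostname
    if not host:
        raise ValueError("redirect URI has no host")
    return host.lower()


def pairwise_sub(local_account_id: str, sector: str, salt: bytes = PROVIDER_SALT) -> str:
    """SHA-256 over sector || local id || salt, with a separator so that
    ('ab','c') and ('a','bc') cannot collide."""
    h = hashlib.sha256()
    h.update(sector.encode("utf-8"))
    h.update(b"\x00")
    h.update(local_account_id.encode("utf-8"))
    h.update(b"\x00")
    h.update(salt)
    return h.hexdigest()


def subs_for_user(local_account_id: str, redirect_uris: list[str]) -> dict[str, str]:
    """Return the `sub` each relying party would see for one local account."""
    return {
        uri: pairwise_sub(local_account_id, sector_identifier(uri))
        for uri in redirect_uris
    }


if __name__ == "__main__":
    # Constructed relying parties (hypothetical hosts).
    rps = ["https://news.example/cb", "https://shop.example/login", "https://news.example/other"]
    for uri, sub in subs_for_user("alice", rps).items():
        print(uri, "->", sub)
```

Two redirect URIs on the same host map to the same `sub`, so a single service keeps a stable identity for the user, while a different host receives an unrelated value; without the salt, a relying party that knows the local account id could recompute the identifier itself.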