This may well have been a case of accidental social engineering but it makes the point that multiple random authorization servers will not scale. If Pokemon wants access to my Google stuff, they need to ask my authorization server and not the one Google helpfully gave to me.
Is there any other alternative? How could Google's ever play both sides as both game developer and privacy protector?