(apologies for cross-posting)

I just created a shared folder with a vendor in my Dropbox and was notified by Dropbox of the change by email. I went to my Dropbox account settings to check on the scope of sharing that the new vendor just got and was surprised to see that Microsoft Word already had full access to read and write all of my Dropbox. I'm pretty careful about these things and I don't recall ever, for any reason, connecting Word and Dropbox. I assume that I did and just forgot, but this kind of thing blows my mind.

My point is simply that scattering my OAuth2-type authorization policies across multiple portals (and multiple OAuth2 Authorization Servers) is completely un-scalable.

The model for policy management relative to either VRM or UMA has to be that each person gets to specify their policy server and notification endpoint to the various vendors.

Adrian

--

Adrian Gropper MD
