#[dmitshur]so if tilde.club/~bob uses the authorization endpoint evil.com/auth that returns a "me" value of "tilde.club/~alice", then we check and see tilde.club/~alice doesn't have the same authorization endpoint evil.com/auth, so we can't trust bob.