#[fluffy]There’s still the issue that like… if a group blog has an authorization_endpoint that accepts any login to it, then theoretically *anyone* could use that group blog to identify to another site (even if they aren’t granted post access to that group blog)