Too many new OAuth scopes

Obviously, extensions like “an ‘add_scopes’ command” are non-standard. They may not technically violate the spec, but are they even needed?

There would be nothing wrong with collapsing the list of scopes a user has already authorized for a given application. It would even be better for the user because they are being explicitly informed what additional permissions they are granting. It does not even require additional significant work on Twitch’s side (see below).

I do not know if that is true (and I’m not interested in looking it up right now). I do know that most OAuth providers do not list all scopes requested. More relevant, though, is that if a set of scopes is requested, Twitch will automatically authorize it the second time without prompting the user.

If they are required to prompt the user every time, then they are already violating this. If they are not, then not prompting the user for scopes they have already authorized does not violate this. (Also, note that my “compromise” suggestion would still list all scopes requested, just not as prominently. I’ll even go further and say they should have a link from the authorization page to manage the user’s existing tokens.)


This is a bit off topic

[citation needed]

You could say it’s effectively not another account because it uses Twitch authentication, but it is another account on another service.

Counterpoint: this forum is better moderated (h/t @BarryCarlyon), so the people who might act on suggestions could actually see them (at least until this forum inevitably gets buried in spam too).

Also, we know some of the developers do occasionally drop in here. It may be pretty rare, but seeing any evidence of anyone remotely related to Twitch looking at UserVoice is like a unicorn: even if you see it, people will think you’re insane if you tell them.

If a good idea is suggested here, someone who would be involved in implementing it might see it. That’s not nothing.