This is in fact broken and has caused a massive headache.
For everyone else: If you have the user’s authentication and the correct scope, you can switch around your authentication.
This has been letting people access private sub servers protected by MCLink.