Comment by losvedir

7 hours ago

What? This makes no sense to me. What's the threat model where you'd rather the OAuth flow result in the client app getting fake data?

If you reject the permissions the client already doesn't hear about it because the callback redirect isn't invoked (or at least, there's no reason for it to be, but that's up to you).

> What are you to do: say no, and then not use the app?

Um, yes? That's literally the point of what's happening. The app is asking for permissions because it needs them to do whatever it's doing. If you don't want to give it access to the data, then there's no reason to use the app.