What does HackerNews think of applications?

Ouch.

If you're on GitHub, go to "https://github.com/settings/applications" and you can see, and revoke, any OAuth accesses.

I just discovered that "Improbable" (the game engine backend company) had too much access, obtained because I once signed up to look at their SDK. I revoked that. (They used to be legit, but then they got involved with Yuga Labs, the Bored Ape crypto people, so trusting them is now questionable.)

This is probably a good time to remind people to check their authorized OAuth applications on GitHub[1] and make sure that any unused apps have their access revoked.

[1]: https://github.com/settings/applications

Tangentially, you can view your OAuth linked services here: https://github.com/settings/applications

That's an interesting concept.

Thinking about it for a bit, I'm sadly hesitant that it might need to be built as a browser extension or mobile app, rather than a website, because none of these services provide programmatically-accessible (even read-only) feeds of what you're looking for, so you'd need to scrape everything. This brings up two issues: 1) the headache of IP ratelimiting (and/or flat-out IP bans from trigger-happy systems optimized for fighting fraud/bots hosted on cloud infrastructure). IIUC there are proxy services that you can outsource the workaround problem to, but this is awkward to get behind in the face of 2), which is that users would need to input their actual usernames and passwords so that the service could request the account page with the details on it in order to scrape the data.

Given that these are broadly web services poked at via HTTPS, you could potentially get everything you needed from a browser extension (as long as the service doesn't require you to set any HTTP headers that extensions aren't allowed to touch).

The second possibility is using an app. Writing a thin layer that lets you craft custom HTTPS/whatever requests from a WebView would probably be the most straightforward approach.

The main issue with both the extension and app approaches is that they code-dump both the idea and methodology of "here is how to do X" into the hands of the IQ-99 skiddie group (especially with an extension). So now you have more people running around scraping pages and whatnot and trying to figure out how to weaponize everything. Probably won't go anywhere (in terms of producing actual attacks), but the noise may potentially make your life harder.

The least-complex solution seems to just be a giant boring list of links, for example:

- https://myaccount.google.com/permissions

- https://twitter.com/settings/connected_apps, https://twitter.com/settings/connected_accounts

- https://github.com/settings/apps/authorizations, https://github.com/settings/applications, https://github.com/settings/installations, https://github.com/settings/apps, https://github.com/settings/developers, https://github.com/settings/tokens

Hmm, that's kind of all over the place for some things. A single aggregate view that combines everything could definitely be very interesting...

Since the author doesn't link to it, here's where you can manage your Authorized OAuth apps (warning, password prompt):

https://github.com/settings/applications

You wouldn't revoke its access on their end, you'd do it on GitHub's end: https://github.com/settings/applications

Otherwise, GH would still have the approval on file (there's no way for them to know you deauthorized on the GitMonkey side) so they'd instantly be able to get a token again.

Once you have your report card, don't forget to revoke access. https://github.com/settings/applications