Thanks for reporting @messly & this is worrying.
I was initially really happy to offload the Auth2.0 dance to @Pathfix and they were extremely helpful getting setup (as reported here). We’re currently having a different issue with them which is around GDPR compliance (and lack of it). If you are in the EU you are not currently covered to use Pathfix as a sub-processor.
We reported this non-compliance on 2nd February (they were not aware of any issue) and have received several ‘we will revert back by x date’ from them but have received no updates. We offered them a simple contract from our own lawyers that would bridge them but this hasn’t been signed.
We’re currently exposed and non-compliant and so having to look for alternatives - we would rather not. Has anybody else in Europe or serving European customers found a way around this with Pathfix, or switched to an easy alternative?