I don't think this is minor / #4484

I feel that the whole authorization system is broken, because it doesn't work as written in the doc. Is this intentional or I'm misunderstanding something?