I've been working with OAuth for a ruby app off and on for a year or so, and just today took it up again. I had, many months ago, created a remote access application in one of my sandboxes or dev orgs, and had put the client id and secret keys into my omnioauth strategy file. Since that time, I've deleted that remote access application.

What concerns me is that, upon running my ruby app with the old (presumably defunct) id an secret, I was able to get a token from this deleted app. I would expect that I shouldn't be able to do that. Worse still, is that I could get a token regardless of the org I was logged in to! To be clear, I could of course only see the data for the org I was logged in to, but the fact remains that an id and a secret from a delete remote access app on Org A served to give me access to not only Org A (after logging in there), but Org B (after logging in to Org B), and Org C (after logging in to Org C).

So my questions:

1: Why does a deleted remote access app still give out tokens?

2: Why does that same app, regardless of the answer to question 1, give out tokens to multiple orgs? - EDIT - OK, I see after looking around that this is relatively normal. That is SFDC doesn't partition by org. Question 1 still stands, though.

Thanks,