Plex OAuth not working with Tautulli, Ombi, etc.

I did some digging into Plex OAuth and found that it still works when using a value of Plex Web for the following OAuth URL parameter:

context[device][product]=Plex Web

It does not seem like any other URL parameter affects OAuth.

We can patch our apps to identify ourselves as Plex Web, but obviously this isn’t the proper way to fix this. We should be identifying our individual apps with our own product name.

I believe this is an accidental bug in Plex’s authentication. I don’t believe there is any malicious intent.

Edit: The context[device][product] URL parameter is passed to the X-Plex-Product header in the request PUT https://plex.tv//api/v2/pins/link.

In other words, PUT https://plex.tv//api/v2/pins/link requires the exact header X-Plex-Product: Plex Web, otherwise it returns 403 Forbidden.

21 Likes
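An added example, not part of the original post and not code from Plex, Tautulli or Ombi: a small Python check that reads the context[device][product] value out of an OAuth URL and reports whether, per the behaviour described in the post, the pins/link request would be expected to return 403. The base URL, the `clientID` and `code` parameter names, the `#?` fragment placement and the sample values are assumptions made for illustration.

```python
from urllib.parse import parse_qs, urlencode, urlsplit

PRODUCT_PARAM = "context[device][product]"
ACCEPTED_PRODUCT = "Plex Web"  # the only value the post reports as working

# Constructed placeholder, not a real Plex endpoint.
SAMPLE_BASE = "https://auth.example.invalid/auth"


def build_auth_url(base, client_id, code, product):
    """Build an OAuth URL carrying the product name (parameter names assumed)."""
    query = urlencode({"clientID": client_id, "code": code, PRODUCT_PARAM: product})
    return f"{base}#?{query}"


def declared_product(auth_url):
    """Return the product the URL declares, or None if the parameter is absent."""
    parts = urlsplit(auth_url)
    # Accept parameters in the query string or after '#?' in the fragment.
    raw = parts.query or parts.fragment.lstrip("?")
    # parse_qs decodes %5B/%5D in the key and '+' or %20 in the value.
    values = parse_qs(raw).get(PRODUCT_PARAM, [])
    return values[0] if values else None


def link_headers(auth_url):
    """The X-Plex-Product header that the product parameter is passed to."""
    product = declared_product(auth_url)
    return {} if product is None else {"X-Plex-Product": product}


def link_would_be_forbidden(auth_url):
    """True when the post's observation predicts 403 (exact match required)."""
    return link_headers(auth_url).get("X-Plex-Product") != ACCEPTED_PRODUCT


if __name__ == "__main__":
    for product in ("Tautulli", "Ombi", "Plex Web"):
        url = build_auth_url(SAMPLE_BASE, "sample-client-id", "sample-code", product)
        print(product, link_headers(url), "403 expected:", link_would_be_forbidden(url))
```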