This attack, like OP says, is not new. For a corporate environment, you simply prevent all users except one or two admins/approvers from allowing 3rd-party authorizations.
For consumers, my suggestion is for federation providers (Auth0, GitHub, Google, etc.) to review and human-approve applications that ask users for authorizations.