FEP-d8c2: OAuth 2.0 Profile for the ActivityPub API

I actually called out in this issue (created separately later) that these OAuth endpoints in the actor document are essentially re-implementing part of another existing standard, and that they likely should have never been in the specification in the first place, but instead an authenticationMechanism or similar should have been present (this would allow for OIDC-based authentication, or perhaps WebAuthn or any other number of authentication mechanisms).

It’d also allow for future revisions of those specifications, e.g., had ActivityPub been written before OAuth 2.0, would we really have wanted to be tied to OAuth 1.0b?

I’m very much so arguing that we should defer to and use existing standards where appropriate. I think it’s very unlikely that a server would allow one actor to authenticate in a completely different way to another actor (without all actors potentially being able to authenticate in that other way).

3 Likes