What's the point of having a "reauthorization" form if nothing about the consumer has changed (assuming valid request token and no revoked grants)? I wouldn't expect a user to click on "Login" on a tool in order to then revoke the authorization. If I wanted to revoke authorization for an app, the intuitive way for me would be to search for connected apps in the settings on my favorite wiki.

I would suggest to go straightaway to the callback and not show any form, it seems to me that many large oauth service providers do it this way.

Just to make sure I am understanding this right: right now we keep access tokens forever (OAuth 1.0 allows but does not require an expiration time) so if an application does its own user management and records the access token it gets after the user clicks through the authorization dialog, that application can act in the name of the user forever without ever needing to reauthorize. The only thing a user-friendly reauthorization dialog affects is how much more complicated the workflow becomes for applications which do not keep track of the access tokens (or keep track in a non-permanent way such as a cookie) and just re-request them every time.

If that is a correct understanding of the situation, then Sitic's suggestion seems like a no-brainer to me. It would make writing small applications easier and would not have any security effect.

Right. Also, I came here to report a bug/request which would be, I guess, solved by this one: AFAICT, if I remove an optional permission to an application, but come back later and the application asks to reauthorize (reauthenticate, really), the permission is automatically re-added and there is no way to prevent it in the login dialog. I need to approve the application, which re-adds the permission and redirects me to the application, then manually go to Special:OAuthManageMyGrants and remove the permission again.

The dialog should either contain the checkboxes like Special:OAuthManageMyGrants does (pre-filled per the current grant), or it should not touch the currently allowed permissions at all, I’d say.

I don't think we should encourage people to revoke specific grants at random, that will just result in the application breaking and the developer having a hard time to debug. Personally I wouldn't allow piecewise revocation at all. You either trust the developer to know what they are doing or not, in which case you shouldn't authorize.
(Empowering the developer to make the grant more granular would be nice OTOH. That's T59505: Allow more flexibility in what permissions are authorized.)

In any case, there is no way to "un-revoke" grants right now other than going through authorization again, so if that did not reapply all grants, manually revoking the wrong grant would irreparably break the application for the given user.