This shouldn't be possible as the server-to-server request to Facebook to exchange the Authorization Code for an Access Token requires the client_id and client_secret to be provided. Facebook should (though I haven't actually confirmed this) verify that the code was issued to the given client_id. If the code was issued for client 123, when client 456 tries to exchange it for an Access Token Facebook should throw an error.
I think they've always done this redirect. Release artifacts are uploaded to S3 and then their Rails app generates a presigned S3 URL that gives short-term access. This is because the artifacts could belong to a private repo, so access control is required.
I’m building a side project that has an enterprise customer, and the Enterprise Ready website was a good intro to the concepts that enterprises value: https://www.enterpriseready.io
From my (limited) experience, one thing that enterprises love is asking you to fill out a 30 page security questionnaire. They take an age to complete so be aware of this if you’re thinking of going down the enterprise-sales path. I think it’s one of the big reasons that “contact us for pricing” exists for very large customers.
This frontend presents them nicely: https://trains.jo-m.ch