The last bit (removing the grant) already has a PR written: https://github.com/taskcluster/taskcluster-login/pull/9, although it needs to be rebased.
I'm still keen to work on this, but for the record this is not a priority for me for 2016. To my knowledge, that doesn't really bother anyone. If it does, let me know!
https://github.com/mozilla/treeherder/pull/1922#pullrequestreview-6259059 We really suck at authentication. Bug 1312915 may introduce a notion of "identity" (probably extending the existing `mozilla-user/<email>`, `mozillians-user/<username>` format). Let's try to make that more concrete, so there's a way to determine the identity associated with a set of credentials. Then authenticateHawk can return that value and if users want to authenticate they can just use that value and ignore the scopes.
I suspect we're not going to do this, actually. I think we will standardize on auth0 and build a simple way to generate temporary TC credentials around that service. Basically, other services should be talking to auth0 primarily, and us secondarily, since auth0 provides a much better authentication service (even if we are awesome at authorization).
...and so it came to pass