Login forms should definitely not allow access_tokens as passwords, and Heroku should be managing a state header to ensure CSRFs like this don’t occur.
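The state check the comment above asks for, as an added illustration (not code from the original post or from Heroku): the client binds a random, single-use `state` value to the user's session when it starts the authorization flow and refuses any callback whose `state` is missing, mismatched or replayed. The session store, endpoint URLs and client id are hypothetical placeholders.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical in-memory session store: session_id -> dict of session data.
SESSIONS = {}

def start_authorization(session_id, authorize_url="https://id.example/oauth/authorize",
                        client_id="example-client", redirect_uri="https://app.example/callback"):
    """Build the authorization redirect and bind a fresh state value to the session."""
    state = secrets.token_urlsafe(32)                # unguessable, per-flow value
    SESSIONS.setdefault(session_id, {})["oauth_state"] = state
    query = urlencode({"response_type": "code", "client_id": client_id,
                       "redirect_uri": redirect_uri, "state": state})
    return f"{authorize_url}?{query}"

def query_param(url, name):
    """Return the first value of a query parameter, or None if absent/blank."""
    return parse_qs(urlparse(url).query).get(name, [None])[0]

def handle_callback(session_id, callback_url):
    """Return the authorization code only if the callback's state matches the session's."""
    presented = query_param(callback_url, "state")
    # pop() makes the state single-use: a replayed callback finds nothing to compare against
    expected = SESSIONS.get(session_id, {}).pop("oauth_state", None)
    if not presented or not expected:
        raise PermissionError("OAuth callback rejected: missing state")
    if not hmac.compare_digest(presented.encode(), expected.encode()):
        raise PermissionError("OAuth callback rejected: state mismatch (possible CSRF)")
    code = query_param(callback_url, "code")
    if not code:
        raise ValueError("OAuth callback rejected: missing code")
    return code
```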
Very nice and clean finding! This sounds like it could have done a lot of damage.
OAuth implementation vulnerabilities have already attracted some attention, but I fear they aren’t as well known to devs as they need to be. More posts like this will do the community good in raising awareness.