Wednesday, 25 February 2015

Does use of OpenID Connect for login imply Google can impersonate my users?



I am looking at integrating Google OpenID Connect (OAuth 2.0 for Login) as a login option for a web application.


http://ift.tt/1wTcBHQ


My question: Does use of OpenID Connect (and similar schemes) imply that Google could impersonate my users, log on to my website, and access all their data there?


My guess is that the answer might be different for the "server flow" versus "implicit flow" (see Google link), with the latter involving JavaScript in the browser. But depending on the underlying implementation on Google's side, I'm not sure about either.


I don't believe Google has any interest in committing criminal acts of unauthorized network access, but on the other hand, a vulnerability is a vulnerability and I want to understand the real relationship of the systems.
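The trust relationship the question asks about can be seen directly in what a relying party actually checks on an ID token. The following is an added illustration, not code from the question or from Google's libraries: it models the identity provider as a function that signs claims and the relying party as a function that verifies issuer, audience, expiry, nonce and signature. For self-containment it uses HS256 with a constructed shared secret in place of Google's RS256 signature over published JWKS keys; the issuer URL, client id, subject and nonce values are all constructed. The point it demonstrates is that every check the RP performs is satisfied by material the IdP controls or receives, so the RP necessarily trusts the IdP for identity assertions; the `aud` and `nonce` checks scope that trust (a token for another site, a replayed token, or a token altered without the key is rejected) but cannot exclude the issuer itself.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample values (not Google's real issuer, client id or keys).
ISSUER = "https://idp.example"                 # stand-in for the identity provider
CLIENT_ID = "my-web-app"                       # the relying party's client id (expected 'aud')
IDP_KEY = b"constructed-idp-signing-secret"    # stand-in for the IdP's private signing key
NOW = 1424822400                               # fixed clock: 2015-02-25T00:00:00Z


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(claims: dict, key: bytes) -> str:
    """What the IdP does: sign a claim set. Anyone holding `key` can produce such tokens."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    signature = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(signature)}"


def verify_id_token(token: str, key: bytes, issuer: str, client_id: str,
                    nonce: str, now: float) -> tuple:
    """What the relying party does. Returns (claims, "ok") or (None, reason)."""
    parts = token.split(".")
    if len(parts) != 3:
        return None, "malformed"
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        # Pin the algorithm before anything else so 'none' or a swapped alg is never accepted.
        if header.get("alg") != "HS256":
            return None, "unexpected alg"
        expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None, "bad signature"
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:
        return None, "malformed"
    if claims.get("iss") != issuer:
        return None, "wrong issuer"
    aud = claims.get("aud")                    # OIDC allows a string or a list here
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        return None, "wrong audience"
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return None, "expired"
    # The nonce ties the token to a login this RP started; the IdP receives it in the
    # authorization request, so the issuer can always satisfy it, but a stored token
    # cannot be replayed into a different session.
    if claims.get("nonce") != nonce:
        return None, "nonce mismatch"
    return claims, "ok"


def demo() -> dict:
    """Exercise the RP's checks against tokens the key holder did and did not produce."""
    login_nonce = "constructed-nonce-123"
    alice = {"iss": ISSUER, "sub": "constructed-sub-0001", "aud": CLIENT_ID,
             "email": "alice@example.com", "iat": NOW, "exp": NOW + 3600, "nonce": login_nonce}
    genuine = mint_id_token(alice, IDP_KEY)
    header_b64, payload_b64, sig_b64 = genuine.split(".")

    # Claims altered without the key: signature no longer matches.
    forged_payload = _b64url_encode(json.dumps(dict(alice, email="bob@example.com")).encode())
    tampered = f"{header_b64}.{forged_payload}.{sig_b64}"
    # Header rewritten to alg=none with the signature dropped.
    none_header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    alg_none = f"{none_header}.{payload_b64}."

    results = {
        "genuine": verify_id_token(genuine, IDP_KEY, ISSUER, CLIENT_ID, login_nonce, NOW)[1],
        "other_rp": verify_id_token(mint_id_token(dict(alice, aud="some-other-client"), IDP_KEY),
                                    IDP_KEY, ISSUER, CLIENT_ID, login_nonce, NOW)[1],
        "expired": verify_id_token(mint_id_token(dict(alice, exp=NOW - 1), IDP_KEY),
                                   IDP_KEY, ISSUER, CLIENT_ID, login_nonce, NOW)[1],
        "replayed": verify_id_token(genuine, IDP_KEY, ISSUER, CLIENT_ID, "different-session", NOW)[1],
        "tampered": verify_id_token(tampered, IDP_KEY, ISSUER, CLIENT_ID, login_nonce, NOW)[1],
        "alg_none": verify_id_token(alg_none, IDP_KEY, ISSUER, CLIENT_ID, login_nonce, NOW)[1],
    }
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:10s} -> {outcome}")
```

Only the `genuine` case passes, and it passes because the signing key, the `iss` value, and knowledge of the nonce all sit on the IdP side; nothing in the RP's checks distinguishes a token the user requested from one the key holder minted. That is the same for the server flow and the implicit flow, since both end with the RP accepting an IdP-signed ID token; what differs is whether the token passes through the browser. The practical mitigations are the ones shown: pin the algorithm, verify `aud` so a token issued to another site is useless here, bind the token to a session nonce, honour `exp`, and keep the IdP's assertion limited to identity rather than treating it as authorization for everything the account holds.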