Say we sign up and log in to an OAuth 2.0-enabled security application called “AI Car Command Center” via Google OAuth 2.0.
We then logout.
Does Google then have the capability to grant itself access to “AI Car Command Center”, if it were forced to by some entity, of course without the account owner’s consent or credentials?
Examples of popular OAuth 2.0 services include:
Remember the OAuth 2.0 login flow:
- “AI Car Command Center” redirects to Google OAuth
- Google generates a valid OAuth grant token, but without user consent
- “AI Car Command Center” validates Google token
- Google then has full, unsolicited access to “AI Car Command Center”?
We can mitigate this by adding 2FA (TOTP) among other techniques.
As a sub-question, it may be useful to mention these briefly.