rahimnathwani 4 days ago

  By looking the account up with Google's People API - https://developers.google.com/people
  They would have to verify the account is active
If I log in using Google oauth, you already know the Google account is active.

  AND the id hasn't changed
Yes, but that's an additional check, separate from the one you suggested would eliminate the issue:

  If, when you logged into Slack via Google Oauth with the email address user@company.com, Slack checked with company.com whether user@company.com was a valid user that should be allowed to login, then this problem would be avoided entirely because the defunct company would no longer report any valid users.
  • nodamage 2 days ago

    > If I log in using Google oauth, you already know the Google account is active.

    You know there is an active Google account but (for the public OAuth integration option) it can be any Google account from any workspace, or no workspace.

    "A public application allows access to users outside of your organization (@your-organization.com). Access can be from consumer accounts, like @gmail.com, or other organizations, like @partner-organization.com." [1]

    > Yes, but that's an additional check, separate from the one you suggested would eliminate the issue:

    If you set up an internal OAuth integration option no separate check is necessary, it will actually restrict access to users of your workspace.

    "An internal application will only allow access to users from your organization (@your-organization.com)." [1]

    You can use the SAML integration option as well. [2]

    [1] https://support.google.com/cloud/answer/6158849?hl=en#zippy=...

    [2] https://support.google.com/a/answer/6357481

  • johnmaguire 4 days ago

    Right, this additional check should not be necessary in a typical OAuth or OIDC flow. This workaround is only necessary in this case because the API Google offers to services has a hole in it.