Comment by nodamage

Comment by nodamage 3 days ago

0 replies

View on Hacker News

Assuming the above is correct, if you decide to connect Google SSO to your application using option (3), then it is not a vulnerability that a Google account from a different workspace can connect to your application, because the entire point of option (3) is that users with any Google account (regardless of workspace) can connect to your application.

If you intended to restrict your application to users of your own workspace then you should have used option (1) or (2).