
Comment by niftich

8 years ago

Most of these 'Sign in with [Social Identity Provider]' implementations, including Google [1], use OIDC ("OpenID Connect"), which in turn is built on top of OAuth 2.0. From the OAuth 2.0 side, the site into which you wish to gain access -- in this case, StackOverflow -- only sees opaque tokens that are usually short-lived.

However, OIDC then typically delivers some choice personal info -- no more than you agreed to when you first consented to the integration, but usually account name and/or email, and maybe real name and some demographic data -- to the requesting service so that they can both find you in their datastore and sync up these attributes. In the case of a service whose OAuth/OIDC callback URL's SSL is terminated with CloudFlare (and we, as of writing, don't yet know whether that applies to StackOverflow), this info will touch CloudFlare servers and could have been contents of memory that was exposed. However, your password would not be, as in your case the password was supplied to the Social Identity Provider (Google), who didn't use CloudFlare to terminate that connection, and the password never left Google, which was the precise use case and requirement that the OAuth/OIDC specs were authored to support.

[1] https://developers.google.com/identity/protocols/OpenIDConne...