Comment by tsimionescu
4 days ago
But the new owner does not have access to the inbox or any other account info of the old bob@DankStartup.com. They're completely separate accounts, with the same email address. Plus, Google already recognizes that fact, by setting a different value in the "sub" field of the claim it returns (though per the article, it seems that may not work properly).
And legal relations just don't work this way. A person is who they are, and it is that person who has legal access to whatever data was stored in their Slack. Another person who happens to have the same email some time later doesn't have any right whatsoever to that same data. OAuth exists to help secure this type of legal relation, not to establish a completely fictitious identity.
> Google already recognizes that fact, by setting a different value in the "sub" field of the claim it returns
Then Google is doing the right thing. It's incumbent on the relying party to enforce its own authorization policies based on the information the authorization server provides.
Google says, "here's bob@example.net <id=n49d0x>", oh now "here's bob@example.net <id=pv82x1d>"
Google can't save consumers from their own negligence.
So why isn't it on Slack to address this (or not use OAuth, if it can't)? Google doesn't verify the actual legal person behind an email address, whether it's through gmail or google workspace, nor would we want/expect them to.