Recycling Google Accounts & OAuth Issues


David Walton

Jan 9, 2024, 10:59:59 AM
to google-ap...@googlegroups.com
Hi all,

Do you have any tips or best practices on recycling Google accounts?

We are hoping to start recycling Google accounts, meaning that if we delete john....@biola.edu we want it to be available in our pool of email accounts for a future John Smith.

For example, let's say john....@biola.edu logged in to a service like Notion and created content, then his Google account is deleted by our organization. In my testing, if the new john....@biola.edu account with a new password (simulating an entirely different user) tried to log into Notion—even after a few days and on a different machine—they would see the old John Smith's content. Notion has no way of knowing that this is a new user.

Does this make email recycling untenable? Is there any way around this, or should recycling always be avoided? Is there a way from Google's side to "reset" OAuth connections or properly recycle accounts? I'd love to know your thoughts.

Best,



--

David Walton

Information Security Analyst

Jay Lee

Jan 9, 2024, 11:14:54 AM
to google-ap...@googlegroups.com
See inline.

Jay Lee

On Tue, Jan 9, 2024 at 10:59 AM David Walton <david....@biola.edu> wrote:
Hi all,

Do you have any tips or best practices on recycling Google accounts?

We are hoping to start recycling Google accounts, meaning that if we delete john....@biola.edu we want it to be available in our pool of email accounts for a future John Smith.


You are describing recycling EMAIL ADDRESSES, not ACCOUNTS. Both have their risks, but there is a significant difference.

For example, let's say john....@biola.edu logged in to a service like Notion and created content, then his Google account is deleted by our organization. In my testing, if the new john....@biola.edu account with a new password (simulating an entirely different user) tried to log into Notion—even after a few days and on a different machine—they would see the old John Smith's content. Notion has no way of knowing that this is a new user.

Notion absolutely has the ability to distinguish between old John and new John accounts. Yes, the email address is identical, but the unique ID Google assigns to each account will differ. If Notion is considering the Google email address to be the unique and sole identifier for the Notion account, then that is a flaw in their application that should be fixed. You should reach out to Notion and ask them to key off of the "sub" parameter during OIDC flows rather than the email address alone.

Does this make email recycling untenable? Is there any way around this, or should recycling always be avoided? Is there a way from Google's side to "reset" OAuth connections or properly recycle accounts? I'd love to know your thoughts.

In theory, no: it can be done as long as all connecting services utilize the account unique ID rather than blindly using the email address to assume an account match. In practice that's sadly not the case; you should consider the risk to your organization.

Personally, after a few years of managing student account lifecycle at a university, I got tired of all the edge cases. We moved to unique email addresses per person and never recycled them. Something like first initial, last initial, random 3-4 digit number. It's less personal, but it removes a LOT of significant issues. This is only one of them; another big one is email/calendar appts going to the wrong john.smith.

Jay


--
You received this message because you are subscribed to the Google Groups "GAM for Google Workspace" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-apps-man...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-apps-manager/CAGXmKnpYzFcg09kEUAiQZ5RMnu4vPvb1GN2TPo44RBfKf3U1vA%40mail.gmail.com.
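A minimal model of the account-linking flaw Jay describes, added here as an example and not Notion's or Google's code. The claim values are constructed, the account store is an in-memory dict, and `link_by_email` and `link_by_sub` are hypothetical names for the two relying-party behaviours being compared:

```python
"""Account linking at an OIDC relying party, keyed by email vs by `sub`.

Constructed example. Two Google ID-token claim sets for the same recycled
address: the original holder and, later, a different person who receives a
fresh Google account and therefore a different `sub`."""
from __future__ import annotations
from dataclasses import dataclass

# Constructed claims. A real Google `sub` is an opaque numeric string that is
# unique per Google account and never reused, unlike the email address.
OLD_JOHN = {"sub": "100000000000000000001", "email": "john.smith@example.edu",
            "email_verified": True, "hd": "example.edu"}
NEW_JOHN = {"sub": "100000000000000000002", "email": "john.smith@example.edu",
            "email_verified": True, "hd": "example.edu"}


@dataclass
class Account:
    account_id: int
    issuer_sub: str
    email: str


def _require_verified(claims: dict) -> None:
    # Never link on an address the identity provider has not verified.
    if not claims.get("email_verified"):
        raise ValueError("email_verified is false; refuse to link")


def link_by_email(store: dict, claims: dict) -> Account:
    """Flawed: the address is the key, so the new holder of a recycled
    address silently inherits the old account and all of its content."""
    _require_verified(claims)
    email = claims["email"]
    if email not in store:
        store[email] = Account(len(store) + 1, claims["sub"], email)
    return store[email]


def link_by_sub(store: dict, claims: dict) -> tuple[Account, list[str]]:
    """Correct: `sub` is the key. A known email arriving with an unknown
    `sub` is a recycled address; create a separate account and return an
    alert so an admin can review sharing or invites tied to the old one."""
    _require_verified(claims)
    alerts: list[str] = []
    sub = claims["sub"]
    if sub not in store:
        clash = [a for a in store.values() if a.email == claims["email"]]
        if clash:
            alerts.append(f"recycled address {claims['email']}: "
                          f"old sub {clash[0].issuer_sub} -> new sub {sub}")
        store[sub] = Account(len(store) + 1, sub, claims["email"])
    return store[sub], alerts
```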

David Walton

Jan 9, 2024, 11:23:52 AM
to google-ap...@googlegroups.com
Thanks for the response, Jay.

You're absolutely right — I meant addresses, not accounts. The problem is that third-party services with poor implementations (like Notion) can't see the difference. I appreciate you explaining the technical failure on their part, and I think you're likely right that it isn't worth the effort of chasing down these service providers and telling them to get their act together.
