Chrome has "full access" to my signed-in Google account

Issue description

Version: 53.0.2785.8
OS: N/A

Looking at my account on https://security.google.com/settings/security/permissions , I see

Google Chrome
Has full access to your Google Account
REMOVE
Google Chrome has access to: Full account access Learn more
Authorization date: March 6, 3:12 AM

This seems, at best, confusing (c.f. recent hullabaloo with Pokemon Go having the same issue, see https://gist.github.com/arirubinstein/fd5453537436a8757266f908c3e41538 ). Is there a reason Chrome is doing this?

Putting the component as Security for now...
Jul 12 2016
Jul 12 2016
Pavel, can you explain why this is the case? I believe this refers to the sync token, which is in turn used to mint other down-scoped tokens for apps, the content area, etc.
Jul 12 2016
When a user signs in, Chrome requests a login-scoped refresh token (the one that has full account access). This token is later used for minting access tokens with reduced scopes for the different components communicating with servers: sync, invalidations, gcm, identity_api, ... about:signin-internals shows the list of currently requested access tokens and their corresponding scopes. Requesting a token with full access allows minting access tokens for all these components without asking the user for credentials. In a way this token is similar to the one issued to an Android phone when the user signs in. The Android token is later exposed through the AccountManager.getAuthToken API.
Jul 13 2016
Thanks for the explanation Pavel. Anthony, Ganggui - do either of you have anything to add? This seems WAI to me.
Jul 14 2016
Marking as WontFix for now (before I go OOO), since I believe this is WAI.
Comment 1 by palmer@chromium.org, Jul 12 2016
Components: Services>Sync
Labels: OS-All
Owner: ew...@chromium.org
Status: Assigned (was: Untriaged)
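
The token model described in the thread, as an added example that is not part of the original issue or of Chrome's code: a login-scoped refresh token mints access tokens that are each restricted to one component. The `TokenService` class, the `*` full-access marker and the `sync`/`gcm` scope labels are constructed for illustration and are not real scope strings.

```python
import secrets

FULL_ACCESS = "*"  # constructed stand-in for the login scope, not a real scope string

class TokenService:
    """Toy token server: refresh tokens hold a grant, access tokens hold scopes."""
    def __init__(self):
        self._grants = {}   # refresh token -> frozenset of granted scopes
        self._access = {}   # access token  -> frozenset of usable scopes

    def issue_refresh_token(self, granted):
        token = secrets.token_urlsafe(16)
        self._grants[token] = frozenset(granted)
        return token

    def mint_access_token(self, refresh_token, requested):
        granted = self._grants.get(refresh_token)
        if granted is None:
            raise PermissionError("unknown refresh token")
        requested = frozenset(requested)
        if not requested or FULL_ACCESS in requested:
            raise PermissionError("an access token must name explicit scopes")
        # A full-access grant covers every scope; any other grant only its subsets.
        if FULL_ACCESS not in granted and not requested <= granted:
            raise PermissionError("requested scope exceeds the grant")
        token = secrets.token_urlsafe(16)
        self._access[token] = requested
        return token

    def allows(self, access_token, scope):
        return scope in self._access.get(access_token, frozenset())

def can_mint(svc, refresh_token, scopes):
    try:
        svc.mint_access_token(refresh_token, scopes)
        return True
    except PermissionError:
        return False

def demo():
    svc = TokenService()
    login = svc.issue_refresh_token([FULL_ACCESS])   # what sign-in obtains
    sync = svc.mint_access_token(login, ["sync"])    # what one component holds
    narrow = svc.issue_refresh_token(["sync"])       # a grant without full access
    return {"sync_reaches_sync": svc.allows(sync, "sync"),
            "sync_reaches_gcm": svc.allows(sync, "gcm"),
            "login_mints_gcm": can_mint(svc, login, ["gcm"]),
            "narrow_mints_gcm": can_mint(svc, narrow, ["gcm"])}
```

In this model the permissions page would list the grant held by `login`, while each component only ever sees a token like `sync`.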