While others are still dabbling with OAuth2 – Google does some really sensible stuff!
“Dominick,
Someone recently tried to use an application to sign in to your Google Account. We prevented the sign-in attempt in case this was a hijacker trying to access your account. Please review the details of the sign-in attempt:
Tuesday, February 19, 2013 4:36:30 PM UTC
IP Address: 80.232.78.190
Location: Norway
If you do not recognize this sign-in attempt, someone else might be trying to access your account. You should sign in to your account and reset your password immediately. Find out how at …”
I am indeed in Norway (which I am normally not) and tried to read my Google Reader blogs with a 3rd party application (Reeder). Nicely done!
I should add that I got this email the moment Reeder gave me an “access denied” and that unlocking was very easy as well.
On a related note – The OAuth2 threat model document is required reading for anyone implementing one piece or another of OAuth2.