While others are still dabbling with OAuth2 – Google does some really sensible stuff!
Someone recently tried to use an application to sign in to your Google Account. We prevented the sign-in attempt in case this was a hijacker trying to access your account. Please review the details of the sign-in attempt:
Tuesday, February 19, 2013 4:36:30 PM UTC
IP Address: 220.127.116.11
If you do not recognize this sign-in attempt, someone else might be trying to access your account. You should sign in to your account and reset your password immediately. Find out how at …”
I am indeed in Norway (which I am normally not) and tried to read my Google Reader blogs with a 3rd party application (Reeder). Nicely done!
I should that I got this email the moment Reeder gave me an “access denied” and that unlocking was very easy as well.
On a related note – The OAuth2 threat model document is required reading for anyone implementing one or the other piece of OAuth2.