I did, once. But after that, on entirely new sessions, they automatically "click" the sign in to Google button behind the scenes and log me in with the token.
The first time you logged in with Google, you were presented with a User Consent screen that said "this website wants access to this information, do you agree?" and you clicked yes.
To break the link, go into Google and see what sites, apps, etc. you granted access to. That's a good thing to do regularly anyway with every social provider.
I will say I appreciate Facebook's approach to this - after 60-90 days, you have to affirmatively reconfirm your initial authorization when they send you through the OAuth flow.
I wrote about the implications of poorly implemented and abusive social authentication practices last month: https://www.scmagazine.com/home/security-news/using-social-a...